Black Code: Inside the Battle for Cyberspace

Author: Ronald J. Deibert

A more detailed peek – indeed, more like a strip show – was provided in December 2011 by the whistleblower organization, WikiLeaks. Working with a number of organizations (including Privacy International), the renegade outfit released what they dubbed the “Spy Files,” a collection of restricted documents, brochures, and manuals from dozens of obscure companies. This type of information is never posted on the Web or circulated publicly; rather it is disseminated at closed-door industry conferences with exorbitant registration fees, meetings that are restricted to a narrow circle of intelligence, law enforcement, and defence agencies. Privacy International personnel managed to infiltrate this inner sanctum, gather up promotional materials, and use WikiLeaks to shed light on this underground but massively expanding industry. I wrote the foreword to the release of “Spy Files” for Privacy International (on whose advisory board I sit). “Not too long ago, Internet pundits mocked slow-footed authoritarian regimes and predicted their demise,” I remarked. “Today, they are prime customers for the tradecraft of cyberspace controls.”

Among the brochures in “Spy Files” is a PDF for a product, FinSpy, marketed by Gamma Group and described as a “Remote Monitoring and Infection Solution.” The glossy brochure resembles something you might casually peruse in a dentist’s office or perhaps at the Apple Store, except that in Canada and many other countries the product being advertised, if used by a consumer, would be in clear violation of the law. FinSpy breaks into and secretly monitors the computers of its unwitting targets. The brochure describes how FinSpy is a “field-proven Remote Monitoring Solution that enables Governments to face the current challenges of monitoring Mobile and Security-Aware Targets that regularly change location, use encrypted and anonymous communication channels and reside in foreign countries” [bold and capitalization in the original]. Mobile and security-aware targets that change location? Reside in foreign countries? An apt description of the globally networked, popular insurrection that faced off against the Egyptian government in 2011. No wonder the product was sold there.

The brochure provides an overview of FinSpy that amounts to a laundry list of the seamy side of cyberspace, and worthy for that reason of some considerable scrutiny:

• Bypassing of 40 regularly tested Anti-Virus systems. Here, Gamma insists that its FinSpy product is so advanced that it escapes detection by forty products whose mission it is to protect customer computers from trojan horses, viruses, and computer worms … the very same type of trojan horse being manufactured by Gamma itself! Strictly speaking this is not a “zero-day” vulnerability (a flaw unknown to the software vendor) but undetected malware: FinSpy’s “signature” had not yet been catalogued by antivirus companies such as Symantec, the maker of Norton.

• Covert communication with Headquarters. Here, the company explains that it can infect targets and communicate back to those operating FinSpy without users knowing it. Ingenious, unethical, and, well, illegal – unless you are working for a secret agency whose activities are exempt from the law (which is, after all, a target group of Gamma).

• Full Skype Monitoring (Calls, Chats, File Transfers, Video, Contact List). No surprise here – Skype is used by many people who wrongly believe that it provides communications security – and the brochure gives an intriguing generic “use-case” of how FinSpy was used to monitor Skype: “FinSpy was installed on several computer systems inside Internet cafés in order to monitor them for suspicious activity, especially Skype communications to foreign individuals. Using the webcam, pictures of the targets were taken while they were using the system.”

Such details bring to mind stories that circulated in Egypt (where the product was sold to intelligence agencies). In June 2011, the Wall Street Journal reported that Egypt’s security service listened in on Skype communications of young dissidents and that “an internal memo from the ‘Electronic Penetration Department’ even boasted it had intercepted one conversation in which an activist stressed the importance of using Skype ‘because it cannot be penetrated online by any security device.’ ” That the means by which the Electronic Penetration Department did so was Gamma’s FinSpy certainly adds missing colour to this “use-case”; that Egypt had something called an Electronic Penetration Department in the first place paints its government in a hue of blood red.

In addition to the contract that ransacking protesters stumbled across, the Wall Street Journal also reported on a “Top Secret” memo from Egypt’s interior ministry. Dated January 1, 2011, it describes the five-month trial of a “high-level security system” produced by Gamma Group that succeeded in “hacking personal accounts on Skype.” The Journal notes that “the system was being offered for €388,604 ($559,279), including the training of four officers to use it, by Gamma’s Egyptian reseller, Modern Communication Systems.”

These revelations underscored how lucrative the market for FinSpy-like products has become. They also confirmed fears that U.S.-based NGOs like Freedom House, which were training Middle East activists to use tools like Skype to secure their communications, were actually instilling a false sense of security: end-to-end protection on the wire counts for nothing once the computer itself is commandeered by a customized trojan horse like FinSpy. (To this day, I regularly encounter activists relying on Skype and other “secure communications” tools touted by “trainers.” They should know better.)

Which brings us back to other features in Gamma’s FinSpy brochure:

• Recording of common communication like Email, Chats, and Voice-over-IP and Live Surveillance through Webcam and Microphone. Surveilling webcams and microphones in real time was exactly what the Chinese hackers in the GhostNet espionage campaign achieved through Ghost RAT. Here the same capabilities are being professionally repackaged and marketed. As we noted when Tracking GhostNet was published: “We are used to having computers be our window to the world; it’s time to get used to them looking back at us.”

• Country Tracing of Target. This feature seems superfluous in light of FinSpy’s other capabilities, but governments today face transnational networks of adversaries, and thus this is an important selling feature for agencies looking to penetrate and immobilize them. Perhaps to track them down and eliminate them.

• Silent Extracting of Files from Hard Disk. The silent part is interesting. Picture yourself working at your computer while files are being silently removed, without your knowledge, from your hard drive and down a fibre-optic cable.

• ‘Process-based Keylogger’ for faster analysis. Somewhere, each one of your keystrokes is being recorded and analyzed – as you are typing. This means not just the words you are entering into a document, but each and every password you use for what you assume are secure websites and programs – like encryption and anonymizer tools – including, of course, the master password for your computer.

• Live Remote Forensics on Target System. A standard reconnaissance task undertaken to provide a snapshot of a victim’s computer layout, and thus vulnerabilities, so that they can be further exploited with other pieces of malware. Given FinSpy’s other capabilities you have to wonder why this is necessary, but there you have it.

•  •  •

The contracts, brochures, and obscure company names in the WikiLeaks collection – as endlessly fascinating as they may be – are but a glimpse into a vast labyrinth and arms race in cyberspace. It’s wrong to describe this labyrinth as “underground” in the sense that today such attack tools are cheap and widely available, and attackers can mount their assaults at fibre-optic speed from anywhere on the planet to anywhere else; but “underground” is apt as they can also disguise their origins and mask responsibility, and, of course, the market for such products is dominated by shadowy security services. As Harvard’s Joseph Nye, who has been assistant secretary of defense and chairman of the National Intelligence Council, argues, “The cyber domain of computers and related electronic activities is a complex man-made environment, and human adversaries are purposeful and intelligent. Mountains and oceans are hard to move, but portions of cyberspace can be turned on and off by throwing a switch. It is far cheaper and quicker to move electrons across the globe than to move large ships long distances.” And it is far easier for the perpetrators to remain anonymous, hence the critiques of Eugene Kaspersky, Richard Clarke, and others, and the attacks on online anonymity itself.

War scholars have long understood that in an offence-dominant environment such as this, there is constant pressure to keep up. Fear and insecurity grow, threats lurk everywhere, and rash decisions lead to unexpected outcomes. For those in the defence and intelligence services industry this scenario represents an irresistibly attractive market opportunity. Some estimates value the cyber-security military-industrial business at upwards of US$150 billion annually. Like Dwight Eisenhower’s military-industrial complex before it, the cyber-security industrial complex is intimately connected to militarization processes in the West and, in particular, the U.S. Major corporate giants that arose in the Cold War, such as Boeing and Northrop Grumman, are now positioning themselves to service the cyber security market. “We’ve identified cyber as one of our four key areas for growth for the next five years,” says Tim McKnight, vice-president at Northrop’s intelligence systems division. They have been joined by dozens of little-known niche outfits like Gamma, VUPEN, and Endgame. In an era of financial austerity, with so many industries squeezed by economic downturns, the growing cyber security sector represents a golden egg.

There are numerous good reasons for a thriving cyber security market. Dynamic networks need to constantly fend off malicious software, and the private sector generally produces the most efficient and agile responses. But when twinned with the growing desire among defence and intelligence agencies (and some companies) to monitor an ever-widening range of threats and to sometimes “strike back,” the same market creates perverse dynamics. Securing cyberspace is only a part of the cyber security market: exploiting it, mining it for intelligence, and even propagating vulnerabilities that undermine and destabilize it are quickly becoming just as lucrative parts of the game.

In 2012, the satirical website the Onion published a news video calling Facebook a “massive online surveillance program run by the CIA” and alleging “that Facebook has replaced almost every other CIA information gathering program.” The video shows testimony from a fictional deputy director of the CIA, Christopher Sartinsky: “After years of secretly monitoring the public we were astounded so many people would willingly publicize where they live, their religious and political views, an alphabetized list of all their friends, personal email addresses, phone numbers, hundreds of photos of themselves, and even status updates about what they were doing moment to moment. It is truly a dream come true for the CIA.”

Sometimes great satire is just too true. Of course, it truly is a dream come true for the CIA, and for the companies that sell social network monitoring products and services to the CIA (and other defence and intelligence agencies). When that market opportunity is combined with growing pressures on the private sector, including social network platforms themselves, to effectively police the Internet, accompanied by laws that relax independent oversight and judicial restraints, a very troubling mix of incentives emerges.

Consider Social360, a company that monitors social networks for other companies. It advertises a special “crisis-monitoring” service which aims to identify protester activities that might be threatening to companies tarnished by scandals. Although they don’t publish to whom they sell their services, one can easily imagine this service being offered to oppressive regimes threatened by popular uprisings like those that arose during the Arab Spring.

Or consider the U.K.-based ThorpeGlen Company, a world leader in the design and development of mass data analysis and storage solutions for the security sector. On July 6, 2010, the company announced that it had created the “largest social network” in the world with more than 1.2 billion nodes. “A node on a social network is a person, piece of equipment or account,” ThorpeGlen explains. “The network itself maps the linkages between nodes meaning that the flow of funds through bank accounts, the movement of people and materials within a production facility or the way in which people communicate with each other by e-mail or telephone can be visualized and analyzed.” ThorpeGlen offers little explanation about how it acquires such node information, but in a 2008 web demo, its VP of global sales showed off one of the company’s “lawful access” tools by mining a single week’s worth of call data from 50 million users in Indonesia. The purpose was to find the dissident needle in the haystack. As the London Review of Books reported:

Of the 50 million subscribers ThorpeGlen processed, 48 million effectively belonged to ‘one large group’: they called one another, or their friends called friends of their friends; this set of people was dismissed. A further 400,000 subscriptions could be attributed to a few large ‘nodes’, with numbers belonging to call centres, shops and information services. The remaining groups ranged in size from two to 142 subscribers. Members of these groups only ever called each other – clear evidence of antisocial behaviour – and, in one extreme case, a group was identified in which all the subscribers only ever called a single number at the centre of the web. This section of the ThorpeGlen presentation ended with one word: ‘WHY??’

“Why??” indeed. What does this analysis prove? Beneath the slick presentation, the demo suggests that ThorpeGlen had access to real user data in Indonesia, presumably shared with the company by cellphone and other telecommunications companies. One company, one case, one country. But doesn’t this raise two questions: how many other ThorpeGlens are out there mining our social network data? And, how many countries are doing what Indonesia and Indonesian telecom companies presumably did in 2008: share users’ data without their consent with a private company servicing law enforcement and intelligence?
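The triage the London Review of Books describes is a simple call-graph analysis, and it is worth seeing how little it takes. The following is an added example written for this page, not ThorpeGlen’s software or any code from the book: it builds an undirected call graph from a constructed set of caller/callee records, dismisses the giant connected component (“one large group”), strips out high-degree numbers that stand in for call centres and information lines, and reports whatever small closed groups remain, flagging the star-shaped ones in which every subscriber only ever calls a single centre number. The degree threshold for a “hub” and the sample records are assumptions; real call-detail records also carry timestamps, durations and cell IDs, which this example omits.

```python
from collections import defaultdict

# Constructed call-detail records, (caller, callee). Not real data.
CALLS = [
    # an ordinary, well-connected population: ends up in the giant component
    ("A1", "A2"), ("A2", "A3"), ("A3", "A4"), ("A1", "A5"), ("A5", "A6"),
    ("A6", "A7"), ("A4", "A8"), ("A8", "A9"), ("A9", "A10"), ("A7", "A10"),
    ("A10", "A11"), ("A11", "A12"), ("A12", "A1"), ("A2", "A1"),  # repeat call, reversed
    # a high-degree number (an information line) dialled by unrelated people
    ("A3", "INFO"), ("A9", "INFO"), ("H1", "INFO"), ("H2", "INFO"), ("H3", "INFO"),
    # a small closed group whose members only ever call each other
    ("C1", "C2"), ("C2", "C3"), ("C3", "C1"),
    # a star: four subscribers who only ever call one centre number
    ("S1", "S0"), ("S2", "S0"), ("S3", "S0"), ("S4", "S0"),
    # a pair, plus a self-call that must be ignored
    ("P1", "P2"), ("P1", "P1"),
]

HUB_DEGREE = 5  # assumed threshold: numbers with this many distinct contacts are hubs


def build_graph(calls):
    """Undirected call graph: number -> set of numbers it exchanged calls with."""
    graph = defaultdict(set)
    for a, b in calls:
        if a == b:
            continue  # a self-call links nobody to anybody
        graph[a].add(b)
        graph[b].add(a)
    return graph


def find_hubs(graph, min_degree):
    """Numbers with many distinct contacts: call centres, shops, info lines."""
    return {n for n, contacts in graph.items() if len(contacts) >= min_degree}


def components(graph, excluded=frozenset()):
    """Connected components of the graph with `excluded` nodes removed, largest first."""
    seen, comps = set(), []
    for start in graph:
        if start in seen or start in excluded:
            continue
        comp, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n in seen or n in excluded:
                continue
            seen.add(n)
            comp.add(n)
            stack.extend(graph[n])
        comps.append(comp)
    return sorted(comps, key=len, reverse=True)


def star_centre(graph, members, excluded):
    """Return the centre if every other member only ever calls that one number, else None."""
    if len(members) < 3:
        return None
    for centre in members:
        leaves = members - {centre}
        if all(graph[leaf] - excluded == {centre} for leaf in leaves):
            return centre
    return None


def triage(calls, hub_degree=HUB_DEGREE):
    """Reproduce the demo's steps: dismiss the big group, attribute hub callers, keep the rest."""
    graph = build_graph(calls)
    hubs = find_hubs(graph, hub_degree)
    comps = components(graph, excluded=hubs)
    giant, rest = (comps[0] if comps else set()), comps[1:]
    # subscribers whose only contacts were hubs are now isolated: attributed to the hub
    hub_only = {next(iter(c)) for c in rest if len(c) == 1}
    groups = [{"members": sorted(c), "star_centre": star_centre(graph, c, hubs)}
              for c in rest if len(c) >= 2]
    return {"hubs": hubs, "giant": giant, "hub_only": hub_only, "groups": groups}


if __name__ == "__main__":
    result = triage(CALLS)
    print(f"hubs dropped: {sorted(result['hubs'])}")
    print(f"giant component dismissed: {len(result['giant'])} subscribers")
    print(f"attributed to hubs only: {sorted(result['hub_only'])}")
    for g in result["groups"]:
        tag = f"star around {g['star_centre']}" if g["star_centre"] else "closed group"
        print(f"  {len(g['members'])} members, {tag}: {g['members']}")
```

The point is not the code but what it does not need: no content, no identities, no warrant per subscriber. Who-calls-whom metadata alone is enough to separate the population into the social majority, the people who only dial hotlines, and a handful of tightly closed groups, and a star where everyone calls one number is exactly the shape a cell with a single organizer would leave in the records.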
