Read Black Code: Inside the Battle for Cyberspace Online
Authors: Ronald J. Deibert
Tags: #Social Science, #True Crime, #Computers, #Nonfiction, #Cybercrime, #Security, #Retail
Black Code: Inside the Battle for Cyberspace (26 page)
• • •
In 2011
, the German hacker collective, Chaos Computer Club (CCC) announced that it had discovered and examined a backdoor trojan horse made by the German company DigiTask as part of a “lawful interception” program to listen in on Internet-based communications. In Germany, courts have long allowed the use of backdoor programs to help law enforcement listen in on encrypted communications as part of legal wiretaps. However, the CCC alleged that the software went far beyond those permissible purposes, and claimed the trojan could be used to monitor Skype, Yahoo! Messenger, and MSN Messenger; log keystrokes made through Firefox, Internet Explorer, and other browsers; and take screen captures of desktops. The CCC wrote that the “State Trojan” violated German law because it could also upload and execute programs remotely. “This means, an ‘upgrade path’ from [lawful spyware] to the full State Trojan’s functionality is built-in right from the start. Activation of the computer’s hardware like a microphone or camera can be used for room surveillance. The government malware can, unchecked by a judge, load extensions by remote control, [and] use the Trojan for other functions, including but not limited to eavesdropping.”
A German lawyer said that one of his clients was infected with the trojan while travelling through a German airport. After his client was arrested the lawyer contacted the CCC, which found the infection in the client’s computer. WikiLeaks documents show that in 2008 German law enforcement was working with DigiTask to develop software that could intercept Skype phone calls. DigiTask stated that the program that the CCC found was probably a tracking program it had sold to Bavaria in 2007, and admitted that it sold similar spyware to governments throughout Europe.
The digital arms trade for products and services around “active defence” may end up causing serious instability and chaos. Frustrated
by their inability to prevent constant penetrations of their networks through passive defensive measures, it is becoming increasingly legitimate for companies to take retaliatory measures. As the desire for such active defence strategies mounts, firms like CrowdStrike and Mandiant now openly go “on the hunt,” distinguishing their services by contrasting them with those of mere “protection firms.” “It’s a lot more fun to fight the adversary than to guard against him,” Mandiant company founder Kevin Mandia told NPR, citing another industry expert who says that “there are dozens, if not hundreds, of service providers doing similar things to Mandiant.”
One extremely lucrative part of this market involves the sale of fresh “exploitations” or undiscovered computer vulnerabilities not yet detected by the antivirus industry, like Gamma’s Zero Day. A 2012
Forbes
magazine investigation acquired a price list of zero-day vulnerabilities, offering another peek inside this otherwise closed industry. Want a fresh exploit that will target Adobe? That will cost anywhere from $5,000 to $30,000. Mac OS X? $20,000 to $50,000. Android? $30,000 to $60,000. One exploit targeting Apple’s iOS system was reportedly sold to a U.S. agency for $250,000.
The
Forbes
report profiles
a Bangkok middleman, “The Grugq,” who was set to earn over $1 million annually acting as a digital-age arms broker between those who engineer fresh exploitations and their purchasers, usually U.S. and European government agencies. Clearly, the burgeoning industry includes small obscure firms, lone actors, and industry giants like Northrop Grumman and Raytheon.
Of course, much of the industry is shrouded in the type of secrecy that accompanies defence, law enforcement, and intelligence agencies and their practices and markets. Entire segments of the cyber-security industrial complex operate in the shadows, reaping millions from ballooning “black budgets” that escape public scrutiny and independent oversight. An occasional leak here or there, dedicated investigative reporting, or a careless boast made
by someone like “The Grugq” represent the only real chances the general public has to gain insight into this dark trade.
One of the few companies not afraid to speak out is the French-headquartered VUPEN Security, which came to prominence when its hackers won a 2012 contest sponsored by Google to see if anyone could find a vulnerability in its Chrome browser. The prize was $60,000, but in exchange for publicly disclosing the vulnerability the winner had to help Google engineers plug the holes. VUPEN surprised everyone by turning down the prize. “We wouldn’t share this with Google for even $1 million,” said the company’s president. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”
VUPEN says it only sells to law enforcement agencies under a nondisclosure agreement, and only then to law enforcement agencies in the NATO, ANZUS, or ASEAN alliances. This sounds principled, but it should be noted that those alliances include such luminaries of human rights non-compliance as Albania, Bulgaria, Croatia, Hungary, Romania, Slovenia, Slovakia, Spain, Indonesia, Malaysia, Thailand, Brunei, Burma, Cambodia, Laos, and Vietnam. Nonetheless, in a glossy VUPEN brochure in the WikiLeaks “Spy Files” archive, the company boasts that it “provides its customers … reports about critical vulnerabilities up to 9 months in advance before any patches are released.”
One of the other means by which researchers have tracked the growing black market industry is through job postings. In 2012, Mikko Hyppönen of the security firm F-Secure took notice of an increasing number of postings from large companies advertising for skill sets that included offensive exploitation capabilities. For example, a search by Hyppönen of the massive defence contractor SAIC’S job database using the keywords “top secret/sci” and “exploit” returned over 137 job postings. Intriguingly, a 2012 job
posting at defence contractor Booz Allen Hamilton for a “target network analyst” looked to recruit someone who could “exploit development for personal computer and mobile device operating systems, including Android, BlackBerry, iPhone and iPad.”
A 2011 Bloomberg News exclusive (based on anonymous sources) provides a detailed description of
a service offered by one U.S. company, Endgame. It is worth quoting at length:
People who have seen the company pitch its technology – and who asked not to be named because the presentations were private – say Endgame executives will bring up maps of airports, parliament buildings, and corporate offices. The executives then create a list of the computers running inside the facilities, including what software the computers run, and a menu of attacks that could work against those particular systems. Endgame weaponry comes customized by region – the Middle East, Russia, Latin America, and China – with manuals, testing software, and “demo instructions.” There are even target packs for democratic countries in Europe and other U.S. allies. Maui (product names tend toward alluring warm-weather locales) is a package of 25 zero-day exploits that runs clients $2.5 million a year. The Cayman botnet-analytics package gets you access to a database of Internet addresses, organization names, and worm types for hundreds of millions of infected computers, and costs $1.5 million. A government or other entity could launch sophisticated attacks against just about any adversary anywhere in the world for a grand total of $6 million. Ease of use is a premium. It’s cyber warfare in a box.
A person who used to work for the company, and requested anonymity, gave me a look inside that box. When I asked him about the type of product that Endgame might sell and how it might work for a customer, he went away for a few minutes, hammered
on a keyboard at his computer, and produced a printout containing a long list of IP addresses of computers based in government ministries in Iran, all of which were “checking in” to a botnet he was carefully monitoring. Armed with this knowledge, he could have injected malware into those machines and had them all under his effective control. “That,” he said, pointing to the printout, “is the type of information a client – let’s say an adversary of Iran – would pay a lot to access on a regular basis.”
• • •
One of the better snapshots of
the cyber exploit and surveillance industry comes from a major trade show called the Intelligence Support Systems (ISS), something of a lightning rod for privacy activists. (Some of the WikiLeaks/Privacy International Spy Files were obtained at this trade show.) The ISS expo is restricted to defence, intelligence, and law enforcement agencies, but its public website provides summaries of the type of topics being discussed and products and services being marketed. The ISS World Middle East and North Africa expo, scheduled for March 2013 in Dubai, will feature the following panels and presenters: “Exploiting Computer and Mobile Vulnerabilities for Electronic Surveillance,” Chaouki Bekrar, CEO and Director of Vulnerability Research, VUPEN; “Challenging the IP Interception Problem: Know your enemy, use the right weapon!”, Murat Balaban, President, Inforcept Network; “Monitoring Social Networking Sites for Actionable Intelligence,” Nanda Kumar, Director, Paladion Networks; “Identify ‘Unknown’ Suspects Using Unique Movement Patterns Derived from High Accuracy, Historical Mass Geo-Location of Wireless Devices,” Bhavin Shah, VP Marketing and Business Development, Polaris Wireless – and, not to be outdone, this presentation from Gamma Group (of Egyptian “Electronic Penetration Department”
fame): “Governmental IT Intrusion: Applied hacking techniques used by government agencies,” MJM, Gamma Group.
The sponsors’ page for the trade show reads like a rogues’ gallery. Here are some highlights:
• • •
trovicor: headquartered in Munich, Germany and with affiliate offices in Europe, Middle East, Asia-Pacific, trovicor services “Law Enforcement and Government Agencies in the security sector with deployments in more than 100 countries.”
• • •
Al Fahad Group: providing national security solutions ranging from “Interception, mediation, comprehensive protocol decoding including webmail and web 2.0 services; evidence processing, forensics, fraud detection, surveillance and cyber intelligence … [a]cross our operations in the Middle East, North Africa and Europe.”
• • •
Hacking Team: “Proven by more than 10 years of worldwide adoption and designed to fulfill LEAS and Security Agencies higher expectations, newly released version 8 ‘Da Vinci’ gives you total control over endpoint devices.”
• • •
Polaris Wireless: “With commercial deployments in EMEA and APAC regions, our lawful and mass location intercept solutions are ideal for tracking known/unknown targets to within 50 meters including urban and indoor areas.”
• • •
Semptian Technologies: headquartered in Shenzhen, China, a cyber-monitoring expert in “providing the technical LI means to intercept Internet, PSTN fixed telephone and mobile phone networks … Semptian helps Law Enforcement
Agencies accomplish their missions such as criminal investigation, counter-terrorism, intelligence gathering and network security.”
The ISS is unabashed about the type of trade that takes place under its auspices, and leaves no stone unturned in defence of its practices. Tatiana Lucas, ISS’s world program director, for instance, wrote a letter to the editor of the
Wall Street Journal
taking issue with an article that exposed the trade fair and its implications for civil liberties. In a remarkably candid argument for greater commercial surveillance opportunities in the wake of the Arab Spring, Lucas said that criticism of the industry would hurt the U.S. economy, which would be left in the dust by others less shy about entering the market: “Based on our work with customers from around the globe, we expect that most countries outside the U.S. and Western Europe will begin to place intercept mandates on social networks, especially following the Arab Spring. This would give U.S. companies an opportunity to develop such tools and thus create jobs.”
As one might expect, given its cloistered character, the political economy of this cyber exploit, data mining, and surveillance industry is woven through with former staffers of the very agencies it serves – thousands of replicas of former NSA director Kenneth Minihan. For example, the Israeli intelligence services elite Unit 8200, responsible for that country’s advanced electronic warfare capabilities, has spawned numerous alumni who have gone on to create leading-edge companies in the cyber exploit and surveillance business. Many of them, like Gil Shwed, the CEO of Check Point Software Technologies, have become billionaires. Capitalizing on the cyber security boon, Check Point’s shares have risen more than 70 percent over the past two years. “It’s almost impossible to find a technology company in Israel without people from 8200, and in many cases the entrepreneur,
the manager, or the person who had an idea for the project will be from 8200,” says Yair Cohen, a former brigadier general who once commanded Unit 8200. In the United States, meanwhile, the
NSA partners with “cleared” universities to train students in cyber operations for intelligence, military, and law enforcement jobs. Though run at the universities, the programs are secret to all but a select group of faculty and students who pass the necessary national security clearances. The training generally includes offensive orientations: “We’re trying to create more of these, and yes they have to know some of the things that hackers know, they have to know a lot of other things too, which is why you really want a good university to create these people for you,” an NSA staffer told reporters. Indeed, a rotating cast of characters from the spook world is reinforced by norms of secrecy across the public and private sectors, while providing opportunities for business inside government agencies.
• • •
While most of these products
and services are manufactured or offered by North American and European companies, the market’s greatest opportunities may lie in the global South and East, where there is a potent combination of exponential technological growth and connectivity and autocratic regimes looking to shore up hierarchical controls against digitally mobilized populations. Although the shroud of secrecy is often difficult to penetrate (an already secretive industry combined with autocratic regimes leaves little public accountability).
Privacy International has identified at least thirty British companies that it believes have sold surveillance technologies to countries with shoddy human rights records – Syria, Iran, Yemen, Bahrain, et cetera – and it estimates the revenues of the global surveillance industry at $5 billion annually. In
August 2011, a French company, Amesys, sold deep packet inspection systems to the Gaddafi regime that were deployed by security services to monitor Libyan dissidents. The regime also purchased technology from China’s ZTE, and from a South African company, VASTech, capable of tapping into international phone calls. When asked to justify its sales to a regime that was murdering its own citizens, a spokesperson for the company said it sells “only to governments that are internationally recognized by the United Nations and are not subject to international sanctions.” Although the Gaddafi regime was finally ousted, and much of this cyber spying infrastructure shut down, insiders claim that the monitoring capabilities were quietly reactivated, and cellphones, emails, and chats are once again being systematically scrutinized.