Black Code: Inside the Battle for Cyberspace
Page 21
A 2011 Bloomberg News exclusive (based on anonymous sources) provides a detailed description of a service offered by one U.S. company, Endgame. It is worth quoting at length:
People who have seen the company pitch its technology – and who asked not to be named because the presentations were private – say Endgame executives will bring up maps of airports, parliament buildings, and corporate offices. The executives then create a list of the computers running inside the facilities, including what software the computers run, and a menu of attacks that could work against those particular systems. Endgame weaponry comes customized by region – the Middle East, Russia, Latin America, and China – with manuals, testing software, and “demo instructions.” There are even target packs for democratic countries in Europe and other U.S. allies. Maui (product names tend toward alluring warm-weather locales) is a package of 25 zero-day exploits that runs clients $2.5 million a year. The Cayman botnet-analytics package gets you access to a database of Internet addresses, organization names, and worm types for hundreds of millions of infected computers, and costs $1.5 million. A government or other entity could launch sophisticated attacks against just about any adversary anywhere in the world for a grand total of $6 million. Ease of use is a premium. It’s cyber warfare in a box.
A person who used to work for the company, and requested anonymity, gave me a look inside that box. When I asked him about the type of product that Endgame might sell and how it might work for a customer, he went away for a few minutes, hammered on a keyboard at his computer, and produced a printout containing a long list of IP addresses of computers based in government ministries in Iran, all of which were “checking in” to a botnet he was carefully monitoring. Armed with this knowledge, he could have injected malware into those machines and had them all under his effective control. “That,” he said, pointing to the printout, “is the type of information a client – let’s say an adversary of Iran – would pay a lot to access on a regular basis.”
• • •
One of the better snapshots of the cyber exploit and surveillance industry comes from a major trade show called the Intelligence Support Systems (ISS), something of a lightning rod for privacy activists. (Some of the WikiLeaks/Privacy International Spy Files were obtained at this trade show.) The ISS expo is restricted to defence, intelligence, and law enforcement agencies, but its public website provides summaries of the type of topics being discussed and products and services being marketed. The ISS World Middle East and North Africa expo, scheduled for March 2013 in Dubai, will feature the following panels and presenters: “Exploiting Computer and Mobile Vulnerabilities for Electronic Surveillance,” Chaouki Bekrar, CEO and Director of Vulnerability Research, VUPEN; “Challenging the IP Interception Problem: Know your enemy, use the right weapon!”, Murat Balaban, President, Inforcept Network; “Monitoring Social Networking Sites for Actionable Intelligence,” Nanda Kumar, Director, Paladion Networks; “Identify ‘Unknown’ Suspects Using Unique Movement Patterns Derived from High Accuracy, Historical Mass Geo-Location of Wireless Devices,” Bhavin Shah, VP Marketing and Business Development, Polaris Wireless – and, not to be outdone, this presentation from Gamma Group (of Egyptian “Electronic Penetration Department” fame): “Governmental IT Intrusion: Applied hacking techniques used by government agencies,” MJM, Gamma Group.
The sponsors’ page for the trade show reads like a rogues’ gallery. Here are some highlights:
• • • trovicor: headquartered in Munich, Germany and with affiliate offices in Europe, Middle East, Asia-Pacific, trovicor services “Law Enforcement and Government Agencies in the security sector with deployments in more than 100 countries.”
• • • Al Fahad Group: providing national security solutions ranging from “Interception, mediation, comprehensive protocol decoding including webmail and web 2.0 services; evidence processing, forensics, fraud detection, surveillance and cyber intelligence … [a]cross our operations in the Middle East, North Africa and Europe.”
• • • Hacking Team: “Proven by more than 10 years of worldwide adoption and designed to fulfill LEAS and Security Agencies higher expectations, newly released version 8 ‘Da Vinci’ gives you total control over endpoint devices.”
• • • Polaris Wireless: “With commercial deployments in EMEA and APAC regions, our lawful and mass location intercept solutions are ideal for tracking known/unknown targets to within 50 meters including urban and indoor areas.”
• • • Semptian Technologies: headquartered in Shenzhen, China, a cyber-monitoring expert in “providing the technical LI means to intercept Internet, PSTN fixed telephone and mobile phone networks … Semptian helps Law Enforcement Agencies accomplish their missions such as criminal investigation, counter-terrorism, intelligence gathering and network security.”
The ISS is unabashed about the type of trade that takes place under its auspices, and leaves no stone unturned in defence of its practices. Tatiana Lucas, ISS’s world program director, for instance, wrote a letter to the editor of the Wall Street Journal taking issue with an article that exposed the trade fair and its implications for civil liberties. In a remarkably candid argument for greater commercial surveillance opportunities in the wake of the Arab Spring, Lucas said that criticism of the industry would hurt the U.S. economy, which would be left in the dust by others less shy about entering the market: “Based on our work with customers from around the globe, we expect that most countries outside the U.S. and Western Europe will begin to place intercept mandates on social networks, especially following the Arab Spring. This would give U.S. companies an opportunity to develop such tools and thus create jobs.”
As one might expect, given its cloistered character, the political economy of this cyber exploit, data mining, and surveillance industry is woven through with former staffers of the very agencies it serves – thousands of replicas of former NSA director Kenneth Minihan. For example, the Israeli intelligence services elite Unit 8200, responsible for that country’s advanced electronic warfare capabilities, has spawned numerous alumni who have gone on to create leading-edge companies in the cyber exploit and surveillance business. Many of them, like Gil Shwed, the CEO of Check Point Software Technologies, have become billionaires. Capitalizing on the cyber security boon, Check Point’s shares have risen more than 70 percent over the past two years. “It’s almost impossible to find a technology company in Israel without people from 8200, and in many cases the entrepreneur, the manager, or the person who had an idea for the project will be from 8200,” says Yair Cohen, a former brigadier general who once commanded Unit 8200. In the United States, meanwhile, the NSA partners with “cleared” universities to train students in cyber operations for intelligence, military, and law enforcement jobs. Though run at the universities, the programs are secret to all but a select group of faculty and students who pass the necessary national security clearances. The training generally includes offensive orientations: “We’re trying to create more of these, and yes they have to know some of the things that hackers know, they have to know a lot of other things too, which is why you really want a good university to create these people for you,” an NSA staffer told reporters. Indeed, a rotating cast of characters from the spook world is reinforced by norms of secrecy across the public and private sectors, while providing opportunities for business inside government agencies.
• • •
While most of these products and services are manufactured or offered by North American and European companies, the market’s greatest opportunities may lie in the global South and East, where there is a potent combination of exponential technological growth and connectivity and autocratic regimes looking to shore up hierarchical controls against digitally mobilized populations. Although the shroud of secrecy is often difficult to penetrate (an already secretive industry combined with autocratic regimes leaves little public accountability). Privacy International has identified at least thirty British companies that it believes have sold surveillance technologies to
countries with shoddy human rights records – Syria, Iran, Yemen, Bahrain, et cetera – and it estimates the revenues of the global surveillance industry at $5 billion annually. In August 2011, a French company, Amesys, sold deep packet inspection systems to the Gaddafi regime that were deployed by security services to monitor Libyan dissidents. The regime also purchased technology from China’s ZTE, and from a South African company, VASTech, capable of tapping into international phone calls. When asked to justify its sales to a regime that was murdering its own citizens, a spokesperson for the company said it sells “only to governments that are internationally recognized by the United Nations and are not subject to international sanctions.” Although the Gaddafi regime was finally ousted, and much of this cyber spying infrastructure shut down, insiders claim that the monitoring capabilities were quietly reactivated, and cellphones, emails, and chats are once again being systematically scrutinized.
In July 2011, the Washington Post reported on a U.S. Air Force contract solicitation for a surveillance system to be employed in Iraq, designed to intercept calls and messages in order “to assist in combating criminal organizations and insurgencies.” It specified that the product must be capable of maintaining a database of “a comprehensive catalog of targets, associates and relationships … With mapping overlays, it should have the ability to locate targets being monitored and a warning alarm of less than 10 minutes if two or more targets come within a defined distance of each other,” the Post reported. An Air Force spokesperson said that the technology is similar to that used by American federal and state law enforcement agencies, and that its use would be protected by Iraq’s “stringent surveillance laws.” A Human Rights Watch report disagreed, finding Iraq’s “information crime laws” to be “part of a broad effort by authorities to suppress peaceful dissent by criminalizing legitimate information sharing and networking activities.”
In 2012, an investigation undertaken by Swedish television producers uncovered a huge surveillance market in Central Asia being serviced by the Swedish Telecom giant TeliaSonera, which had allegedly enabled the governments of Belarus, Uzbekistan, Azerbaijan, Tajikistan, Georgia, and Kazakhstan to spy on journalists, union leaders, and members of the political opposition. One whistleblower told the producers, “The Arab Spring prompted the regimes to tighten their surveillance … There’s no limit to how much wiretapping is done, none at all.”
In October 2011, Bloomberg News provided a striking overview of the technologies used in Iran to quell dissent and create a climate of fear and self-censorship. As elsewhere, apprehended activists were routinely presented with transcripts of their mobile phone calls, emails, and text messages. After examining more than 100 documents and conducting dozens of interviews with technicians and managers who worked on the systems, Bloomberg concluded that the technology was provided to Iranian authorities by Stockholm-based Ericsson, Creativity Software of the United Kingdom, and Dublin-based AdaptiveMobile. Ericsson had pitched a sophisticated tracking system to the Iranian mobile operator MCI, which it said could assist law enforcement to track users and archive locations for later analysis. Nokia Siemens Networks faced an international “No to Nokia” boycott, EU Parliamentary hearings, and a lawsuit filed in U.S. courts (but eventually dismissed) by relatives of imprisoned Iranians for selling its communications intercept products to Iranian law enforcement. The Bloomberg story quotes an imprisoned activist, Mansoureh Shojaee, who was shown transcripts of her own communications while being interrogated in Tehran’s notorious Evin Prison: “My mobile phone was my enemy, my laptop was my enemy, my landline was my enemy,” she said.
On January 15, 2013, Citizen Lab researchers used a combination of technical interrogation methods to scan the Internet to look for signature evidence of censorship and surveillance devices associated with the American company, Blue Coat Systems. While our investigation was not exhaustive, what we did find raised alarm bells. We identified 61 Blue Coat ProxySG (designed for filtering and censorship) and Blue Coat PacketShaper devices (used for surveillance) on public or government networks in countries with a history of human rights abuses, surveillance, and censorship. Although both of the products have legitimate uses, their deployment in such contexts should be cause for everyone’s concern.
Bloomberg News and the Wall Street Journal have sections on their websites – “Wired for Repression” and “Censorship Inc.”, respectively – dedicated to the rapidly expanding cyber security industrial complex. Tools to track cellphones, deep packet inspection, social network analysis, and computer network attack and exploitation are being developed by firms the world over and sold to regimes seeking to isolate and arrest dissidents and activists, and to strengthen strangleholds over communications within their borders.
• • •
Can this market be regulated? Would export restrictions of the sort placed on advanced munitions make a difference?
In September 2011, the EU Parliament passed a resolution that bans the export of information technology systems that can be used “in connection with a violation of human rights, democratic principles or freedom of speech … by using interception technologies and digital data transfer devices for monitoring mobile phones and text messages and targeted surveillance of Internet use.” A strong and principled position, but far from flawless.
The same deep packet inspection systems used to spy on Libyan or Bahraini activists have legitimate purposes, like controlling against spam and other malicious flows of communication, but it is highly debatable that these functions are separated out by regimes and agencies not transparent about how they employ them. American political scientist Milton Mueller has argued, “The problem with this approach is that information technology, unlike bombs or tanks, is fundamentally multi-purpose in nature. You cannot isolate ‘bad’ information technology in order to control bad uses. There is no technical difference between the devices and services for digital surveillance used by the Chinese and Iranian governments and those used by the American, Canadian, French or British governments. The same capabilities inhere in all of them.”
Moreover, attempts to regulate do not get at the root of the problem – the demand for such technologies. And this brings us back to the responsibilities the West has in driving the cyber-security industrial complex forward in the first place. Since 9/11, and with unrelenting momentum, liberal democracies have moved towards the normalization of what Yale University law professor Jack Balkin calls “the national-surveillance state.” Whereas once it was fashionable to argue that the Internet would bring about the end of authoritarianism, how cyberspace is now being used and, more specifically, the new and emergent tools and tradecraft of surveillance and targeted attacks, suggest just the opposite. Summarizing Balkin’s concerns, a 2012 New Yorker essay reported that since 9/11 the U.S. has witnessed “the emergence of a vast security bureaucracy in which at least two and a half million people hold confidential, secret, or top secret clearances; huge expenditures on electronic monitoring, along with a reinterpretation of the law in order to sanction it; and corporate partnerships with the government that have transformed the counterterrorism industry into a powerful lobbying force.” More or less the same tendencies towards illiberal policies can be found in countries like Canada, across Europe, and parts of Asia. As long as law enforcement and intelligence agencies in such countries continue to drive demand, the cyber-security industrial complex will continue to expand worldwide and the surveillance society will be a fact of life at home and abroad.
• • •
July 2012. Bahrain’s already restrictive media controls are ratcheted up. Bloggers and activists are increasingly at risk, many of them arrested and sentenced to lengthy prison terms for criticizing the regime or using social media to organize opposition campaigns. Once again Bahraini activists report experiencing targeted phishing and malware attacks, some of genuine sophistication, and dissidents arrested by authorities are presented with transcripts of their own text messages during interrogations.
/> The Citizen Lab’s Morgan Marquis-Boire is contacted by Vernon Silver, a Bloomberg investigative journalist who has received what he believes is a high-grade trojan horse that has been menacing Bahrain’s Net dissidents. Marquis-Boire contacts the Lab’s security analyst Seth Hardy, a man who spent many years in the antivirus industry reverse-engineering sophisticated malicious software. What he sees is unprecedented in its complexity, its cloaking features “several orders of magnitude better than anything I have ever seen,” says Hardy. This produces palpable excitement in the Lab, and Marquis-Boire seeks me out on a secure channel of communications. He describes the malware’s sophisticated features, especially the way it masks itself within a computer, and then says that he was able to unravel a signature that connects the malware to its manufacturer. “We know who made it,” Marquis-Boire says. “We have proof that it is Gamma’s FinSpy.”
A zero day no more.
14.
Anonymous: Expect Us
But at this terminal point, where the automatic process is on the verge of creating a whole race of acquiescent and obedient human automatons, the forces of life have begun, sometimes stealthily, sometimes ostentatiously, to re-assert themselves in the only form that is left them: an explosive affirmation of the primal energies of the organism.
—Lewis Mumford, The Pentagon of Power
June 3, 2011. A video is posted on YouTube from those outlaws of the Net: Anonymous. It is a still image of a now-classic Anonymous poster: blue and black shading, a frightening looking lineup of men in suits topped with question marks where their heads should be. Hovering above is the overlord Guy Fawkes, brim down, covering his gaze in menacing fashion. Underneath, in large letters, is the caption “Expect Us.” A computerized voice-over, backed by a pulsating symphonic score, is addressed directly to the world’s largest and most formidable military alliance: “Good evening, NATO. We are Anonymous. It has come to our attention that a NATO draft report has classified Anonymous a potential threat to member states’ security, and that you seek retaliation against us.”