Schneier on Security
A blog covering security and security technology.
« Gauss |
| Lessons From the FBI's Insider Threat Program »
March 19, 2013
Twenty five countries are using the FinSpy surveillance software package (also called FinFisher) to spy on their own citizens:
The list of countries with servers running FinSpy is now Australia, Bahrain, Bangladesh, Britain, Brunei, Canada, the Czech Republic, Estonia, Ethiopia, Germany, India, Indonesia, Japan, Latvia, Malaysia, Mexico, Mongolia, Netherlands, Qatar, Serbia, Singapore, Turkmenistan, the United Arab Emirates, the United States and Vietnam.
It's sold by the British company Gamma Group.
EDITED TO ADD (3/20): The report.
EDITED TO ADD (4/12): Some more links.
Posted on March 19, 2013 at 1:34 PM
• 22 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Thanks for the link, Bruce. If I wasn't already on some government watchdog list, I am now that I've poked around the Gamma Group's website. But I'm in good company, it seems.
Tom K, I'm sure just reading "Schneier on Security" is enough to get someone to open a file on you...
I don't think that for all countries that are in the list, the government is spying on their own citizens using this software. This just says that the servers are located in those countries.
Here are a few promo vids for FinSpy:
2. I personally love this one
"FinSpy is spyware sold by the Gamma Group, a British company that says it sells monitoring software to governments solely for criminal investigations." - the Gamma Group
“Let us not forget ... that everything Adolph Hitler did in Germany was ‘legal,’ and that everything the Freedom Fighters in Hungary did was ‘illegal.’” - Martin Luther King Jr
"most frequently used "against pedophiles, terrorists, organized crime, kidnapping and human trafficking.""
I do like how they roll out the buzzwords at every available opportunity.
I'm not sure attempts at a ban on sales to repressive regimes (they didn't say whether the US & the UK counted...) will help though. Far better to get this stuff labelled as malware and improve detection of that - or will we be told next that there's such a thing as legitimate spyware?
Of course, according to the US government everyone who doesn't bow down before Mordor on the Potomac is a "terrorist."
The message being that ordinary people indulging in such activities can and will go to jail, but that it is perfectly ok to do so if you manage to sell even one copy to a government organisation. I wonder what legislation/regulation is actually overseeing the products and services Gamma Group, HBGary and the like are offering.
@Jeff H: Good idea to classify such software as malware - but I don't think that the anti-malware industry will do so. Whitelisting might be a better protection approach, but it's not an easy task...
You probably want to read this if you haven't already
The Surveillance CatalogWhere governments get their tools
Documents obtained by The Wall Street Journal open a rare window into a new global market for the off-the-shelf surveillance technology that has arisen in the decade since the terrorist attacks of Sept. 11, 2001.
The techniques described in the trove of 200-plus marketing documents include hacking tools that enable governments to break into people’s computers and cellphones, and "massive intercept" gear that can gather all Internet communications in a country.
The documents—the highlights of which are cataloged and searchable here—were obtained from attendees of a secretive surveillance conference held near Washington, D.C., last month. Read more about the documents and see a list of agencies attending several such conferences (updated Feb. 7, 2012).
Above, a still image from a marketing video by FinFisher touting the brand's surveillance technology. Click "play" to learn more about what these documents reveal.
The documents fall into five general categories: hacking, intercept, data analysis, web scraping and anonymity. Below, explore highlights related to each type of surveillance, and search among selected documents.
Sources: Amazon and CIA ink cloud deal
"In a move sure to send ripples through the federal IT community, FCW has learned that the CIA has agreed to a cloud computing contract with electronic commerce giant Amazon, worth up to $600 million over 10 years."
@ i hate triangles!
And would that contract be to host services of their own or to spy on everybody else who's using AWS ?
@nobnop: Kaspersky has repeatedly declared that they will fight state-sponsored surveillance tools just like all other malware, back when the German spytoy, dubbed "Bundestrojaner" was ripped apart by the CCC (hard to tell whether the blatant violation of diverse laws or the exceptionally shoddy craftsmanship was more embarrassing). I don't know for sure how serious Kaspersky takes their claim, since I've never heard them publish any results from reverse-engineering this (or similar) government spyware.
Kaspersky's TDSSKiller didn't help eliminate a trojan virus, couldn't even run it since the damage was already done and control of the machine was lost. It was a brand new Dell on an enterprise network with updated Symantec everywhere in a large corporation with well-staffed IT dept. IT was 3 months before Symantec even issued an advisory. The drive had to be removed. I have Kaspersky on this machine and get updates all the time. I expect it would probably catch and protect from a third of the threats. Fortunately those it wouldn't snag are less common. But this? Good luck. When something is specifically tested in a lab to blow through the latest COTS stuff, forget it.
Any thoughts on how well the free/open-source ClamXAV detects FinSpy and similar quasi-state-sponsored threats?
Issue 1: The CNC server is saved as a variable
So it waits for a 168 second of network idle, send a packet to the server at a specific port and deletes the packet from the host machine.
Issue 2: In an older version the CNC server can delete the program remotely but it will also self delete if it loses the ability to send packets. you could cheat it if you disconnect from the network and reset the system clock. A different version did not have this.
Issue 3: at least 4 programmers made the backbone. One of them is not a native English speaker, probably learned to code in eastern Europe.
Issue 4: Anti-virus will catch the older versions but it can be adjusted to come in through java, adobe updates or email attachments
Big warning here. If it's like Novopay in good ol' NZ, anything might happen.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.