Entries Tagged "spyware"

Page 8 of 11

More on Hacking Team's Government Spying Software

Hacking Team is an Italian malware company that sells exploit tools to governments. Both Kaspersky Lab and Citizen Lab have published detailed reports on its capabilities against Android, iOS, Windows Mobile, and BlackBerry smart phones.

They allow, for example, for covert collection of emails, text messages, call history and address books, and they can be used to log keystrokes and obtain search history data. They can take screenshots, record audio from the phones to monitor calls or ambient conversations, hijack the phone’s camera to snap pictures or piggyback on the phone’s GPS system to monitor the user’s location. The Android version can also enable the phone’s Wi-Fi function to siphon data from the phone wirelessly instead of using the cell network to transmit it. The latter would incur data charges and raise the phone owner’s suspicion.

[…]

Once on a system, the iPhone module uses advance techniques to avoid draining the phone’s battery, turning on the phone’s microphone, for example, only under certain conditions.

“They can just turn on the mic and record everything going on around the victim, but the battery life is limited, and the victim can notice something is wrong with the iPhone, so they use special triggers,” says Costin Raiu, head of Kaspersky’s Global Research and Analysis team.

One of those triggers might be when the victim’s phone connects to a specific WiFi network, such as a work network, signaling the owner is in an important environment. “I can’t remember having seen such advanced techniques in other mobile malware,” he says.

Hacking Team’s mobile tools also have a “crisis” module that kicks in when they sense the presence of certain detection activities occurring on a device, such as packet sniffing, and then pause the spyware’s activity to avoid detection. There is also a “wipe” function to erase the tool from infected systems.

Hacking Team claims to sell its tools only to ethical governments, but Citizen Lab has found evidence of their use in Saudi Arabia. It can’t be certain the Saudi government is a customer, but there’s good circumstantial evidence. In general, circumstantial evidence is all we have. Citizen Lab has found Hacking Team servers in many countries, but it’s a perfectly reasonable strategy for Country A to locate its servers in Country B.

And remember, this is just one example of government spyware. Assume that the NSA—as well as the governments of China, Russia, and a handful of other countries—have their own systems that are at least as powerful.

Posted on June 26, 2014 at 6:37 AMView Comments

RCS Spyware and Citizen Lab

Remote-Controlled System (RCS) is a piece of spyware sold exclusively to governments by a Milan company called Hacking Team. Recently, Citizen Lab found this spyware being used by the Ethiopian government against journalists, including American journalists.

More recently, Citizen Lab mapped the software and who’s using it:

Hacking Team advertises that their RCS spyware is “untraceable” to a specific government operator. However, we claim to identify a number of current or former government users of the spyware by pinpointing endpoints, and studying instances of RCS that we have observed. We suspect that agencies of these twenty-one governments are current or former users of RCS: Azerbaijan, Colombia, Egypt, Ethiopia, Hungary, Italy, Kazakhstan, Korea, Malaysia, Mexico, Morocco, Nigeria, Oman, Panama, Poland, Saudi Arabia, Sudan, Thailand, Turkey, UAE, and Uzbekistan.

Both articles on the Citizen Lab website are worth reading; the details are fascinating. And more are coming.

Finally, congratulations to Citizen Lab for receiving a 2014 MacArthur Award for Creative and Effective Institutions, along with the $1M prize. This organization is one of the good guys, and I’m happy to see it get money to continue its work.

Posted on February 20, 2014 at 9:19 AMView Comments

"The Mask" Espionage Malware

We’ve got a new nation-state espionage malware. “The Mask” was discovered by Kaspersky Labs:

The primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organizations and activists. Victims of this targeted attack have been found in 31 countries around the world—from the Middle East and Europe to Africa and the Americas.

The main objective of the attackers is to gather sensitive data from the infected systems. These include office documents, but also various encryption keys, VPN configurations, SSH keys (serving as a means of identifying a user to an SSH server) and RDP files (used by the Remote Desktop Client to automatically open a connection to the reserved computer).

“Several reasons make us believe this could be a nation-state sponsored campaign. First of all, we observed a very high degree of professionalism in the operational procedures of the group behind this attack. From infrastructure management, shutdown of the operation, avoiding curious eyes through access rules and using wiping instead of deletion of log files. These combine to put this APT ahead of Duqu in terms of sophistication, making it one of the most advanced threats at the moment,” said Costin Raiu, Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab. “This level of operational security is not normal for cyber-criminal groups.”

It’s been in operation, undetected, for at least seven years.

As usual, we infer the creator of the malware from the target list.

We counted over 380 unique victims between 1000+ IPs. Infections have been observed in: Algeria, Argentina, Belgium, Bolivia, Brazil, China, Colombia, Costa Rica, Cuba, Egypt, France, Germany, Gibraltar, Guatemala, Iran, Iraq, Libya, Malaysia, Mexico, Morocco, Norway, Pakistan, Poland, South Africa, Spain, Switzerland, Tunisia, Turkey, United Kingdom, United States and Venezuela.

Based on the prevalence of Spanish-speaking victims, the number of infected victims in Morocco, and the fact that Gibraltar is on the list, that implies Spain is behind this one. My guess is that soon countries will start infecting uninteresting targets in order to deflect blame, but that they still think they’re immune from discovery. So Spain, if it is you, attack a few sites in the Falklands next time—and use a separate tool for Morocco.

There are several news articles.

Posted on February 11, 2014 at 6:57 AMView Comments

More on FinSpy/FinFisher

FinFisher (also called FinSpy) is a commercially sold spyware package that is used by governments world-wide, including the U.S. There’s a new report that has a bunch of new information:

Our new findings include:

  • We have identified FinFisher Command & Control servers in 11 new Countries. Hungary, Turkey, Romania, Panama, Lithuania, Macedonia, South Africa, Pakistan, Nigeria, Bulgaria, Austria.
  • Taken together with our previous research, we can now assert that FinFisher Command & Control servers are currently active, or have been present, in 36 countries.
  • We have also identified a FinSpy sample that appears to be specifically targeting Malay language speakers, masquerading as a document discussing Malaysia’s upcoming 2013 General Elections.
  • We identify instances where FinSpy makes use of Mozilla’s Trademark and Code. The latest Malay-language sample masquerades as Mozilla Firefox in both file properties and in manifest. This behavior is similar to samples discussed in some of our previous reports, including a demo copy of the product, and samples targeting Bahraini activists.

Mozilla has sent them a cease and desist letter for using their name and code.

News story.

Here’s my previous post on the spyware.

Posted on May 2, 2013 at 6:50 AMView Comments

Hacking Brain-Computer Interfaces

In this fascinating piece of research, the question is asked: can we surreptitiously collect secret information from the brains of people using brain-computer interface devices? One article:

A team of security researchers from Oxford, UC Berkeley, and the University of Geneva say that they were able to deduce digits of PIN numbers, birth months, areas of residence and other personal information by presenting 30 headset-wearing subjects with images of ATM machines, debit cards, maps, people, and random numbers in a series of experiments. The paper, titled “On the Feasibility of Side-Channel Attacks with Brain Computer Interfaces,” represents the first major attempt to uncover potential security risks in the use of the headsets.

This is a new development in spyware.

EDITED TO ADD (9/6): More articles. And here’s a discussion of the pros and cons of this sort of technology.

Posted on September 5, 2012 at 6:06 AMView Comments

Carrier IQ Spyware

Spyware on many smart phones monitors your every action, including collecting individual keystrokes. The company that makes and runs this software on behalf of different carriers, Carrier IQ, freaked when a security researcher outed them. It initially claimed it didn’t monitor keystrokes—an easily refuted lie—and threatened to sue the researcher. It took EFF getting involved to get the company to back down. (A good summary of the details is here. This is pretty good, too.)

Carrier IQ is reacting really badly here. Threatening the researcher was a panic reaction, but I think it’s still clinging to the notion that it can keep the details of what it does secret, or hide behind such statements such as:

Our customers select which metrics they need to gather based on their business need—such as network planning, customer care, device performance—within the bounds of the agreement they form with their end users.

Or hair-splitting denials it’s been giving to the press.

In response to some questions from PCMag, a Carrier IQ spokeswoman said “we count and summarize performance; we do not record keystrokes, capture screen shots, SMS, email, or record conversations.”

“Our software does not collect the content of messages,” she said.

How then does Carrier IQ explain the video posted by Trevor Eckhart, which showed an Android-based phone running Carrier IQ in the background and grabbing data like encrypted Google searches?

“While ‘security researchers’ have identified that we examine many aspects of a device, our software does not store or transmit what consumers view on their screen or type,” the spokeswoman said. “Just because every application on your phone reads the keyboard does not make every application a key-logging application. Our software measures specific performance metrics that help operators improve the customer experience.”

The spokeswoman said Carrier IQ would record the fact that a text message was sent correctly, for example, but the company “cannot record what the content of the SMS was.” Similarly, Carrier IQ records where you were when a call dropped, but cannot record the conversation, and can determine which applications drain battery life but cannot capture screen shots, she said.

Several things matter here: 1) what data the CarrerIQ app collects on the handset, 2) what data the CarrerIQ app routinely transmits to the carriers, and 3) what data can the CarrierIQ app transmit to the carrier if asked. Can the carrier enable the logging of everything in response to a request from the FBI? We have no idea.

Expect this story to unfold considerably in the coming weeks. Everyone is pointing fingers of blame at everyone else, and Sen. Franken has asked the various companies involved for details.

One more detail is worth mentioning. Apple announced it no longer uses CarrierIQ in iOS5. I’m sure this means that they have their own surveillance software running, not that they’re no longer conducting surveillance on their users.

EDITED TO ADD (12/14): This is an excellent round-up of everything known about CarrierIQ.

Posted on December 5, 2011 at 6:05 AMView Comments

Sears Spies on its Customers

It’s not just hackers who steal financial and medical information:

Between April 2007 and January 2008, visitors to the Kmart and Sears web sites were invited to join an “online community” for which they would be paid $10 with the idea they would be helping the company learn more about their customers. It turned out they learned a lot more than participants realized or that the feds thought was reasonable.

To join the “My SHC Community,” users downloaded software that ended up grabbing some members’ prescription information, emails, bank account data and purchases on other sites.

Reminds me of the 2005 Sony rootkit, which—oddly enough—is in the news again too:

After purchasing an Anastacia CD, the plaintiff played it in his computer but his anti-virus software set off an alert saying the disc was infected with a rootkit. He went on to test the CD on three other computers. As a result, the plaintiff ended up losing valuable data.

Claiming for his losses, the plaintiff demanded 200 euros for 20 hours wasted dealing with the virus alerts and another 100 euros for 10 hours spent restoring lost data. Since the plaintiff was self-employed, he also claimed for loss of profits and in addition claimed 800 euros which he paid to a computer expert to repair his network after the infection. Added to this was 185 euros in legal costs making a total claim of around 1,500 euros.

The judge’s assessment was that the CD sold to the plaintiff was faulty, since he should be able to expect that the CD could play on his system without interfering with it.

The court ordered the retailer of the CD to pay damages of 1,200 euros.

Posted on September 24, 2009 at 6:37 AMView Comments

Building in Surveillance

China is the world’s most successful Internet censor. While the Great Firewall of China isn’t perfect, it effectively limits information flowing in and out of the country. But now the Chinese government is taking things one step further.

Under a requirement taking effect soon, every computer sold in China will have to contain the Green Dam Youth Escort software package. Ostensibly a pornography filter, it is government spyware that will watch every citizen on the Internet.

Green Dam has many uses. It can police a list of forbidden Web sites. It can monitor a user’s reading habits. It can even enlist the computer in some massive botnet attack, as part of a hypothetical future cyberwar.

China’s actions may be extreme, but they’re not unique. Democratic governments around the world—Sweden, Canada and the United Kingdom, for example—are rushing to pass laws giving their police new powers of Internet surveillance, in many cases requiring communications system providers to redesign products and services they sell.

Many are passing data retention laws, forcing companies to keep information on their customers. Just recently, the German government proposed giving itself the power to censor the Internet.

The United States is no exception. The 1994 CALEA law required phone companies to facilitate FBI eavesdropping, and since 2001, the NSA has built substantial eavesdropping systems in the United States. The government has repeatedly proposed Internet data retention laws, allowing surveillance into past activities as well as present.

Systems like this invite criminal appropriation and government abuse. New police powers, enacted to fight terrorism, are already used in situations of normal crime. Internet surveillance and control will be no different.

Official misuses are bad enough, but the unofficial uses worry me more. Any surveillance and control system must itself be secured. An infrastructure conducive to surveillance and control invites surveillance and control, both by the people you expect and by the people you don’t.

China’s government designed Green Dam for its own use, but it’s been subverted. Why does anyone think that criminals won’t be able to use it to steal bank account and credit card information, use it to launch other attacks, or turn it into a massive spam-sending botnet?

Why does anyone think that only authorized law enforcement will mine collected Internet data or eavesdrop on phone and IM conversations?

These risks are not theoretical. After 9/11, the National Security Agency built a surveillance infrastructure to eavesdrop on telephone calls and e-mails within the United States.

Although procedural rules stated that only non-Americans and international phone calls were to be listened to, actual practice didn’t always match those rules. NSA analysts collected more data than they were authorized to, and used the system to spy on wives, girlfriends, and famous people such as President Clinton.

But that’s not the most serious misuse of a telecommunications surveillance infrastructure. In Greece, between June 2004 and March 2005, someone wiretapped more than 100 cell phones belonging to members of the Greek government—the prime minister and the ministers of defense, foreign affairs and justice.

Ericsson built this wiretapping capability into Vodafone’s products, and enabled it only for governments that requested it. Greece wasn’t one of those governments, but someone still unknown—a rival political party? organized crime?—figured out how to surreptitiously turn the feature on.

Researchers have already found security flaws in Green Dam that would allow hackers to take over the computers. Of course there are additional flaws, and criminals are looking for them.

Surveillance infrastructure can be exported, which also aids totalitarianism around the world. Western companies like Siemens, Nokia, and Secure Computing built Iran’s surveillance infrastructure. U.S. companies helped build China’s electronic police state. Twitter’s anonymity saved the lives of Iranian dissidents—anonymity that many governments want to eliminate.

Every year brings more Internet censorship and control—not just in countries like China and Iran, but in the United States, the United Kingdom, Canada and other free countries.

The control movement is egged on by both law enforcement, trying to catch terrorists, child pornographers and other criminals, and by media companies, trying to stop file sharers.

It’s bad civic hygiene to build technologies that could someday be used to facilitate a police state. No matter what the eavesdroppers and censors say, these systems put us all at greater risk. Communications systems that have no inherent eavesdropping capabilities are more secure than systems with those capabilities built in.

This essay previously appeared—albeit with fewer links—on the Minnesota Public Radio website.

Posted on August 3, 2009 at 6:43 AMView Comments

"Scareware" Vendors Sued

This is good:

Microsoft Corp. and the state of Washington this week filed lawsuits against a slew of “scareware” purveyors, scam artists who use fake security alerts to frighten consumers into paying for worthless computer security software.

The case filed by the Washington attorney general’s office names Texas-based Branch Software and its owner James Reed McCreary IV, alleging that McCreary’s company caused targeted PCs to pop up misleading security alerts about security threats on the victims’ computers. The alerts warned users that their systems were “damaged and corrupted” and instructed them to visit a Web site to purchase a copy of Registry Cleaner XP for $39.95.

I would have thought that existing scam laws would be enough, but Washington state actually has a specific law about this sort of thing:

The lawsuits were filed under Washington’s Computer Spyware Act, which among other things punishes individuals who prey on user concerns regarding spyware or other threats. Specifically, the law makes it illegal to misrepresent the extent to which software is required for computer security or privacy, and it provides actual damages or statutory damages of $100,000 per violation, whichever is greater.

Posted on October 2, 2008 at 7:03 AMView Comments

1 6 7 8 9 10 11

Sidebar photo of Bruce Schneier by Joe MacInnis.