The Mozilla Foundation has sent a legal threat to Gamma International, a UK company that makes a product called "FinSpy" that is used by governments, including brutal dictatorships to spy on dissidents. FinSpy allows these governments to hijack their citizens' screens, cameras, hard-drives and keyboards. Gamma disguises this spyware as copies of Firefox, Mozilla's flagship free/open browser.
Gamma International markets its software as a “remote monitoring” program that government agencies can use to take control of computers and snoop on data and communications. In theory, it could be legitimately used for surveillance efforts by crime fighting agencies, but in practice, it has popped up as a spy tool unleashed against dissident movements operating against repressive regimes.
Citizen Lab researchers have seen it used against dissidents from Bahrain and Ethiopia. And in a new report, set to be released today, they’ve found it in 11 new countries: Hungary, Turkey, Romania, Panama, Lithuania, Macedonia, South Africa, Pakistan, Nigeria, Bulgaria, and Austria. That brings the total number of countries that have been spotted with FinFisher to 36.
To date, Citizen Lab researchers have found three samples of FinSpy that masquerade as Firefox, including a “demo” version of the spyware, according to Morgan Marquis-Boire, a security researcher at the Citizen Lab who works as a Google Security Engineer. Marquis-Boire says his work at Citizen Lab is independent from his day job at Google.
Mozilla Takes Aim at Spyware That Masquerades as Firefox [Robert McMillan/Wired]
Here's a must-read story from Tech Review about the thriving trade in "zero-day exploits" -- critical software bugs that are sold off to military contractors to be integrated into offensive malware, rather than reported to the manufacturer for repair. The stuff built with zero-days -- network appliances that can snoop on a whole country, even supposedly secure conversations; viruses that can hijack the camera and microphone on your phone or laptop; and more -- are the modern equivalent of landmines and cluster bombs: antipersonnel weapons that end up in the hands of criminals, thugs and dictators who use them to figure out whom to arrest, torture, and murder. The US government is encouraging this market by participating actively in it, even as it makes a lot of noise about "cyber-defense."
Exploits for mobile operating systems are particularly valued, says Soghoian, because unlike desktop computers, mobile systems are rarely updated. Apple sends updates to iPhone software a few times a year, meaning that a given flaw could be exploited for a long time. Sometimes the discoverer of a zero-day vulnerability receives a monthly payment as long as a flaw remains undiscovered. “As long as Apple or Microsoft has not fixed it you get paid,” says Soghoian.
No law directly regulates the sale of zero-days in the United States or elsewhere, so some traders pursue it quite openly. A Bangkok, Thailand-based security researcher who goes by the name “the Grugq” has spoken to the press about negotiating deals worth hundreds of thousands of dollars with government buyers from the United States and western Europe. In a discussion on Twitter last month, in which he was called an “arms dealer,” he tweeted that “exploits are not weapons,” and said that “an exploit is a component of a toolchain … the team that produces & maintains the toolchain is the weapon.”
The Grugq contacted MIT Technology Review to state that he has made no “public statement about exploit sales since the Forbes article.”
Some small companies are similarly up-front about their involvement in the trade. The French security company VUPEN states on its website that it “provides government-grade exploits specifically designed for the Intelligence community and national security agencies to help them achieve their offensive cyber security and lawful intercept missions.” Last year, employees of the company publicly demonstrated a zero-day flaw that compromised Google’s Chrome browser, but they turned down Google’s offer of a $60,000 reward if they would share how it worked. What happened to the exploit is unknown.
Welcome to the Malware-Industrial Complex [Tom Simonite/MIT Technology Review]
(via O'Reilly Radar)
In "Credibility ranking of tweets during high impact events," a paper published in the ACM's Proceedings of the 1st Workshop on Privacy and Security in Online Social Media, two Indraprastha Institute of Information Technology researchers describe the outcome of a machine-learning experiment that was asked to discover factors correlated with reliability in tweets during disasters and emergencies:
The number of unique characters present in a tweet was positively correlated to credibility; this may be due to the fact that tweets with hashtags, @mentions and URLs contain more unique characters. Such tweets are also more informative and linked, and hence credible. Presence of swear words in tweets indicates that it contains the opinion / reaction of the user and would have less chances of providing information about the event. Tweets that contain information or are reporting facts about the event are impersonal in nature; as a result we get a negative correlation of presence of pronouns in credible tweets. Low number of happy emoticons [:-), :)] and high number of sad emoticons [:-(, :(] act as strong predictors of credibility. Some of the other important features (p-value < 0.01) were inclusion of a URL in the tweet, number of followers of the user who tweeted and presence of negative emotion words. Inclusion of URL in a tweet showed a strong positive correlation with credibility, as most URLs refer to pictures, videos, resources related to the event or news articles about the event.
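The surface features the paper lists (unique characters, URLs, hashtags, @mentions, emoticons, pronouns, swear and negative-emotion words) are all computable from the tweet text alone. The extractor below is an added example, not code from the paper or its authors; the sample tweets and the tiny swear/negative-word lexicons are constructed placeholders, and the paper's learned model is not reproduced here, only the feature computation that would feed one.

```python
import re
from dataclasses import dataclass, astuple

# Constructed sample tweets (not from the paper's dataset).
SAMPLE_TWEETS = [
    "Bridge on Main St closed after flooding, photos: http://example.invalid/flood #storm @citynews",
    "omg I can't believe this, so scared :( :(",
    "lol this is fake, don't believe it :) damn",
]

URL_RE = re.compile(r"https?://\S+")
HASHTAG_RE = re.compile(r"#\w+")
MENTION_RE = re.compile(r"@\w+")
HAPPY_RE = re.compile(r":-?\)")   # the paper's happy emoticons :-) and :)
SAD_RE = re.compile(r":-?\(")     # the paper's sad emoticons :-( and :(
PRONOUNS = {"i", "me", "my", "we", "us", "our", "you", "your"}
SWEAR_WORDS = {"damn", "hell", "crap"}                  # placeholder lexicon
NEGATIVE_WORDS = {"scared", "afraid", "sad", "terrible"}  # placeholder lexicon


@dataclass
class TweetFeatures:
    unique_chars: int
    n_urls: int
    n_hashtags: int
    n_mentions: int
    n_happy: int
    n_sad: int
    n_pronouns: int
    n_swear: int
    n_negative: int

    def as_vector(self) -> list:
        # Plain numeric vector in field order, ready for any classifier.
        return list(astuple(self))


def extract_features(text: str) -> TweetFeatures:
    """Compute the paper's text-derived credibility features for one tweet."""
    words = re.findall(r"[a-z']+", text.lower())
    return TweetFeatures(
        unique_chars=len(set(text)),
        n_urls=len(URL_RE.findall(text)),
        n_hashtags=len(HASHTAG_RE.findall(text)),
        n_mentions=len(MENTION_RE.findall(text)),
        n_happy=len(HAPPY_RE.findall(text)),
        n_sad=len(SAD_RE.findall(text)),
        n_pronouns=sum(w in PRONOUNS for w in words),
        n_swear=sum(w in SWEAR_WORDS for w in words),
        n_negative=sum(w in NEGATIVE_WORDS for w in words),
    )


if __name__ == "__main__":
    for tweet in SAMPLE_TWEETS:
        print(extract_features(tweet))
```

Every feature this function computes is chosen by whoever writes the tweet, which is the adversarial weakness discussed in the following paragraph: the one feature in the paper's list that the text does not carry, the author's follower count, would have to come from the account metadata, and a filter built on these lines should weight account-side signals accordingly.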
Of course, this is all non-adversarial: no one is trying to trick a filter into mis-assessing a false account as a true one. It's easy to imagine an adversarial tweet-generator that suggests rewrites to deliberately misleading tweets to make them more credible to a filter designed on these lines. This is actually the substance of one of the cleverest science fiction subplots I've read: in Peter Watts's Behemoth, a self-modifying computer virus randomly hits on the strategy of impersonating communications from patient zero in a world-killing pandemic, because all the filters allow these through. It's a premise that's never stopped haunting me: the co-evolution of a human virus and a computer virus.
Credibility Ranking of Tweets during High Impact Events [PDF]
Russian security firm Kaspersky Lab claims to have uncovered a new "cyber-espionage toolkit" designed by the same people behind the state-sponsored Flame malware that infiltrated machines in Iran. The researchers claim this new malware has been found infecting systems in other countries in the Middle East, and targets online financial systems. More at Wired Threat Level. They're calling this one "Gauss." — Xeni
Yesterday, noted security researcher (and Google employee) Tavis Ormandy published his discovery that Ubisoft's UPlay DRM installs a browser plugin that leaves your computer terribly vulnerable to drive-by attacks over the Internet. The plugin is meant to allow Ubisoft to start games on your computer over the Internet, but it lacks an effective authentication mechanism. This means that an attacker could check your browser to see if you have Ubisoft's DRM installed, and if it finds it, cause the plugin to run malicious software that hijacks your computer.
An early report on Hacker News characterized this as a "rootkit," which triggered a long (and tedious) debate about the formal definition of rootkits and whether Ubisoft's system qualified. To me, this seems rather beside the point, which is that Ubisoft's overall installation process involves a high degree of secrecy and obfuscation, because none of Ubisoft's users want DRM (some may not mind it, but it's a rare gamer who says, "Please install software on my computer that watches what I do and orders my computer to prevent me from doing things that displease a distant corporation"). As a result, security vulnerabilities that arise from sloppiness (or malice) are more difficult to discover and to put right.
PC Gamer got a rare and terse quote from Ubisoft on the issue, in which the company says it is "looking into" the issue, later updated with the statement that a "forced patch" has been issued to fix the issue (though this claim hasn't been independently verified by any source I can find).
There's more commentary on TorrentFreak, which places the DRM in context -- "seen as an essential part of life for many games developers." The Slashdot thread on the issue is lively, but also full of deeply misinformed legal speculation about which laws Ubisoft may or may not have broken in the process.
Security researchers from AVG were decompiling a trojan -- it had been originally posted to a Diablo III forum, masquerading as a how-to video -- when the malware's author popped up in a window on their screen. It turned out that the trojan had a built-in chat, as well as a screen-capture facility. The hacker who wrote the malware saw them working on defeating her or his virus and decided to tell them off for their audacity. Franklin Zhao and Jason Zhou, the AVG researchers, wrote up their experience:
The dialog is not from any software installed in our virtual machine. On the contrary, it’s an integrated function of the backdoor and the message is sent from the hacker who wrote the Trojan. Amazing, isn’t it? It seems that the hacker was online and he realized that we were debugging his baby...
We felt interested and continued to chat with him. He was really arrogant.
Chicken: I didn’t know you can see my screen.
Hacker: I would like to see your face, but what a pity you don’t have a camera.
He is telling the truth. This backdoor has powerful functions like monitoring victim’s screen, mouse controlling, viewing process and modules, and even camera controlling.
We then chatted with hacker for some time, pretending that we were green hands and would like to buy some Trojan from him. But this hacker was not so foolish to tell us all the truth. He then shut down our system remotely.
Have you ever chatted with a Hacker within a virus?
The Moscow-based security firm credited with solving various mysteries around Stuxnet and Duqu today announced the discovery of Flame, a data-stealing virus said to have lurked on thousands of computers in the Mideast for as long as 5 years. A Kaspersky Lab spokesperson described it in a Reuters interview as "the most complex piece of malicious software discovered to date."
Adds Bruce Sterling, "Given that this has been out in the wild for a couple of years now, what’s five times bigger than 'Flame' and even less understood?"
Writing today at Wired News, Kim Zetter reports that Flame is believed to be "part of a well-coordinated, ongoing, state-run cyberespionage operation."
Kaspersky has a FAQ about Flame, here.
(Image: Kaspersky Labs)
Dancho Danchev reports an incident in which a friend pinged him at an odd hour on Skype "with a message pointing to what appeared to be a photo site with the message 'hahahahaha foto' and a link to hxxp://random_subdomain.photalbum.org." Yup, malware. The Poison Ivy trojan is spreading across Skype. [webroot via Joseph Menn] — Xeni
An "Intelligence Note" from the Internet Crime Complaint Center (IC3) today warns that "malicious actors are targeting travelers abroad through pop-up windows while establishing an Internet connection in their hotel rooms." This vulnerability isn't really new, but a recent string of reports follow a common pattern. Details here. (via @producermatthew) — Xeni
A fake PDF purporting to contain information on "the formation of the leadership council of the Syrian revolution" is circulating. As the Electronic Frontier Foundation's Eva Galperin and Morgan Marquis-Boire report, it's bad news for people who install it.
The latest surveillance malware comes in the form of an extracting file which is made to look like a PDF if you have file extensions turned off. The PDF purports to be a document concerning the formation of the leadership council of the Syrian revolution and is delivered via Skype message from a known friend. The malware installs a remote administration tool called DarkComet RAT, which can capture webcam activity, disable the notification setting for certain antivirus programs, record key strokes, steal passwords, and more. It sends this data back to the same IP address in Syrian IP space that was used in several previous attacks, including the attacks reported by CNN in February, the Xtreme RAT Trojan EFF reported in March, and this sample from March 21st.
Syrian Internet users should be extremely cautious about clicking on suspicious-looking links, or downloading documents over Skype, even if the document purportedly comes from a friend.
Campaign Targeting Syrian Activists Escalates with New Surveillance Malware
Carl Malamud sez, "Paul Vixie tells a real-life action adventure about the DNS Changer and Conficker plagues that are still active on the Internet and how he ended up running a center for disease control in addition to his day job. His day job, in case you're not familiar with isc.org, consists of helping keep the DNS going and as a sideline hosting a lot of important software and services like Mozilla, the Internet Archive, and many others (and a few lightweight low-volume clients like public.resource.org)."
Since the original court order that authorized ISC to install and operate these replacement DNS servers was due to expire on March 9 2012, a new DNS Changer Working Group (DCWG) was formed to handle victim notification and remediation. We had roughly four months to identify and notify the half a million or so DNS Changer victims, and to help these victims clean up their infected computers. Many victims would have to reinstall Windows on their computers — which at first was the only sure cure for this particular infection. On top of that, many of the victims have had their DSL or Cable modems ("home routers") reconfigured by the DNS Changer malware, so that they were using ISC's replacement DNS servers even if none of their computers are still infected and even if none of their computers were running Windows. Most Internet users do not have the skills necessary to check and repair the configuration of their home routers, and most Windows users are also unwilling to reinstall Windows. So, even when we could identify and notify a victim, we had a hard time "closing the deal".
We didn't make it. When March 9 2012 loomed, we still had hundreds of thousands of victims dependent on ISC's replacement DNS servers. Therefore the FBI asked the judge for an extension and we were given four more months. No fooling around this time, there won't be another extension, it's now or never, put up or shut up, etc. Noting that no private company or individual can legally operate this replacement DNS service on the open Internet unless they have a judge's permission to do so, many ISP's are now starting up replacement DNS servers inside their own networks, accessible only by their own customers, in order to control the risks they would otherwise face on July 9 2012 when the second and final court order is due to expire. But that kind of risk management isn't the same as cleaning up the problem. I don't think we want to "kick this can down the road". If an ISP wants to run a replacement DNS server for the purpose of forcibly breaking these computers, in small batches, to get their owners to call in and ask for help, that's one thing. But if it's just going to be a new permanent service that the ISP offers to these customers, count me as "opposed."
We as a digital society are much better at strategies for coping than we are at strategies for remediation.
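Vixie's point that victims cannot tell whether their hosts or their home routers point at the rogue (later, replacement) resolvers is a check that can be automated. The script below is an added example, not ISC's or the DCWG's tooling: it parses a resolv.conf-style file, flags any nameserver inside a list of suspect ranges, and, when every configured resolver is a local address such as the router's LAN IP, reports that the verdict has to come from the router's own upstream configuration rather than from the host. The ranges and the sample file are constructed placeholders; the real DNS Changer ranges published by the FBI and the DCWG would be substituted for an actual check.

```python
import ipaddress

# Placeholder ranges (RFC 5737 documentation space); substitute the
# resolver ranges published for the incident being checked.
SUSPECT_RESOLVER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample: one resolver inside a suspect range, one outside.
SAMPLE_RESOLV_CONF = """# constructed sample resolv.conf
nameserver 192.0.2.53
nameserver 8.8.8.8
search home.lan
"""


def parse_resolv_conf(text: str) -> list:
    """Return the nameserver addresses from resolv.conf-style text."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # skip malformed entries rather than failing
    return servers


def flag_suspect_resolvers(servers, ranges=SUSPECT_RESOLVER_RANGES) -> list:
    """Addresses (as strings) that fall inside any suspect range."""
    return [str(s) for s in servers if any(s in net for net in ranges)]


def assess_host(resolv_conf_text: str, ranges=SUSPECT_RESOLVER_RANGES) -> dict:
    """Classify a host's resolver configuration.

    'suspect'      - a configured resolver is in a suspect range
    'check-router' - only local (LAN) resolvers configured; the router's
                     upstream DNS setting decides and must be checked there
    'clean'        - public resolvers configured, none in a suspect range
    """
    servers = parse_resolv_conf(resolv_conf_text)
    suspect = flag_suspect_resolvers(servers, ranges)
    local_only = bool(servers) and all(s.is_private for s in servers)
    if suspect:
        verdict = "suspect"
    elif local_only:
        verdict = "check-router"
    else:
        verdict = "clean"
    return {"verdict": verdict, "suspect": suspect,
            "servers": [str(s) for s in servers]}


if __name__ == "__main__":
    print(assess_host(SAMPLE_RESOLV_CONF))
```

The "check-router" outcome is the case Vixie describes: a host that looks clean because it only ever talks to 192.168.x.x is still a victim if the router forwards to a rogue resolver, so the same range check has to be applied to the DNS servers the router reports (or to the resolver that actually answers a test query from inside the network).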
Brian Krebs has been through the support forums for the "Citadel" trojan, a piece of commercial malicious software (spun out from the notorious ZeuS trojan) you can buy and use to take over other people's computers to make botnets for sending spam or taking down websites with traffic-floods. The fun-loving crooks running Citadel take their customers' satisfaction very seriously, so they've established an efficient trouble-ticket system to help solve any support problems that arise.
The Citadel trojan deactivates itself in the presence of computers running Russian or Ukrainian keyboard layouts. Krebs explains, "This feature is almost certainly a hedge to keep the developers out of trouble: Authorities in those regions are far less likely to pursue the Trojan’s creators if there are no local victims."
“We have created for you a special system — call it the social network for our customers. Citadel CRM Store allows you to take part in product development in the following ways:
- Report bugs and other errors in software. All tickets are looked at by technical support; you will receive a timely response to your questions. No more trying to reach the author via ICQ or Jabber.
- Each client has the right to create an unlimited number of applications within the system. Requests can contain suggestions on a new module or improvements of an existing module. Such requests can be public or private.
- Each client has a right to vote on new ideas suggested by other members and offer his/her price for development of the enhancement/module. The decision is made by the developers on whether to go forward with a certain enhancement or new module depending on the voting results.
- Each client has the right to comment on any application and talk to any member. Now it is going to be interesting for you to find partners and like-minded people and also to take active part in discussions with the developers.
‘Citadel’ Trojan Touts Trouble-Ticket System
Ars Technica has a small gallery of the latest Wikileaks dump, consisting of brochures from companies that sell malicious software to governments for use in spying on their citizens. I spoke at length with one of the sources for these and we agreed that it was freakishly weird and scary -- I've spent the past two months in a bit of a paranoid stupor as a result. On the other hand, I have seen enough product brochures to know that companies often stretch the truth when they're pimping their products, and I wouldn't expect truth-in-advertising ethics from vichy nerds that specialize in violating the UN Declaration of Human Rights.
One product marketed by HackingTeam is the Remote Control System, malware that infects computers and smartphones in order to enable covert surveillance. The company says that its trojan can intercept encrypted communication, including Skype voice calls. They prominently advertise the fact that the malware can be installed remotely. They say that it can scale up to monitor "hundreds of thousands of targets" and is capable of being deployed to Apple, Android, Symbian, and Blackberry mobile devices.
Gallery: how the surveillance industry markets spyware to governments
More revelations on the official police-spread malware that Germany's Chaos Computer Club discovered in the wild and reverse engineered: pretty much everything the German police said in their defense turns out to be a lie. Another trojan has been uncovered, and it confirms the German police's depraved indifference and incompetence in their cyberwar efforts.
Chaos Computer Club analyzes new German government spyware
The excuses vary from "trial" to "prototype", DigiTask still insisted on October 11th 2011 to its governmental customers, that almost all problems are being solved in newer versions. The manufacturer DigiTask and the authorities view the functionality of code-reloading as a "natural need", for which the implication of fundamental rights violation is relative in any way. It serves a purpose, and therefore the aim justifies the means.
Therefore, the CCC now presents a more detailed technical documentation of a newer version of the "Staatstrojaner" from the year 2010. The testimony of DigiTask is the basis of a detailed report that serves as a euphemistic attempt to conceal its illegal nature. At the same time, both disassembled versions of the Trojan, commented by the CCC, were made publicly available in order to ensure the traceability of the findings and to facilitate further research by interested parties.
“Even during the last three years, the authorities and their providers were clearly not capable of developing a 'Staatstrojaner' which would meet the minimum of requirements for juridical evidence, basic law compliance and security against manipulation,” a CCC spokesperson summed up about the new findings. “For these concrete and principal reasons, it is logical not to expect that this would succeed in the future.”