The Mozilla Foundation has sent a legal threat to Gamma International, a UK company that makes a product called "FinSpy" that is used by governments, including brutal dictatorships to spy on dissidents. FinSpy allows these governments to hijack their citizens' screens, cameras, hard-drives and keyboards. Gamma disguises this spyware as copies of Firefox, Mozilla's flagship free/open browser.

Gamma International markets its software as a “remote monitoring” program that government agencies can use to take control of computers and snoop on data and communications. In theory, it could be legitimately used for surveillance efforts by crime fighting agencies, but in practice, it has popped up as a spy tool unleashed against dissident movements operating against repressive regimes.

Citizen Lab researchers have seen it used against dissidents from Bahrain and Ethiopia. And in a new report, set to be released today, they’ve found it in 11 new countries: Hungary, Turkey, Romania, Panama, Lithuania, Macedonia, South Africa, Pakistan, Nigeria, Bulgaria, and Austria. That brings the total number of countries that have been spotted with FinFisher to 36.

To date, Citizen Lab researchers have found three samples of FinSpy that masquerades as Firefox, including a “demo” version of the spyware according to Morgan Marquis-Boire, a security researcher at the Citizen Lab, who works as a Google Security Engineer. Marquis-Boire says his work at Citizen Lab is independent from his day job at Google.

Mozilla Takes Aim at Spyware That Masquerades as Firefox [Robert McMillan/Wired]

Here's a must-read story from Tech Review about the thriving trade in "zero-day exploits" -- critical software bugs that are sold off to military contractors to be integrated into offensive malware, rather than reported to the manufacturer for repair. The stuff built with zero-days -- network appliances that can snoop on a whole country, even supposedly secure conversations; viruses that can hijack the camera and microphone on your phone or laptop; and more -- are the modern equivalent of landmines and cluster bombs: antipersonnel weapons that end up in the hands of criminals, thugs and dictators who use them to figure out whom to arrest, torture, and murder. The US government is encouraging this market by participating actively in it, even as it makes a lot of noise about "cyber-defense."

Exploits for mobile operating systems are particularly valued, says Soghoian, because unlike desktop computers, mobile systems are rarely updated. Apple sends updates to iPhone software a few times a year, meaning that a given flaw could be exploited for a long time. Sometimes the discoverer of a zero-day vulnerability receives a monthly payment as long as a flaw remains undiscovered. “As long as Apple or Microsoft has not fixed it you get paid,” says Soghioan.

No law directly regulates the sale of zero-days in the United States or elsewhere, so some traders pursue it quite openly. A Bangkok, Thailand-based security researcher who goes by the name “the Grugq” has spoken to the press about negotiating deals worth hundreds of thousands of dollars with government buyers from the United States and western Europe. In a discussion on Twitter last month, in which he was called an “arms dealer,” he tweeted that “exploits are not weapons,” and said that “an exploit is a component of a toolchain … the team that produces & maintains the toolchain is the weapon.”

The Grugq contacted MIT Technology Review to state that he has made no “public statement about exploit sales since the Forbes article.”

Some small companies are similarly up-front about their involvement in the trade. The French security company VUPEN states on its website that it “provides government-grade exploits specifically designed for the Intelligence community and national security agencies to help them achieve their offensive cyber security and lawful intercept missions.” Last year, employees of the company publicly demonstrated a zero-day flaw that compromised Google’s Chrome browser, but they turned down Google’s offer of a $60,000 reward if they would share how it worked. What happened to the exploit is unknown.

Welcome to the Malware-Industrial Complex [Tom Simonite/MIT Technology Review]

(via O'Reilly Radar)

In "Credibility ranking of tweets during high impact events," a paper published in the ACM's Proceedings of the 1st Workshop on Privacy and Security in Online Social Media , two Indraprastha Institute of Information Technology researchers describe the outcome of a machine-learning experiment that was asked to discover factors correlated with reliability in tweets during disasters and emergencies:

The number of unique characters present in tweet was positively correlated to credibility, this may be due to the fact that tweets with hashtags, @mentions and URLs contain more unique characters. Such tweets are also more informative and linked, and hence credible. Presence of swear words in tweets indicates that it contains the opinion / reaction of the user and would have less chances of providing informa- tion about the event. Tweets that contain information or are reporting facts about the event, are impersonal in nature, as a result we get a negative correlation of presence of pronouns in credible tweets. Low number of happy emoticons [:-), :)] and high number of sad emoticons [:-(, :(] act as strong predictors of credibility. Some of the other important features (p-value < 0.01) were inclusion of a URL in the tweet, number of followers of the user who tweeted and presence of negative emotion words. Inclusion of URL in a tweet showed a strong positive correlation with credibility, as most URLs refer to pictures, videos, resources related to the event or news articles about the event.

Of course, this is all non-adversarial: no one is trying to trick a filter into mis-assessing a false account as a true one. It's easy to imagine an adversarial tweet-generator that suggests rewrites to deliberately misleading tweets to make them more credible to a filter designed on these lines. This is actually the substance of one of the cleverest science fiction subplots I've read: in Peter Watt's Behemoth, in which a self-modifying computer virus randomly hits on the strategy of impersonating communications from patient zero in a world-killing pandemic, because all the filters allow these through. It's a premise that's never stopped haunting me: the co-evolution of a human virus and a computer virus.

Credibility Ranking of Tweets during High Impact Events [PDF] (via /.)

Yesterday, noted security researcher (and Google employee) Tavis Ormandy published his discovery that Ubisoft's UPlay DRM installs a browser plugin that leaves your computer terribly vulnerable to drive-by attacks over the Internet. The plugin is meant to allow Ubisoft to start games on your computer over the Internet, but it lacks an effective authentication mechanism. This means that an attacker could check your browser to see if you have Ubisoft's DRM installed, and if it finds it, cause the plugin to run malicious software that hijacks your computer.

An early report on Hacker News characterized this as a "rootkit," which triggered a long (and tedious) debate about the formal definition of rootkits and whether Ubisoft's system qualified. To me, this seems rather beside the point, which is that Ubisoft's overall installation process involves a high degree of secrecy and obfuscation, because none of Ubisoft's users want DRM (some may not mind it, but it's a rare gamer who says, "Please install software on my computer that watches what I do and orders my computer to prevent me from doing things that displease a distant corporation"). As a result, security vulnerabilities that arise from sloppiness (or malice) are more difficult to discover and to put right.

PC Gamer got a rare and terse quote from Ubisoft on the issue, in which the company says it is "looking into" the issue, later updated with the statement that a "forced patch" has been issued to fix the issue (though this claim hasn't been independently verified by any source I can find).

There's more commentary on TorrentFreak, which places the DRM in context -- "seen as an essential part of life for many games developers." The Slashdot thread on the issue is lively, but also full of deeply misinformed legal speculation about which laws Ubisoft may or may not have broken in the process.

Security researchers from AVG were decompiling a trojan -- it had been originally posted to a Diablo III forum, masquerading as a how-to video -- when the malware's author popped up in a window on their screen. It turned out that the trojan had a built-in chat, as well as a screen-capture facility. The hacker who wrote the malware saw them working on defeating her or his virus and decided to tell them off for their audacity. Franklin Zhao and Jason Zhou, the AVG researchers, wrote up their experience:

The dialog is not from any software installed in our virtual machine. On the contrary, it’s an integrated function of the backdoor and the message is sent from the hacker who wrote the Trojan. Amazing, isn’t it? It seems that the hacker was online and he realized that we were debugging his baby...

We felt interested and continued to chat with him. He was really arrogant.

Chicken: I didn’t know you can see my screen.

Hacker: I would like to see your face, but what a pity you don’t have a camera.

He is telling the truth. This backdoor has powerful functions like monitoring victim’s screen, mouse controlling, viewing process and modules, and even camera controlling.

We then chatted with hacker for some time, pretending that we were green hands and would like to buy some Trojan from him. But this hacker was not so foolish to tell us all the truth. He then shut down our system remotely.

Have you ever chatted with a Hacker within a virus? (via JWZ)