Helping Governments Hack Terrorists, Criminals—and Political Opponents


http://www.technologyreview.com/featuredstory/543991/the-growth-industry-helping-governments-hack-terrorists-criminals-and-political/#comments





The Growth Industry Helping Governments Hack Terrorists, Criminals?and
Political Opponents



?It looked very suspicious,? M says of an anonymous e-mail she and several
other journalists received late in 2014. It promised a scoop about a
government scandal, but something just didn?t sit right with her. Soon
after, strange things started happening on her computer. ?I remember
clearly not being able to connect via Skype to give an interview about
torture,? she says. ?There was somehow interference and I had to use
someone else?s phone.?



After passing a file attached to the e-mail to security experts, M learned
that she and her coworkers had been targeted with Remote Control System
(RCS), a sophisticated piece of spying software developed by a small
Italian company called Hacking Team. Later, she would find out that it was
being used against her by her own government, which likely objected to her
reporting. M spoke on condition of anonymity because she fears further
reprisals.



M is just one of probably thousands of people who have been hacked with RCS
by intelligence and law enforcement agencies that have bought the software.
As governments and police departments increase their use of such tools in
coming years, there?s reason to think that not only criminals and people
who have antagonized an authoritarian government should worry.



After the recent attacks in Paris, figures such as CIA director John
Brennan and New York City police commissioner Bill Bratton complained that
encryption is neutralizing conventional search and surveillance techniques.
That feeling, shared by some European authorities, may deliver a sales
boost to RCS, which Hacking Team pitches as a solution to the encryption
?problem? because hacking a person?s phone or computer can reveal protected
data. And it will help Hacking Team?s competitors. Experts tracking the
company say it is just the best-known of many that sell hacking tools that
can let even local police use techniques once reserved for national
intelligence agencies.



What we know about Hacking Team shows that this new approach is fraught
with technological, moral, and legal issues getting scant attention even as
access to these tools becomes standard. As they become more widely
available to law enforcement agencies, abuses are likelier to occur.
?Before hacking trickles down from the FBI to state and local law
enforcement agencies, we urgently need to debate if and how such
surveillance tools should be used,? says Christopher Soghoian, principal
technologist at the American Civil Liberties Union.



Offensive pivot



Hacking Team was founded in 2003 as a more traditional cybersecurity outfit
by CEO David Vincenzetti, who emerged from the 1990s community of
encryption experts and enthusiasts that also incubated Julian Assange of
Wikileaks. Corporations hired Hacking Team to test their computer networks
for weaknesses, with early clients including Deutsche Bank and Barclays.



A few years later, however, Vincenzetti switched the company to focus on
offense rather than defense. Hacking Team started selling software that
could infiltrate people?s computers and smuggle out their data without
their noticing. Its main product became a package called RCS, the software
used to target M.



RCS can infect both PCs and mobile devices. It can copy files from your
hard drive, listen in on Skype calls and instant messages, read e-mails
before they?ve been encrypted, capture passwords typed into a Web browser,
and turn on the microphone and camera to watch or listen to you.



The program can infect a device by taking advantage of security flaws in
operating systems and other software; Hacking Team either discovers these
vulnerabilities itself or pays other companies for knowledge of them. RCS
can get onto a computer through a malware-laden e-mail, as in M?s case, or
by someone covertly getting physical access to a device. Some customers
deploy RCS by installing a device called a Network Injection Appliance at
an Internet service provider, which can steer a targeted person?s Web
browser to a phony Web page that smuggles RCS onto his or her system.
Customers pay Hacking Team for the software and a system of proxies that
keep their communications with the software?and their investigations?under
wraps. They also get comprehensive technical support. ?The value that
they?re adding is the training, consultancy, and ease of use that they can
offer to any agent who is unfamiliar with computers,? said Edin Omanovic, a
research officer at Privacy International, who

 has tracked the surveillance industry.



The Italian authorities were among the first clients for RCS, and mafia
leaders among the first targets. But Hacking Team rapidly expanded beyond
its domestic market, promising customers in slick video ads that they
would, among other things, be empowered to ?overcome encryption and capture
relevant data.?



In 2006, Spain?s spying agency, the CNI, signed up, followed two years
later by its counterparts in Singapore and Hungary. Before long, Saudi
Arabia, Mexico, Egypt, Sudan, Russia, and Kazakhstan had purchased Hacking
Team?s tools for their security agencies. The FBI and some other U.S.
agencies also bought licenses for RCS. A wide range of local and even
university police forces have also asked Hacking Team to demonstrate its
tools. E-mails obtained via the Freedom of Information Act by MuckRock show
an ordinary sheriff?s office in Florida worrying it couldn?t ?survive?
without RCS after seeing a demo, although a sale was never made.



Some of Hacking Team?s customers have used RCS in troubling ways. In 2012,
the University of Toronto?s Citizen Lab, which investigates how computer
security affects human rights, found that Hacking Team software had been
used by the United Arab Emirates government to infect the PC of a political
dissident and by the Ethiopian government to break into the computers of
journalists working in the United States. ?We found some fucked-up stuff,?
says Claudio Guarnieri, a security researcher who worked with Citizen Lab
on a number of its reports.



Many details about Hacking Team and its clients come from documents
released after the company was itself hacked this July. An internal
spreadsheet, dated May 2015, suggests that 6,550 individual devices?phones
or computers?may have been infected with RCS since 2008. In all, the
company sold to around 70 different customers, including governments, which
provided over 40 million euros (more than $44 million) in revenue.



Having its dirty laundry aired online didn?t seem to pose too much of a
problem for Hacking Team?s business, though, and no customers publicly
distanced themselves from the company. ?Clients have stuck with us, because
I think they recognize the value of what we do, and the superiority of the
product,? says company spokesman Eric Rabe. (The CEO, Vincenzetti, declined
to be interviewed.)



    Even having its dirty laundry aired online didn?t seem to pose too much
of a problem for Hacking Team?s business. No customers publicly distanced
themselves from the company.



There is a great deal of competition, however, from small hacking shops and
large government contractors alike. Gamma International, a company with
offices in Germany and the U.K., offers a tool similar to RCS called
FinFisher. It has been bought by government agencies and police forces in
Australia, Belgium, and Italy. FinFisher was also used by the Bahraini
government to target activists, and by the government of Uganda, which
Privacy International says used it to blackmail political opponents. Gamma
was hacked in 2014 and, like Hacking Team, this year had internal files
leaked online but didn?t appear to suffer much. CitizenLab reports that it
has gained customers.



Omanovic says that he knows of around 16 companies that sell products
similar to Hacking Team?s. Two weeks prior to our interview he had found
another firm based in Israel, and two months before that a new one in South
Africa. Guarnieri, who worked with Citizen Lab, thinks there are many more.
?I think the most important ones, in terms of size of business and customer
base, are still to be revealed,? he says. ?They haven?t really got much
attention, maybe just because they?ve been better at not getting busted.?



Unchecked power



In the U.S., use of tools like RCS to access a person?s data are governed
by the Fourth Amendment and the rules of criminal procedure, which means
the FBI needs a warrant before it can hack your computer. But the U.S.
Department of Justice is in the process of tweaking the rules for securing
warrants for ?remote access? searches in a way that the American Civil
Liberties Union and Google have both complained could significantly widen
their use.



When police get access to new surveillance technologies, they are often
quickly deployed before any sort of oversight is in place to regulate their
use. In the United States, the abuse of Stingrays?devices that sweep up
information from cell phones in given area?has become common. For example,
the sheriff of San Bernadino County, near Los Angeles, deployed them over
300 times without a warrant in the space of less than two years. That
problem is only being addressed now, years after it emerged, with the FBI
now requiring a warrant to use Stingrays, and efforts underway to force
local law enforcement to do the same. It?s easy to imagine a similar
pattern of abuse with hacking tools, which are far more powerful and
invasive than other surveillance technologies that police currently use.



Soghoian, the ACLU technologist, believes that a public and political
discussion about the power of hacking tools and their growing use by
authorities is desperately needed. ?I think that many Americans would be
shocked to learn that the government can take over their webcam (without
the indicator light turning on), or remotely activate the microphone in
their laptop or phone,? he says.



It is unlikely that Congress or its equivalents in other Western nations
are about to take up the debate Soghoian wants. After recent attacks by the
Islamic State and its sympathizers, interest in empowering intelligence and
law enforcement is only increasing. And an attempt to limit the sale of
tools like RCS to governments with poor human rights records has already
faltered. Late in 2013, an arms control pact signed by the U.S. and 40
other countries, the Wassenaar Arrangement, was updated to restrict the
export of surveillance technology to certain governments. But the proposed
rules in the U.S. were laid to rest after security researchers protested
they were too broad and would restrict vital work needed to keep the
Internet secure.



The close relationship between vendors of hacking tools and national
intelligence and crime agencies might also confer some immunity to
regulation. Internal e-mails from Hacking Team show that it met with
military officials after the Italian government halted exports of RCS over
human rights concerns. The ban was soon lifted.



Guarnieri worries that we are sleepwalking toward a world in which the sale
and use of such tools is taken for granted. ?If in 10 years we have 50
Hacking Teams in Italy ? sabotaging secure operating systems, finding ways
to make security software meaningless, that creates a stack of problems
that we?re never going to address because it?s been legitimized,? he says.



We appear to have arrived at a crossroads for surveillance without society
being much aware, let alone getting to choose the path taken. That has
downsides even for people lucky enough to live in places with good civil
rights protections. People like M, targeted by her own government for
spreading truths it found inconvenient, can only hope that companies like
Hacking Team might show some restraint about who they sell to.



Rabe, the company?s spokesman, suggests that?s the case: ?Society has
always expected law enforcement to conduct surveillance of suspects in
order to keep us all safe from fraud, theft, bodily harm, terrorism, and
other crimes,? he said in a statement. ?Hacking Team provides tools
exclusively to government?to be used with appropriate safeguards?that can
bypass the encryption routinely employed by criminals and terrorists to
attack us. ?



But security researchers aren?t buying it. ?I believe that one could start
a responsible company that sells intrusion solutions,? says Bill Marczak, a
senior research fellow from Citizen Lab. ?Would such a company have any
customers? I don?t know.?






__._,_.___
------------------------------
Posted by: "Beowulf" <[email protected]>
------------------------------


Visit Your Group
<https://groups.yahoo.com/neo/groups/grendelreport/info;_ylc=X3oDMTJmaGNqZGViBF9TAzk3MzU5NzE0BGdycElkAzIwMTk0ODA2BGdycHNwSWQDMTcwNTMyMzY2NwRzZWMDdnRsBHNsawN2Z2hwBHN0aW1lAzE0NDk4NTk1NzA->


[image: Yahoo! Groups]
<https://groups.yahoo.com/neo;_ylc=X3oDMTJlbjJxMjYyBF9TAzk3NDc2NTkwBGdycElkAzIwMTk0ODA2BGdycHNwSWQDMTcwNTMyMzY2NwRzZWMDZnRyBHNsawNnZnAEc3RpbWUDMTQ0OTg1OTU3MQ-->
• Privacy <https://info.yahoo.com/privacy/us/yahoo/groups/details.html> •
Unsubscribe <[email protected]?subject=Unsubscribe>
• Terms of Use <https://info.yahoo.com/legal/us/yahoo/utos/terms/>

__,_._,___

-- 
-- 
Thanks for being part of "PoliticalForum" at Google Groups.
For options & help see http://groups.google.com/group/PoliticalForum

* Visit our other community at http://www.PoliticalForum.com/  
* It's active and moderated. Register and vote in our polls. 
* Read the latest breaking news, and more.

--- 
You received this message because you are subscribed to the Google Groups 
"PoliticalForum" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to