This story is reminiscent of arms trading where governments and companies sell their weapons to other countries in the name of “good intentions” but then turn a blind eye to the misuse of their sales. Now new weapons are being marketed and sold around the world. These weapons are hacking tools that enable governments to break into people’s computers and cellphones and “massive intercept” gear that can gather all Internet communications in a country. These hacking tools are “falling” into the wrong hands or being misused (to spy on citizens).
Companies making and selling this gear say it is intended to catch criminals and is available only to governments and law enforcement. They say they obey export laws and aren’t responsible for how the tools are used. There goes that blind eye.
Documents obtained by The Wall Street Journal open a rare window into a new global market for off-the-shelf surveillance technology. More than 200 marketing documents, spanning 36 companies, were obtained from those who attended a secretive surveillance conference held near Washington, D.C., last month. TeleStrategies holds ISS (Intelligence Support Systems) World conferences worldwide. The one near Washington, D.C., caters mainly to U.S., Canadian, Caribbean and Latin American authorities. The annual conference in Dubai has long served as a chance for Middle Eastern nations to meet companies hawking surveillance gear.
The Journal uncovered an Internet surveillance center installed by a French firm in Libya and reported that software made by Britain’s Gamma International UK Ltd. had been used in Egypt to intercept dissidents’ Skype conversations. In October, a U.S. company that makes Internet-filtering gear acknowledged to the Journal that its devices were being used in Syria.
Among the most controversial technologies on display at the conference were what are essentially computer-hacking tools that enable government agents to break into people’s computers and cellphones, log their keystrokes and access their data. Although hacking techniques are generally illegal in the U.S., law enforcement can use them with an appropriate warrant.
The documents showed that at least three companies (Vupen Security SA of France, HackingTeam SRL of Italy and Gamma’s FinFisher) marketed their skill at the kinds of techniques often used in “malware,” the software used by criminals trying to steal people’s financial or personal details. The goal is to overcome the fact that most surveillance techniques are “useless against encryption and can’t reach information that never leaves the device,” Marco Valleri, offensive-security manager at HackingTeam, said in an interview. “We can defeat that.”
Representatives of HackingTeam said they tailor their products to the laws of the country where they are being sold. The firm’s products include an auditing system that aims to prevent misuse by officials. HackingTeam also asks government customers to sign a license in which they agree not to provide the technology to unauthorized countries. Oh, now I feel better knowing government customers signed a piece of paper.
Vupen, which gave a presentation at the conference on “exploiting computer and mobile vulnerabilities for electronic surveillance,” said its tools take advantage of security holes in computers or cellphones that manufacturers aren’t yet aware of. Vupen’s marketing documents describe its researchers as “dedicated” to finding “unpatched vulnerabilities” in software created by Microsoft Corp., Apple Inc. and others. On its website, the company offered attendees a “free Vupen exploit sample” that relied on an already-patched security hole.
The documents for FinFisher, a Gamma product, say it works by “sending fake software updates for popular software.” In one example, FinFisher says intelligence agents deployed its products “within the main Internet service provider of their country” and infected people’s computers by “covertly injecting” FinFisher code on websites that people then visited. The company also claims to have allowed an intelligence agency to trick users into downloading its software onto BlackBerry mobile phones “to monitor all communications, including [texts], email and BlackBerry Messenger.” Its marketing documents say its programs enable spying using devices and software from Apple, Microsoft, and Google Inc., among others.
Documents discovered in Egypt earlier this year indicated that Gamma’s Egyptian reseller was offering FinFisher systems there for about $560,000. Gamma’s lawyer told the Journal in April that it never sold the products to Egypt’s government.
Privacy advocates say manufacturers should be more transparent about their activities. Eric King of the U.K. nonprofit Privacy International said “the complex network of supply chains and subsidiaries involved in this trade allows one after the other to continually pass the buck and abdicate responsibility.”
At the trade conferences held in Washington and Dubai this year, Journal reporters were prevented by organizers from attending sessions or entering the exhibition halls. My guess is that ISS World will ban reporters from their future conferences. Why would the public need to know how their governments are spying on them?
The Wall Street Journal’s online article provides a link to an online catalog of these companies’ marketing materials, which may interest TSCM-L list members. Here is that direct link:
Read the full article at WSJ