Preliminary analysis of Hacking Team's slides

by arma | July 7, 2015

A few weeks ago, Hacking Team was bragging publicly about a Tor Browser exploit. We've learned some details of their proposed attack from a leaked powerpoint presentation that was part of the Hacking Team dump.

The good news is that they don't appear to have any exploit on Tor or on Tor Browser. The other good news is that their proposed attack doesn't scale well. They need to put malicious hardware on the local network of their target user, which requires choosing their target, locating her, and then arranging for the hardware to arrive in the right place. So it's not really practical to launch the attack on many Tor users at once.

But they actually don't need an exploit on Tor or Tor Browser. Here's the proposed attack in a nutshell:

1) Pick a target user (say, you), figure out how you connect to the Internet, and install their attacking hardware on your local network (e.g. inside your ISP).

2) Wait for you to browse the web without Tor Browser, i.e. with some other browser like Firefox or Chrome or Safari, and then insert some sort of exploit into one of the web pages you receive (maybe the Flash 0-day we learned about from the same documents, or maybe some other exploit).

3) Once they've taken control of your computer, they configure your Tor Browser to use a socks proxy on a remote computer that they control. In effect, rather than using the Tor client that's part of Tor Browser, you'll be using their remote Tor client, so they get to intercept and watch your traffic before it enters the Tor network.

You have to stop them at step two, because once they've broken into your computer, they have many options for attacking you from there.

Their proposed attack requires Hacking Team (or your government) to already have you in their sights. This is not mass surveillance — this is very targeted surveillance.

Another answer is to run a system like Tails, which avoids interacting with any local resources. In this case there should be no opportunity to insert an exploit from the local network. But that's still not a complete solution: some coffeeshops, hotels, etc. will demand that you interact with their local login page before you can access the Internet. Tails includes what they call their 'unsafe' browser for these situations, and you're at risk during that brief period when you use it.

Ultimately, security here comes down to having safer browsers. We continue to work on ways to make Tor Browser more resilient against attacks, but the key point here is that they'll go after the weakest link on your system — and at least in the scenarios they describe, Tor Browser isn't the weakest link.

As a final point, note that this is just a powerpoint deck (probably a funding pitch), and we've found no indication yet that they ever followed through on their idea.

We'll update you with more information if we learn anything further. Stay safe out there!

Comments

July 08, 2015

In reply to arma

Just use a gender-neutral term, this doesn't make sense at all, replacing a male pronoun with a female one... what?

July 08, 2015

In reply to arma

Also, unlike English, many languages actually have a gender distinction in most of their speech. So, for me for example, it was not weird to read "her".

July 08, 2015

Would running Tor Browser in Sandboxie prevent the exploit from taking over a computer, if you delete the Sandbox contents every time you finish an internet session?

Maybe! But also maybe not -- if they break into your computer some other way (like through your Internet Explorer), then they could in theory change your Sandboxie program so it no longer does what you think it does.

July 11, 2015

In reply to arma

well, tor browser does not help if your computer is compromised - end of game.
just as using cloud services or any other commercial hosting.

Based on how the exploit is supposed to work, you don't need to sandbox Tor Browser; you need to sandbox any other browser you use.

Also, I would rather not trust Sandboxie given that it is closed-source...

Another idea (instead of sandboxing or possibly even alongside) would be installing and configuring the Microsoft Exploit Mitigation Experience Toolkit EMET for both your unsafe browser and also the Tor Browser.

Thereby any Tor process (i.e. the browser process itself and the Tor service) and browser plugins (e.g. the Flash plugin runs as a separate process; be aware that any Flash update creates a differently named exe file, so that EMET needs to be manually updated each time a new Flash version is installed) shall be manually added to your EMET guarded applications (or processes).

E.g. EMET enforces memory address randomization (mitigating the success rate of buffer overflow exploits), the usage of signed operating system APIs (preventing method injections), and much more. The amount of security-related features differs with your Windows operating system (i.e. there are more and more effective security-related features supported on Windows 8.1 and 10 than with older versions of Windows). Also: EMET extends the sandboxing features of Internet Explorer over the standard sandboxing, but you need to enable these extended features inside the Internet Explorer preferences menu (after installing EMET).

EMET seems to be very effective in mitigating the effectiveness of most exploits.

EMET is great, but you need to keep upgrading it manually and maintaining it by adding new processes to the list and checking in all the mitigations. Not hard, but still something that most users just won't do.

Sandboxing, either with Sandboxie or with other options, is also great, though again it needs some tweaking and configuration. Generally you want to insulate the TBB and only allow communication with the Tor daemon.

Or just use Tails, Qubes or Whonix.

July 08, 2015

Could Tor Browser be made more resilient, and end users more aware of potential shenanigans, if it warned the user at startup of deviations from the defaults in connectivity settings?

This might be a good idea, to detect if somebody did the particular proposed changes here. But in the general case, if they've broken into your computer, they could corrupt your Tor Browser to not actually do any integrity checks. This is why I said you have to stop them at the 'break into your computer' step.
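Step 3 of the proposed attack in the post (pointing Tor Browser at a SOCKS proxy on a machine the attacker controls) and the commenter's suggestion above (warn when connectivity settings deviate from the defaults) both come down to the same check: does the profile's proxy configuration still point at the bundled tor on localhost? The script below is an added example written for this page, not Tor Project code and not something Tor Browser ships. It assumes the Firefox preference names `network.proxy.type`, `network.proxy.socks`, `network.proxy.socks_port` and `network.proxy.socks_remote_dns`, and that a stock Tor Browser expects `127.0.0.1:9150` (check the value on your own install). The sample `prefs.js` contents and the address `203.0.113.10` are constructed for the demonstration. As arma notes, an attacker who already owns the machine can defeat any such check, so treat it as a tripwire for the specific reconfiguration described, not as a guarantee.

```python
"""Check a Tor Browser profile's proxy preferences against the stock values.

Added example for this page; not Tor Project code. The expected values below
are assumptions about a stock Tor Browser install (bundled tor on 127.0.0.1:9150).
"""
import re
import sys
from pathlib import Path

# Stock Tor Browser proxy preferences (Firefox pref names). Assumption: the
# bundled tor listens on 127.0.0.1:9150; adjust if your install differs.
EXPECTED_PROXY_PREFS = {
    "network.proxy.type": 1,                 # 1 = manual proxy configuration
    "network.proxy.socks": "127.0.0.1",      # SOCKS host must be the local tor
    "network.proxy.socks_port": 9150,
    "network.proxy.socks_remote_dns": True,  # names resolve through Tor, never locally
}

# Other proxy prefs a stock Tor Browser has no reason to set (an HTTP/SSL proxy
# or a PAC URL would let traffic bypass the bundled tor).
UNEXPECTED_PROXY_PREFS = (
    "network.proxy.http", "network.proxy.ssl", "network.proxy.ftp",
    "network.proxy.autoconfig_url",
)

# Matches lines such as: user_pref("network.proxy.socks", "127.0.0.1");
PREF_LINE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_value(raw: str):
    """Turn the textual pref value into a Python str, bool or int."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_prefs(text: str) -> dict:
    """Parse prefs.js / user.js content into a {name: value} dict."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def check_proxy_prefs(prefs: dict) -> list:
    """Return (pref, expected, actual) for every proxy setting that deviates.

    A pref absent from prefs.js means the browser's built-in default applies,
    which on a stock Tor Browser is the expected value, so absence is fine.
    """
    findings = []
    for name, expected in EXPECTED_PROXY_PREFS.items():
        actual = prefs.get(name, expected)
        if actual != expected:
            findings.append((name, expected, actual))
    for name in UNEXPECTED_PROXY_PREFS:
        if prefs.get(name):  # set to a non-empty value
            findings.append((name, None, prefs[name]))
    return findings


def check_profile(profile_dir) -> list:
    """Merge prefs.js then user.js (user.js wins, as in Firefox) and check them."""
    merged = {}
    for fname in ("prefs.js", "user.js"):
        p = Path(profile_dir) / fname
        if p.is_file():
            merged.update(parse_prefs(p.read_text(encoding="utf-8", errors="replace")))
    return check_proxy_prefs(merged)


# Constructed sample prefs.js contents (not taken from a real profile).
STOCK_PREFS_JS = """// Mozilla User Preferences
user_pref("app.update.lastUpdateTime.background-update-timer", 1436313600);
user_pref("network.proxy.socks_port", 9150);
"""

# Constructed example of the reconfiguration described in step 3: SOCKS host
# moved to a remote machine (203.0.113.10 is a documentation-range placeholder).
TAMPERED_PREFS_JS = """// Mozilla User Preferences
user_pref("network.proxy.socks", "203.0.113.10");
user_pref("network.proxy.socks_port", 9050);
user_pref("network.proxy.socks_remote_dns", true);
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        findings = check_profile(sys.argv[1])   # path to the browser profile directory
    else:
        findings = check_proxy_prefs(parse_prefs(TAMPERED_PREFS_JS))
    for name, expected, actual in findings:
        print(f"DEVIATION {name}: expected {expected!r}, found {actual!r}")
    sys.exit(1 if findings else 0)
```

Run it with the profile directory as the argument (on Linux installs the Tor Browser profile typically lives under `Browser/TorBrowser/Data/Browser/profile.default`; confirm the path for your install). With no argument it checks the constructed tampered sample and reports the remote SOCKS host and the changed port. Only user-set preferences are written to prefs.js, so a stock profile usually contains none of the proxy prefs at all; that is why an absent pref is treated as the default rather than as a finding.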

July 08, 2015

Could this be prevented with AppArmor profiles? Or by running Tor Browser as a separate user?
Any info on this?

Adding extra layers of security is a good idea. For example, that's why Tails runs their 'unsafe browser' as a separate user, in a chroot. (It's not perfect, but all of those steps are useful steps towards better security.)

But remember that the lesson here is about whatever the weakest link is -- so securing your Tor Browser more, while also still running your normal browser with e.g. Flash enabled, is not going to fix the underlying issue.

July 08, 2015

In reply to arma

Well, installing a backdoor is not smart... even if its name is Flash :-P
Of course I meant using apparmor in a secure system, with Free Software only, running a hardened linux kernel, firewall in place...

July 08, 2015

I find a basic piece of security is simply to watch your modem lights when you are not doing anything online. If they start flashing when not using the internet then either some program is auto updating or someone is trying to hack or has hacked. I am staggered at the number of people who let programs auto update and don't have a clue what is being sent. I block all updates and only allow them when I want to do it.

That does not apply of course while you are actually using the net.
John

Fact is there are many 0-day exploits, and the longer the time frame to update the more time you're vulnerable.

I still update manually, but I'm aware that the elderly woman across the street is probably closing those 0-days faster than me...

July 08, 2015

The article says, "You have to stop them at step two, because once they've broken into your computer, they have many options for attacking you from there." But that's only true if your OS doesn't properly isolate the local browser, the Tor browser, and the Tor client from one another.

Qubes OS already solves this problem by having the netvm be different from the torvm. If an attacker exploits your netvm from your local network, he can't get into your torvm (where the Tor client runs) or your torbrowservm (where the Tor browser runs).

Qubes also solves a related problem: the risk of a malicious web server exploiting your Tor browser to break into your computer, and then stealing your data, reconfiguring your Tor client, etc. The standard Tor Browser Bundle is vulnerable to this kind of attack, but Qubes isn't, because it has the torvm be separate from the torbrowservm.

That means Qubes prevents attacks from both directions. To get control of the torvm without exploiting a vulnerability in the Tor client itself or something else in the torvm's software stack, the attacker would have to break Xen--a far more difficult task than breaking weaker isolators such as Sandboxie or the Linux kernel.

Yes, I agree.

Though if you run a great thing safely inside a VM and also an Internet Explorer alongside it, then things can still go poorly for you. Isolation is a great start but you need good opsec too, and whatever you do least well is the easiest way in.

Also, isolation by itself doesn't resolve the need for the local 'unsafe browser' equivalent in the captive portal situation.

These are related topics but not quite the same topics.

I was also thinking Qubes prevents this attack, if you know what you're doing and use Qubes properly. Which is easier said than done for most people, as arma rightly points out.

Tails is easier to use for most people. Though a chrooted browser in Tails is a far cry from the hardware and software isolation Qubes offers. On the flip side, the usability and learning curve of Qubes is a far cry from the ease and simplicity of Tails. ;)

I am not using the Tor service on the same machine where I have installed the Tor Browser. In my basement the Tor service runs directly on my gateway. The packet filter on my gateway only allows outgoing internet access originating from my gateway (i.e. only the Tor service can make outbound connections; and also a squid proxy can do so, which handles my non-Tor traffic). The packet filter only allows connections from my PC to my gateway (Tor and squid proxy) but disallows any forwarding (i.e. internet access bypassing my proxies). With my Tor Browser running on my PC I have to use either the Tor or the squid proxy, both with my gateway address, in order to successfully connect to the internet. Thus if anyone changed these proxy settings, my gateway would not allow internet access from my PC at all, and therefore this kind of targeted attack would not work for me.

July 08, 2015

How safe is TOR at this time? Would I (or anybody else) be a target if I just casually browse the internet/hellhole with TOR?

This is the Tor blog discussing the Tor project. We are not here to discuss any other t0r, tOr, t0R, ToR, T0R, toR, tor, TOR projects that may or may not exist.

ha, did you forget to use a case-insensitive key in your search engine?
any human can understand "t0r, tOr, t0R, ToR, T0R, toR, tor, TOR"!

you should use it ALL the time! Then nobody(?) can say when you connect to google/microsoft/... or somewhere else. The more people use tor, the safer you are! And anyway you can say I got a cool browser and do not care how it connects to my favorite site. But do not mark your connections by using TOR casually. It's like crying "Hi, I am going to send my spy reports to the China gov, so please get me".

July 08, 2015

Part #1 of 3

arma wrote: 1) Pick a target user (say, you), figure out how you connect to the Internet, and install their attacking hardware on your local network (e.g. inside your ISP).

What exactly did you mean by "inside your ISP"? Can you elaborate please?

Can you give specific examples of "attacking hardware"?

Attacking hardware is a computer that routes your traffic and performs attacks like MITM. It is inside your ISP because then they can be sure to be able to route all of your traffic and to be able to try and break things in the first place.

Attacker installs or programs hardware at ISP level; they use that to drop a trojan by hijacking your connection and redirecting you to an infected website. ISPs can and have hijacked sessions, but for malicious purposes. So they drop whatever you were trying to connect to and instead send you to their MITM page.

July 08, 2015

Part #2 of 3

arma wrote: 2) Wait for you to browse the web without Tor Browser, i.e. with some other browser like Firefox or Chrome or Safari, and then insert some sort of exploit into one of the web pages you receive (maybe the Flash 0-day we learned about from the same documents, or maybe some other exploit).

I am using Debian with Iceweasel as my only browser.

Have you known of any such exploits that have taken place on Iceweasel? If yes, please elaborate.

Yes, I know of hundreds of such exploits that have taken place on Iceweasel. I will take this time to remind the general community that generally speaking Iceweasel is nothing but a version of Firefox that has all of the non-free items removed from it (... in this case, the non-free items in the Firefox source code, is, funnily enough, the trademarks).

The Firefox (and other Mozilla) apps specifically via the Mozilla Foundation have the ownership of the trademark "Firefox". As a trademark holder, Firefox must be a protected trademark. Mozilla does this by using its ability to deny the use of the name and other trademarks to unofficial builds.

This is why Firefox is not Firefox in Debian, because Firefox is not an official build, and the Debian team feels like it should stick to its guns with the Debian Free Software Guidelines.

The artwork in Firefox had a proprietary copyright license which was not compatible with the Debian Free Software Guidelines, hence the rename of the product.

Don't fool yourself into thinking that because you are using Iceweasel you are not vulnerable to Firefox issues -- because I would hate to break it to you, Iceweasel is not any less insecure than Firefox.

And that is only the potential remote code execution vulnerabilities that have been publicly released in the last three months. I can tell you of many hundreds of issues such as these that only ever get discussed privately inside the Mozilla bug trackers.

July 08, 2015

Part #3 of 3

arma wrote: 3) Once they've taken control of your computer, they configure your Tor Browser to use a socks proxy on a remote computer that they control.

Thanks for mentioning the above point.

I wish to check my Tor Browser now for possible hacks.

Where is socks proxy option in Tor Browser? What values should socks proxy take? 0, 1, 2 or something else?

I'd be careful using any source code from the leak. Because
(1) Such code will create patterns that anti-virus companies are more than likely looking for, and
(2) The hackers may take legal action, in which case you would have to point out all the warez in the Fileserver folders.

July 08, 2015

arma, many thanks for your brief.

The sequence of events you describe sounds exactly like what happened to me the same week that the Belgian cryptographer Quisquater was reportedly attacked. My government is one of those mentioned in the leaked documents as a particularly enthusiastic consumer of Hacking Team's "product". After I suspected my computers had been compromised I immediately stopped using them and have kept them untouched since then. I'd love to somehow get Citizen Lab's experts to examine them, but have had difficulty making an encrypted connection with them. Any suggestions?

These days I use Tails on a different computer and hopefully I am a bit more secure. And yes, I am attempting to start using whonix or Qubes. It's an arms race: all of us (the citizens) versus all of them (the governments cited in the client lists of HackingTeam, Gamma, Nice...).

What is our plan if the FBI succeeds in outlawing strong citizen encryption? In outlawing Tor? Will the project move to Iceland?

> Why is there so little traffic in the Tor Forums? That's a bit scary.

Do you mean the #tor chat room? If so, oftc banned Tor users six months ago, so Tails users can't visit anymore.

July 08, 2015

> I find a basic piece of security is simply to watch your modem lights when you are not doing anything on line. If they start flashing when not using the internet then either some program is auto updating or someone is trying to hack or has hacked.

At least some state-sponsored malware seems to make an effort to stop the LEDs from blinking during "exfiltration". Also, some of the Snowden-leaked documents stress that key exfiltration can occur very quickly when NSA/TAO successfully targets a vulnerable browser which uses openssl. Then the bad guys can copy your encrypted data stream for decryption at leisure. I hope and believe that Perfect Forward Secrecy should make this much harder, if you are using TBB.

July 08, 2015

> Their proposed attack requires Hacking Team (or your government) to already have you in their sights. This is not mass surveillance — this is very targeted surveillance.

Agreed. But as Citizen Lab and other groups have documented, HackingTeam clients such as the government of Morocco have targeted human rights activists. This habit has led Human Rights Watch to label HackingTeam an "Enemy of the Internet".

Someone could be targeted because of a conversation in Germany with a visiting reporter who works in UAE. Or because they have contributed to HRW. Some governments don't want anyone anywhere to engage in human rights activism. For example, GCHQ has admitted that it targeted Amnesty International.

It is important to understand that if you are alive and kicking, you could very easily be targeted by some government. Maybe not even because of anything you have done, but simply because of someone you know. Maybe your uncle is a telco network engineer. Or your cousin teaches at MIT, and knows a student from Syria.

There is no law of human nature which holds that Government G's reason for attacking you must be comprehensible to you or me. It only has to make sense to Government G. And if the bad guys decide they have a reason to target you, well, they have the capability too. Thanks to companies like Gamma and HackingTeam.

July 09, 2015

The most interesting content so far seems to be under /rcs-dev\share/HOME/Naga - they were trying to mount a pretty sophisticated attack, with MITM on SSL as well. Is Tor resilient against this sort of SSL tampering - downgrading, adding system certificates (the Superfish scenario) etc.?

July 10, 2015

Tails vs Tor browser + debian on a live DVD. Other than "re-inventing the wheel" what would be the difference between the two?

Tails claims to force ALL of your network connections and traffic to be routed through Tor.

That would not be the case if one were to use Tor Browser on a (non-Tails) live system, Debian or otherwise.

July 11, 2015

"Another answer is to run a system like Tails, which avoids interacting with any local resources."

Go to WikiLeaks and search for "UEFI resistant infection" in the Hacking Team's emails.

July 11, 2015

Judging from the leaked emails, they showed this or a similar presentation to the Italian Secret Service.

July 12, 2015

Over at the wikileaks.org searchable archive of emails leaked from Public Enemy Number Three (aka Hacking Team), I spotted a priceless exchange between Bernard J. "Joey" Quinn (Leidos, formerly known as SAIC) and the CEO of Hacking Team, David Vincenzetti, from 10 Nov 2014.

Joey Quinn states:

"The single most important point for me about the dark net is the fact that the majority of the funding supporting maintenance of the code base that provides the largest portion of it (Tor) comes from the US government."

David Vincenzetti replies:

"I totally agree with you, Joey."

Joey Quinn replies (referring to a new story which he regarded as insufficiently hostile to Tor):

" "Partly funded by the U.S. Government"? A bit of an understatement the misguided idiots at DOD and DOS provide something like 60 percent of their annual budget."

David Vincenzetti replies:

"Hi Joey, I was not aware of that, really."

Gee, now that I know how much it annoys Joey (he goes on to bitch about his taxpayer dollars being used to fund Tor), I have to change my position about taking funds from the USG. Take *more* and post a very polite message thanking Mr. Quinn for his generous contribution!

July 12, 2015

Another gem from the wikileaks.org searchable archive of emails leaked from Hacking Team: in a 2013 email, David Vincenzetti (CEO of HT) wrote:

"Banning a technology is never the solution: the bad guys will simply switch to a different technology. IT offensive security is part of the solution."

So he needs Tor to exist in order that Darknet FUD continue to grow, in order for his business to survive. Unfortunately for HT, the archive shows repeated promises to HT "customers" that effective attacks on TBB will be included in the next edition, but as the years roll by, it seems that this promise has not been fulfilled.

(Keep up the good work, Tor people!)

Ironically, some HT customers also seem to be asking HT to modify RCS so that they can connect to the servers containing stolen data using TBB! (Prevented by a certificate issue I couldn't understand.)

The emails seem to show that, far from vetting their customers, in some cases HT has no idea who they are. So perhaps the clearnet-shy RCS users are... the mafia?

Also noteworthy are exchanges between HT employees and some dude going by the name of Dustin D. Trammell, who calls his company Vulnerabilities Brokerage International, who is selling expensive zero-days to companies like HT. This fellow sends around marketing emails describing his menu of zero-days available to anyone willing to pay.

Another weird thing: lately HT has refused to demonstrate its prowess at cyberintrusions into Linux servers except in its Milan headquarters, owing to concern over the Wassenaar arrangement. So they are seriously worried about being prosecuted for cybercrimes. Good!

July 12, 2015

> Their proposed attack requires Hacking Team (or your government) to already have you in their sights. This is not mass surveillance — this is very targeted surveillance.

As far as I can see, that is correct, but David Vincenzetti (CEO of HT) wrote this about Tor to list AT hackingteam.it

"Definitely, privacy tools such as this one should be regulated. In the meantime, such "ONIONs" can be "crypto-exfoliated” aka their encryption layers decrypted and therefore fully penetrated by our groundbreaking / extra-low latency / effective on a mass scale offensive security solution (my apologies for being self referential here)."

He apparently never clarified what he meant by characterizing RCS as a "mass scale offensive security solution".

July 12, 2015

Someone needs to say it, and I hope the moderators will allow me to try.

From:

https://www.wired.com/2015/07/hacking-team-breach-shows-global-spying-f…
Hacking Team Breach Shows a Global Spying Firm Run Amok
Andy Greenberg
6 Jul 2015

"Few news events can unleash more schadenfreude within the security community than watching a notorious firm of hackers-for-hire become a hack target themselves. In the case of the freshly disemboweled Italian surveillance firm Hacking Team, the company may also serve as a dark example of a global surveillance industry that often sells to any government willing to pay, with little regard for that regime’s human rights record."

Recall that the HT leaks follow similar leaks from Gamma International and HBGary Federal. Taken together, the leaks paint a clear portrait of Western based companies enabling the worst and most repressive regimes on Earth to identify and imprison/torture/execute domestic dissidents by means of dragnet surveillance and state-sponsored cyberintrusions.

The leaked HT documents show that HT's biggest customer is Saudi Arabia, an absolute monarchy which punishes dissident journalists by public whipping, and which has been designated an "Enemy of the Internet" by human rights groups.

Other customers include such American agencies as FBI, DEA, and DOD.

ACLU, EFF and other civil liberties watchdogs staunchly oppose FBI's demand to

o mandate backdoors in encryption,

o mandate backdoors in Tor,

o mandate backdoors in Linux and other operating systems,

o mandate self-imposed censorship at websites,

o impose stiff sentences on journalists such as Glenn Greenwald who report news which some in USG would rather remain hidden from the public.

Why?

Because they can see the global trends, as exemplified by some other customers of HT:

Azerbaijan
https://en.rsf.org/azerbaijan.html

"Disturbing threats and harassment in wake of European games... Baku games sponsors urged to request release of journalists..."

Bahrain
https://en.rsf.org/bahrain.html

"Wave of arbitrary arrests of dissident information providers... Court upholds ten-year sentence for award-winning photographer..."

Egypt
https://en.rsf.org/egypt.html

"Journalists will face two years in prison for quoting unofficial sources... Three journalists sentenced to life imprisonment..."

Ethiopia
https://en.rsf.org/ethiopia.html

"Ethiopian government's witchhunt against privately-owned media... Long jail sentences for three magazine owners..."

Kazakhstan
https://en.rsf.org/kazakhstan.html

"Orchestrated throttling of Kazakh opposition weekly... Authorities poised to cut all communications at drop of hat"

Morocco
https://en.rsf.org/morocco.html

"Journalism NGO apparent target of “adultery” conviction...Sustained crackdown on independent reporting in Morocco..."

Nigeria
https://en.rsf.org/nigeria.html

"Journalist missing... Army seizes newspaper issues day after day on “security” grounds.."

Oman
https://en.rsf.org/oman.html

"Two bloggers detained in Oman for reporting rights violations.. Two journalists investigated over article about gays in Oman.."

Saudi Arabia
https://en.rsf.org/saudi-arabia.html

"Saudi court shows contempt for human dignity in Badawi case... Saudi netizen’s whipping could begin Friday..."

Sudan
https://en.rsf.org/sudan.html

"Intelligence agency arrests leading Sudanese journalist... Two journalists arrested, held in unknown location..."

FBI Director James Comey wants the USA to behave more and more like Sudan and Saudi Arabia, and less and less like the nation envisaged by the American Founding Fathers.

Roger Baldwin, co-founder of ACLU (with socialist firebrand Helen Keller) wrote:

"So long as we have enough people in this country willing to fight for their rights, we'll be called a democracy."

https://en.wikipedia.org/wiki/Roger_Nash_Baldwin
https://en.wikipedia.org/wiki/Helen_Keller

James Comey wants nothing less than to end democracy in America.

Martin Luther King wrote:

"A time comes when silence is betrayal".

And a previous FBI director, J. Edgar Hoover, responded by writing a threatening letter to King urging him to commit suicide. See the Pulitzer prize winning

Enemies: a History of the FBI
Tim Weiner
Random House, 2012.

July 12, 2015

> Tails vs Tor browser + debian on a live DVD. Other than "re-inventing the wheel" what would be the difference between the two?

Someone correct me if I get anything wrong, but I believe that a fair brief description of recent Tails is:

"Debian stable on a live DVD, with Tor Browser, sandboxing, a firewall which does much to prevent accidental leaking of data over non-Tor connections to the Internet, document preparation software (including some metadata removal tools), and more."

Further, I believe that as time goes on, Tails, Qubes, and Whonix will exhibit a beneficial convergent evolution. Which would be very good.

Unless Western governments outlaw them. Which would be very bad.

July 12, 2015

I hope people with more technical knowledge than I will use WikiLeaks' searchable database of 1 million leaked emails from Hacking Team to look for valuable technical insight about how to resist RCS even better.

Here are some mostly nontechnical comments on Tor which seem noteworthy (note that these span several years, so some information or views are no doubt obsolete):

First, several comments by David Vincenzetti (CEO, Hacking Team):

Commenting on the recent Recorded Future report on the "Darknet":

> Definitely, such privacy tools [Tor] should be regulated. In the meantime, it can be technically crypto-depleted penetrated.

Responding to Alex Velasco (Key Account Manager, HT) who is discussing a client who fears "spooking" a "hard target" (it is not clear who the target is or even who the "customer" is, but Jacob Appelbaum is mentioned nearby):

> On May 6, 2012, at 5:53 PM, Alex Velasco wrote:
>
>> This sounds like what our client is faced with. He mentioned it in a few conversations. They are panicky that RCS will fail at install, spooking the target and losing the case. But what other option do they have? I do not know the whole story but this guy could disappear at any given moment for any reason. They do not have an easy job. All we could do is help them and hold their hand until they do something.
>
> Our technology [RCS] is not infallible. The target could stop using the device. Our solution resists PC hard disk formatting. This is a strong point. But the target could simply substitute the hard disk with a different one. Or move to a location where Internet connection is not available. So there are some special scenarios in which RCS looks like it is not working but it is not the backdoor that is not working, it is the operational environment that is not compatible with our solution.
>
> We are offering the best product available on the market for attacking, infecting and controlling targets' devices. We use state of the art technologies. And we continuously, tirelessly research in order to enhance our product and maintain the largest possible gap between our system and our competitors' ones.
>
> That is our mission and we are investing all our resources in doing so.

Responding to Jacob Appelbaum's call for everyone to use Tor:

> I forgot to mention that TOR is effective against traditional, passive monitoring but absolutely not effective against active monitoring, that is, RCS. Since RCS infects the very user's device it gets all the data irrespective of any anonymizer system installed on such device.

> TOR is a proven (10+ years), robust and secure technology for browsing the Internet in an anonymous way. TOR makes use of "onion routing", that is, your HTTP connection "bounces" through a number of proxies before reaching the destination web site. In this way it is hard, but not impossible, for Governmental Agencies to understand what sites you are browsing and what data you are sending and receiving.
>
> TOR is widely used by dissidents in authoritative regimes. I used to have it installed on my PC but I really never used it much because HTTP connections are much slower when TOR is on your box.

Responding to an employee who posted an article on a Japanese government call to ban Tor in Japan:

> Banning a technology is never the solution: the bad guys will simply switch to a different technology. IT offensive security is part of the solution.

Snarling about the Tor Project:

> LEAs are finally penetrating the DarkNet. They have identified, located and possibly shut down a number of hacktivists/anarchists/criminals/terrorists/insurgents sites. Some people have been arrested and more people will be arrested soon. This is GREAT news, this is a breakthrough in the battle between the good and the bad guys.
>
> HOW they did it is still “unknown”.
>
> The totally irresponsible people behind the "TOR project" don’t know. Is it a technological attack? Is it "simple old-fashioned police work in action”? They are groping in the dark. Is the DarkNet technologically neutralizable? I am afraid I can’t say anything about this, I am sorry (not really).
>
> "The Tor Project Inc., a nonprofit group behind Tor, said it doesn’t know exactly how investigators located the users. Court documents and statements made public this week “don’t disclose enough details to be useful for technical diagnosis,” said Andrew Lewman, executive director of the Tor Project. “We’re continuing to investigate."
>
> Investigate, investigate, young people :-

Danielle Milano (Operations Manager, HT) arguing with Vincenzetti about the title of a presentation (David wanted to stress "mass infections" and "dragnet", Danielle disagreed):

> Bear in mind though that Remote Control System is not the right tool for mass surveillance, and in truth can seriously suffer from a high number of infections. Overexposure is bad.

Marco Fontana (Senior Software Developer, HT) on cookies in TBB:

> Hi,
> by setting the 'remember history' option in the browser (the same operation
> done by the soldier's url module), tor browser also saves cookies,
> so facebook should work.

Marco Valleri (CTO, Hacking Team) on what makes Firefox "interesting":

> I agree. Firefox is interesting practically only for tor

and on TBB:

> Since the browser used by the tor bundle is firefox, support has been there since we started supporting firefox ;)

Sergio Rodriguez-Solís y Guerrero (Field Application Engineer, HT) on attempting infection of TBB with RCS (accompanying figures suggest RCS cannot follow the websurfing of a TBB user):

https://wikileaks.org/hackingteam/emails/emailid/104366
...
> Testing RCS 9.4.0 in demo chain with demo mode, I infected my demo target (Win7) and most of things are working correctly.
>
> The referred problem is regarding Tor Browser.
>
> I opened it and connected to several newspapers in different tabs. Then, URL evidences show the same domain as the first tab but the correct tab title.
>
> Attached are 2 screenshots, one of the target PC with tabs and one of RCS with evidences.
>
> For Firefox (that as far as I know is same browser) it also happens. I think evidence present correct window title but presents first tab domain instead of active tab domain.
>
> For Chrome and IE, both before and after testing Tor Browser, there is no problem.

Overall, pretty much confirms what Roger said above, I think.

July 12, 2015

Permalink

Regarding Tails, some notable, not very technical excerpts from the Wikileaks searchable database of one million leaked Hacking Team emails:

David Vincenzetti on the difficulty of attacking Tails:

> IF properly used, these “computers in a box” offer a much higher degree of security in respect to standard PCs.
>
> If properly used, the “attack surface” still exists but it’s much more limited. From an attacker point of view it ** is ** still possible to infect such devices but limitations apply.
>
> The devil is in the details and the old saying (by Marcus J Ranum, circa 1995) “Easy, Cheap, Secure: pick TWO” fully applies here.

From an HT "Roadmap" outlining future goals:

> o Infection of Tails USB from UEFI (Antonio)
> § The infection will happen at runtime
> § Can be combined with the boot infection from “Infection Agent”
> o New NTFS drivers for UEFI infection (Antonio)
> o Persistent infection also on signed OSX and UEFI (Antonio)

So, users should perhaps prefer to boot Tails from a DVD, as Snowden advised.

An RCS Customer Support person explaining how to target a Linux user (bearing in mind that Tails is closely based on Debian Linux):

> You can use 4 different ways to infect a Linux target:
>
> - Silent installer
> - Melted Application
> - Offline installation
> - Network injection
>
> If you have physical access to the Linux system and you know the password, you can use Silent Installer infection.
> If you have physical access to the Linux system and you do not know the password, you can use Offline installation infection.
>
> If you do not have physical access to the Linux system you can use Melted Application infection or Network injection.
>
> We are sorry, there isn't a single strategy, each target is different.
>
> To have more chance to infect a target you can use social engineering strategies.

So, pretty much what NSA said in a Snowden leaked document, and pretty much what the Tails documentation has always said.

July 12, 2015

Permalink

Companies such as Hacking Team like to peddle their malware to paranoid governments by assuring would-be intruders that unveiling encrypted conversations offers an unparalleled view into the "innermost core of the target's private life" (as one document puts it) because "targets" reveal the most about their ambitions and fears when they think they cannot be overheard by the enemy.

So with that borne in mind (savor the Schadenfreude!), here are some excerpts which reveal what Vincenzetti fears and loathes about EFF (Electronic Frontier Foundation):

> I REALLY CAN’T WRITE what I think of the EFF and its affiliates.

> On a different line, this also reveals how irresponsible the people at EFF are.

Commenting on EFF's most recent edition of "Who has your back?":

> Just makes you feel good to know the EFF is our savior.

Speculating about the psychology of civil liberties advocates, and expressing the notion that we are somehow making money doing what we do:

> It looks like the EFF’s main goal is trying its best to frustrate the work of LEAs and Security Agencies.
>
> I am thinking of the psychology of the persons working at, or financially supporting, groups like the EFF.
>
> About such persons: some of them are simply idealists detached from reality, blind to what is happening in the real world.
>
> Others are astute professionals exploiting the Big Brother Is Watching You paranoia phenomenon: although they mostly work for no profit organizations they get hefty compensations for their “contributions to a better world", their information or defamation activities, their technical “discoveries” or “innovations”. Make no mistake: no profit merely means that the bottomline in the financial balance sheet is zero, such organizations’ balance sheets are seldom publicly available, it would be interesting having such balance sheets published and checking who is earning what.
>
> At the same time, I am sure that such persons expect security for them, security for their own families, security for their countries. At the same time, I am sure they also expect an efficient LEA system, they expect to be protected, to stay warm and safe in this world, shielded away from domestic and foreign risks and menaces.
>
> The contradiction is straightforward.
>
> But I am wandering off: back to computer security.
>
> The EFF just announced TWO new tech projects — Trust me: such projects are nothing big, nothing significant to LEAs using the right technologies.
>
> #1 A FREE Certification Authority: https://letsencrypt.org/2014/11/18/announcing-lets-encrypt.html
>
> #2 A “new" malware detector: https://www.eff.org/deeplinks/2014/11/detekt-new-malware-detection-tool…

>although they mostly work for no profit organizations they get hefty compensations for their “contributions to a better world",

That is demonstrably true; just look at the salaries for executives of "non-profits" (including the Tor Project).

>At the same time, I am sure they also expect an efficient LEA system, they expect to be protected, to stay warm and safe in this world, shielded away from domestic and foreign risks and menaces.

There is much validity in this point. Even the most vehement and extreme enemies of law enforcement and state-authority directly benefit from said entities in countless ways.

July 12, 2015

Permalink

An oriental strategist advises us to Know Our Enemy.

In the Wikileaks searchable database of one million emails leaked from Hacking Team, we certainly have the opportunity to get to know one of them.

Here is David V complaining that two of his employees are not as photogenic as Jacob Appelbaum:

https://wikileaks.org/hackingteam/emails/emailid/224480
..
> These idiots are playing their little games. They deliberately picked up the worst snapshots in order to depict Eric and Alberto in a bad light while promoting the others' image. In the first one Alberto and Eric look to me like characters from Sallustio's De Catilanae Conjuratione (Sallust's Conspiracy of Catiline):
>
> Here this asinine activist looks like a very smart guy:
>
> Here Eric looks frightened or embarrassed while this EFF man looks influential and authoritative:

(The literary reference is to the Roman historian Sallust, who used the dramatic story of a failed rebellion against the Roman Republic as a foil to mock the vices of the Roman aristocracy. Catiline's principal political (not military) opponent was Marcus Cicero; it is not clear whether Vincenzetti intended to deprecate Snowden's admiration of Cicero and the Roman Republic. It does seem, however, that Vincenzetti is expressing admiration for the Roman Empire, which constituted a succession of more or less insecure absolute dictatorships.)

A little later, DV adds

> He [Jacob Appelbaum] is a privacy advocate and, like most privacy advocates, he is a little paranoid.

Replying to a reporter who asked for comment about a Citizen Lab white paper documenting how Hacking Team's malware is being used by governments of nations like Morocco to target human rights activists:

> As far as I know, Mr. Appelbaum had nothing to do with the Citizen's Lab report. However, he is a tireless advocate of letting anyone who wants to communicated in secrecy on the Web. He ignores the fact that for many years civilized nations have considered the value of privacy of communications vs. the need to be able to investigate crime, and most have come down on the side of a reasonable expectation of privacy but not to the extent of being able to keep illegal actives secret from law enforcement illegal activities.

And here is what Vincenzetti wants to do to Chris Soghoian (ACLU Technologist):

> Sono molto tentato dal rispondere, ma scateneremmo solo un flame. Penso che sia self-evident quanto imbecille sia Soghoian.
>
> Se metto insieme abbastanza BitCoin uso un servizio della DarkNet e lo faccio eliminare. Un coglione di questa levatura non merita di continuare a consumare ossigeno.

Translation:

"I’m very tempted to respond [in public], but we would only start a flame war. I think it’s self-evident what an imbecile Soghoian is. If I gather up enough Bitcoins I want to use a service from the DarkNet to eliminate him. An asshole of this caliber doesn’t deserve to continue to consume oxygen."

(When told of this comment, Soghoian said Vincenzetti had greatly cheered him up, because it shows that the work of ACLU/EFF is having a more positive effect than sometimes appears.)

July 14, 2015

Permalink

On July 12th, 2015 Anonymous said:
"[...]So, users should perhaps prefer to boot Tails from a DVD, as Snowden advised[...]"

Most users really don't know USB sticks are a common infection vector.

And the main problem with UEFI is you have a full invisible persistent infection vector, a lot of cert warnings/exploitation vectors in UEFI firmware (Intel and AMD motherboards) without real write protection, and a very small minority of people update their motherboard firmware, if an update exists!
The motherboard manufacturers ignore this problem?

"The motherboard manufacturers ignore this problem?"
Of course they are!! Why on earth should they protect YOU?! All this dancing around UEFI is meant to limit your control over your hardware. Do you know if this _security_ design has been evaluated by any well-known _security_ expert?

July 15, 2015

Permalink

Riseup servers are used by Tails and LEAP developers and others working on privacy-enhancing tools. Further, FBI has seized a Riseup server in the past, and Riseup has been targeted by a prosecutor in Spain in connection with the crackdown there on Occupy activists.

Therefore it seems notable that someone going by the name "Richard Hiller", whose email address is in a domain (pcr.cz) used by Czech police, recently requested from HT an exploit targeting the new Riseup mail server:

https://mail.riseup.net/rc/

See

https://wikileaks.org/hackingteam/emails/emailid/629790

for what appears to be an email from an RCS support technician responding to a request from Hiller submitting a ticket asking a coder to add malware to a file (presumably composed by Hiller and intended for use in a phishing attack on one or more riseup.net users):

> Ticket ID: MOO-684-39569
> URL: https://support.hackingteam.com/staff/index.php?/Tickets/Ticket/View/3613
> Name: Richard Hiller
> Email address: *** pcr.cz
> Creator: User
> Department: Exploit requests
> Staff (Owner): -- Unassigned --
> Type: Issue
> Status: Open
> Priority: Normal
> Template group: Default
> Created: 21 November 2014 11:21 AM
> Updated: 21 November 2014 11:21 AM
>
> Please create exploit Internet explorer
>
> Url: https://mail.riseup.net/rc/
>
> Thank you
>
> Rene

Riseup's quarterly canary update is somewhat overdue

https://help.riseup.net/en/canary

Apparently Hiller has not yet requested exploits for nolog or boum. This is not for lack of ambition: he also requested exploits for facebook.com and cnn.net.

Riseup is also used by political dissidents, and various civil liberties and human rights groups, including Occupy activists in Spain targeted under the new "vomit law" and Mexican anti-drug-cartel activists targeted by the drug cartels.

Correction: on closer examination, vice.com now reports that Mexico (not Saudi Arabia) is HT's biggest client:

https://news.vice.com/article/mexico-is-hacking-teams-biggest-paying-cl…

"The country has paid more than $6.3 million to help it spy on its targets, topping the nearest state client Italy by $1.9 million. A graph leaked online and linked to the firm shows Mexico, Italy, and Morocco are the highest paying clients of Hacking Team, followed by Saudi Arabia, Chile, and Hungary."

http://www.eluniversal.com.mx/articulo/english/2015/07/6/pemex-mexican-…

"The following is the list of current and expired Mexican clients of the company:
- CUSAEM Health Service for the Auxiliary Security Corporations of the State of Mexico. Expired.
- DUSTIN Government of the State of Durango. Active.
- EDQ Government of the State of Querétaro. Expired.
- GEDP Government of the State of Puebla. Expired.
- MCDF Mexico City police. Expired.
- MXNV Ministry of the Navy. Not active.
- PEMEX Petróleos Mexicanos. Expired.
- PF Federal Police. Expired.
- PGJEM Office of the Attorney of the State of Mexico. Active.
- SDUC Government of the State of Campeche. Expired.
- SEGOB (CISEN) Ministry of the Interior. Active.
- SEPYF Department of Planning and Finances of the Government of the State of Baja California. Active.
- SSPT Department of Public Security of the State of Tamaulipas. Active.
- YUKI General Secretariat of the Government of the State of Yucatán. Active"

The recent escape of "El chapo" Guzman from Mexico's supermax prison, which everyone agrees could only have been accomplished with extensive help from corrupt government officials, highlights the endemic penetration of the MX government by the cartels. The numerous requests for Hacking Team exploits from various MX government officials are particularly troubling in view of the very real possibility that information obtained using HT supplied malware may be used to locate and target persons for assassination by the cartels.

Similar remarks hold for requests from Greek and Italian officials; some years ago, in two breach incidents, it was discovered that unknown parties had been happily spying on Greek and Italian government officials and journalists by subverting government surveillance systems.

And as the OPM breach in the US demonstrates, not only the security service networks of the Greek and Mexican governments are vulnerable to such intrusions and misuse. Citizens of Colombia should be alarmed to learn that HT emails show that the US DEA is tracking *all* internet traffic in Colombia:

https://news.vice.com/article/the-dea-is-tracking-all-internet-traffic-…

"All of Colombia's internet traffic is monitored by the US Drug Enforcement Administration, according to a hacked email circulated on Twitter on Monday night, signaling widespread American surveillance of electronic communications in the country considered the longtime central battlefield in the global war on drugs."

Another notable point about the Hacking Team breach is the large number of unencrypted emails containing such items as

o complete logs from router bootup (troubleshooting with HT's ISP)

o MAC and IP addresses of HT laptops (sent to hotels in foreign countries)

o internal correspondence showing that HT (contrary to its assurances to its customers) can and did routinely snoop on what its customers were "collecting" from their "targets"

http://motherboard.vice.com/read/leaked-emails-show-hacking-team-lied-t…

There is much more about the Hacking Team leaks at

motherboard.vice.com
firstlook.org/theintercept
citizenlab.org

Thanks to all the reporters who are covering this important public interest story!

July 16, 2015

Permalink

Im quite freaked i come to page from clicking button am i on a oth tnat i should be...i think i kniw what im reading but i got a hypervigilance on conspiracy theories of everything atm. I kno i have been hacked both phine n computer but unsure of the intended full reasoning.
Im fully onboard if i an being coded with what im feeling im drawn towards. I just really dont understand the process of creating n execution of installation for assurance that I may need for risks i think im pointed to. I can bring my technologies and cafe lunch to allow time for the files to be uploaded. No idea on modem without assist. Have concern of solo media apps yes.
j think i can Identify aspects of concerns tho i will sign papeer to allow all infiltration to get honesty for legal CONSIDERATION. But if this is.. why was i leff alone to rott. With no securoty support in place n having no support as its known. Ill illuminate i cant not im capabke n teady to do what ever to sucure lea n minor applications in any circumstances. Im trying to learn code but it seems out of my knowledge what is what n iam reading one way. Please contact if possible to make arrangements to meet no. Or email anything. Ill try what i xan

July 16, 2015

Permalink

Could using an OS (with Tor installed) on a bootable - read-only - USB stick (or bootable DVD) be sufficient to prevent this attack?

And would the OS on the bootable DVD/roUSB need to be Tails, or could it be something else?

July 19, 2015

Permalink

> Could using an OS (with Tor installed) on a bootable - read-only - USB stick (or bootable DVD) be sufficient to prevent this attack?

> And would the OS on the bootable DVD/roUSB need to be Tails, or could it be something else?

Some leading network security experts work for/with Tor Project and Tails Project (two related but separate NGOs), but they are very busy, so although I am not an expert, I'll take a stab at answering your question, based upon my experience and what I have read. What follows mostly repeats things already stated in various comments above, but I hope it will help newbies to orient themselves.

By "this attack" I assume you mean HT's malicious criminal actions as described in the blog post by arma.

First, I believe that one of the best easy-to-use alternatives for ordinary people concerned about malicious actors (such as hostile governments) possibly spying upon their on-line activity is using the current version of Tails booted from a DVD, provided that

o you verified the iso image by checking the signature as described here

https://tails.boum.org/download/index.en.html#verify

o you do not have good reason to fear that your DVD drive burner has itself been compromised (we hope this is unlikely for "the average citizen", maybe even "the average Tor user", but this opinion is based on optimistic guesses, not facts).

Tails provides (among other good things):

o a temporary "hardened" Linux computer system on most laptops, tablets, PCs,

o a special firewall, which can prevent many accidental leaks of your true IP address from software other than the Tor browser,

o some sandboxing, which can help prevent some malware from doing damage,

o "ready to surf" Tor Browser,

o document preparation software such as editors, printer drivers, and an easily configured temporary printing system which should work with most peripheral printers,

o encryption utilities for storage devices such as USB drives,

o "amnesia"

Amnesia means that when you finish a Tails session, the memory should be wiped and few if any traces left on your laptop, tablet or PC that you used Tails (but damning traces might be left on peripherals such as printers so be careful).

When you are using Tails, you can insert any common brand of USB drive into a USB port and format an encrypted volume (AES encryption) on the USB drive. You can securely store information in the encrypted volume and retrieve it in subsequent Tails sessions. This can be a convenient and quite secure (if you choose a strong passphrase and if your USB drives are not already infected with APT malware) way to combine the convenience of long-term data storage with the security advantages of "amnesia".

Second, you can choose to install Tails on a USB drive instead of a DVD, and unless your hardware is very old, you should be able to boot Tails from this USB. This is much more convenient in some ways because

o you can save useful persistent data such as bookmarks and documents (but that violates "amnesia")

o you can update to the next version, sometimes, without needing to download the entire iso image

Unfortunately, USB drives are notoriously insecure. There is currently no way even an expert user can ensure that a given USB drive has not been infected, since malware might lurk in components, such as the microcontroller inside the drive, which the OS on your PC, laptop, or tablet cannot see or verify. Perhaps for this reason, malware providers such as Hacking Team are known to attempt to use bad USB drives to attack "hard targets". In particular, in the comments above you can find a quotation from a Hacking Team roadmap showing that they were recently trying to subvert UEFI (which is ironically intended to improve security) to plant malware which could enable HT to spy on anyone who uses Tails booted from a USB rather than a DVD.

Edward Snowden recommended using Tails booted from a DVD (burned using a properly verified iso image), and he clearly knows what he is talking about. (Before he defected to The People, it seems that Snowden taught cybersecurity courses to USIC operators, so he is familiar with methods used to attack USG networks, which are pretty much the same as what the USG uses to attack all the world's networks.)

It seems notable that one way in which NSA is trying to "shape" the internet environment is by pressing manufacturers to stop making DVD drives, especially those with burning capability, and by pressing laptop makers to stop putting disk drives in their products. It is probable that this is intended to combat the spreading use of Tails by security-aware citizens.

Third, Tails attempts to meet the needs of human rights workers, who are particularly targeted by the most lethal cyberwar entities. The leaked Hacking Team emails show that CEO David Vincenzetti regularly followed news releases from organizations like Amnesty International which are targeted by many of HT's customers, as he appears to have been well aware. To my knowledge, Vincenzetti has not attempted to explain why he followed such news, but I have the impression that he had no moral objection to human rights abuses, but wanted to test the political temperature; possibly he was considering dropping some customers who "took things too far" by too frequently executing human rights workers, for example. Pretty much a Mafia mentality, in my opinion, if so.

A recent news story states that some leaked Hacking Team and Stratfor emails at wikileaks are infected with dangerous live malware:

http://www.theregister.co.uk/2015/07/17/wikileaks_malware_warning/

One possible explanation is that intelligence organizations often try to infect downloads "on the fly". This is one reason why it is so important to prefer https sites to http sites. Wikileaks uses https but is a major target of the most lethal espionage organization which has ever existed, NSA, so it is quite possible that in some cases NSA can subvert TLS protection (https) sufficiently to insert malware on the fly into attachments to emails downloaded from wikileaks.org.

It should also be noted that USIC and other enemies are known to regularly attempt to "plant" stories in the media which contain disinformation intended to discourage people from accessing Wikileaks. The Register is usually resistant to such attempts to "plant" stories, I think, but anyone can be fooled sometimes.

One advantage of using Tails to access websites which some intelligence agencies might view as "watering holes" is that you probably are protected against many kinds of malware, even advanced malware. I encourage people not to be frightened off by scare stories about Wikileaks, but to use Tails for reading all news sites, not just Wikileaks. The reason is that several intelligence agencies have been caught trying to subvert major news sites. Indeed, a comment above pointed out that one "Richard Hiller", apparently a Czech cop, requested that HT prepare an exploit to attack cnn.com, presumably because he wanted to infect some or all visitors to CNN.

Fourth, Tails isn't the only game in town; see

https://en.wikipedia.org/wiki/Whonix
https://en.wikipedia.org/wiki/Qubes_OS
https://en.wikipedia.org/wiki/Tor-ramdisk

As noted in the comments above, these projects share ideas and over time tend to adopt more and more good security practices, so there is a beneficial convergent evolution toward more and more hacking-resistant systems with similar goals to Tails.

I believe that Tails is currently easier to use than these alternatives, and considerably more secure than using TBB with your usual (non-amnesiac) OS, so I think it makes good sense to start with Tails and look into Whonix etc once you have gained extensive experience using Tails and have had time to read enough security news (e.g. theregister.co.uk, arstechnica.com) to learn more about potential hazards and current known attacks on citizen bloggers and other at-risk people.

One point which may be attractive to users who are worried about USG sponsorship of Tor Project: Tails Project also accepts some money from similar sources, but the key developers mostly live and work outside the USA, so unlike Tor developers they may be less susceptible to certain kinds of threats from the USG. In particular, it is known that the US IRS (tax authority) regularly threatens to deny tax-exempt status to NGOs which develop privacy/security/anonymity enhancing software, and makes further threats. Unfortunately, as with every bad thing the USG does, other governments appear to be eager to follow the American lead in the arena of harassment of people engaged in legal activities which create difficulties for the security services.

One last point: anyone can donate to these projects by various means, and they all seem to have many virtues, so I hope others here will join me in donating to some of them.

July 21, 2015

Permalink
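The comment above says to verify the downloaded Tails image by checking its signature before burning it. As an added example (not code from the Tails or Tor projects), the block below shows the two halves of that check in Python: parsing a `sha256sum`-style sums file and comparing the image's digest in constant time, and, where `gpg` is installed, verifying the detached OpenPGP signature on the sums file against a dedicated keyring. The image contents, the sums file and the keyring path are all constructed or hypothetical; the signing key in that keyring is assumed to have been obtained out of band, which is the step no script can do for you.

```python
"""Verify a downloaded image against a published SHA256SUMS file and,
where gpg is available, against the detached OpenPGP signature on that
sums file. Added example; not code from the Tails or Tor projects."""
import hashlib
import hmac
import shutil
import subprocess
import tempfile
from pathlib import Path


def parse_sha256sums(text: str) -> dict:
    """Parse the `sha256sum` output format: '<64 hex>  <filename>' per line.
    Lines that do not fit the format are ignored rather than trusted."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        name = name.lstrip("*")  # sha256sum marks binary-mode entries with '*'
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            continue
        entries[name] = digest.lower()
    return entries


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so multi-gigabyte images do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_image(image_path: Path, sums_text: str) -> str:
    """Return 'ok', 'mismatch' or 'unlisted'. An unlisted image is treated as
    a failure: a sums file that does not mention the file proves nothing."""
    expected = parse_sha256sums(sums_text).get(image_path.name)
    if expected is None:
        return "unlisted"
    actual = sha256_file(image_path)
    # constant-time comparison, so the check is safe to reuse server side
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def verify_detached_signature(signature: Path, signed_file: Path, keyring: Path):
    """Run `gpg --verify` against a dedicated keyring (hypothetical path) that
    holds only the publisher's signing key. Returns True/False, or None when
    gpg is not installed. GOODSIG means a key in that keyring made the
    signature; whether it is the right key is the out-of-band fingerprint check."""
    if shutil.which("gpg") is None:
        return None
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", str(keyring),
         "--status-fd", "1", "--verify", str(signature), str(signed_file)],
        capture_output=True, text=True)
    return any(line.startswith("[GNUPG:] GOODSIG") for line in proc.stdout.splitlines())


def demo() -> dict:
    """Constructed sample data: a fake image and three sums files that list it
    correctly, list a tampered digest, and omit it entirely."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "example-image.img"
        image.write_bytes(b"constructed image contents\n" * 1000)
        good = sha256_file(image)
        listed = f"{good}  example-image.img\n"
        tampered = f"{'0' * 64}  example-image.img\n"
        return {
            "ok": check_image(image, listed),
            "mismatch": check_image(image, tampered),
            "unlisted": check_image(image, "deadbeef  other.img\n"),
        }


if __name__ == "__main__":
    print(demo())
```

The digest check only proves the image matches what the sums file says; if both were fetched over the same connection, an attacker who could alter one could alter both, which is why the signature on the sums file (or on the image itself, as on the Tails page linked above) is the part that actually authenticates the download.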

One of the best technical reviews of Hacking Team's malware system RCS is:

http://labs.bromium.com/2015/07/10/government-grade-malware-a-look-at-h…
Government Grade Malware: a Look at HackingTeam’s RAT
Nick Cano
10 Jul 2015

"HackingTeam’s RCS is a fully-featured RAT with the ability to intercept large amounts of personal information, record conversations, access cameras, propagate to peripheral devices, and do it all without triggering any alarms. The source-code shows that the malware was developed by a very ambitious team, and the repository logs make it clear that it was under active development. The implications this carries are huge, especially considering HackingTeam’s customer list."

Cano answers the question: How does RCS work? In this post I want to answer two further questions:

1. Who are Hacking Team's customers?

2. How are they using (or rather abusing) HT's RAT?

A recent financial spreadsheet leaked from Hacking Team shows that since its founding in 2004, the company has taken in about 41.3 million Euros. The regional breakdown is

Europe 29%
Middle East 28%
Latin America 24%
Asia 15%
North America 4%

The breakdown by the nature of HT's customers is

Intel agencies 41%
LEAs 36%
Other 17%
Unknown 6%

Intriguingly, the US DEA (Drug Enforcement Agency) is listed as "Other", perhaps because its monitoring of the entire national internet of countries like Colombia, which is known to HT, makes it a foreign intel agency as much as an international law enforcement agency.

The document lists 64 current or former customers, located in 34 countries, and HT was trying to sell to another 4 customers at the time of the leak. The countries which have provided the most revenue to HT are

Mexico 11 2010 5.81
Italy 7 2004 4.02
Morocco 2 2009 3.17
Saudi Arabia 3 2010 2.91
Hungary 2 2008 1.90
Malaysia 4 2009 1.86
UAE 2 2011 1.83
USA 3 2011 1.46
Kazakhstan 1 2012 1.01
Sudan 1 2012 0.96
Uzbekistan 1 2011 0.92
Vietnam 2 2014 0.83

Many customers (including FBI and DEA) appear to have briefly tried RCS only to decide not to enter into a long-term contract.

The leaked documents include email addresses for about 40 HT employees over the years (including Administrative Support). Often one person uses several different addresses. Sometimes both HT employees and their customers appear to use pseudonyms.

The evolution of HT's customer base over the years is illuminating.

HT's first customer (acquired 2004) was an Italian LEA. Spanish intelligence became a customer in 2006. This should have been somewhat alarming given Spain's long history of fascistic government (and anyone who has followed recent legislation there knows that Spain has taken a decisive and tragic turn back towards fascism with its Vomit Law). The alarm bells definitely should have sounded when HT acquired a third customer, in Singapore, in 2008. Singapore is run with an iron hand by an unabashedly authoritarian government. The city state is the only nation in the entire world which immediately and enthusiastically adopted Poindexter's TIA (Total Information Awareness), and its human rights record gives cause for alarm.

Also in 2008, Hungary became a customer, then Morocco and Malaysia in 2009. Malaysia's human rights record was already deteriorating when it became an HT customer, and Morocco soon followed. There are also questions about the actions of Hungary (like Spain, another nation which was formerly governed by fascists) against Roma people ("gypsies"), a group numbered among the first victims of the original European fascists.

Vincenzetti argues that a country which becomes a customer when its government is democratic (Morocco was one of the first nations to throw off strongman rule in the recent round of revolutions in North Africa) might later take a turn down a dark road, as has happened in Morocco. Which begs the question: why didn't HT boot Morocco and disable its "collectors" as its human rights record deteriorated? The answer is obvious: HT needed the money.

In 2010, Saudi Arabia became an HT customer, and since then has provided the largest annual revenue to HT. Then Turkey, Egypt, and Uzbekistan became customers in 2011. The human rights records of each of these countries shows very clearly that by 2011 Vincenzetti had abandoned all pretense of refusing to sell APT malware to the most abusive governments on Earth.

A new low point occurred in 2012, when via its shady partner in cyberespionage-as-a-service, NICE, HT acquired a new customer, the notoriously corrupt government of the state of Bayelsa in Nigeria. According to Nigerian papers reacting to the publication at Wikileaks of the leaked HT emails, soon after the Bayelsa account became active, then-governor Seriake Dickson distributed free smart phones to politicians and journalists. These smart phones had allegedly been infected with HT's APT malware. It seems that HT spied on Bayelsa state "collector" servers to verify that Dickson was misusing their RCS system, but apparently the money was too good for HT to use its "kill switch" to shut down the Nigerian collectors. The Bayelsa account eventually resulted in about a half million Euros revenue for HT.

Many of HT's customers are poorly known to HT, since they deal with HT through its partner NICE, the Israeli cyberwar-for-hire company. In such cases, HT appears to accept without question assurances from NICE that a given customer is "respectful of human rights". As pointed out in the comments above, this claim is hardly credible since CEO David Vincenzetti was following human rights issues involving such customers as Egypt, Nigeria, Saudi Arabia, Sudan, Uzbekistan, and Vietnam, whose governments are notorious for their human rights abuses. Indeed, almost all of HT's most enthusiastic customers, for example Malaysia, could be described as "sketchy at best" when it comes to respecting the civil rights of citizens.

The emails show that the poorer nations often try to get as much as they can for free. One gets the impression that when pressed, they often cite an urgent "national security need" [sic] to shut down a particular blog or to spy on a particular political opponent, and surveillance-as-a-service customers raise few if any objections to such short-term goals.

Some of HT's customers appear anxious to hide as much information as possible about their activity, and even their identity. Others seemed to seek to get around NICE to deal directly with HT, but generally speaking, most customers seem to prefer to set up front companies to run their RCS accounts.

One example is particularly interesting because it appears to show HT colluding in an attempt to evade EU law. Russian secret agents appear to have set up a front company in Moscow called

JSC Advanced Monitoring
+7 495 737-61-97
advancedmonitoring.ru

This company partners with a "research institute" at Moscow State University called Kvant ("quantum"), but it appears to be a rather transparent front for FSB (Federal Security Service), the successor agency to the KGB. From a blurb for an "academic research" conference apparently sponsored by Kvant:

> Vulnerabilities of Android Cryptographic Applications
> Author: Pyotr Khenkin
> The report will cover the most well-known mobile applications for Android (with the focus on the USA market), which deal with user information — text encoders, user credentials storages, messengers. The results of the performed research show that none of the considered applications complies with the stated characteristics. They include both indirect and direct security threats, which allow accessing confidential data.
>
> Pyotr Khenkin
> System analyst at JSC Advanced Monitoring. Graduated from the Academy of Federal Security Service of Russia, has a wide experience in the cryptographic research of algorithms and their implementation in various operating systems. His area of interest also includes information system security analysis and software research in terms of information security.

I suggest these rough analogies:

NSA : FSB
IARPA : Kvant
Leidos : JSC Advanced Monitoring

The Russian account was still active in August 2014, which apparently is a violation of EU law. See

http://arstechnica.com/tech-policy/2015/07/hacking-teams-surveillance-s…
Hacking Team apparently violated EU rules in sale of spyware to Russian agency
Cyrus Farivar
17 Jul 2015

The emails confirm that HT is one of dozens of major international cyberwar-as-a-service corporations which compete for the same customers. Many of them are based in Israel; for example, Elbit (which also sells surveillance drones and missiles) vied with HT to acquire Kazakhstan as a customer. The emails also confirm that these companies often form uneasy partnerships (e.g. HT and NICE), and then proceed to try to cheat each other by violating non-competition agreements. Further, the emails show that several HT employees left to found competing companies, which led to many (many!) emails between DV and his lawyers.

These communications are almost entirely unencrypted. And we must always bear in mind that one of the functions of NSA's XKEYSCORE system is to collect and funnel to NSA's long term storage intercepts of private data being stolen by criminal or espionage actors. In particular, NSA has considerable visibility into networks in Italy, Nigeria, etc.

The fact that sensitive emails are so often encrypted poorly or not at all shows that as long as NSA can keep its clunky XKEYSCORE clandestine servers operating in target nations, it can rather easily keep tabs on all the world's spies, LEAs, and criminals. It clearly doesn't use that information for good purposes, however. NSA never even considered warning Nigerian activists that their emails were being read, their phone calls overheard by the Nigerian government. It never even considered warning human rights activists in the US that their computers had been trojaned by the Syrian government. Clearly, NSA's only interest is in grabbing ever more power and influence by spying on an ever expanding fraction of all the world's people. It cares not one jot for the human rights of anyone, anywhere.

The cybersecurity of HT's key partner, NICE, is astonishingly lax, and this company's collection servers are apparently easily spied upon by various other actors, not just NSA. See

http://www.theregister.co.uk/2014/05/29/spy_platform_zero_day_exposes_c…
Spy platform zero day exposes cops' wiretapped calls
Darren Pauli
29 May 2014

The leaked documents also show much evidence of amazingly lax security standards at HT.

For example, at least six HT employees were regularly taking English lessons, apparently paid for by HT, and to judge from the regularity with which they broke their appointments, this was among their least enjoyable job-related activities.

In Sep 2014, the language teacher explains to a new student

> Morning! As we discussed in the last lesson, let's do a role play of a scenario that you do at work. So bring anything you need to the lesson. See you this afternoon! Peter

The language teacher regularly exchanged Evernote powered emails correcting his students' language exercises, which reveal substantial hints about employee experience at Hacking Team. Snippets suggest that essential skills at Hacking Team include:
> You have to be able to speak using layman terms
> to give demos of the product
> to automatize something
> to smooth something out = fix it, make it better
> to tweak something (to make a small change)
> To deal with the questions / problems

The employee emails include disparaging comments:

> They eat too much meat in Mexico.
> He didn’t know how to use the software.
> They never look in your eyes when they use the phone.
> Barack Obama: short greying hair, athletic build,
> Dresses professionally in a suit, Good social skills, No
> substance (just a media guy).

They discuss personal details and events at work:

> How did you learn to do these things?
> I started studying computer science when I was 13 years old.
> They ask us about the level of privacy in the system.
> a government agency.
> Eavesdropping.
> Sensitive information.
> To bust = to arrest
> Sketchy = suspicious and dangerous
> There is no trace of the operation.
> You can follow the target’s movements.
> The media don’t speak about it.
> Activists entered in our office.
> Security removed them.
> They published an old manual of ours.
> the media are all over it.

They discuss job-related difficulties:

> This problem has existed forever.
> It’s still not fixed by all the internet companies
> It’s an example of my abilities. A marketing project / Self promotion
> My rapport with him is very complicated.
> People get too big for their boots.
> He is lost and confused. He is anti-social because of
> psychological problems. He’s an alcoholic.

They make confessions which might be inappropriate in company email:

> I might create my own company.

So how has HT responded to vocal criticism from human rights organizations around the world? Has it cleaned up its act? Not exactly.

Here is Emad Shehata, Key Account Manager for Africa, writing to a potential customer in Kenya on 27 Apr 2015 with the standard HT "pitch":

> Dear Sir, I’m Emad Shehata, Key Account Manager in charge of your country.

> Since you have showed interest in our product, I take the occasion to send you some information related to the latest version of Remote Control System, codenamed Galileo. Galileo is designed to attack, infect and monitor target PCs and Smartphones, in a stealth way. It allows you to covertly collect data from the most common desktop operating systems, such as:
> * Windows
> * OS X
> * Linux
>
> Furthermore, Remote Control System can monitor all the modern smartphones:
> * Android
> * iOS
> * Blackberry
> * Windows Phone
>
> Once a target is infected, you can access all the information, including:
>
> * Skype calls
> * Facebook, Twitter, WhatsApp, Line, Viber and many more
> * device location
> * files
> * screenshots
> * microphone
>
> and much more. To protect your operations, resistance and invisibility to the major endpoint protection systems is integral to the solution. Galileo also introduces Intelligence, a module designed to correlate the collected information, to speed up your investigation and highlight relevant connections.
>
> There is more to show you than this. If you are interested, please get in touch: we would be more than happy to schedule a presentation and live demonstration at your premises.

The Kenyan customer replies with an urgent special request:

> Dear Emad, Hope this email finds you well. We have seen your proposal on the Galileo product and all looks great and would wish to move forward. Meanwhile, there is a quick task we have for you:
>
> 1) There is a website we would wish you urgently bring down, either by defacement or by making it completely inaccessible. The website url is http://www.kahawatungu.com. If you can bring this site down, it would serve as a great proof of concept for your capabilities and also provide a means of immediate engagement.
>
> Please let me know if this is possible, and how soon you can have it done. Best regards, Support team.

HT Operations Manager Danielle Milan then sends a worried email to Shehata warning that "the url (http://www.kahawatungu.com) they asked us to tear down is a news website that is highlighting corruption and other wrongdoings in the Kenya government. I don’t think we want to be involved with this". Initially, Vincenzetti appeared to agree, but as of June 2015, it seems that instead of declining the Kenyan account, HT was trying to "educate" this potential customer to be a little less direct in expressing its eagerness to use RCS to attack anti-corruption bloggers.

The well-known anti-cybercrime blogger Brian Krebs is generally approving of "darknet take downs" by entities such as FBI, but he too appears to recoil from HT's abuse of the internet:

https://krebsonsecurity.com/2015/07/hacking-team-used-spammer-tricks-to…
Hacking Team Used Spammer Tricks to Resurrect Spy Network
Brian Krebs
7 Jul 2015

> New analysis of the leaked Hacking Team emails suggests that in 2013 the company used techniques perfected by spammers to hijack Internet address space from a spammer-friendly Internet service provider in a bid to regain control over a spy network it apparently had set up for the Italian National Military Police.

Krebs is referring to the fact that HT colluded with an Italian agency and a telecom to subvert a critical internet protocol, BGP:

http://arstechnica.com/security/2015/07/hacking-team-orchestrated-braze…
Hacking Team orchestrated brazen BGP hack to hijack IPs it didn’t own
Hijacking was initiated after Italian Police lost control of infected machines.
Dan Goodin
12 Jul 2015

"Over a six day period in August 2013, Italian Web host Aruba S.p.A. fraudulently announced its ownership of 256 IP addresses into the global routing system known as border gateway protocol, the messages document. Aruba's move came under the direction of Hacking Team and the Special Operations Group of the Italian National Military Police, which was using Hacking Team's Remote Control System malware to monitor the computers of unidentified targets. The hijacking came after the IP addresses became unreachable under its rightful owner Santrex, the "bullet-proof" Web hosting provider that catered to criminals and went out of business in October 2013, according to KrebsOnSecurity."

Of course, this is precisely the kind of naked abuse of governmental powers which flourishes in the atmosphere of "dark governance" introduced and energetically promoted around the world by USG.

Bloggers with a wide range of political perspectives have called for prosecution of Hacking Team. But predictably, "the authorities" are so far focusing on investigating suspected leakers:

http://gadgets.ndtv.com/internet/news/ex-employees-probed-for-attack-on…
Ex-Employees Probed for Attack on Surveillance Software Maker Hacking Team
Reuters, 18 July 2015

"Milan prosecutors are investigating six former employees of surveillance software maker Hacking Team in connection with a massive attack on the data system of the Italian cyber-security firm, sources familiar with the case said on Friday."

There has already been some major political "fallout" from the leaked emails:

http://in-cyprus.com/intelligence-service-chief-steps-down/
Intelligence Service chief steps down
incyprus — 11/07/2015
KYP-PENTARAS

"The head of the Cyprus Intelligence Service (KYP), Andreas Pentaras, has resigned following revelations that the island’s secret service department had purchased spy-hacking software. Last week, leaked documents revealed that KYP had paid €50,000 for what appeared to be remote attack vectors from Italian company ‘The Hacking Team’ in order to spy on persons of interest by either hacking their mobile telephones or other electronic devices like laptops and Ipads."

http://radiobiafra.co/index.php?option=com_k2&view=item&id=102987:in-su…
In Suicide Note, South Korea Hacking Expert Denies Domestic Spying
19 July 2015

"A hacking specialist at South Korea’s National Intelligence Service who was found dead left a suicide note denying that his team spied on South Korean citizens’ cellphone or other online communications, the police said on Sunday. The 45-year-old agent, who was identified only by his last name, Lim, was found dead in his car near Seoul on Saturday. His apparent suicide came as the political opposition demanded an investigation into suspicions that the spy agency had been intercepting the cellphone and computer communications of South Korean citizens, including government critics, using software it purchased from the Italian firm Hacking Team."

"Last week, the agency admitted buying hacking programs from the Italian company in 2012. But it said the purchase was for research purposes as it tried to bolster its spying on North Korea. South Korean bloggers, news outlets and opposition parties have cited Hacking Team’s leaked data to suggest that the agency may have spied on the country’s own citizens... South Korea held a presidential election in 2012, and a former spy chief is on trial on charges of leading a secret online smear campaign against the rivals of the eventual winner, President Park Geun-hye."

The agent left a note denying that his agency had used RCS to spy on political opponents of President Park.

Given the widespread interest from newspapers all around the world, as well as human rights groups, it seems undeniable that leaking the information from HT was clearly in the public interest. Examples:

Kenya's abuse of RCS:

http://tuko.co.ke/19859-wikileaks-how-kenyan-government-tried-to-tear-d…
WIKILEAKS: How Government Wanted To Spy On Kenyans
Dickens Kasami
14 Jul 2015

http://mobile.english.rfi.fr/africa/20150717-kenyan-government-asked-ha…
Kenya : Kenyan government asked Hacking Team to attack dissident website
Daniel Finnan
17 July 2015

Nigeria's abuse of RCS:

http://www.metronaija.com/2015/07/bayelsa-governor-hires-worlds-most.ht…
Bayelsa Governor Hires World’s Most Ruthless Hackers To Hack Computers
9 Jul 2015

Vietnam's abuse of RCS:

http://www.theregister.co.uk/2015/07/13/hacking_team_vietnam_apt/
Hacking Team's snoopware 'spied on anti-communist activists in Vietnam'
John Leyden
13 Jul 2015

HT hawking its RAT to Bangladeshi death squads:

http://motherboard.vice.com/read/leaked-emails-show-hacking-team-lied-t…
Leaked Emails Show Hacking Team Lied to Its ‘Rascal’ Customers
Lorenzo Franceschi-Bicchierai
July 14, 2015 // 02:50 PM EST

"Contrary to its public claims of vetting customers to make sure its software wouldn’t be abused, leaked documents and emails showed that Hacking Team, sold its spyware to authoritarian countries with poor human rights records such as Ethiopia or Sudan, and even considered selling to Bangladesh’s “death squad,” and Rwanda."

So what's next? Recent email exchanges between HT and Insitu, a Boeing subsidiary which makes surveillance drones for militaries, intelligence agencies, and LEAs, confirm warnings from privacy advocates that drone makers are seeking to provide US LEAs with the ability to insert malware into the devices of targeted citizens from overflying drones (a technique which has been extensively used by NSA to attack all WiFi-enabled devices of all citizens in certain nations):

https://firstlook.org/theintercept/2015/07/18/hacking-team-wanted-infec…
Hacking Team and Boeing Subsidiary Envisioned Drones Deploying Spyware
Cora Currier
2015-07-18

"There are lots of ways that government spies can attack your computer, but a U.S. drone company is scheming to offer them one more. Boeing subsidiary Insitu would like to be able to deliver spyware via drone. The plan is described in internal emails from the Italian company Hacking Team, which makes off-the-shelf software that can remotely infect a suspect’s computer or smartphone, accessing files and recording calls, chats, emails and more."

This, evidently, is how companies like HT intend to "leverage" the Internet of Things (IoT) to harm even more citizens, if they are not eliminated from the international marketplace.

July 21, 2015

A further indication that Hacking Team is fated for corporate death: its former partners are denouncing, and racing to distance themselves from, its repugnant business practices.

http://arstechnica.com/security/2015/07/firm-stops-selling-exploits-aft…
Firm stops selling exploits after delivering Flash 0-day to Hacking Team
Dan Goodin
20 Jul 2015

> Security firm Netragard has suspended its exploit acquisition program two weeks after it was found selling a potent piece of attackware to the Italian malware developer Hacking Team.
>
> Netragard has long insisted that it sold exploits only to ethical people, companies, and governments. An e-mail sent in March and leaked by one or more people who compromised Hacking Team networks, however, showed Netragard CEO Adriel Desautels arranging the sale of an exploit that worked against fully patched versions of Adobe's Flash media player. Hacking Team in turn has sold surveillance and exploit software to a variety of repressive governments, including Egypt, Sudan, and Ethiopia.
>
> "Our motivation for termination revolves around ethics, politics, and our primary business focus," Desautels wrote in a blog post published Friday. "The Hacking Team breach proved that we could not sufficiently vet the ethics and intentions of new buyers. Hacking Team unbeknownst to us until after their breach was clearly selling their technology to questionable parties, including but not limited to parties known for human rights violations."

Strong stuff. Alas, Desautels is far from being a heroic defender of internet security: he goes on to argue that his own business, selling zero-days to government agencies--- hey, wait, isn't that precisely the putative business model of Hacking Team? Why, yes indeed--- is "legitimate" and "necessary". Well, he would say that, wouldn't he?

Former HT employees are beginning to speak out, describing an increasingly paranoid atmosphere inside the company as it continued further and further down the path charted by David Vincenzetti: selling the most powerful exploits to the world's most oppressive governments.

http://arstechnica.com/security/2015/07/italian-prosecutors-investigate…
Hacking Team goes to war against former employees, suspects some helped hackers
Cyrus Farivar
21 Jul 2015

> "[When I joined], they were only doing [penetration testing], they were only a defensive unit—the offensive unit had only existed for three months, it was brand new," [Alberto] Pelliccione told Ars.
>
> That changed, however, and Hacking Team’s income soon skewed heavily toward offensive products.
>
> "The environment at the beginning was really nice, it was a startup," Pelliccione noted. "After the first sales came in, the first bad guys were put in jail, it was nice, it was rewarding. Things changed when the customer base started to enlarge."
>
> Pelliccione said that things really started to change for Hacking Team in 2012. That was both the first crisis for the company (a critical article published in August on Slate) as well as the beginning of the company’s expanded sales. Pelliccione, who by that time was in charge of mobile R&D, said that the company began to put up more and more internal walls. He said the exploitation team eventually became separated from the R&D development team.
>
> "We had no idea what they were working on," Pelliccione continued. "We almost didn't have access. They really compartmentalized everything. That was really the moment that I stopped working there. What was the point of making so many secrets? There was a guy developing exploits for the mobile platform and I had no idea that he was working on exploits for my platform. It was normal to do that. I don't like that! We weren’t even talking any more."

Pelliccione confirms an episode mentioned in a comment above:

> In early November 2013, some Anonymous protestors even broke into the Hacking Team offices. "And from that point, they started to have physical security, there were cameras in the entrance and you needed a badge," Pelliccione said. "Before that you didn't need it except a padlock and a key to get into the office."
>
> He called the then-management at Hacking Team "oppressive."
>
> "I think that part of the reason was to avoid generating debates and discussions internally of who the customers were," Pelliccione continued. "That's the way I interpreted it when I was there. We shifted from a really open environment to a really closed environment. They started more making groups. There was a group called FAE (Field Application Engineers): they created this group and they were in charge of pre-sales and post-sales process. At some point they became completely separated from us. We didn't know what sales were in progress. They were five stories above us. Before, we were together, talking—this talking thing was really dis-incentivized."

July 28, 2015

The infamous Israeli arms dealer Ori Zoller was employed by NICE Systems as a Hacking Team reseller to the Honduran government:

https://firstlook.org/theintercept/2015/07/27/ak-47-arms-dealer-goes-cy…
Former AK-47 Dealer Goes Cyber, Supplied Surveillance Tools to Honduras Government
Lee Fang
27 Jul 2015

"The revelations are contained in the internal files and emails from Hacking Team, an Italian company that has sold spyware to repressive regimes and law enforcement agencies around the world, including Sudan and the United Arab Emirates. The Hacking Team files were dumped on the web by an anonymous source."

NICE Systems is just one of the dozens of kinetic/cyber arms peddling Israeli companies whose names keep coming up in almost everything evil happening anywhere in the world. The others are mostly located in USA and Europe. Curiously, all of these brutality-enabling countries style themselves as "democratic republics".

One can hardly praise the human rights practices of China or the former Soviet Union, but when one studies where the worst of the worst companies are based, one cannot help being struck by how few operate from Asia or Africa. Currently.

August 24, 2015

I'm playing with docker containers and tor/firefox/tbb — this might prove to become hard to hack, even if desktop is compromised at some level.
Docker might provide some more secure way to launch TBB I think — even better than a chroot.

In order to do that, I created a crafted docker image, with a dedicated user and ssh key — when I need some privacy, I just launch the docker image, and then "ssh -Y docker firefox", and that's it: contained firefox is running, in its own environment.

Might be a nice way, at least on linux systems…

Cheers,

C.
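A launcher for the container approach in the comment above, added here as an illustration and not the commenter's own script. The commenter's setup reaches the browser with `ssh -Y`, which is trusted X11 forwarding: the container's clients get the same access to the host X server as any local program, including the ability to read other windows' keystrokes, so the isolation is one-directional. This script instead starts a nested Xephyr display and mounts only that display's socket into the container, while dropping all capabilities, forbidding privilege escalation and keeping the root filesystem read-only. The image tag `tbb-sandbox:local` (assumed to start Tor Browser as its default command), the in-container uid 1000 with home `/home/sandbox`, and display `:9` are assumptions of the example; Xephyr must be installed on the host.

```shell
#!/bin/sh
# Added example, not code from the original comment. Assumes an existing image
# (hypothetical tag "tbb-sandbox:local") whose default command starts Tor Browser
# as uid 1000 with home /home/sandbox, and that Xephyr is installed on the host.
set -eu

IMAGE="${IMAGE:-tbb-sandbox:local}"   # assumed image name
NESTED=":9"                           # display number of the nested X server
XSOCK="/tmp/.X11-unix/X${NESTED#:}"   # the only X socket the container may see

# Emit the docker run argument list, one argument per line. The container gets
# no capabilities, cannot gain privileges through setuid binaries, has a
# read-only root with writable tmpfs for /tmp and the home directory, and sees
# the nested display's socket rather than the host's real display.
docker_run_args() {
    printf '%s\n' \
        run --rm \
        --cap-drop=ALL \
        --security-opt=no-new-privileges \
        --read-only \
        --tmpfs /tmp \
        --tmpfs /home/sandbox:exec \
        --user 1000:1000 \
        --pids-limit 256 \
        -e "DISPLAY=${NESTED}" \
        -v "${XSOCK}:${XSOCK}" \
        "$IMAGE"
}

# Count flags that would widen the sandbox (host namespaces, extra capabilities,
# privileged mode). A launcher that passes review prints 0.
forbidden_flags() {
    docker_run_args | grep -E -c \
        '^(--privileged|--net=host|--network=host|--pid=host|--ipc=host|--cap-add)' || true
}

# Start the nested X server. -ac disables access control on the nested display
# only; the host's real display keeps its own policy.
start_nested_x() {
    Xephyr -br -ac -noreset -screen 1280x800 "$NESTED" &
    echo $!
}

main() {
    xpid=$(start_nested_x)
    trap 'kill "$xpid" 2>/dev/null' EXIT
    sleep 1    # give Xephyr time to create its socket before the container starts
    # Arguments contain no whitespace, so word splitting of the list is safe.
    # shellcheck disable=SC2046
    docker $(docker_run_args)
}

case "${1:-}" in
    launch) main ;;
esac
```

Run it as `sh launcher.sh launch`; without the argument it only defines the functions, so `docker_run_args` and `forbidden_flags` can be sourced and inspected before anything is started. Network access is deliberately left as the image's default, since Tor Browser needs it; what the container cannot reach is the host display, host PID namespace or any capability.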