‘One takes on invincibility defending, one takes on vulnerability attacking.’
The sale and use of surveillance products developed by Western firms isn’t anything new, but there have been some revealing developments. Wired.com covered the Intelligence Support Systems (ISS World) conference back in 2006, which brought together vendors and prospective customers from around 30 nations, but we could say the current trend started in the late 1990s with the establishment of what’s known as the Great Firewall of China.
A lot more information became available in recent months, partly because of the ‘Arab Spring’, and largely because it transpired that a handful of repressive regimes were (and still are) using Western technology to monitor and censor communications, and much of this has been traced to ISS World vendors.
The Wall Street Journal, the Telecomix Blue Cabinet project, Wikileaks and Wired.com have outlined the technologies and services being traded over the last decade, and from this we can derive something about the industry’s trends. Initially surveillance was mainly about intercepting traffic, but today everyone has the means to communicate over secure channels like SSL/HTTPS. To get around this, various government and law enforcement agencies are now concentrating on the endpoints – in particular through the use of ‘remote forensics’ malware to exfiltrate information before it’s encrypted and communicated, and perhaps to manipulate the systems remotely. DigiTask and Hacking Team are just two examples of this. Other vendors, like Vupen Security, are selling exploits and the usual malicious hacking services.
Overall, the surveillance industry is beginning to imitate the ‘black hats’ and ‘script kiddies’, with most services being variations on the same thing.
Thanks to excellent journalism by Wired.com, Bloomberg and Privacy International, we also have some insight into those involved with ISS World. What I gained from this rather surprised me.
My impression, from reading those reports, is that ISS World is more a kindergarten for an assortment of amateurs and Walter Mitties, their behaviour strongly suggesting a very limited background in security. Many of them are essentially ‘black hats’ operating as registered companies, with little regard for the kind of ethics developed by true hackers.
This is actually important, because it indicates the surveillance industry is substantially less advanced than it first appears, the people attending ISS World lack understanding of key areas like threat assessment, and there are even discrepancies between what they advertise and what we’ve actually seen in practice. This is why Vupen, DigiTask and Hacking Team are able to find a market here. Wired.com journalist Thomas Green also reached a similar conclusion. I’d say it’s certain the surveillance methods are ineffective against reasonably well-defended targets.
Meanwhile, the following are countermeasures that immediately come to mind, based on the observation that SSL/HTTPS connections themselves are very secure, and surveillance is concentrated instead on the endpoints. The aim should be a secure connection between a trusted client and server. While these measures won’t guarantee safety, they’ll massively reduce the risks.
* Follow the same precautions that apply to common malware and everyday security.
* When communicating, check the server’s certificate in case a third party is impersonating the destination address.
* Become familiar with the operating system and look for any unusual processes. Don’t rely on cheap/free anti-malware systems.
* If possible, use another host on the local network to monitor traffic from a suspect device.
* Consider running a trusted live OS from the CD/DVD drive, instead of whatever’s installed.
* Finally the golden rule of COMSEC: Assume all communications are being intercepted.
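The certificate check in the second point can be automated: record the server’s certificate fingerprint over a connection you trust, then compare it on every later connection, so that a third party presenting a different certificate for the same hostname stands out even when that certificate chains to a CA the operating system trusts. The script below is an added example, not code from the original post; the host name and expected fingerprint are placeholders to be replaced with your own recorded values.

```python
# Added example (not from the original post): pin a server's certificate
# fingerprint and compare it on each connection. A changed fingerprint is a
# sign that someone else is answering for the destination address.
import hashlib
import hmac
import socket
import ssl


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(der: bytes, expected: str) -> bool:
    """True when the observed certificate matches the recorded fingerprint."""
    observed = cert_fingerprint(der).replace(":", "").lower()
    wanted = expected.replace(":", "").lower()
    # Constant-time comparison; also returns False on a length mismatch.
    return hmac.compare_digest(observed, wanted)


def fetch_leaf_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Open a TLS connection and return the server's leaf certificate (DER).

    Normal CA validation stays on: a certificate that fails it raises
    ssl.SSLCertVerificationError, which is itself worth investigating.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Placeholders (assumed values): replace with the real host and the
    # fingerprint recorded over a connection you trust, e.g. from another network.
    HOST = "example.com"
    EXPECTED = "REPLACE-WITH-RECORDED-FINGERPRINT"
    der = fetch_leaf_cert(HOST)
    print("observed:", cert_fingerprint(der))
    if check_pin(der, EXPECTED):
        print("certificate matches the recorded fingerprint")
    else:
        print("WARNING: certificate differs from the recorded fingerprint")
```

Fingerprints change legitimately when a server renews its certificate, so a mismatch is a prompt to verify through a second channel rather than proof of interception.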
There’s also a BBC documentary on this: BBC File on 4: Cyber Spies