Slashdot Mirror


Autocratic Governments Can Now 'Buy Their Own NSA' (wired.com)

Citizen Lab has been studying information controls since 2001, and this week their director -- a Toronto political science professor -- revealed how governments (including Ethiopia's) are using powerful commercial spyware. Slashdot reader mspohr shared their report: We monitored the command and control servers used in the campaign and in doing so discovered a public log file that the operators mistakenly left open... We were also able to identify the IP addresses of those who were targeted and successfully infected: a group that includes journalists, a lawyer, activists, and academics... Many of the countries in which the targets live -- the United States, Canada, and Germany, among others -- have strict wiretapping laws that make it illegal to eavesdrop without a warrant... Our team reverse-engineered the malware used in this instance, and over time this allowed us to positively identify the company whose spyware was being employed by Ethiopia: Cyberbit Solutions, a subsidiary of the Israel-based homeland security company Elbit Systems. Notably, Cyberbit is the fourth company we have identified, alongside Hacking Team, Finfisher, and NSO Group, whose products and services have been abused by autocratic regimes to target dissidents, journalists, and others...

Remarkably, by analyzing the command and control servers of the cyber espionage campaign, we were also able to monitor Cyberbit employees as they traveled the world with infected laptops that checked in to those servers, apparently demonstrating Cyberbit's products to prospective clients. Those clients include the Royal Thai Army, Uzbekistan's National Security Service, Zambia's Financial Intelligence Centre, and the Philippine president's Malacañang Palace. Outlining the human rights abuses associated with those government entities would fill volumes.... Governments like Ethiopia no longer depend on their own in-country advanced computer science, engineering, and mathematical capacity in order to build a globe-spanning cyber espionage operation. They can simply buy it off the shelf from a company like Cyberbit. Thanks to companies like these, an autocrat whose country has poor national infrastructure but whose regime has billions of dollars, can order up their own NSA. To wit: Elbit Systems, the parent company of Cyberbit, says it has a backlog of orders valuing $7 billion.

Reached for comment, Cyberbit said they were not responsible for what others do with their software, arguing that "governmental authorities and law enforcement agencies are responsible to ensure that they are legally authorized to use the products in their jurisdictions."

35 of 109 comments

  1. Buy your own NSA! by 93 Escort Wagon · · Score: 1

    With Blackjack! And Hookers!

    --
    #DeleteChrome
  2. formally by Anonymous Coward · · Score: 1

    called intelligence sharing. They added a price on it. So what?

  3. Adobe Flash: spyware installer by MrKaos · · Score: 3, Informative

    How many more reasons are required to get rid of it.

    --
    My ism, it's full of beliefs.
  4. NSA never thought it would be so easy by AHuxley · · Score: 1

    In Capitalist West business sector malware collects on you.
    In Capitalist East NGO puts sanctions on you.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:NSA never thought it would be so easy by Hognoxious · · Score: 1

      And in Israel a despot's money is as good as anyone else's. Oy vey, you got to make a living already!

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  5. Re:You faggots and your tinfoil hats... by PopeRatzo · · Score: 4, Funny

    You faggots and your tinfoil hats...

    My hat has feathers and fruit and is fabulous.

    --
    You are welcome on my lawn.
  6. We're getting a private NSA in the US, too. by PopeRatzo · · Score: 3, Informative

    This story broke just a few days ago.

    http://www.theblaze.com/news/2...

    https://www.salon.com/2017/12/...

    Autocrats gonna be autocrats.

    --
    You are welcome on my lawn.
  7. Awesome investigative journalism! by Anonymous Coward · · Score: 2, Insightful

    The authors must be time travelers from the last century. It is rare to find this kind of true reporting today. Let's hope there are no accidents in their futures.

  8. The part they leave out: by Gravis Zero · · Score: 1

    The countries with real hackers are going to piggyback on your system and if need be, use it against you. However, there are some great DIY freedom oppression kits on the market.

    --
    Anons need not reply. Questions end with a question mark.
  9. can we PLEASE start calling out the vulnerability? by Anonymous Coward · · Score: 1

    TFA says:

    The emails were specifically designed to entice each individual to click a malicious link. Had the targets done so, their internet connections would have been hijacked and surreptitiously directed to servers laden with malware designed by a surveillance company in Israel

    Invariably, these things are due to running javascript by default which exposes a HUGE, HUGE attack surface. That is the underlying vulnerability so close to 100% of these things as not to matter.

    Anyone running javascript by default in 2017 is a fool. You NEED to shut it off to be secure on today's web. Not only from things like this, but simple commercial surveillance and random ad-injected malware.

  10. Why would Ethiopia care? by crimson tsunami · · Score: 1

    Many of the countries in which the targets live -- the United States, Canada, and Germany, among others -- have strict wiretapping laws that make it illegal to eavesdrop without a warrant

    Why would other countries care about United States, Canada, and Germany, among others -- strict wiretapping laws?
    It's not like those countries are going to respect say Ethiopia's domestic laws when they hack into their country.

  11. Re: If you're not breaking the law... by hackwrench · · Score: 2

    That's because they've passed so many stupid laws everyone is guilty of something and just want things to end one way or another already.

  12. Re: LOL @ USA by dreamchaser · · Score: 1

    And I hope you get the help you so desperately seem to need.

  13. Re:Impersonating me AGAIN? Please (lol)... apk by dreamchaser · · Score: 1

    You are all fake. APK would post with an actual username if he were not a cowardly troll.

  14. is there a NON autocratic government? by swell · · Score: 3, Informative

    Autocratic governments?

    I'm trying real hard to think of a government that would NOT do such things. Maybe Norway? Is there any country where government officials are not far more wealthy than the citizens? Any country where government officials are not exempt from the laws that apply to citizens? Any country where government officials don't receive a lifetime income for their short term in power?

    --
    ...omphaloskepsis often...
    1. Re:is there a NON autocratic government? by Antique Geekmeister · · Score: 4, Insightful

      Sweden. I'm quite impressed by their openness about government documents, and the very modest size and power of their government. They do have extensive social services, but they're very open and public about their public servants and policies.

    2. Re:is there a NON autocratic government? by Kjella · · Score: 2

      Autocratic governments? I'm trying real hard to think of a government that would NOT do such things. Maybe Norway?

      I'd say we're doing pretty good on the rest, but even in Norway there's a constant push for more data and more tracking usually with some form of regulation in mind. Probably the biggest debate right now is whether businesses should be forced to continue taking payments in cash. Between a high degree of online banking (>90%) and electronic invoicing, a very cheap national debit card (BankAxept) and most recently a very successful friend-to-friend payment system (Vipps) via phone numbers (which are all linked to national IDs, no anonymous phones) cash use is in extreme decline. If you pay a business more than $1200 in cash you can become guilty of assisting in tax fraud. A lot of public transport has made buying tickets in cash extremely expensive and only single trips, the rest is electronic tickets. At the doctor's office now you can't pay in cash, you can technically get a paper bill that you can go to the post office and pay in cash for a huge fee but it's getting increasingly impractical and expensive.

      A lot of stores now actually want to stop taking cash altogether, for now they're forced to accept it. Basically the costs of handling cash are higher than electronic payments and the loss of business would be trivial in many sectors, it's not something the market will fix. Maybe not grocery stores but finer restaurants, dentists etc. where you get a service and taking payment is a very small bit of what they do. Of course everything that's e-tail is already overwhelmingly electronic, technically you can pay at the post office but for a $6 fee to businesses, as a private person I'd have to pay $25 for a package where the recipient is paying me. On top of the actual delivery charge, that is. Even if we do get to keep it it's almost only as a last resort when everything else is down.

      --
      Live today, because you never know what tomorrow brings
    3. Re:is there a NON autocratic government? by NettiWelho · · Score: 1

      Sweden. I'm quite impressed by their openness about government documents, and the very modest size and power of their government. They do have extensive social services, but they're very open and public about their public servants and policies.

      You sound like someone who hasn't been or even knows anyone who's been in a conflict with authorities.
      The cake is a lie.

    4. Re:is there a NON autocratic government? by Antique Geekmeister · · Score: 1

      My knowledge of Sweden's government behavior is based on reports from some business colleagues and residents. Are you saying that _Sweden_ is abusive to civil rights and has excessive government regulation? They do have extensive regulation, but according to the residents I've spoken with it's clear, consistent, and publicly accessible. The secrecy of a hidden intelligence-gathering with NSA style monitoring would seem to be in direct violation of the Swedish constitution, specifically the "Public Access to Information and Secrecy Act".

  15. How to build your nation's collection system by AHuxley · · Score: 2

    For an NSA you will need a list of nations that can support your staging servers and collection sites.
    Start with a 5 eyes and grow it to NATO size.
    Make sure the nations are globally located to ensure world wide collect it all. Hide them for decades under UK/US names like Langeleben, Masirah Island, Mutlah Ridge, Silvermine, Two Boats, Windmill, Daniels Head. The media will never believe a whistleblower with names like that over the decades.
    Collect it all globally and when interesting people are found 4 hops from other interesting people use the power of the
    ANT catalog https://en.wikipedia.org/wiki/...
    Shop for some COTTONMOUTH, DROPOUTJEEP. Go full quantum insert.

    Problems with your global NSA style network.
    People notice the UK/US base building and expansion. Water use, cooling, power, Room 641A https://en.wikipedia.org/wiki/....
    Having private sector security guards run out and question people with a camera on public land in the area also draws internet attention to a sensitive site.
    Ex mil who take up the first amendment audit hobby know who your contractors are and will tell the world about communications front companies.
    Having to use the other domestic law enforcement "agencies" to provide domestic color of law when spying within the USA.
    Too many people have to know and support global collect it all. Courts, telcos, contractors, lawyers, big brands, junk OS developers, tame AV brands, mil, federal investigators and police. Ex and former staff then tell their faith, cult, new boss, criminal groups, other governments for cash.
    Problems like SISMI-Telecom scandal https://en.wikipedia.org/wiki/... , Greek wiretapping case 2004–05 https://en.wikipedia.org/wiki/...–05 start to happen as too many people have the trapdoor, back door to junk encryption.
    The global collection network gets too big and is then discovered, access is sold to criminals, shared with faith groups.
    People who really map and understand the "internet" start to find the security services' once hidden staging servers and copy out all the gov/mil grade malware.
    Too many contractors trying to keep too many secrets that still have to give full access to the US gov and mil in real time.
    Having to tell political leaders success stories to get next year's budget. Political leaders then tell the media of winning. Secrets get told and the media spreads the best collection methods to anyone who can follow the news.
    Low pay for gov and mil workers. Contractors getting more pay. Criminals, cults and other nations walk in and help with cash payments and an understanding conversation. Too many internal spies are created as too many people know too much and can't cover their living costs.

    How to make a GCHQ.
    Follow the US idea of global collection but put a lot more effort into the actual interesting people.
    Don't tell your contractors, lawyers, courts, police, media of the results, methods, tools.
    Pay your mil and select contractors really well. Don't let trusted staff talk to the media, human rights lawyers, courts.
    No need to mention car, van, helicopter, aircraft tracking for any reason to anyone. The results of pushing malware into any cell phone.
    Just pass the results onto a select few trusted mil and police units. Set up something within your own police like the Royal Ulster Constabulary Special Branch. Get them to work with the mil and social forces. Stay away from all other police, lawyers, courts. Act on results using the special forces and very select loyal police units only.

    Such secrecy is now needed as telcos, courts, police, some in mil, gov, political parties, NGO, human rights groups are now flooded with people who have never had background investigations.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re: How to build your nation's collection system by AHuxley · · Score: 1

      Exchange of documents was on an eye for an eye basis.
      The 4 other nations stayed in the dark on what the US could see.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:How to build your nation's collection system by AHuxley · · Score: 1

      FIRSTFRUITS needs all cap names so it can track when a whistleblower sends files to a member of the media.

      --
      Domestic spying is now "Benign Information Gathering"
  16. RTFA by MrKaos · · Score: 1, Informative

    Adobe Flash is mentioned about 10 times as an attack vector. Try reading the article.

    --
    My ism, it's full of beliefs.
    1. Re:RTFA by pedz · · Score: 1

      Did I misread it? My interpretation was that it wasn't actually Adobe Flash but an infected piece of software pretending to be Adobe Flash.

      Don't misunderstand. I 100% agree that Adobe Flash (and Adobe itself) need to die.

  17. Re:If you're not breaking the law... by mschwanke97402 · · Score: 3, Informative

    Little passage in the Constitution about being secure in our persons and papers. The government needing a warrant, etc.

  18. Re:If you're not breaking the law... by Anonymous Coward · · Score: 1

    It is illegal to tell someone, even a member of family, why someone has been arrested by a secret service. Strict liability applies and the sentence is 5 year jail. That's why there is no evidence and that's the reason why your statement is ignorantly idiotic.

  19. Is this why 85% of humanity... by wisebabo · · Score: 1

    ... doesn't live in a full democracy? Or is it because 85% of humanity doesn't live in a full democracy that these systems are being sold?

    http://www.atlantic-community....

  20. Sounds familiar by sjames · · Score: 3, Insightful

    Cyberbit said they were not responsible for what others do with their software, arguing that "governmental authorities and law enforcement agencies are responsible to ensure that they are legally authorized to use the products in their jurisdictions."

    Said the crack dealer behind the middle school.

    1. Re:Sounds familiar by CaptainDork · · Score: 1

      Said the gun manufacturers.

      --
      It little behooves the best of us to comment on the rest of us.
  21. I'm not afraid of government by rsilvergun · · Score: 1

    I'm afraid of the aristocracy. Those are different things. And while the aristocracy has better tools to keep the working class down so too has the working class gained its own tools. Knowledge mostly. As people learn more and become more grounded in reason and a belief in science and cause/effect it becomes harder to manipulate them. China's experiencing this with a growing middle class. America is seeing it with a general mellowing out of our religious zealots. It'll continue to spread making it harder and harder for the aristocracy to use their old standbys for controlling the rabble (wedge issues and racism).

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  22. Re: Fuck all of you assholes! by Anonymous Coward · · Score: 1

    As many as Trump says he lost? Vs the actual number, zero.

    Statistically, the TSA-imposed delays have stolen more man-hours' worth of life than the terrorists did.

  23. Re: You faggots and your tinfoil hats... by PopeRatzo · · Score: 2

    I think you mean that your hat has feathers and it helps everyone see that you're a fruit.

    I didn't hear you complaining last night.

    --
    You are welcome on my lawn.
  24. Normalization of Data Collection by JabrTheHut · · Score: 1

    Elbit employees probably believe that this is normal and routine, given the spying Israel does on the Palestinians. Elbit employees will be routinely involved in helping to target, blackmail and implicate Palestinians regularly. Why should they believe that this is not normal, and therefore why would they oppose the sale to any authoritarian government, regardless of what they do with it?

    --
    Work like no one is watching. Dance like you've never been hurt. Make love like you don't need the money.
  25. Subject to concern by Impy the Impiuos Imp · · Score: 2

    I've posted a dozen times how our own government, wanting backdoors into everything, was instantiating 1984 for billions worldwide as dictatorships used it for its real purpose, to keep their political opponents down.

    Yey, we catch a few crooks. For every notch in the fed's belt, envision 100,000,000 or more with a boot on their neck...forever.

    It's also not in accordance with the design principles of the US government, where the Constitution is concerned with forbidding the tools of tyranny to begin with.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  26. Re: If you're not breaking the law... by mschwanke97402 · · Score: 1

    Your email isn't on paper, and it isn't on your person. Fair game.

    The Constitution was written before email and electronic documents could even be imagined as you certainly know. The thing is that with the Constitution we also got a Supreme Court to help us interpret it. The court has held that it doesn't have to be on paper to be considered to be as if it were. Police still need a warrant. If you don't like that the Constitution also provided that you could get an amendment passed that would override the court's rulings. Oh, BTW, being secure in our person doesn't have anything to do with documents or items in our pockets. It is a protection from arbitrary arrest.