Original URL: http://www.theregister.co.uk/2011/12/01/security_firms_compete_to_sell_snoopware_to_repressive_governments/

Inside the shadow world of commercialised spook spyware

'We'll penetrate commsats, undersea cables, Skype ...'

By Duncan Campbell

Posted in Developer, 1st December 2011 10:52 GMT

Exclusive Western and Chinese high-tech companies are competing aggressively to sell, install and manage intrusive and dangerous internet surveillance and communications control equipment for the world’s most brutal regimes, a six-month investigation has found.

During 2011, investigators from Privacy International, a London-based NGO, infiltrated a circuit of closed international surveillance equipment marketing conferences, obtaining private briefings and technical product specifications from contract-hungry sales executives. The group will publish its data and document haul on the net today, in conjunction with other campaigners.

The scale and audacity of the proposals in many of the companies’ documents and hand-out DVDs is breathtaking. They describe and offer for unrestricted sale technologies which were in existence a decade ago, but which were held in utmost secrecy by major intelligence agencies such as the US National Security Agency (NSA) and Britain’s GCHQ.

Over 150 international companies now trading in this sector have been identified during the research. The majority of them did not exist or were not offering electronic surveillance products, even in the early noughties.

Companies exhibiting at the shows now openly offer to target and break specific international commercial communications satellites, including Thuraya (covering the Middle East), Iridium satellite phones, and Marlink’s VSAT. Commercial satellite intercept was previously the almost exclusive turf of GCHQ and NSA’s Echelon satellite interception network.

Other companies offer routinely to install malware on phones and PCs, to break SSL encryption on web connections and A5 crypto on mobile phones, or to break into high-capacity optical fibre networks.

Glimmerglass Networks Inc from Silicon Valley presented in Washington last month on “optical cyber solutions”. These include splicing into optical fibres at “submarine cable landing stations”, “international gateways” and POP or peering points. The techniques used for these operations were developed secretly by the NSA in the 1990s, and have hitherto been a closely guarded secret.

Pushing their “Intelligent Optical System” surveillance system last month, Glimmerglass claimed that its customer intelligence agencies “gain rapid access, not just to signals, but to individual wavelengths on those signals. An LEA [Law Enforcement Agency] operator can quickly and easily select any signal from hundreds, send that signal to a de-multiplexer for access to one of the many wavelengths inside, and then distribute the desired wavelengths as needed. The IOS can make perfect photonic copies of optical signals for simultaneous distribution to grooming equipment and probes for comprehensive analysis”.

Their show included “probes and sniffers” that started with “photonic copies” and ended up with huge personal network displays, including personal connectivity analysis from web logs, webmail and Facebook.

To monitor all of everyone’s communications traffic, the company has claimed, “you need to do much of it optically ... You can pick some off cell phones. But the top of the [intelligence gathering] funnel is coming through optically ... you need to manage that.”

Glimmerglass was formed in 2000. In the same year, long before 9/11 and on the opposite bank of San Francisco Bay, AT&T engineers working for NSA were installing optical fibre taps inside a major San Francisco city internet exchange, tapping into US west coast peering points and switches for the global internet.

In European and US shows over the last six months, Hacking Team of Milan and Gamma International, a controversial British company, have offered customers including police and intelligence agencies explicit hacking attacks including “stealth spyware for infecting and monitoring computers and smartphones” and lectures on “applied hacking techniques used by government agencies”.

Next week at the latest ISSWorld show in Kuala Lumpur, Hacking Team will be pushing its “Remote Control System 7 – the ultimate cyber-intelligence solution for covertly monitoring computers and smartphones”. They have also provided “in-depth, live demonstration(s) of infection vectors and attack techniques”.

RCS7 is claimed to be “invisible to most protection systems”, “resistant to system restoration technologies” and “proven” to be able to intercept mail and web traffic including Skype and PGP.

In Britain in January, at a government invitation-only Farnborough show, Security and Policing 2012, organised by the Home Office’s Centre for Applied Science and Technology (CAST), Gamma Group are billed as presenting their “unique” “FinFisher IT Intrusion products”, which they claim “contain the most comprehensive online research and infection functionality found in any other solution [sic]".

FinFisher also claim that their “superior training at Gamma’s IT Intrusion Training Institute" differentiates Gamma International as the leading company in the field of cyber surveillance and counter surveillance. In fact, the company appears to be operating from a tiny trading estate warehouse in Andover (Google Earth document).

andover_screenshot

A little warehouse in Hampshire... Investigators have pinpointed the location of FinFisher's HQ (Google Earth document).

Since the PI investigation was planned a year ago, equipment, plans and manufacturers’ braggadocio about the power of their kit has have been recovered by Arab insurgents who have toppled governments in Cairo, Tripoli and elsewhere. More revelations are expected as the Arab Spring progresses.

After the collapse of the Mubarak regime in Egypt in April, insurgents broke into the State Security Investigations (SSI) branch. Among the batons and torture equipment recovered was a €250,000 proposal from Finfisher to install its “Finspy” hacker kit.

Mubarak regime offered 'full control' of computers of 'targeted elements'

After being offered a free trial, SSI investigators reported in seized Arabic documents (PDF) that the software “could get into email accounts of Hotmail, Gmail and Yahoo", as well as allowing "full control" of the computers of "targeted elements". SSI also reported “success in breaking through personal accounts on Skype network, which is considered the most secure method of communication used by members of the elements of the harmful activity because it is encrypted".

Gamma International has claimed to the press that it “has not supplied any of its Finfisher suite of products or related training to the Egyptian government". It has refused to comment on the documents recovered in Cairo.

'How many dictatorships did they think I was representing?' – PI investigator Eric King

In France last month, PI lead investigator Eric King netted the offer of an expenses-paid trip to Beijing to visit China Top Communications (CTC), a government-owned company whose overt product range includes China’s version of GPS and military communications hardware.

Privately, CTC claims to be “devoted to high-tech special equipments for security agency, interior department, police, and military” and to employ 400 engineers. If he came to Beijing, King was told, he would receive private demonstrations of Wind Catcher, a mobile phone surveillance system and Internet Watcher, which automatically attacks web security systems.

The Beijing company claimed that Wind Catcher can decrypt the A5.1 cypher used in all GSM mobile phones in 0.3 of a second, covering 11 or more channels at once, with a success rate of 90 per cent. Working in conjunction with direction-finding systems, CTC claims that phone users can be located and their conversations monitored over a 1km radius, even in a city centre.

CTC’s Internet Watcher claims to be able to provide real time decryption of https web connections in order to attack the privacy of Gmail and Hotmail users.

“The shock of the Chinese offer was not what they were trying to sell me,” King told The Register. “It was the fact that they were only one of several dozen companies all making the same claims and pushing their own brand of repressive technologies. How many dictatorships did they think I was representing?”

Privacy International will be relaunching their Big Brother Incorporated project, intended to highlight the menace of the new surveillance companies that are trying to profit from the previously dark and secret arts of hackers and signals intelligence agencies alike.

One target will be the 2012 Farnborough show, which the government claims “gives companies a platform to show the global policing and security community their equipment and capability".

“Why is the government allowing space to people like Gamma Group, whose equipment helps destroy human rights abroad?” King asked.

“They should have learned from what happened in Egypt and Libya that equipment like that is just as lethal to life and liberty as looking down the barrel of a gun.”

The investigators

Privacy International investigator Eric King worked for a year with the legal action charity Reprieve international human rights organisation while still a law undergraduate at LSE. He enlarged his focus on privacy after graduating.

King and his PI colleagues came up with the idea of penetrating the new global surveillance industry during a 2010 visit to the Googleplex. Although the Tech Talk fellow privacy activists then gave to Google was amiable, they decided they were fed up “banging heads” with the giant new net companies.

They realised that focusing on the relative intransigence of Facebook and Google on personal privacy was distracting the more important focus on the use of the same and more advanced technologies for social and political repression, as the discoveries of the Arab Spring soon revealed.

The PI team asked the assorted search engine luminaries if they actually knew what governments could do and were doing with their tapping, intercepting, locating and processing capabilities – and how that was being linked in some states to deliberate and intended harm.

“Even Google couldn’t give the answer to that question.” ®