Subscribe and receive Middle East and North Africa CyberWatch in your inbox.

Table of Contents

• Censorship and Filtering
• Surveillance
• Blogger and Netizen Arrests
• Cyber Attacks
• Technology

CENSORSHIP AND FILTERING

TUNISIA: Interior Minister calls for new Internet monitoring body

Tunisian Minister of the Interior Lotfi Ben Jeddou has proposed that Tunisia establish an Internet monitoring body to investigate cybercrime and other Internet violations in coordination with the Tunisian Ministry of Communication Technologies. In this proposal, the Tunisian Internet Agency (ATI), which had previously monitored Internet content, would be relegated to focusing on the development of Tunisia’s Internet services. The proposal has been met with criticism from groups such as Anonymous Tunisia and the Tunisian Pirate Party who fear it could lead to a revitalization of online censorship in the country.

UAE: Emirati telecom provider unblocks Skype

UAE based telecommunications operator Etisalat announced in early April that they had unblocked Skype, allowing users the ability to access the website. The government’s Telecommunications Regulatory Authority (TRA) did make a statement, however, that Skype was still prohibited in the country. Defending its decision, Etisalat claimed that the TRA had stated in 2010 that telecommunications operators could offer Skype without submitting requests to the regulatory authority.

EGYPT: US embassy pulls down Twitter feed

The United States’ Egyptian Embassy recently pulled down its Twitter feed temporarily after the office of President Mohammed Morsi raised objections to a controversial tweet. The former tweeted a link to a video of US comedian Jon Stewart, who criticized the Egyptian government’s arrest of satirist Bassem Yousef. Morsi’s Twitter account responded by chastising the embassy for engaging in “political propaganda.” Since 2011, many Egyptian online political critics and activists have faced government prosecution.

IRAN: Filtering of 1,500 anti-Islamic websites per month

(Note: Cross posted at iranmediaresearch.org)
Mohammad Reza Aghamiri, a member of the Committee to Determine Instances of Criminal Content, stated [Farsi] that an average of 1,500 websites with anti-Islamic content are filtered on a monthly basis. Aghamiri added that “the monitoring of websites is done manually, so in comparison to automatic monitoring of the content, it is less probable that we make mistakes.” Aghamiri also referred to discussions regarding filters within the National Information Network (NIN). He clarified that the NIN will not be monitored and content blockage will be unnecessary because the network operates as a “pure” system.

IRAN: Filtering of ‘Rise of Morning Hope’ websites

(Note: Cross posted at iranmediaresearch.org)
Two websites were launched by The Rise of Morning Hope (Aftab-e Sobh-e Omid) campaign in support of Mohammad Khatami, an Iranian scholar and former president. SalamKhatami.com [Farsi] was developed to gather signatures from Khatami’s supporters and encourage him to run again for the presidency. The second website, SalamKhatami.org [Farsi], serves to cover the latest news related to his possible candidacy. Both websites were filtered [Farsi] shortly after being launched by the order of Iran’s filtering committee.

IRAN: Baztab-e Emrooz news website filtered

News website Baztab-e Emrooz was filtered [Farsi] after reporting [Farsi] that President Mahmoud Ahmadinejad had threatened to release confidential conversations between himself and election officials in 2009 if the Guardian Council failed to approve the candidacy of Esfandiar Rahim Mashaei, the current Chief of Staff. The conversations allegedly reveal that election officials falsely reported that Ahmadinejad won by 24 million votes, when in fact he won by 16 million, in order to prevent a recount. The report, which was deleted 50 minutes after it was posted on April 27th, claimed Ahmadinejad contacted officials and argued that voting results should not be rigged. After the story was removed from the Baztab-e Emrooz website, others such as Digarban [Farsi] and Balatarin [Farsi] circulated the story, leading Baztab to once again publish the report on April 28. Baztab-e Emrooz has faced filtering [Farsi] several times during the past year and was not accessible for users inside Iran. After publishing news about Ahmadinejad’s claims that the regime defrauded the voters in the 2009 presidential election, Baztab-e Emrooz was completely shut down.

Back to top

SURVEILLANCE

SAUDI ARABIA: Criticizing new monitoring scheme

Global Voices Advocacy reported on the Saudi Arabian government’s intention to surveil online communications over platforms like Skype. While the news was originally reported in the form of a leaked memo [Arabic] on Twitter, the state’s Communications and Information Technology Commission confirmed its veracity on March 31. The Commission asserted that communications surveillance would be aimed at “preserving values and principles, protecting the rights of everyone and protecting society from any negative aspects that could undermine the public well-being.” Companies that do not comply with government directives risk being blocked entirely. Last month, Saudi Arabia threatened to ban messaging applications like Skype, Viber, and WhatsApp in light of its inability to adequately monitor their use.

IRAN: Election headquarters organized by police forces to monitor cyberspace

(Note: cross posted at iranmediaresearch.org)
Newspapers Jam-e Jam and Kayhan reported [Farsi] that the Islamic Republic of Iran Police (NAJA) has formed an election headquarters named Fajr. Social Deputy of Police Forces Saeed Montazer al-Mahdi announced that, in order to ensure the “security and safety of the election process,” Fajr will monitor satellite channels, anti-regime websites, and social networking sites. Since Iranians previously used Facebook to organize rallies after the disputed 2009 elections, Fajr will monitor [Farsi] social networking websites closely to find and restrict similar instances.

IRAN: 20 new regulations for Internet cafés

Iran’s Cyber Police (FATA) issued [Farsi] a new set of 20 rules that Internet cafés are to abide by. According to this new set of guidelines, owners of cybercafés should be “committed, married individuals who have no criminal records” and must set up 24-hour surveillance cameras in their cafés. Staff at Internet cafes must start collecting the details of their customers’ identities,  address, national ID number, and telephone number. Businesses have also been asked to keep detailed records of when and how their customers use the internet, including a list of the websites they visited. In addition, the government has emphasized that the use of VPNs and any other types of circumvention tools is forbidden. The full list of regulations can be found here.

Back to top

BLOGGER AND NETIZEN ARRESTS

IRAN: Pro-Khamenei blogger arrested for criticizing Supreme Leader

(Note: Cross posted at iranmediaresearch.org)
A pro-Khamenei cyber activist Mojtaba Daneshtalab was sentenced to six months in prison and 35 dollars in fines over charges of “propaganda against the regime” and “insulting Ali Khamenei.” A day before his imprisonment, Daneshtalab wrote [Farsi] in his blog that he has not become an “anti-revolutionary” person and that he did not have any “bad intentions.” Many of Daneshtalab’s fellow bloggers and other pro-Khamenei cyber activists have used social media to show their disapproval of Daneshtalab’s conviction.

IRAN: Arrest of a circumvention tool distributor

FATA’s chief police officer in the province of Ghazvin announced [Farsi] that, in accordance with FATA’s mission to identify cyber criminals and monitor cyberspace, the organization had arrested a person accused of marketing and selling circumvention tools online. It is reported that the arrested individual was not aware that the sale of circumvention tools is illegal. The Computer Crimes Law dictates that the sale and marketing of circumvention tools and the teaching of methods to bypass censorship is illegal.

UAE: Arrest of an activist for tweeting from a courtroom

Abdullah al-Hadidi, an activist based in the UAE, was recently sentenced to 10 months in jail for live-tweeting his father’s trial from an Abu Dhabi courtroom. He was arrested on March 22 and charged with “disseminating false information.” His father had been detained for “plotting the overthrow of the government” in collaboration with a cell of 94 other people.

BAHRAIN: Bahraini prosecution appeals decision to acquit activist

The Arabic Network for Human Rights Information (ANHRI) has voiced concerns over attempts by the Bahraini prosecution to appeal a decision by the Supreme Criminal Court. The decision would acquit Said Yousif Al-Muhafdah, Vice-President of the Bahrain Center for Human Rights. Al-Muhafdah was charged with tweeting “false information” that security forces had used birdshot against protesters in December 2012.

MOROCCO: Atheist blogger in hiding

Imad Iddine Habib, a Moroccan blogger and self-identified atheist, has gone into hiding due to concerns over his personal safety. Habib had voiced concerns that Moroccan police wanted to arrest him and that his life was “at high risk.” In March, Habib created the Council of Ex-Muslims of Morocco (CeMM), described as “the first public atheist and non-religious organisation in a country with Islam as its state religion.”

Back to top

CYBER ATTACKS

ISRAEL: Israeli Hackers vs. Anonymous

Israeli hackers and Anonymous have been embroiled in an ongoing cyber battle. On April 7, pro-Palestinian hackers targeted Israeli websites using DDoS attacks and defacements, but failed to make a significant impact. Targets included the Ministry of Foreign Affairs and the website of Israel’s Holocaust memorial. Prior to the attacks, Anonymous had announced its intention to “disrupt and erase Israel from cyberspace” in response to Israeli policies toward Palestinians. Days later, OpIsrael.com—a website allegedly belonging to Anonymous—was defaced by Israeli hackers, who posted pro-Israel propaganda and taunted the hacktivist collective.

SYRIA: Syrian Electronic Army targets CBS and NPR Twitter accounts

The Syrian Electronic Army (SEA) attacked a number of high-profile Twitter accounts over the past month. On April 15, the organization attacked NPR.org and its Twitter account in response to the broadcaster’s coverage of the Syrian conflict. Days later, it gained access to CBS’ 60 Minutes Twitter account. The hackers posted messages accusing the United States of cooperating with terrorists and later took responsibility for the attack via a YouTube video. The SEA also claimed responsibility for compromising the Twitter account of the Associated Press and posting a fake news story about a bombing at the White House on April 23. The group has regularly hacked Twitter accounts in the past, including those of Al Jazeera.

OMAN: Moroccan hackers attack sites in Oman via DNS poisoning

On April 21, hackers from Morocco gained access to the Oman Telecommunication Company’s servers and defaced the website of Google Oman (google.com.om). Two people under the handles “Z0mbi3_Ma” and “SQL_Master” diverted traffic from Google Oman’s URL to an outside website via DNS poisoning, whereby hackers alter information on a DNS server’s database. A similar attack occurred on Google Bosnia.

Back to top

TECHNOLOGY

IRAN: Iran plans ‘Islamic Google Earth’

(Note: cross posted at iranmediaresearch.org)

Iran’s Minister for Information and Communications Technology, Mohammad Hassan Nami, announced that “Iran is developing a 3D world map project similar to Google Earth, which will be launched in the next four months as a national portal, providing service on a global scale.” Nami stated that this new service will be created with “Islamic views.” Several Iranian officials have commented that Google Earth is in fact a spying tool and it is often blocked in Iran. Experts have expressed doubt that the Iranian government will be able to accomplish a project on such a large scale over the next four months in the current economy.

Back to top

Read previous editions of the Middle East and North Africa CyberWatch.

Subscribe and receive the Middle East and North Africa CyberWatch in your inbox.

The post Middle East and North Africa CyberWatch – April 2013 appeared first on The Citizen Lab.

Subscribe and receive Middle East and North Africa CyberWatch in your inbox.

Table of Contents

• Censorship and Surveillance
• Blogger and Netizen Arrests
• Cyber Attacks
• Technology

CENSORSHIP AND SURVEILLANCE

MIDDLE EAST AND NORTH AFRICA: Blue Coat used in several countries in the region

This month, the Citizen Lab released a report detailing the extent to which products created by Blue Coat Systems, an American network security company, are used in many countries across the world, including several in the Middle East and North Africa. In 2011, the Citizen Lab found evidence that Blue Coat devices capable of censorship and surveillance were actively in use in in Syria and Burma. This latest report reveals the presence of Blue Coat in Bahrain, Kuwait, Qatar, Saudi Arabia, Egypt, the United Arab Emirates, Iraq, Turkey, and Lebanon, among other countries. ProxySG and PacketShaper, the two technologies covered in the report, are capable filtering websites, blocking content according to category, and monitoring Internet traffic. While these devices may have legitimate uses, the report raises concerns that technology possessing “dual-use” functionality (i.e., both a commercial and possible military or surveillance application) may be used to undermine human rights in countries where basic freedoms are frequently curtailed by state authorities.

IRAN: New directives for monitoring text messages

With the approaching presidential election, Iranian authorities are taking measures to avoid a recurrence of the 2009 post-election unrest. The Ministry of Culture and Islamic Guidance has urged [Farsi] mobile operators to start monitoring the content of text messages. The Ministry’s statement went viral on social networking websites. A few hours later, the Deputy of Iran’s Communications Regulatory Authority clarified that only text messages sent by corporations as advertisement would be monitored. In addition, the Communication and Information Technology News Agency, an online news agency, has speculated [Farsi] that text message filtration in Iran happens at the key word level. For example, messages containing words like “currency” and “dollar” were filtered during the last year’s currency crisis. Recently, it appears that text messages with the word “institute” have been filtered.

IRAN: Filtering of popular online computer games

Travian, the most popular online game in Iran, was filtered [Farsi] on January 1 by order of the Commission to Determine Instances of Criminal Content. Although the government lifted [Farsi] the block on January 9, this incident showed how Iranian censors have increasingly targeted online computer games. According to a report by Gerdab website [Farsi], owned and run by the  Iranian Revolutionary Guard Corps Cyber Command, computer games aim to “introduce Islam as the origin of terrorism, and against the other religions in the world.” Travian has been particularly criticized because the game’s objective is to build a powerful and prosperous city and to control as many cities as possible. Fars News Agency also published [Farsi] a statement by a group of computer game developers, who support the filtering of non-Iranian computer games to support domestic game developers.

JORDAN: Jordanian upcoming elections highlight concerns over Internet Freedom

As Jordan heads toward parliamentary elections at the end of January, Internet freedom activists have raised concerns over the possibility that the post-election government will move forward with media censorship laws. Of particular note is a legislation that would force media sites to register with Jordan’s Ministry of Press and Publication and require service providers to implement centralized filtering of pornographic websites. January 18 marked the deadline for websites to register with the Ministry. Administrators who failed to register were supposed to go offline, although the majority of sites have not done so. As previously reported, a grassroots movement in Jordan has developed in opposition to this set of legislation.

GAZA and the WEST BANK: Facebook “censors” Israeli-Arab journalist

Facebook deactivated the account of Khaled Abu Toameh, an Israeli-Arab journalist, for what it describes as “terms of use” violations. The deactivation occurred after complaints from the Palestinian Authority and Jordanian Security Services, which Abu Toameh alleged were a result of articles posted on his page criticizing the Palestinian Authority. In the past, the Palestinian Authority has arrested its citizens for posting criticism about the government on their respective Facebook pages.

SYRIA: YouTube accidentally closes accounts of human rights group

YouTube admitted to accidentally shutting down accounts belonging to the Syrian Observatory for Human Rights, a group monitoring violence relating to the ongoing civil war in Syria. The group had received messages from YouTube that those accounts were posting violent and “offensive” videos. All accounts associated with the group have subsequently been reinstated.

Back to top

BLOGGER AND NETIZEN ARRESTS

ALGERIA: Hacker arrested in Thailand

Hamza Bendelladj, an Algerian hacker who allegedly stole millions of dollars from private bank accounts and financial institutions using a trojan/botnet known as Zeus, was arrested by Thai police at the airport on January 6. According to Thailand’s immigration police, the United States requested his arrest on charges of banking fraud. He will likely be extradited to the US, where he has been on the FBI’s wanted list for several years.

IRAN: Blogger arrested for insulting a governmental organization

Mohammad Reza Jahanshiri, chief of Bushehr Province’s branch of Iran’s Cyber and Information Exchange Police (FATA), reported [Farsi] that a blogger has been arrested for publishing posts deemed offensive to a Bushehri government organization. According to Jahanshiri, the arrested blogger has confessed to his “alleged offence” and is now awaiting trial.

KUWAIT: Arrests of online activists over Twitter comments

Ayyad al-Harbi, a Kuwaiti blogger, was sentenced to two years in jail for criticizing the government on his Twitter account. The government also handed out a jail sentence to opposition activist Rashed al-Enezi, who has been accused of insulting the Kuwaiti Emir on Twitter. Arresting Kuwaiti citizens for online comments is not unknown in the country; several members of the Kuwaiti royal family have been arrested for posting anti-government views through social media.

OMAN: Jail terms upheld for bloggers

An Omani court has upheld jail terms between one year and 18 months for eight bloggers and writers accused of defaming the monarchy. As previously reported, lèse majesté arrests in Oman were common in 2012. State prosecution of “online crimes” has been made significantly easier through Oman’s Cyber Crime Law enacted in 2011.

TUNISIA: Blogger stands trial for accusing foreign minister

The public prosecutor’s office in Tunisia is investigating Olfa Riahi, a blogger and independent journalist, for alleging that Foreign Minister Rafik Abdessalem misused public funds to pay for personal accommodations at the Sheraton Hotel. The Tunisian press has named the incident “Sheraton Gate.” Riahi also posted leaked communication implicating Abdessalem in the acceptance of “a one million dollar gift from the state of China” without proper budgetary oversight. The minister’s legal team has accused Riahi of “violating article 86 of the telecommunications code, articles 89 and 90 of Law 63-2004 on the protection of privacy, articles 126, 148 and 253 of the criminal code, and finally article 54 of [the new press law].” Reporters Without Borders condemned the use of criminal, telecommunications, and privacy laws to punish press freedom.

Back to top

CYBER ATTACKS

SAUDI ARABIA: Majority of Saudi companies at risk of cyberattack

According to a report published in Saudi newspaper Al-Eqtisadiah, Symantec, a global computer security company, has found that 69 percent of Saudi companies are unprepared for potential cyber attacks. A Symantec representative stated that Saudi companies’ “lack of data backup operations on a daily basis” is their biggest vulnerability to data loss or theft. Last August, Saudi Aramco, the country’s national oil company, was hit by a widely publicized virus called “Shamoon,” an attack that United States and Israeli officials blamed on Iran. Symantec also alleged in its annual Norton Cybercrime Report that cybercrime cost Saudi Arabian consumers some SR 2.6 billion in 2012, launched primarily via social network and mobile phone exploits.

SYRIA: Syrian Electronic Army leaks government documents

On January 21, Al-Akhbar, a Lebanese newspaper, reported that the Syrian Electronic Army (SEA) would soon release “secret documents from Turkey, Qatar, and Saudi Arabia” through its English language website. The collection of e-mail exchanges, contracts, and official papers purportedly clarify the role that foreign governments have played in the Syrian conflict. The first set of documents, taken from the Qatari Ministry of Foreign Affairs and dubbed “Qatar Leaks,” was released two days later on Al-Akhbar and the SEA’s website. The files include a transcript of a meeting between the Qatari Prime Minister Hamad bin Jassim and Egyptian President Muhammad Morsi in which the two intimate support for the Syrian opposition.

UAE: Activists hit with targeted malware

Bahrain Watch reports that an activist in the United Arab Emirates (UAE) was recently the target of a malware attack via a suspect e-mail. The e-mail text linked to a video containing an embedded Java applet. Days earlier, international news media reported a massively exploited Java vulnerability, causing the United States’ Department of Homeland Security to warn users to disable Java on their computers. In the UAE activist’s case, the exploit’s payload appeared to be a spyware program that would grant the attacker keylogging, password stealing, and screen viewing capabilities on the victim’s computer. Based on similar incidents that have occurred over the past several months, Bahrain Watch believes that the Emirati government is ultimately responsible for the targeted malware attacks.

IRAN: Unconfirmed cyber attacks against a petrochemical plant

Asr-e Ertebat [Farsi], a weekly online magazine, and Fars News Agency [Farsi] reported that 1,072 cyber attacks have been directed against a petrochemical plant. Based on government speculation, the news agencies believe that the attacks originated from Israel. Iran’s National Computer Emergency Response Team (MAHER) has not confirmed the news and the story has received little coverage in the international media.

Back to top

TECHNOLOGY

IRAN: Smart software to control social networking websites

Iran’s chief of police, Esmail Ahmadi Moghadam, announced [Farsi] that Iran plans to develop software for controlling social-networking sites. Ahmadi Moghadam believes that “smart control” of social-networking sites is more useful than filtering because the “harm of social networking websites would be avoided, and at the same time, people could benefit from their useful features.” However, Nima Rashedan, an Iranian tech expert based in Switzerland, expressed doubt that Iran has the adequate infrastructure and knowledge to produce such software. Rashedan believes that the announcement was made without “knowing the exact technical difficulties of the project.”

IRAN: Recent updates on the status of National Information Network

Iran’s Deputy of Communications and Technology at the Ministry of Information and Communications Technology stated [Farsi] that more governmental organizations are gradually being connected to the National Information Network (NIN). Deputy Communications Minister Ali Hakim Javadi also added that at this time the NIN is completing the data sharing system between organizations and making the single-window system for services operational. Javadi announced recently [Farsi] that the International Exchange Center will soon be launched. This centre would act as a “switch,” which connects governmental organizations to one another and enables them to share and transfer information.

IRAN: Planning the National Network of Cyber Defence

Alireza Rahai, chancellor of Amirkabir University of Technology, announced [Farsi] that, in collaboration with the Ministry of Information and Communications Technology, a national network of cyber defence will be launched. Rahai added that it is crucial to prepare for an increasing number of cyber attacks that could potentially target Iranian infrastructure. Rahai said that the recently formed Information Security group at Amirkabir University will engage in research and software development in the areas of cyber defence and information security.

Back to top

Read previous editions of the Middle East and North Africa CyberWatch.

Subscribe and receive the Middle East and North Africa CyberWatch in your inbox.

The post Middle East and North Africa CyberWatch – January 2013 appeared first on The Citizen Lab.

Read The New York Times article associated with this report.

The following individuals contributed to this report:
Morgan Marquis-Boire (lead technical research) and Jakub Dalek (lead technical research), Sarah McKune (lead legal research), Matthew Carrieri, Masashi Crete-Nishihata, Ron Deibert, Saad Omar Khan, Helmi Noman, John Scott-Railton, and Greg Wiseman.

Summary of Key Findings

• Blue Coat Devices capable of filtering, censorship, and surveillance are being used around the world. During several weeks of scanning and validation that ended in January 2013, we uncovered 61 Blue Coat ProxySG devices and 316 Blue Coat PacketShaper appliances, devices with specific functionality permitting filtering, censorship, and surveillance.

• 61 of these Blue Coat appliances are on public or government networks in countries with a history of concerns over human rights, surveillance, and censorship (11 ProxySG and 50 PacketShaper appliances). We found these appliances in the following locations:
  • Blue Coat ProxySG: Egypt, Kuwait, Qatar, Saudi Arabia, the UAE.
  • PacketShaper: Afghanistan, Bahrain, China, India, Indonesia, Iraq, Kenya, Kuwait, Lebanon, Malaysia, Nigeria, Qatar, Russia, Saudi Arabia, South Korea, Singapore, Thailand, Turkey, and Venezuela.

• Our findings support the need for national and international scrutiny of Blue Coat implementations in the countries we have identified, and a closer look at the global proliferation of “dual-use” information and communication technologies. Internet service providers responsible for these deployments should consider publicly clarifying their function, and we hope Blue Coat will take this report as an opportunity to explain their due diligence process to ensure that their devices are not used in ways that violate human rights.

Part I: Background and Context

Blue Coat Systems is a California-based provider of network security and optimization products. These products include: ProxySG devices that work with WebFilter,¹ which categorizes web pages to permit filtering of unwanted content; and PacketShaper, a cloud-based network management device that can establish visibility of over 600 web applications and control undesirable traffic.² ProxySG provides “SSL Inspection” services to solve “…issues with intercepting SSL for your end-users.”³ PacketShaper is integrated with WebPulse, Blue Coat Systems’ real-time network intelligence service that can filter application traffic by content category.⁴ Blue Coat Systems states that it “provides products to more than 15,000 customers worldwide,”⁵ and indeed, it maintains offices globally, including in Latin America, the Middle East, and the Asia Pacific region.⁶

In 2011, researchers (including a team from the Citizen Lab) found evidence of the use of Blue Coat Systems products in Syria. These findings raised concerns that Blue Coat products were being used as part of the network filtering and monitoring apparatus of the Syrian government, known for its violations of human rights and widely condemned crackdown against ongoing domestic opposition. In such provision of secure web gateway and filtration products, Blue Coat Systems exemplifies the manufacture and service of so-called “dual use” technology: information and communication technology (ICT) that may equally serve legitimate and positive purposes, or purposes resulting in adverse impact on human rights, depending on its deployment or particular “end use.”⁷

In August 2011, the website Reflets.info, in collaboration with Telecomix and Fhimt.com, began to release a series of blog posts concerning the use of Blue Coat Systems devices in Syria.⁸ Reflets.info documented the presence of Blue Coat devices through in-country testing done in collaboration with Telecomix,⁹ and in October 2011, Telecomix released 54 gigabytes of data purportedly consisting of Syrian censorship log files collected from Blue Coat devices active in Syria.¹⁰

Initially, Blue Coat Systems denied that its equipment had been sold to Syria,¹¹ a country subject to US sanctions.¹² Soon after, however, Blue Coat Systems acknowledged that at least thirteen of its devices were active in Syria and that these devices had been communicating with Blue Coat Systems-controlled servers. In October 2011, the company told the Wall Street Journal that it had shipped the devices to a distributor in Dubai, believing that they were destined for the Iraqi Ministry of Communications.¹³

In November 2011, following Blue Coat Systems’ admission, Citizen Lab researchers documented the use of Blue Coat Systems commercial filtering products in both Syria and Burma, in the report Behind Blue Coat: Investigations of commercial filtering in Syria and Burma.¹⁴ Employing network scans of publicly accessible servers in the IP address ranges of the Syrian Telecommunications Establishment, the Citizen Lab report identified devices in Syria not previously identified in the first Reflets and Telecomix release. In the case of Burma, the findings were gathered on the basis of data gathered from in-country field testing and research.¹⁵

Blue Coat Systems soon announced in a statement that it was no longer “providing support, updates or other services” to its ProxySG appliances in Syria. The company stated that its devices in Syria were no longer “able to use Blue Coat’s cloud-based WebPulse service” or “run the Blue Coat WebFilter database” and were now “operating independently.” Blue Coat Systems added they did not have a “kill switch” to remotely disable the devices.¹⁶ An experiment conducted by Citizen Lab researchers, over a period of three weeks in July 2012, revealed evidence that suggests Blue Coat devices in Syria were no longer ‘phoning home’ to Blue Coat Systems’ servers. Citizen Lab also found that many Blue Coat Systems domains were being blocked in Syria, perhaps to prevent existing devices from receiving updates.¹⁷

The US Department of Commerce launched an investigation to determine whether Blue Coat Systems had prior knowledge of the use of its equipment in Syria.¹⁸ The investigation was launched following a call from US Senators requesting an investigation into Blue Coat Systems and NetApp, another US company whose equipment had been implicated in Syria’s surveillance system as detailed by Bloomberg shortly before the publication of Citizen Lab’s Blue Coat reports.¹⁹ In December 2011, the US Department of Commerce’s Bureau of Industry and Security (BIS) added one individual and one company based in the United Arab Emirates to its Entity List for purchasing US commercial filtering products from Blue Coat and exporting the products to Syria.²⁰

Part II: Fingerprinting the Global Network of Blue Coat Systems Devices

A: Methodology

This project set out as an effort to understand the widespread nature and geographic spread of Blue Coat Systems’ commercial filtering and traffic inspection products, using several techniques to identify Blue Coat devices. It is not intended to provide an exhaustive enumeration of all Blue Coat hosts on the Internet.

From December 2012 to mid-January 2013, we used the Shodan Computer Search Engine to search for Blue Coat PacketShaper and Blue Coat ProxySG hosts.²¹ Results from the Shodan Computer Search Engine were subsequently verified by scanning²² and followed by manual inspection. In addition to surveying Shodan for Blue Cost hosts, we undertook substantial whole-country scanning from hosts in Europe and the US.

Our investigation yielded a significant number of hosts identifying themselves in ways that indicated they were a Blue Coat device, including Telnet and FTP banners, specific HTML pages, and so on. Because of our primary interest in devices that could be used for surveillance, filtering, and censorship, we narrowed in on PacketShaper and ProxySG Blue Coat appliances. We then worked through the results of our initial scanning, and excluded many devices from our final analysis that could not be identified with high confidence as PacketShaper and ProxySG appliances.

The installations included in the final report met the following criteria: (1) a Blue Coat Systems ProxySG or PacketShaper device on what we think is a public network (i.e. not a private company), (2) located in a country that is the subject of ongoing concern over compliance with international human rights law, legal due process, freedom of speech, surveillance, and censorship.

B: Results

The scanning and validation process yielded 61 Blue Coat ProxySG devices and 316 Blue Coat PacketShaper devices located all over the world. Of these, we identified 11 ProxySG and 50 PacketShaper devices on public or government networks in countries with a history of concerns over human rights, surveillance, and censorship. These hosts were present on either government networks or on netblocks associated with telecommunication companies that provide Internet access of some sort. Specific efforts were made to exclude devices we believed to be on health, education, or commercial networks not associated with providing Internet service or telecommunications. The only exception is a device we found on the “King Abdulaziz City for Science and Technology” network which, although it is an educational institution, is involved in the implementation of national filtering.²³

Hosts found to be used on health, education or commercial networks are included in the maps to display the widespread use of this technology, but will not be specifically discussed in this report.

We identified ProxySG installations in the following countries of interest: Egypt, Saudi Arabia, Kuwait, the United Arab Emirates, and Qatar. We have also noted that Shodan has reported Egyptian ISP Nile Online as having a ProxySG installation as recently as August 2012, although we were unable to identify it in our testing. Nevertheless, we have decided to include it in our results because of its recent detection by Shodan.

We discovered PacketShaper installations in the following countries of interest: Afghanistan, Bahrain, China, India, Indonesia, Iraq, Kenya, Kuwait, Lebanon, Malaysia, Nigeria, Qatar, Russia, Saudi Arabia, South Korea, Singapore, Thailand, Turkey, and Venezuela. We were able to visit these hosts and confirm that they were running the product. Bahrain is the only exception; however, Shodan has reported the presence of a PacketShaper installation as recently as December 31, 2012. This host was located on ASN named “BIX-AS Bahrain Internet Exchange.” Using the service provided by iplocation.net, the IP in question was listed as being on an ISP named the “Central Informatics Organisation” by two data location companies: maxmind and db4.

ProxySG and PacketShaper deployments:

Map of BlueCoat worldwide deployments in countries of interest. (Click image to enlarge)
(Basemap: Wikimedia Commons, Creative Commons License)
Graphics: John Scott-Railton & Greg Wiseman

View larger image.
View as PDF.
Explore the data further.

A summary of data is available for download in a variety of formats:
Google Doc:
https://docs.google.com/spreadsheet/pub?key=0AtJqKcMmUwTKdDRkU1BiMHc4UGdPaGtNWndiWm5RaEE&output=html
Excel: https://citizenlab.org/data/planetbluecoat_data.xlsx
CSV: https://citizenlab.org/data/planetbluecoat_data.csv

C: Summary of Country Results

The countries featured in this report are a subset of the cases where we identified Blue Coat Systems filtering and monitoring products (ProxySG and PacketShaper) on public networks. We’ve focused on a subset of cases where our scanning identified Blue Coat devices in countries with widely-reported concerns over legal due process, human rights, and transparency, especially pertaining to filtering, censorship or surveillance. What emerged is a picture of the global spread of Blue Coat devices to countries where their presence raises substantial concerns. The picture varies across regions and between countries, and we think these are a natural topic for further research, especially as this pertains to our findings.

We found Blue Coat devices in all countries of the Gulf Cooperation Council except Oman (Bahrain, Kuwait, Qatar, Saudi Arabia, and the United Arab Emirates). These states all have well known and pervasive regimes of Internet content filtering, so the presence of Blue Coat filtering products is not surprising. In several cases it has already been reported on.²⁴

The region is also experiencing massive growth in Internet penetration, triggering aggressive marketing efforts by Western technology companies, intent on accessing these new markets. Less well known, however, is the extent of domestic electronic surveillance regimes in these countries, particularly in light of crackdowns on domestic dissent in Bahrain and Saudi Arabia, and where the devices we found were in locations suggestive of national filtering.

The finding of a Blue Coat device in Egypt is noteworthy in light of the widespread condemnation of the Mubarak regime’s use of electronic surveillance to monitor activists that came to light after the 2011 Revolution.²⁵ The Egyptian government has reportedly continued to acquire the means to filter and surveil its national Internet using Deep Packet Inspection, and has recently proposed new online content regulations.²⁶

The case of Blue Coat products in Lebanon is interesting because, while the country does not have a history of Internet filtering,²⁷ the government has recently drafted online content regulations concerning public morals.²⁸ This makes Lebanon a good case for follow-up research to clarify the function of these devices.

Iraq and Afghanistan are especially noteworthy cases. As they undergo reconstruction, both countries are the subject of international concern and scrutiny for ongoing human rights abuses, including a trend towards greater regulation and criminalization of some aspects of free expression,²⁹ including freedom of the press.³⁰ Additional concerns have been raised over increasing pressure by these governments on ISPs to implement these controls and submit to monitoring requirements.³¹ In both cases, Blue Coat products have the necessary features to help ISPs comply with these requests. The presence of these devices raises serious concerns about “surveillance-by-design” being built in from the ground up as the countries undergo reconstruction and expansion in telecommunications sectors.

In China we found several Blue Coat devices on a state-controlled ISP. The country is known for its comprehensive and multifaceted Internet filtering and surveillance regime, often referred to as the “Great Firewall.”³²

Russia and Venezuela are noteworthy because of serious concerns about the regimes in power, and their track record of using unlawful surveillance along with non-technical means to control political dissent and opposition.³³

Elsewhere, Turkey has recently passed a series of laws empowering ISPs to filter a wide range of content,³⁴ and in India, government agencies are explicitly authorized to monitor and intercept Internet traffic and user information for purposes of national security or cyber security.³⁵

The government of South Korea, despite its sophisticated telecommunications sector, has an extensive set of legal and technical mechanisms to control online content and expression, although the overall rate of filtering is low.³⁶ Meanwhile, the case of Kenya is also potentially interesting as the government is reportedly in the process of implementing a domestic monitoring apparatus.³⁷

Blue Coat products emerged repeatedly in Southeast Asia, where technology sectors and Internet penetration are growing rapidly, and new forms of online activism pose challenges to ruling governments: Malaysia has a documented history of state control, regulation, and monitoring of online expression, and recent legislation in the country authorizes warrantless interception with a vaguely defined scope.³⁸ Thailand engages in widespread Internet filtering and blocking, supplemented with substantial non-technical legal mechanisms.³⁹ Currently, the Thai government is extending its ability to engage in surveillance and monitoring, explicitly for the purpose of unmasking those engaging in speech critical of the monarchy.⁴⁰

Indonesia employs widespread but inconsistent filtering that emphasizes blocking content featuring some sexual, gender, and religious themes, and access to circumvention tools.⁴¹ With respect to Singapore, which implements limited Internet filtering, but has broad general censorship focused on potentially divisive racial, political, or religious content, a 2006 Privacy International report found that Singaporean law permits government surveillance of Internet activity and “grants law enforcement broad power to access data and encrypted material when conducting an investigation.”⁴²

A more complete overview of each of the countries of interest can be found in Appendix A.

Part III: Export of Dual-Use Information and Communication Technologies—Ethical and Legal Considerations

The geographic spread of Blue Coat Systems technology outlined above, including within countries that have presented significant human rights concerns, highlights the importance of addressing at a number of levels the expanding dual-use ICT sector. Blue Coat Systems is only one of many participants in this industry, which includes numerous types of technologies and services utilized by governments as well as private actors. With respect to the market for secure web gateway solutions alone—which primarily include filtering software and related products such as those of Blue Coat Systems—analysts estimated the size of the market at nearly US$1.2 billion in 2012, and recognized five market leaders (Blue Coat Systems, Cisco, McAfee, Websense, and Zscaler), all of which are companies based in the US.⁴³ Accordingly, the role of Western companies in providing dual-use technologies is a crucial subject for discussion among governments and policy makers, civil society, and the private sector. Such discussion is currently under way in a variety of fora, raising complex questions to which there are no simple solutions.

One of the key goals of the debates surrounding dual-use technologies is to determine a method of crafting effective controls on such technology that simultaneously limit its sale and deployment for purposes that negatively impact human rights, while protecting those uses that serve legitimate purposes and result in benefits to society. Such an approach requires an understanding of the likely end use of the technology in any given scenario, as well as carefully crafted legal and regulatory language to prevent over- or under-inclusiveness by companies when assessing whether particular products and services fall within the scope of controls.

For example, the Electronic Frontier Foundation (EFF) has warned of potential problems with legislation that is based on pre-defining types of technology “because broadly written regulations could have a net negative effect on the availability of many general-purpose technologies and could easily harm the very people that the regulations are trying to protect.”⁴⁴ The EFF points out that legal terms to define harmful technology could encompass basic technologies such as web browsers, and would result in denying citizens of the use of basic technologies.⁴⁵ Therefore, rather than focusing on the technology, the EFF advocates for a “Know Your Customer” approach, encouraging companies to investigate a customer before and during a transaction.⁴⁶

Government use of sanctions to control the flow of dual-use and other sensitive technologies to repressive regimes has run up against this dilemma. For example, while US sanctions against Iran and Syria restrict the sale by US companies of most goods and services to these countries, in order to support freedom of expression and access to information among the Iranian and Syrian populations, the US has found it necessary to issue general licenses enumerating that some (but not all) services related to Internet-based communications and telecommunications are authorized.⁴⁷ Yet companies providing such services have in many instances erred on the side of caution and avoided providing technologies that would serve legitimate ends within these two countries altogether, given the possibility of significant penalties and reputational damage should they be found in violation of the sanctions.⁴⁸ This collateral effect of the sanctions has had the unintended consequence of pitting US goals regarding isolation of authoritarian regimes and promotion of Internet freedom against each other. The need for precise, strategic language surrounding controlled technologies was reiterated in the US State Department’s November 2012 call for comments on its draft “Guidance on the Provision of ‘Sensitive Technology’ to Iran and Syria,” which concerns the scope of the term “sensitive technology” as utilized in the language of Iran and Syria sanctions.⁴⁹

In addition to the matter of careful calibration of language to ensure clear and appropriate restrictions on dual-use technologies, is the matter of determining appropriate methods of control. While sanctions are perhaps one of the most potent methods of control given the significant penalties and policy interests at stake, their application is typically limited to those few countries that members of the international community generally agree represent threats to international order. Thus, the use of Blue Coat Systems technologies highlighted in this report is largely beyond the scope of sanctions, as, with the exception of certain limited sanctions applicable to Iraq⁵⁰ and Lebanon,⁵¹ the countries in which Blue Coat Systems products were found are not currently subject to US sanctions—yet significant human rights concerns regarding the application of these technologies remain. Moreover, government entities involved in sanctions regimes that cover a wide variety of critical products and services, such as banking, petroleum products, insurance, etc., across multiple countries, may allocate a smaller percentage of their institutional resources to the matter of dual-use technologies, both in the drafting and enforcement of sanctions. Dual-use technologies employed in both the sanctioned and unsanctioned world therefore require further methods of attention, inquiry, and control.

Export control frameworks offer an additional method for control of dual-use technologies, if effectively adapted to the issue. Export controls generally restrict the transfer of products that are “dual use” in the classic sense of having both commercial and military application, in order to protect national security, though other products may be covered as well. At the international level, the Wassenaar Arrangement covers dual use goods and technologies in the US, Canada, European Union, and other countries with participating countries committing to maintain national export controls on listed items—which include items related to “telecommunications” (Category 5, Part 1) and “information security” (Category 5, Part 2).⁵² Notably, the Wassenaar Arrangement served as grounds for the UK government to assert that FinFisher spyware reported by Citizen Lab and others⁵³ was subject to export controls, arguing that the technology made use of controlled cryptography as listed Category 5, Part 2.⁵⁴

Generally, however, international and national export controls have not proven applicable to so-called dual-use ICTs, given that many such products and services fall within the realm of commercial application or public security rather than military application or national security. For example, at the national level in the US, while a number of different agencies are involved in export control administration,⁵⁵ licensing of most items of commercial nature is carried out by the Bureau of Industry and Security at the US Department of Commerce pursuant to the Export Administration Regulations.⁵⁶ Depending on their destination, items on the Commerce Control List⁵⁷ require a license to export if they fall within a designated “reason for control”—namely, if they are linked to chemical and biological weapons, nuclear nonproliferation, national security, missile technology, regional stability, firearms convention, crime control, or anti-terrorism.⁵⁸ It appears unlikely that technologies such as the Blue Coat Systems ProxySG or PacketShaper products would fit these criteria to trigger the licensing requirement.

If export control frameworks are adapted to better incorporate dual-use ICTs, however, they might serve as a method to restrict provision of technologies that have potential to negatively impact human rights, on the basis of the characteristics of the technology in question and its ultimate destination. Such an approach would require political commitment by governments to develop significant additions to their export control regulations, a process that may also be complicated by necessary export control reforms already in progress on different fronts.⁵⁹ Yet if companies were required to build compliance with export regulations into trade of dual-use ICTs, such mandate could serve as an important stimulus to internalization of human rights risk assessments in the surveillance and filtration technology industry, as well as overall corporate social responsibility (CSR) efforts. As with sanctions, the effectiveness of export control frameworks will depend on how carefully such regulations are calibrated.

While the applicability of export controls in this industry is a matter for ongoing discussion, noteworthy steps in that direction are taking place within the EU, including with respect to its “Community regime for the control of exports, transfer, brokering and transit of dual-use items.”⁶⁰ In September 2011, the European Parliament passed a resolution to prohibit authorization of the export of telecommunications technologies to certain specified countries if they are used “in connection with a violation of human rights, democratic principles or freedom of speech (…) by using interception technologies and digital data transfer devices for monitoring mobile phones and text messages and targeted surveillance of Internet use.”⁶¹ In October 2012, the European Parliament expanded upon its earlier effort, approving proposals put forward by Dutch Member of Parliament Marietje Schaake that would require authorization for any sale of dual-use technologies designated by European authorities as violative of human rights, democratic principles, or freedom of speech.⁶² Finally, the European Parliament passed a resolution in December 2012 on a “Digital Freedom Strategy,” which, inter alia, called for “a ban on exports of repressive technologies and services to authoritarian regimes” and establishment of a list of countries to which exports of “single-use” technologies (those that inherently threaten human rights) should be banned.⁶³

Such multilateral efforts are essential to the success of export controls in curbing the inappropriate use of ICTs. A common justification of companies supplying such technology is that “if we don’t sell it, someone else will.” Coordinated international measures would help prevent problematic sales of dual-use technology by industry leaders in multiple countries, limiting the availability of top-of-the-line equipment and software that could effectively advance the state of surveillance and filtration within authoritarian regimes. It is noteworthy, therefore, that the European Parliament’s “Digital Freedom Strategy” also “calls for the inclusion of targeted repression technologies in the Wassenaar Arrangement,”⁶⁴ which would extend the effort beyond the EU to the US, Canada, the Russian Federation, and other countries.

Corporate social responsibility measures are another method relevant to control of dual-use technologies. Inappropriate use of a technology may stem from its technical attributes as well as the behavior of the company supplying or employing it, and it is essential that companies themselves take steps to prevent complicity in human rights compromise. ICT companies can draw on the significant progress that has been made on CSR standards over time, including the UN Guiding Principles on Business and Human Rights⁶⁵ and the ICT sector guidance currently in development in the EU.⁶⁶

Moreover, companies such as Blue Coat Systems that make their profits in surveillance and filtering technology would be well-served to explore possibilities for effective self-regulation through CSR if they are indeed concerned about human rights, the possibility of onerous government requirements being imposed on them, or soured public relations. If, for example, Blue Coat Systems had conducted a human rights impact assessment or other due diligence measures regarding the use of its technology by client King Abdulaziz City for Science and Technology (KACST), perhaps it would have come to the conclusion that KACST was an agent of the government in national-level filtering, including of content related to political reform and human rights issues.⁶⁷ It appears Blue Coat Systems may not have fully appreciated or addressed the ramifications of such deployment of its technology, given its inclusion in marketing materials of KACST as a client “success story.”⁶⁸ On the other end of the spectrum, Websense, previously noted as one of the market leaders in secure web gateway solutions, has already taken steps toward CSR integration: it joined the Global Network Initiative (GNI) in December 2011, thus committing to the GNI’s freedom of expression and privacy principles and accountability framework.⁶⁹ The more companies take proactive measures to prevent complicity in human rights abuses, the more normalization of corporate social responsibility will take place within the industry.

A combination of the methods described above and other measures is essential to addressing the human rights impact of the booming market for surveillance, filtration, and other sensitive technologies, including dual-use ICTs. Scrutiny and foresight regarding what this market has and has yet to become are critical, as the societal and political ramifications will only grow more profound as technologies develop and use becomes more widespread. Proposals on a framework for control (through sanctions, export regulations, and other methods) of dual-use and other technologies that may compromise human rights are forthcoming in a future blog post by Citizen Lab.

Part IV: Areas for Further Research and Policy Discussions

This report raises several issues for further research and policy discussion:

There is a need for more transparency around censorship and surveillance practices as well as dialogue among states, ISPs, civil society, and the private sector. States and large ISPs have tended toward a lack of transparency when it comes to their capabilities for censorship and interception of network traffic. Their silence, however, should not be mistaken for the absence of such activity; indeed, many of them have moved to acquire and deploy powerful filtering and monitoring infrastructure, including Blue Coat Systems technology, as our report makes clear. Some countries have had elements of a public dialogue over network monitoring and filtering, others have not. In the US, for example, a raucous debate continues over whether ISPs should be able to massively filter network traffic based on content and type. These public debates have also emerged in Germany and France.⁷⁰ Similarly, some debates have taken place over state surveillance and ISP participation in monitoring, although these are often hampered by limited public evidence of the scope and scale of these practices. Yet, as this report shows, even in countries where ISPs or governments may not have publicly declared their ability to exercise this kind of control and little public notice or debate has taken place, opponents of Internet filtering and massive interception should be aware that the infrastructure may already be present — and in some cases, built from the ground up as a kind of “surveillance-by-design.” By providing this overview, we hope to encourage civil society groups, governments, and researchers to take a closer look at why these devices are present in their country. We also hope that this report will encourage ISPs, manufacturers, and other actors involved in deployment of these products to consider publicly clarifying their scale and function.

More independent, evidence-based research on the global spread and use of censorship, surveillance, and other “dual-use” technologies is essential. Providing a clearer picture of the global presence of Blue Coat Systems devices highlights how widely such technologies are used and how technical interrogation methods can be used to determine their presence in specific instances. We see our methodology as an important component of the civil society toolkit (including academia) for engaging in ongoing debates over the proliferation of censorship and intercept technologies, among others. We hope to stimulate dialogue surrounding deployment of dual-use technologies, and provide empirical support for ongoing efforts to develop appropriate control strategies. It is important to note that our methodology does not reveal the intentions or exact uses of the Blue Coat Systems devices in question. We expect these to be different in each case, and think this is an important area for future research. If such contributions are going to be credible, however, it is important that the research be independently conducted and based on open and reproducible methods and empirical evidence.

It is time to examine the appropriate course of action for companies that participate in the industry for network surveillance, censorship and other sensitive technologies. While the pursuit and development of new markets and products is naturally a priority to for-profit companies, they remain obliged at all times to respect human rights and avoid activities that would infringe upon them.⁷¹ The events of the Arab Spring have raised awareness that the products and services of this sector can and will be used to advance illegitimate ends that violate international human rights law. Companies can no longer simply assert that it is acceptable to provide their technology to any prospective client, no matter how questionable, until their home governments instruct them otherwise. Civil society and academic groups have indicated this is an area of high concern, key governments have begun pursuing this issue, and it is time for the private sector to join the dialogue and commit to finding solutions.

To that end, we pose the following questions to Blue Coat Systems, which we hope will spark further constructive dialogue:

• What human rights policy commitments and due diligence measures does Blue Coat Systems have in place concerning the development and sales of its products and services?

• In designing its products, does Blue Coat Systems assess their potential human rights impact? Have product designs ever been considered “off-limits” given inherent capabilities to undermine privacy or freedom of expression?

• What if any resources does Blue Coat Systems devote to human rights compliance at the operational level? For example, what percentage of the annual budget is allocated to human rights programs, investigations or training? What human rights training is provided to staff in each department of the company (including executive leadership as well as engineering, sales and legal departments)? What is staff awareness of the human rights implications of deployment of Blue Coat Systems products?

• Does Blue Coat Systems attempt to integrate a “know your customer” standard into its business practices? Does it attempt to discern the purpose for which a client seeks to purchase its products or services? If so, how (for example, in the case of the services provided to King Abdulaziz City for Science and Technology Internet Services Unit)? If the potential client is a government or located in a country known to have experienced unrest, does Blue Coat Systems investigate the human rights track record of that potential client? If human rights concerns are flagged, how does Blue Coat Systems act on such concerns?

• What is the process at Blue Coat Systems for evaluating compliance with US sanctions and export controls?

• What processes are in place for ensuring “downstream” compliance with human rights policy commitments and due diligence by resellers, distributors and other third parties with whom Blue Coat Systems contracts? Particularly after the discovery of Blue Coat devices in Syria as described in Part I of this report, were any changes made concerning such processes?

We commit to publishing in full Blue Coat System’s reply.

Our work supports the need for an effective framework for control of technologies that have significant potential to undermine human rights. It is important to emphasize that the questions posed to Blue Coat Systems (above) are pertinent as well for all other companies active in this industry. Given the many documented instances of advanced information communication technologies put to use by governments and other actors for the purpose of maintaining power and control at the expense of human rights, and the rapid, lucrative growth of the market, it is clear that this industry cannot continue to operate in a largely unregulated atmosphere. While control of dual-use and other sensitive technologies raises significant complexities (see Part III above), some form of check on this industry is essential—whether it be proactive self-regulation, export controls, sanctions, or a combination of these and other efforts. We hope that more companies will step forward to discuss how such controls can be applied in a pragmatic manner. The input of civil society is likewise crucial, as is the leadership of governments in developing multilateral approaches for effective control.

Acknowledgements

Thanks to Eireann Leverett and Shawn Merdinger for pointing the way.

Media Coverage

Media coverage of the report includes IT World; Salon; Ars Technica; Slate; ComputerWorld; TTV, MacFound, AllGov and Internet Law Center.

Footnotes

¹“WebFilter,” Blue Coat, http://www.bluecoat.com/products/proxysg/addons.
²“Blue Coat PacketShaper Application List,” Blue Coat, http://www.bluecoat.com/sites/default/files/documents/files/PacketShaper_Application_List.c.pdf.
³“The Growing Need for SSL Inspection”, Blue Coat, https://www.bluecoat.com/security/security-archive/2012-06-18/growing-need-ssl-inspection.
⁴“PacketShaper,” Blue Coat, http://www.bluecoat.com/products/packetshaper.
⁵http://www.bluecoat.com/products/packetshaper.
⁶“Company,” Blue Coat, http://www.bluecoat.com/company.
⁷Some ISPs in the Middle East and North Africa and other regions in the developing world deploy Blue Coat Systems appliances such as Blue Coat CacheFlow mainly to reduce bandwidth costs, which tend to be expensive in these countries. Lebanon Online for example is one of the region’s ISPs using Blue Coat CacheFlow for this purpose. “Lebanon Online Deploys Blue Coat CacheFlow Appliance to Reduce Bandwidth Costs and Enhance End-User Experience,” Blue Coat, August 15, 2011, http://www.bluecoat.com/company/press-releases/lebanon-online-deploys-blue-coat-cacheflow-appliance-reduce-bandwidth-costs.
⁸“Web Censorship Technologies in Syria Revealed,” Reflets.info, August 12, 2011, http://reflets.info/opsyria-web-censorship-technologies-in-syria-revealed-en.
⁹“Blue Coat’s Role in Syria Censorship and Nationwide Monitoring System,” Reflets.info, September 1, 2011, http://reflets.info/bluecoats-role-in-syrian-censorship-and-nationwide-monitoring-system.
¹⁰“#OpSyria: Syrian Censorship Logs (Season 3),” Reflets.info, October 4, 2011, http://reflets.info/opsyria-syrian-censoship-log.
¹¹Sari Horwitz, “Syria Using American Software to Censor Internet, Experts Say,” Washington Post, October 23, 2011, http://www.washingtonpost.com/world/national-security/syria-using-american-software-to-censor-internet-experts-say/2011/10/22/gIQA5mPr7L_story.html.
¹²See U.S. Executive Order 13582, which prohibits “the exportation, reexportation, sale, or supply, directly or indirectly, from the United States, or by a United States person, wherever located, of any services to Syria.” Executive Order 13582: Blocking Property of the Government of Syria and Prohibiting Certain Transactions With Respect to Syria, August 17, 2011, at Sec. 2(b), available at http://www.treasury.gov/resource-center/sanctions/Programs/Documents/syria_eo_08182011.pdf.
¹³Nour Malas, Paul Sonne, and Jennifer Valentino-Devries, “U.S. Firm Acknowledges Syria Uses Its Gear to Block Web,” Wall Street Journal, October 29, 2011, http://online.wsj.com/article/SB10001424052970203687504577001911398596328.html.
¹⁴“Behind Blue Coat: Investigations of Commercial Filtering in Syria and Burma,” Citizen Lab, November 9, 2011, https://citizenlab.org/2011/11/behind-blue-coat; and “Behind Blue Coat: An Update from Burma,” Citizen Lab, November 29, 2011, https://citizenlab.org/2011/11/behind-blue-coat-an-update-from-burma.
¹⁵“Behind Blue Coat: An update from Burma.”
¹⁶“Update on Blue Coat Devices in Syria,” Blue Coat Systems, December 15, 2011, http://www.bluecoat.com/update-blue-coat-devices-syria.
¹⁷For details see “Update: Are Blue Coat Devices Phoning Home?” Citizen Lab, https://citizenlab.org/2011/11/behind-blue-coat/#update.
¹⁸Shyamantha Asokan, “U.S. Probing Use of Surveillance Technology in Syria,” Washington Post, November 17, 2011, http://articles.washingtonpost.com/2011-11-17/world/35283442_1_blue-coat-systems-syrian-government-syrian-president-bashar.
¹⁹Ben Elgin and Vernon Silver, “Syria Crackdown Gets Italy Firm’s Aid With U.S.-Europe Spy Gear,” Bloomberg, November 3, 2011, http://www.bloomberg.com/news/2011-11-03/syria-crackdown-gets-italy-firm-s-aid-with-u-s-europe-spy-gear.html.
²⁰“BIS Adds Two Parties to Entity List for Sending Internet Filtering Equipment to Syria,” U.S. Department of Commerce Bureau of Industry and Security, December 15, 2011, http://www.bis.doc.gov/news/2011/bis_press12152011.htm.
²¹The Shodan search engine provides information on devices connected to the Internet, including industrial control systems, web filtering, and network security and optimization products. See: http://www.shodanhq.com/help/tour.
²²Nmap (network mapper) was the primary scanning tool used in surveying large parts of the global internet. See http://nmap.org.
²³Introduction to Content Filtering,” King Abdulaziz City for Science and Technology, Internet Services Unit, http://www.isu.net.sa/saudi-internet/contenet-filtring/filtring.htm.
²⁴Paul Sonne and Steve Stecklow. “U.S. Products Help Block Mideast Web.” Wall Street Journal, March 27, 2011. http://online.wsj.com/article/SB10001424052748704438104576219190417124226.html.
²⁵“Egypt,” OpenNet Initiative, August 6, 2009, http://opennet.net/research/profiles/egypt.
²⁶“Freedom on the Net 2012: Egypt,” Freedom House, http://www.freedomhouse.org/report/freedom-net/2012/egypt.
²⁷“Lebanon,” OpenNet Initiative, August 6, 2009, http://opennet.net/research/profiles/lebanon.
²⁸Khodor Salameh, “Lebanese Internet Law Attacks Last Free Space of Expression,” Al Akhbar, March 9, 2012, http://english.al-akhbar.com/node/4997.
²⁹See, for example, Iraq’s Information Crimes Law: “Iraq’s Information Crimes Law: Badly Written Provisions and Draconian Punishments Violate Due Process and Free Speech,” Human Rights Watch, July 12, 2012, http://www.hrw.org/sites/default/files/reports/iraq0712webwcover.pdf.
³⁰World Report – Iraq,” in Press Freedom Index 2011-2012, Reporters Without Borders, http://en.rsf.org/report-iraq,152.html.
³¹In Afghanistan: Danny O’Brien and Bob Dietz, “Using New Internet Filters, Afghanistan Blocks News Site,” Yahoo! Business and Human Rights Program, October 6, 2010, http://www.yhumanrightsblog.com/blog/2010/10/12/using-new-internet-filters-afghanistan-blocks-news-site/.
³²“China,” OpenNet Initiative, August 9, 2012, http://opennet.net/research/profiles/china.
³³Andrei Soldatov and Irina Borogan,“The Kremlin’s New Internet Surveilance Plan Goes Live Today,” Wired, November 1, 2012, http://www.wired.com/dangerroom/2012/11/russia-surveillance/all/; and “Countries Under Surveillance – Venezuela,” Reporters Without Borders, http://en.rsf.org/surveillance-venezuela,39770.html.
³⁴“Freedom on the Net 2011: Turkey,” Freedom House, http://www.freedomhouse.org/report/freedom-net/2012/turkey.
³⁵Information Technology (Amendment) Act 2008, http://www.mit.gov.in/sites/upload_? les/
dit/? les/downloads/itact2000/it_amendment_act2008.pdf.
³⁶See: “South Korea,” OpenNet Initiative, August 6, 2012, http://opennet.net/research/profiles/south-korea.
³⁷Okuttah Mark, “CCK Sparks Row with Fresh Bid to Spy on Internet Users,” Business Daily, March 20, 2012, http://www.businessdailyafrica.com/Corporate-News/CCK-sparks-row-with-fresh-bid-to-spy-on-Internet-users-/-/539550/1370218/-/item/2/-/edcfmqz/-/index.html; and Winfred Kagwe, “Kenya: CCK Defends Plan to Monitor Private Emails,” All Africa, May 17, 2012, http://allafrica.com/stories/201205181170.html.
³⁸“Freedom on the Net 2012: Malaysia,” Freedom House, http://www.freedomhouse.org/report/freedom-net/2012/malaysia; and “Malaysia: Security Bill Threatens Basic Liberties,” Human Rights Watch, April 10, 2012, http://www.hrw.org/news/2012/04/10/malaysia-security-bill-threatens-basic-liberties.
³⁹“Thailand,” OpenNet Initiative, August 7, 2012, http://opennet.net/research/profiles/thailand.
⁴⁰“Web Censor System Hits Protest Firewall,” Bangkok Post, December 15, 2011, http://www.bangkokpost.com/learning/learning-from-news/270926/new-web-censorship-worries.
⁴¹“Indonesia,” OpenNet Initiative, August 9, 2012, http://opennet.net/research/profiles/indonesia.
⁴²Privacy International, “Chapter II. Surveillance Policy,” Singapore, December 12, 2006, https://www.privacyinternational.org/reports/singapore/ii-surveillance-policy.
⁴³Lawrence Orans and Peter Firstbrook, “Magic Quadrant for Secure Web Gateways,” Gartner Inc., May 24, 2012, available at http://www.gartner.com/technology/research/methodologies/magicQuadrants.jsp.
⁴⁴Trevor Timm, “Time to Act on Companies Selling Mass Spy Gear to Authoritarian Regimes,” Electronic Frontier Foundation, February 7, 2012, https://www.eff.org/deeplinks/2012/02/time-act-companies-selling-mass-spy-gear-authoritarian-regimes.
⁴⁵Trevor Timm, “Time to Act on Companies Selling Mass Spy Gear to Authoritarian Regimes,” Electronic Frontier Foundation, February 7, 2012, https://www.eff.org/deeplinks/2012/02/time-act-companies-selling-mass-spy-gear-authoritarian-regimes.
⁴⁶Cindy Cohn and Jillian C. York, “’Know Your Customer’ Standards for Sales of Surveillance Equipment,” Electronic Frontier Foundation, October 24, 2011, https://www.eff.org/deeplinks/2011/10/it’s-time-know-your-customer-standards-sales-surveillance-equipment.
⁴⁷See U.S. Department of the Treasury Office of Foreign Assets Control, “Iran: General License Related to Personal Communication Services,” March 3, 2010, available at http://www.treasury.gov/resource-center/sanctions/Programs/Documents/soc_net.pdf; United States Department of the Treasury Office of Foreign Assets Control, Interpretive Guidance and Statement of Licensing Policy on Internet Freedom in Iran, March 20, 2012, http://www.treasury.gov/resource-center/sanctions/Programs/Documents/internet_freedom.pdf; “General License No. 5: Exportation of Certain Services Incident to Internet-Based Communications Authorized” (Syria), U.S. Department of the Treasury, August 18, 2011, available at http://www.treasury.gov/resource-center/sanctions/Programs/Documents/syria_gl5.pdf; United States Department of the Treasury Office of Foreign Assets Control, General License No. 14: Transactions Related to Telecommunications Authorized (Syria), October 3, 2011, available at http://www.treasury.gov/resource-center/sanctions/Programs/Documents/syria_gl14.pdf.
⁴⁸For examples, see Jillian C. York, “EFF Signs Joint Coalition Letter Urging Companies to be Proactive on Export Regulations,” Electronic Frontier Foundation, June 27, 2012, https://www.eff.org/deeplinks/2012/06/eff-signs-joint-coalition-letter-urging-companies-be-proactive-export-regulations.
⁴⁹“State Department Sanctions Information and Guidance,” U.S. Department of State, November 8, 2012, http://www.state.gov/e/eb/tfs/spi/iran/fs/200316.htm.
⁵⁰It must be noted that the United States have imposed limited sanctions on Iraq and Lebanon. In Iraq, the United States has placed “certain prohibitions and asset freezes against specific individuals and entities associated with the former Saddam Hussein regime, as well as parties determined to have committed, or to pose a significant risk of committing, an act of violence that has the purpose or effect of threatening the peace or stability of Iraq or the Government of Iraq or undermining efforts to promote economic reconstruction and political reform in Iraq or to provide humanitarian assistance to the Iraqi people.” See U.S. Department of the Treasury Office of Foreign Assets Control, Iraq: An Overview of the Iraq Stabilization and Insurgency Sanctions Regulations, September 15, 2010, available at http://www.treasury.gov/resource-center/sanctions/Programs/Documents/iraq.pdf; and “Iraq-Related Sanctions,” U.S. Department of the Treasury, December 5, 2012, http://www.treasury.gov/resource-center/sanctions/Programs/pages/iraq.aspx.
⁵¹In 2007, President George W. Bush signed Executive Order 13441, “Blocking the Property of Certain Persons Undermining the Sovereignty of Lebanon or its Democratic Processes or Institutions and Certain Other Persons.” See “Lebanon-Related Sanctions,” U.S. Department of the Treasury, December 5, 2012, http://www.treasury.gov/resource-center/sanctions/Programs/pages/leb.aspx.
⁵²“How Does the Wassenaar Arrangement Work?,” Wassenaar Arrangement, http://www.wassenaar.org/introduction/howitworks.html.
⁵³“The SmartPhone Who Loved Me: FinFisher Goes Mobile?,” Citizen Lab, August 29, 2012. https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile; “From Bahrain With Love: FinFisher’s Spy Kit Exposed?,” Citizen Lab, July 25, 2012, https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposed; and “Privacy International Commences Legal Action Against British government for failure to Control Exports of Surveillance Technologies,” Privacy International, July 19, 2012, https://www.privacyinternational.org/press-releases/privacy-international-commences-legal-action-against-british-government-for-failure.
⁵⁴See “Electronic Surveillance: Export Controls” in http://www.publications.parliament.uk/pa/cm201213/cmhansrd/cm120907/text/120907w0002.htm#12090723000801; and “British Government Admits It Has Already Started Controlling Exports of Gamma International’s FinSpy,” Privacy International, September 10, 2012, https://www.privacyinternational.org/press-releases/british-government-admits-it-has-already-started-controlling-exports-of-gamma.
⁵⁵See “Resource Links: United States Government Departments and Agencies with Export Control Responsibilities,” U.S. Department of Commerce Bureau of Industry and Security, http://www.bis.doc.gov/about/reslinks.htm.
⁵⁶“Introduction to Commerce Department Export Controls,” U.S. Department of Commerce Bureau of Industry and Security, http://www.bis.doc.gov/licensing/exportingbasics.htm.
⁵⁷15 C.F.R. pt. 774 (The Commerce Control List), available at http://www.ecfr.gov/cgi-bin/retrieveECFR?gp=&SID=ec4619c9b370f71ebcbaf93b0a25e619&n=15y2.1.3.4.45&r=PART&ty=HTML.
⁵⁸15 C.F.R. pt. 738, supp. no. 1 (Commerce Country Chart), available at http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&sid=59ee1d5eeb8f1d444ba88927fa1eaaff&rgn=div9&view=text&node=15:2.1.3.4.24.0.1.5.27&idno=15.
⁵⁹See, e.g., Ian F. Fergusson and Paul K. Kerr, The U.S. Export Control System and the President’s Reform Initiative, Congressional Research Service, May 18, 2012, http://www.fas.org/sgp/crs/natsec/R41916.pdf.
⁶⁰Council of the European Union, Council Regulation (EC) No 428/2009 setting up a Community regime for the control of exports, transfer, brokering and transit of dual-use items, May 5, 2009, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:134:0001:0269:en:PDF.
⁶¹See Annex IIe, Union General Export Authorisation No EU005, Part 3, Sec. 1(1)(d) in European Parliament, European Parliament Legislative Resolution of 27 September 2011 on the Proposal for a Regulation of the European Parliament and of the Council Amending Regulation (EC) No 1334/2000 Setting Up A Community Regime for the Control of Exports of Dual-Use Items and Technology (COM(2008)0854 – C7-0062/2010 – 2008/0249(COD)), September 27, 2011, available at: http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P7-TA-2011-0406+0+DOC+XML+V0//EN&language=EN; and European Parliament, Controlling Dual-Use Exports, September 27, 2011, http://www.europarl.europa.eu/news/en/pressroom/content/20110927IPR27586/html/Controlling-dual-use-exports.
⁶²See European Parliament, European Parliament Legislative Resolution of 23 October 2012 on the Proposal for a Regulation of the European Parliament and of the Council Amending Regulation (EC) No 428/2009 Setting Up a Community Regime for the Control of Exports, Transfer, Brokering and Transit of Dual-Use Items (COM(2011)0704 – C7-0395/2011 – 2011/0310(COD)), October 23, 2012, available at: http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2012-0383&language=EN&ring=A7-2012-0231 (Note the amendment to Article 4 of Regulation (EC) No 428/2009: “An authorisation shall also be required for the export of dual-use items not listed in Annex I if the exporter has been informed by the authorities referred to in points 1 and 2 or by the Commission that the items in question are or may be intended, in their entirety or in part, for use in connection with a violation of human rights, democratic principles or freedom of speech as defined by the Charter of Fundamental Rights of the European Union, by using interception technologies and digital data transfer devices for monitoring mobile phones and text messages and targeted surveillance of internet use (e.g. via monitoring centres or lawful interception gateways).”); and “European Parliament Endorses Stricter European Export Control of Digital Arms,” Marietje Schaake, October 23, 2012, http://www.marietjeschaake.eu/2012/10/ep-steunt-d66-initiatief-controle-europese-export-digitale-wapens.
⁶³European Parliament, European Parliament Resolution of 11 December 2012 on a Digital Freedom Strategy in EU Foreign Policy (2012/2094(INI)), December 11, 2012, available at http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P7-TA-2012-0470+0+DOC+XML+V0//EN&language=EN.
⁶⁴See Para. 43 in European Parliament, European Parliament Resolution of 11 December 2012 on a Digital Freedom Strategy in EU Foreign Policy (2012/2094(INI)), December 11, 2012, available at http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P7-TA-2012-0470+0+DOC+XML+V0//EN&language=EN.
⁶⁵“UN Guiding Principles on Business and Human Rights,” Business & Human Rights Resource Centre, http://www.business-humanrights.org/Documents/UNGuidingPrinciples. The UN Guiding Principles note as a basic foundational principle, “Business enterprises should respect human rights. This means that they should avoid infringing on the human rights of others and should address adverse human rights impacts with which they are involved” (see Principle 11). Furthermore, companies should “[s]eek to prevent or mitigate adverse human rights impacts that are directly linked to their operations, products or services by their business relationships, even if they have not contributed to those impacts” (see Principle 13(b)). The document details how companies should carry out such obligations.
⁶⁶“Draft Guidance Consultation (Dec. 2012 – Feb. 2013),” Institute for Human Rights and Business, http://www.ihrb.org/project/eu-sector-guidance/draft-guidance-consultation.html. (Discussing corporate policy commitments, human rights due diligence measures, and remediation mechanisms).
⁶⁷“Introduction to Content Filtering,” King Abdulaziz City for Science & Technology Internet Services Unit, http://www.isu.net.sa/saudi-internet/contenet-filtring/filtring.htm. (“The [KACST] Internet Services Unit oversees and implements the filtration of web pages in order to block those pages of an offensive or harmful nature to the society, and which violate the tenants of the Islamic religion or societal norms. This service is offered in fulfillment of the directions of the government of Saudi Arabia and under the direction of the Permanent Security Committee chaired by the Ministry of the Interior. . . . KACST maintains a central log and specialized proxy equipment, which processes all page requests from within the country and compares them to a black list of banned sites. If the requested page is included in the black list then it is dropped, otherwise it is executed, then the request is archived. These black lists are purchased from commercial companies and renewed on a continuous basis throughout the year. This commercial list is then enhanced with various sites added locally by trained staff.”). See also “Saudi Arabia,” OpenNet Initiative, August 6, 2009, http://opennet.net/research/profiles/saudi-arabia; and Noman and York, “West Censoring East.”
⁶⁸“KACST Deploys Blue Coat Appliances to Provide Secure and Productive Web Access in the Kingdom of Saudi Arabia,” Blue Coat, http://www.bluecoat.com/company/customers/kacst-deploys-blue-coat-appliances-provide-secure-and-productive-web-access.
⁶⁹“Websense Joins the Global Network Initiative,” Global Network Initiative, December 8, 2011, http://www.globalnetworkinitiative.org/newsandevents/Websense_Joins_the_Global_Network_Initiative.php.
⁷⁰Jillian C. York, “EFF Signs Joint Coalition Letter Urging Companies to be Proactive on Export Regulations,” Electronic Frontier Foundation, June 27, 2012, https://www.eff.org/deeplinks/2012/06/eff-signs-joint-coalition-letter-urging-companies-be-proactive-export-regulations.
⁷¹See “UN Guiding Principles on Business and Human Rights,” Business & Human Rights Resource Centre, http://www.business-humanrights.org/Documents/UNGuidingPrinciples.

The post Planet Blue Coat: Mapping Global Censorship and Surveillance Tools appeared first on The Citizen Lab.

Subscribe and receive Middle East and North Africa CyberWatch in your inbox.

Table of Contents

• Censorship and Filtering
• Blogger and Netizen Arrests
• Internet and Social Media Use
• Technology

CENSORSHIP AND FILTERING

EGYPT: Court prosecutor orders ban on pornography

The Prosecutor General has ordered government ministries to enforce a ban on pornography in the country. The prosecutor, Abdel Maguid Mahmoud, stated that the order was based on a 2009 court decision to block pornographic sites. The Ministry of Communications and Information Technology (MCIT) claimed that the ban is unfeasible for many reasons, including the difficulty of maintaining an inventory of millions of sites to be blacklisted. The MCIT also stated that the government has worked with service providers in the past to promote options for families to block inappropriate sites at home.

IRAN: Filtering of pro-Ahmadinejad blogs continues

As previously reported, the Iranian government has embarked on a new wave of censorship and filtering, specifically targeting pro-Ahmadinejad blogs. According to the pro-Ahmadinejad blog Armanshahr [Farsi], seven blogging sites that support Ahmadinejad have recently been filtered and two have been completely removed.

SYRIA: Backlash against Facebook over controversial photo ban

Facebook has removed photos from a group called “The uprising of women in the Arab world” after reports that the pictures were in violation of Facebook’s community standards. The photos depict Syrian group member Dana Bakdounes with her hair uncovered while she holds up her passport containing a picture of her with a headscarf. Underneath the passport is a written message stating, “I’m with the uprising of women in the Arab world because for 20 years I wasn’t allowed to feel the wind in my hair and my body.” Facebook initially stated that the suspension was an error. They later banned the photograph again, maintaining that the photo was in violation of their community standards while giving no further details. The group has criticized the decision as a form of censorship, possibly motivated by repeated complaints from those they describe as “fundamentalists and misogynists” who are upset with the nature of the photos.

UAE: Concerns voiced over Emirati Cybercrime Law

Freedom House has voiced its concerns over new revisions to the United Arab Emirate’s (UAE) 2006 “Cybercrime Law,” which it says will further curtail free expression in the country. The revisions include penalizing online comments deemed insulting to Islam and other religions, criticism of the country’s leaders, and activity seen as threatening to state security. The amendments also provide punishments for illegal privacy violations and unwarranted online surveillance. The UAE has faced criticism in the past for widespread online censorship.

Back to top

BLOGGER AND NETIZEN ARRESTS

IRAN: Criticisms of the government by blogger results in his death

Sattar Beheshti, a young blogger and Facebook activist, was arrested [Farsi] on October 30 by Iran’s Cyber and Information Exchange Police (FATA), who charged him with “actions against national security on social networks”. He was reported dead a few days later. A number of opposition websites, such as Kaleme, quoted [Farsi] Beheshti’s fellow prisoners, who alleged that he was physically tortured during interrogations. Beheshti’s death not only raises concerns over the treatment of prisoners in the Islamic Republic, but also demonstrates increased scrutiny and attention toward the online activities of Iranian users.

Back to top

INTERNET AND SOCIAL MEDIA USE

GAZA STRIP: Social media plays key role in Israel-Gaza conflict

On November 14, the Israel Defense Forces (IDF) announced on Twitter (@IDFSpokersperson) that they had begun a “widespread campaign on terror sites & operatives in the #Gaza Strip, chief among them #Hamas & Islamic Jihad targets.” Just before the announcement, an Israeli missile strike in Gaza killed Ahmed al-Jabari, chief of Hamas’ Al-Qassam Brigade. Hamas’ military wing subsequently took to Twitter (@AlqassamBrigade) and confirmed the assassination of al-Jabari. Both sides of the conflict have since used Twitter as a platform to publish propaganda, threats, and live updates on the conflict. Israel also posted a video [video] of the air strike against al-Jabari on its YouTube page.

KUWAIT: Twitter users call for protests against electoral law

Last month, 150,000 Kuwaitis took to the streets in response to a call for “A Nation’s Dignity” march by the Twitter account @KarametWatan [Arabic]. The protest, which sought to oppose a change in the electoral law that would reduce the number of parliamentary candidates for which a citizen can vote for from four to one, was considered the largest in the nation’s history. On November 4, Kuwaitis once again took to the streets, prompting the government to respond by using tear gas and detaining demonstrators. The handlers of @KarametWatan have remained anonymous throughout both protests. Despite social unrest, the Kuwaiti emir has continued to support the amendment.

MAURITANIA: Bloggers protest foreign mining companies online

Several Mauritanian bloggers have launched an online campaign aimed at criticizing foreign mining companies for exploiting the country’s natural resource endowments. Blog posts [Arabic] have criticized foreign companies for legal violations, environmental destruction, discriminatory employment practices, and for giving as little as four percent [Arabic] of mineral profits to Mauritania. In addition to whistle-blowing blog posts, the campaigners took to Facebook and Twitter, using the hashtag “ضد_نهب_معادننا#” (against_mining our minerals).” According to Freedom House, Mauritania’s legislation has no specific provisions for online journalism.

Back to top

TECHNOLOGY

IRAN: Launch of a national search engine

The pilot phase of the Parsijoo [Farsi] search engine has recently begun [Farsi], with the project estimated to be operational by March 2013. The project currently covers [Farsi] 120 million web pages, and aims to gradually increase the number of web pages in its index to 300 million. According to Reza Taqipour, Iran’s Minister of Information and Communications Technology, the Ministry fully supports Parsijoo and other national search engine projects.

Back to top

Read previous editions of the Middle East and North Africa CyberWatch.

Subscribe and receive the Middle East and North Africa CyberWatch in your inbox.

The post Middle East and North Africa CyberWatch – November 3-16, 2012 – Citizen Lab appeared first on The Citizen Lab.

The United Arab Emirates this week introduced sweeping new regulations that forbid web users from criticizing the government and organizing protests online. According to state news agency WAM, the laws explicitly prohibit users from publishing any material that would “endanger the security of the state and its supreme interests,” including any content that calls for regime change or mocks national leaders. President Sheikh Khalifa bin Zayed al-Nahayan announced the regulations in a decree issued Monday, introducing them as amendments to an existing law on cybercrime.

As Reuters reports, the amendments outlaw a wide range of activities, including using the internet for prostitution and human trafficking. Yet those pertaining to online dissent are by far the most expansive, calling for “penalties of imprisonment on any person who creates or runs an electronic website or uses any information technology medium” to criticize or deride the government. This extends to criticism or caricatures of political leaders, emirate rulers, the national flag, and any national symbols. The law also punishes anyone who uses the internet to criticize Islam, as well as those who organize demonstrations without first obtaining a license.

Although the UAE wasn’t touched by the Arab Spring protests that spread across the Middle East in 2011, critics say the country’s stance on human rights has deteriorated in recent months.

For the full article, see here.

The post United Arab Emirates outlaws online criticism of the government appeared first on The Citizen Lab.

A prominent activist from the UAE has been targeted by surveillance malware likely to have been created by an Italian company, with a French exploit seller implicated too, according to researchers.

Ahmed Mansoor, a blogger and part of the UAE Five, a group of Emirati activists who were imprisoned from April to November 2011 on charges of insult, was targeted by surveillance malware, according to Citizen Lab.

Mansoor was sent an email with a malicious attachment, which appeared to be a Microsoft Word file called ‘veryimportant.doc’, but was really an RTF file containing an exploit which allows the execution of code that downloads surveillance malware.

The exploit, which causes a buffer overflow in the RTF format to let the malware’s code be written onto a system’s memory, has been linked to the French exploit seller VUPEN.

The malware has been linked to Italian firm Hacking Team, which was implicated in creating a Mac OS Trojan, which was allegedly based on its Da Vinci cyber espionage tool.

“This information indicates that the sample matching ‘veryimportant.doc’ may be a demo copy of the Hacking Team RCS [Remote Control System] backdoor,” the researchers said. They pointed to promotional materials for the backdoor, which claim to offer surveillance on various communications, including email, instant messaging and Skype.

For the full article, see here.

The post Surveillance malware targets UAE activist as exploit sellers implicated appeared first on The Citizen Lab.

Read Bloomberg news article

In this report, Citizen Lab Security Researcher Morgan Marquis-Boire describes analysis performed on malicious software used to compromise a high profile dissident residing in the United Arab Emirates. The findings indicate that the software is a commercial surveillance backdoor distributed by an Italian company known as Hacking Team. The report also describes the potential involvement of vulnerabilities sold by the French company, VUPEN.

Introduction

In July of this year, Morgan Marquis-Boire and Bill Marczak published analysis of what appeared to be FinSpy, a commercial trojan from the FinFisher suite of surveillance tools sold by Gamma Group International. Their report, From Bahrain with Love: FinFisher’s Spykit Exposed?, presented evidence consistent with the use of FinSpy to target Bahraini dissidents, both within Bahrain and abroad.

A range of other companies sell surveillance backdoors and vulnerabilities for what they describe as “lawful intercept tools.” Recently CSO magazine published an article reporting on claims by anti-virus company Dr Web that a backdoor known as “Crisis” or “DaVinci” was, in fact, the commercial surveillance tool “Remote Control System” sold by Milan, Italy-based lawful intercept vendor Hacking Team.¹ According to an article published by Slate, the same backdoor was used to target Moroccan citizen journalist group Mamfakinch.²

This report examines the targeting of Mamfakinch and evidence suggesting that the same commercial surveillance toolkit described in these articles appears to have also been used in a recent campaign targeting Ahmed Mansoor, a human rights activist based in the United Arab Emirates (UAE). Additionally, it examines the possibility that a vulnerability linked to the French company VUPEN was used as the vector for intrusion into Ahmed Mansoor’s online presence.

The findings of this report contribute to a body of evidence of a growing commercial market for offensive computer network intrusion capabilities developed by companies in Western democratic countries. While the majority of these companies claim to sell their products to a restricted client base of law enforcement, military, and intelligence agencies, this report shows another example of commercial network intrusion tools being used against dissidents in countries with poor human rights records.

The market for commercial computer network intrusion capabilities has become a focus of controversy and debate about regulatory and legal controls that might be exercised over sales to such regimes or uses of the technology to target dissidents. Following the publication of From Bahrain with Love: FinFisher’s Spykit Exposed, the UK government reaffirmed that existing controls restricting the export of cryptographic systems apply to the Gamma Group’s exports of FinSpy.

In general, targeted malware attacks are an increasing problem for human rights groups, who can be particularly vulnerable to such attacks due to limited resources or lack of security awareness.

Recent Background: Da Vinci and Mamfakinch.com

On Friday the 13th of July 2012, the Moroccan citizen media and journalism project Mamfakinch³ was targeted by an electronic attack that used surveillance malware. Mamfakinch.com, a website that is frequently critical of the Moroccan government, received a message via their website directing recipients to a remote webpage:

The text, which hints at a sensitive scoop or lead translates roughly as “please don’t mention my name and don’t say anything at all [about me] I don’t want to get mixed up in this”.

The logs of the website reveal this message was sent from Moroccan IP space:

The IP from which the targeting message was uploaded (41.137.57.198) is from a Moroccan range dedicated to mobile 3G Internet users in the capital Rabat and its surroundings:

The page, found at http://freeme.eu5.org/scandale%20(2).doc prompted the user for the installation of malicious java, file, “adobe.jar”:

This file then facilitated the installation of a multi-platform (OSX and Windows) backdoor.

In the contents of the .jar you can see files called “win” and “mac” which correspond to Windows and OSX backdoors respectively:

The Windows backdoor contains a variety of clear-text strings which are found in the SSH-client, “Putty”. The OSX version of the backdoor, however, contains what appear to be to debug strings referencing the name of the developer, ‘Guido’:

Execution of the Windows backdoor writes the following files to disk:

The file ‘ZsROY7X.-MP’ appears to provide the main backdoor functionality:

It is executed via rundll32 and the following registry entry created to ensure persistence:

Processes such as iexexplorer.exe and wscntfy.exe are infected. Examination of loaded modules for “wscntfy.exe” reveals:

The backdoor has been identified as a variant of a commercial backdoor sold by the Italian Company “Hacking Team”. First identified by Russian Antivirus company Dr Web on July 25th, 2012, the backdoor has been called “Remote Control System,” “Crisis” and “DaVinci”.

The Hacking Team Remote Control System (RCS) is described in a leaked copy of their promotional literature as:
“A stealth, spyware-based system for attacking, infecting and monitoring computers and smartphones. Full intelligence on target users even for encrypted communications (Skype, PGP, secure web mail, etc.)”⁴

The Hacking Team public website stipulates that their technology is sold only to a restricted customer base:
“…we provide effective, easy-to-use offensive technology to the worldwide law enforcement and intelligence communities.”⁵

UAE Human Rights Activist Compromised

Ahmed Mansoor is a prominent UAE blogger and one of the ‘UAE Five’, a group of Emirati activists who were imprisoned from April to November 2011 on charges of insulting President Khalifa bin Zayed Al Nahyan, Vice President Mohammed bin Rashid Al Maktoum, and Crown Prince Mohammed bin Zayed Al Nahyan of the United Arab Emirates.⁶

On the 23rd of July, he received the following email (click image to enlarge):

This email, sent from a suggestively titled e-mail address, urges the recipient to read a ‘very important message’ and it contained the following attachment:

The attachment is malicious. To the user it appears to be a Microsoft Word document, however it in fact is an RTF file containing an exploit which allows the execution of code that downloads surveillance malware.

This document exploits a stack-based buffer overflow in the RTF format that has been previously characterized:
“Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka “RTF Stack Buffer Overflow Vulnerability.”⁷

When Ahmed Mansoor opened the document, his suspicions were aroused due to garbled text displayed. His email account was later accessed from the following suspicious IPs:

Analysis of “veryimportant.doc”

The file “veryimportant.doc” is a downloader that downloads the second stage of the malware via HTTP:

Examination of the sample displays use of the windows API to download the 2nd stage (click image to enlarge):

The 2nd stage is called “veryimportant.doc2”:

This is also a downloader that downloads the 3rd stage which appears to be the actual backdoor (click image to enlarge):

The executable code is downloaded from: http://ar-24.com/0000000031/veryimportant.doc3

Similar in behavior and appearance to the windows version of the RCS backdoor which targeted Mamfakinch, ‘veryimportant.doc3’ contains a variety of clear-text strings which are found in the SSH-client, “Putty”. On execution, “veryimportant.doc3” writes the following files to disk:

The following command is run, executing the file: “V46lMhsH.shv”

This then infects the following processes:

For example if we examine the process ‘wscntfy.exe” the following modules are loaded:

Examination of this process in the memory of an infected machine reveals the following functions are hooked by the malware:

We can see the malware infecting the process “wscntfy.exe”, visible in the memory region of the process which is marked as executable and writeable (click image to enlarge):

Here we see inline hooking of “NtQuerySystemInformation” performed by the malware, a technique frequently used to allow process hiding (click image to enlarge):

A registry key is added which ensures the persistence of the backdoor after reboot:

The file “V46lMhsH.shv” appears to perform the main backdoor functionality:

Further investigation of the implant reveals strings relating to popular anti-rootkit and anti-virus software, suggesting evasion of specific products:

We can also see the targeting of popular browsers:

And popular messaging clients:

The Windows implant includes a signed AMD64 driver. The certificate was issued by Verisign to “OPM Security Corporation”.

OPM security appears to be a Panama based company:⁸

From their website:⁹
“From Panama to the World, OPM Security Corporation provides personal and institutional security tools and anonymity to you and your business.”

OPM Security is an OPM Corporation company.¹⁰ On their website, http://taxhaven.us, OPM Corporation states:
“O.P.M. CORPORATION, has been one of the leading providers of Offshore services since 1992 (check 266794). Through our headquarters in Panama, our Caporaso & Partners Law Office (check 25210) and correspondent offices in South America and Caribbean, we offer the best offshore packages.”

Command and Control

This malware calls back to the command and control domain: ar-24.com

This domain is registered through GoDaddy:

As of October 1st, 2012 this domain appears to be pointing to a Linode¹¹ instance:

During August 2012, for a short period, this domain resolved to 83.111.56.188:

The physical address in the domain record (P.O. Box 5151, Abu Dhabi, UAE) matches the address for the corporate headquarters of Royal Group, which is a conglomerate of companies based in the UAE.

Identification

This malware contains the following strings:

The strings describing the Virtual Machine infection are the same as those described in the Symantec report on the Moroccan malware.

In addition to the similarities between the sample that Symantec and Dr. Web identified as being written by Hacking Team, “veryimportant.doc” is very structurally similar to this sample found on Virus Total.

This sample uses the following domain for command and control: rcs-demo.hackingteam.it

This information indicates that the sample matching “veryimportant.doc” may be a demo copy of the Hacking Team RCS backdoor. Promotional materials for this backdoor advertise the following features:¹²

The same promotional document mentions “Zero-day exploits” as a possible remote infection vector.

An additional sample with structural similarities to the 1st and 2nd stages was discovered in Virus Total.

This sample uses an exploit that has similarities in shellcode with “veryimportant.doc” however, the exploit it uses is newer, the Adobe Flash Player “Matrix3D” Integer Overflow.¹³ Searching for the origin of this exploit revealed a public mailing list post taking credit for discovery of this bug stating: “This vulnerability was discovered by Nicolas Joly of VUPEN Security”.

VUPEN are a French Security company who provide a variety of services including the sale of:
“…extremely sophisticated and government grade exploits specifically designed for offensive missions.”¹⁴

They claim to have discovered the vulnerability in January of this year at which point they shared this with their customers, prior to public disclosure in August:

The sample appears to have been created in May of 2012 prior to public disclosure:

While VUPEN take public credit for the discovery of this bug, it is possible that the exploit used here was not written by VUPEN but was independently discovered and weaponized by another party.

Recommendations

The use of social engineering and commercial surveillance software attacks against activists and dissidents is becoming more commonplace.

For at risk communities, gaining awareness of targeted threats and exercising good security practices when using email, Skype, or any other communication mechanism are essential. Users should be vigilant concerning all e-mails, attached web links, and files. In particular, carefully assess the authenticity of any such materials referencing sensitive subject matter, activities, or containing misspellings or unusual diction. If you believe that you are being targeted be especially cautious when downloading files over the Internet, even from links that are purportedly sent by friends.

For further tips on detecting potential malware attacks and preventing compromise, see Citizen Lab’s recommendations for defending against targeted attacks.

Acknowledgements

Malware analysis and report by Morgan Marquis-Boire.
Additional analysis by Andrew Lyons, Bill Marczak and Seth Hardy.

Additional Thanks

Thanks to Eva Galperin of the Electronic Frontier Foundation for activist outreach work with Mamfakinch.

Thanks to Chris Davis and The Secure Domain Foundation for malware and DNS information.

Additional thanks to John Scott-Railton.

Footnotes

¹ http://hackingteam.it/
² https://www.mamfakinch.com/
³ https://www.mamfakinch.com/
⁴ http://wikileaks.org/spyfiles/files/0/31_200810-ISS-PRG-HACKINGTEAM.pdf
⁵ http://hackingteam.it/index.php/about-us
⁶ https://en.wikipedia.org/wiki/UAE_Five
⁷ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3333
⁸ http://www.opmsecurity.com/security-tools/who-we-are.html
⁹ http://www.opmsecurity.com/
¹⁰ http://taxhavens.us/
¹¹ https://www.linode.com/ – A company which provides virtual server hosting.
¹² http://wikileaks.org/spyfiles/files/0/31_200810-ISS-PRG-HACKINGTEAM.pdf
¹³ http://www.securityfocus.com/archive/1/524143/30/60/threaded
¹⁴ http://www.vupen.com/english/

Back to top

Media Coverage

• The Globe and Mail
• Slate
• New York Times
• eWeek
• InfoSecurity Magazine
• TechWeek Europe
• Liquida Magazine (Italian)

The post Backdoors are Forever: Hacking Team and the Targeting of Dissent? appeared first on The Citizen Lab.

On a Monday in July, Ahmed Mansoor sat in his study in Dubai and made the mistake of clicking on a Microsoft Word attachment that arrived in an e-mail, labeled “very important” in Arabic, from a sender he thought he recognized.

With that click, the pro-democracy activist unwittingly downloaded spyware that seized on a flaw in the Microsoft Corp. (MSFT) program to take over his computer and record every keystroke. The hackers infiltrated his digital life so deeply they still accessed his personal e-mail even after he changed his password.

Since then, Mansoor, 42, an electrical engineer and father of four, says he has suffered two beatings by thugs in September during his campaign for citizens’ civil rights in the Persian Gulf federation of the United Arab Emirates. While those assailants remain unknown, researchers say they’ve figured out what was behind the virtual assault.

The spyware that penetrated his laptop appears to be a Western-made surveillance tool sold to police and intelligence agencies that’s so powerful it can turn on webcams and microphones and grab documents off hard drives, according to the findings of a study being published today by the University of Toronto Munk School of Global Affairs’ Citizen Lab.

For the full article, see here.

The post Spyware leaves trail to beaten activist through Microsoft flaw appeared first on The Citizen Lab.

This post describes our work analyzing several samples which appear to be mobile variants of the FinFisher Toolkit, and ongoing scanning we are performing that has identified more apparent FinFisher command and control servers.

Introduction

Earlier this year, Bahraini Human Rights activists were targeted by an email campaign that delivered a sophisticated Trojan. In From Bahrain with Love: FinFisher’s Spy Kit Exposed? we characterized the malware, and suggested that it appeared to be FinSpy, part of the FinFisher commercial surveillance toolkit. Vernon Silver concurrently reported our findings in Bloomberg, providing background on the attack and the analysis, and highlighting links to FinFisher’s parent company, Gamma International.

After these initial reports, Rapid7, a Boston-based security company, produced a follow-up analysis that identified apparent FinFisher Command and Control (C&C) servers on five continents. After the release of the Rapid7 report, Gamma International representatives spoke with Bloomberg and The New York Times’ Bits Blog, and denied that the servers found in 10 countries were instances of their products.

Following these analyses, we were contacted by both the security and activist communities with potentially interesting samples. From these, we identified several apparent mobile Trojans for the iOS, Android, BlackBerry, Windows Mobile and Symbian platforms. Based on our analysis, we found these tools to be consistent in functionality with claims made in the documentation for the FinSpy Mobile product, a component of the FinFisher toolkit. Several samples appear to be either demo versions or “unpackaged” versions ready to be customized, while others appear to be samples in active use.

Promotional literature describes this product as providing:

• Recording of common communications like Voice Calls, SMS/MMS and Emails
• Live Surveillance through silent calls
• File Download (Contacts, Calendar, Pictures, Files)
• Country Tracing of Target (GPS and Cell ID)
• Full Recording of all BlackBerry Messenger communications
• Covert Communications with Headquarters

In addition to analysis of these samples, we are conducting an ongoing scan for FinFisher C&C servers, and have identified potential servers in the following countries: Bahrain, Brunei, the Czech Republic, Ethiopia, Indonesia, Mongolia, Singapore, the Netherlands, Turkmenistan, and the United Arab Emirates (UAE).

Mobile Trojans

iOS

It was developed for Arm7, built against iOS SDK 5.1 on OSX 10.7.3 and it appears that it will run on iPhone 4, 4S, iPad 1, 2, 3, and iPod touch 3, 4 on iOS 4.0 and up.

The bundle is called “install_manager.app” and the contents of it are:

Investigation of the Mach-0 binary ‘install_manager’ reveals the text “FinSpy”:

Further references to “FinSpy” were identified in the binary:

Additionally, it appears that a developer’s certificate belonging to Martin Muench, who is described in The New York Times as Managing Director of Gamma International GmbH and head of the FinFisher product portfolio, is used:

An ad-hoc distribution profile is present: “testapp”:

The code signature contains 3 certificates:

The Application has been provisioned to run on the following devices, represented here by their Unique Device Identifiers (UDID):

The file is hidden using Spring Board options, and on execution the sample writes out logind.app to /System/Library/CoreServices. ‘logind’ exists on OSX but not normally on iOS.

It then installs: /System/Library/LaunchDaemons/com.apple.logind.plist

This creates persistence on reboot. It launches the logind process, then deletes install_manager.app.

On reboot it runs early in the boot process with ID 47:

This then drops SyncData.app. This application is signed, and the provisioning stipulates:

“Reliance on this certificate by any party assumes acceptance of the then applicable standard terms and conditions of use, certificate policy and certification practice statements.”

Further legal analysis would be necessary to determine whether the program violated the terms of use at the time of its creation.

This application appears to provide functionality for call logging:

Exfiltration of contacts:

Target location enumeration:

As well as arbitrary data exfiltration, SMS interception and more.

SyncData.app exfiltrates base64 encoded data about the device (including the IMEI, IMSI etc) to a remote cellular number.

The ‘logind’ process attempts to talk to a remote command and control server, the configuration information for which appears to be stored in base64 encoded form in “SyncData.app/84C.dat”.

The _CodeSignature/CodeResources file suggests that install manager drops logind.app, SyncData.app and Trampoline.app (Trampoline.app has not been examined).

Android

The Android samples identified come in the form of APKs.

The application appears to install itself as “Android Services”:

It requests the following permissions:

The first 200 files in the apk are named “assets/Configurations/dummsX.dat”, where X is a number from 0-199. The files are 0 bytes in length. The file header entries in the compressed file are normal, but the directory header entries contain configuration information.

The code in the my.api.Extractor.getConfiguration() method opens up the APK file and searches for directory entry headers (PK\x01\x02) then copies 6 bytes from the entry starting at offset 36. These are the “internal file attributes” and “external file attributes” fields. The code grabs these sequences until it hits a 0 value.This creates a base64 encoded string.

The app decodes this string and stores it in a file named 84c.dat (similar to the iOS sample discussed earlier).

Here’s the output from one of the samples:

The Base64 decoded hexdump is:

Note that the hostnames demo-de.gamma-international.de and ff-demo.blogdns.org are suggestive of a demo or pre-customisation version of the FinSpy Mobile tool and are similar to domains identified in our previous report.

We identified samples structurally similar to this sample that spoke to servers in the United Kingdom and the Czech Republic:

Note that the Czech sample speaks to the same command and control server previously identified by Rapid7.

Symbian

Samples for Nokia’s Symbian platform were identified:

1e7e53b0d5fabcf12cd1bed4bd9ac561a3f4f6f8a8ddc5d1f3d2f3e2e9da0116 Symbian.sisx
eee80733f9664384d6bac4d4e27304748af9ee158d3c2987af5879ef83a59da0 mysym.sisx

The first sample (“Symbian.sisx”) identifies itself as “System Update” and appears to have been built on the 29th of May 2012, at 14:20:57 UTC.

Click to enlarge

The certificate is registered to a jd@cyanengineeringservices.com. WHOIS information indicates that www.cyanengineeringservices.com was anonymously registered (date of first registration: 07-Mar-07) with GoDaddy using Domains By Proxy. Although it includes an attractive front page that states “Mobile Software Development” for “Windows Mobile, iPhone, Android, Symbian and Blackberry,” all links (e.g. “Products” “About Us” or “Contacts”) lead to an “under construction” blank page.

The sample contains the following components:

Click to enlarge

The file “c:\sys\bin\updater.exe” provides the main implant functionality. This requests the following capabilities¹:

Of special note is the use of TrustedUI. As mentioned in the security section of the Nokia developer notes for Symbian:

“Trusted UI dialogs are rare. They must be used only when confidentiality and security are critical: for instance for password dialogs. Normal access to the user interface and the screen does not require this.”

The second sample (“mysym.sisx”) identifies itself as “Installation File” and appears to be signed by the “Symbian CA I” for “Cyan Engineering Services SAL (offshore),” unlike the previous sample, which was registered to jd@cyanengineeringservices.com.

Click to enlarge

We identified “Cyan Engineering Services SAL (offshore)” as also listed as the registrant on the parked domain www.it-intrusion.com, (Created: 08-Dec-11, also with GoDaddy). However, it-intrusion.com does not have a protected registrant. The registrant is listed² as a company based in Beirut, Lebanon:

The registrant information for Cyan Engineering Services SAL also connects to Gamma: the name “Johnny Debs” is associated with Gamma International: a Johnny Debs was listed as representing Gamma at the October 2011 Milpol in Paris, and the name occurs elsewhere in discussions of FinFisher.

Examination of this sample reveals the domain demo-01.gamma-international.de potentially indicating a demo or pre-customisation copy.

The phone number +60123839897 also shows up in the sample. It has a Malaysian country code.

Blackberry

The identified samples contained the following files:

The .cod files are signed by RIM’s RBB, RCR, and RRT keys. RBB stands for “RIM BlackBerry Apps API,” which allows manipulation of BlackBerry apps, RCR stands for “RIM Crypto API,” which allows access to crypto libraries, and RRT stands for “RIM Runtime API,” which allows access to other phone functionality such as sending SMS messages.

The signature process is described in RIM’s documentation [pdf] about the Blackberry Signing Authority. First, a developer registers a public key with the Blackberry Signing Authority. In order to obtain a signed application, the developer submits a signature request (including his identity and a hash of the binary) signed with his private key to the Signing Authority. The Signing Authority verifies that the signer is authorized to make requests, and, if so, replies with a copy of the hash signed with the relevant RIM private key. The developer then appends the signature to his binary.

The .jad file contains the following hashes for the .cod files:

The .jad file also contains a blob of base64 encoded data with the key “RIM-COD-Config.” This data contains the URL of the command & control server, TCP ports, phone numbers to exfiltrate data to via SMS, identifiers for the Trojan and target, active modules, and various other configuration parameters.

Decoding this reveals the following servers and phone numbers:

Upon installation, the user is presented with the following screen:

As evidenced by the above screenshot, the app is listed as:

Directly after installing, the application requests enhanced permissions:

The following screen pops up showing the requested permissions:

Scrolling down reveals:

After the user accepts these permissions, the sample attempts to connect to both Internet-based and SMS-based command & control servers. Another sample we analyzed appeared to write a debug log to the device’s filesystem. The following information was observed written to the log regarding communication with command & control services.

We decompiled the Blackberry sample. We provide a high-level overview of the more interesting classes that we successfully decompiled:

net.rmi.device.api.fsmbb.config.ApnDatabase
net.rmi.device.api.fsmbb.config.ApnDatabase$APN

These appeared to contain a database comprising the following GSM APNs. The significance of this database is that it only includes a small set of countries and providers:

net.rmi.device.api.fsmbb.core.AppMain

This appears to do the main app installation, as well as uninstallation. Installation includes negotiating for enhanced permissions, base64-decoding the “RIM-COD-Config” configuration, and setting up and installing the Configuration. If the configuration contains a “removal date,” then automatic removal is scheduled for this time. Installation also involves instantiating “listener” modules, as specified below:

net.rmi.device.api.fsmbb.core.listener.AddressBookObserver

This appears to listen for changes to the address book. It implements the net.rim.blackberry.api.pim.PIMListListener interface.

net.rmi.device.api.fsmbb.core.listener.CallObserver.*

This implements:

net.rim.blackberry.api.phone.PhoneListener
net.rim.blackberry.api.phone.phonelogs.PhoneLogListener
net.rim.device.api.system.KeyListener

This module logs and manipulates phone events, and appears to enable “remote listening” functionality, where the FinSpy Master can silently call an infected phone to listen to conversation in its vicinity (this is referred to as a SpyCall in the code). The module has a facility to hide incoming calls by manipulating the UI, cancelling buzzer and vibration alerts, and toggling the backlight. Upon instantiation, the module calls “*43#” to enable call waiting. If a remote listening call from the master is active, then legitimate incoming calls will trigger call waiting. The module detects these legitimate incoming calls, and places the SpyCall call on call waiting, presenting the legitimate incoming call to the user.

net.rmi.device.api.fsmbb.core.listener.EmailObserver

This appears to record sent and received email messages.

net.rmi.device.api.fsmbb.core.listener.MessengerObserver (Module #68)

This seems to record BBM messages. It appears to do this by periodically checking the path “file:///store/home/user/im/BlackBerry Messenger/”

net.rmi.device.api.fsmbb.core.listener.SMSObserver

This module implements:

net.rim.blackberry.api.sms.SendListener
net.rim.blackberry.api.sms.OutboundMessageListener

Contrary to its name, OutboundMessageListener allows listening for both incoming and outgoing SMS messages. This module also checks for incoming SMS commands from the FinSpy Master. These commands can include an “emergency configuration” update, that can include new addresses and phone numbers for the FinSpy Master.

net.rmi.device.api.fsmbb.core.listener.WAObserver (Module #82)

This appears to monitor WhatsApp, the popular proprietary cross-platform messaging application. It locates the WhatsApp process ID by searching for module names that contain the string “WhatsApp.”

At some point, the module calls getForegroundProcessId to see if the WhatsApp process ID is in the foreground. If so, it seems to take a screenshot of the WhatsApp application, via Display.Screenshot. It appears that this screenshot is checked via “.equals” to see if there is any new information on the WhatsApp screen. If there is new information, the screenshot is then JPEG encoded via JPEGEncodedImage.encode.

net.rmi.device.api.fsmbb.core.com.*

Appears to contain the mechanics of communication with the command & control server, including the plaintext TLV-based wire protocol.

Windows Mobile

The Windows Mobile samples we identified are:

2ccbfed8f05e6b50bc739c86ce4789030c6bc9e09c88b7c9d41cbcbde52a2455
507e6397e1f500497541b6958c483f8e8b88190407b307e997a4decd5eb0cd3a
1ff1867c1a55cf6247f1fb7f83277172c443442d174f0610a2dc062c3a873778

All the samples appeared similar, most likely belonging to the same branch release. The relevant parts of the binary are stored in five different resources:

• The first resource contains an OMA Client Provisioning XML file, which is used to store root certificates for running privileged/unprivileged code on the device. In this case it only contained some default example values shipped with Microsoft Windows Mobile SDK.
• The second resource contains the actual dropped payload which contains all the Trojan functionalities.
• The third resource contains a binary configuration file.
• The fourth and fifth resources contain two additional DLL files which are dropped along with the payload.

The main implant is dropped as “services.exe” with the libraries dropped as mapiwinarm.dll and mswservice.dll.

The payload has the following attributes:

File size: 186640 bytes
SHA256: 4b99053bc7965262e8238de125397d95eb7aac5137696c7044c2f07b175b5e7c

This is a multi-threaded and modular engine which is able to run and coordinate a series of events providing interception and monitoring capabilities. When the application starts, a core initialization function is invoked, responsible for preparing execution and launching the main thread.

The main thread consequently runs a set of core components on multiple threads:

• Routines responsible for handling the “heartbeat” notifications.
• Routines which control the execution of the Trojan and its components while monitoring the status of the device.
• A routine which can be used to “wake up” the device.
• A component which handles emergency SMS communications.
• A routine that initializes the use of the Radio Interface Layer.
• A core component that manages a set of surveillance modules.

The Trojan utilises a “Heartbeat Manager”, which is a set of functions and routines that, depending on the status of the device or monitored events, communicates notifications back to the command and control server.

These beacons are sent according the following events:

• First beacon.
• A specified time interval elapsing.
• The device has low memory.
• The device has low battery.
• The device changed physical location.
• The Trojan has recorded data available.
• The device has connected to a cellular network.
• The device has a data link available.
• The device connects to a WiFi network.
• An incoming / outgoing call starts.
• The Mobile Country Code (MCC) or Mobile Network Code (MNC) ID changed.
• The Trojan is being uninstalled.
• The SIM changes.

Notifications are sent via SMS, 3G and WiFi, according to availability. Consistent with other platforms, the windows mobile version appears to use base64 encoding for all communications.

In response to such notifications, the implant is able to receive and process commands such as:

The command and control server is defined in the configuration file found in the third resource of the dropper. In this sample, the sample connected to the domain: demo-04.gamma-international.de

This suggests that such sample is either a demo version or “unpackaged” version ready to be customized.

Together with a DNS or IP command and control server, each sample appears to be provided with two phone numbers which are used for SMS notifications.

The core surveillance and offensive capabilities of the Trojan are implemented through the use of several different modules. These modules are initialized by a routine we called ModulesManager, which loads and launches them in separate threads:

There are multiple modules available, including:

• AddressBook: Providing exfiltration of details from contacts stored in the local address book.
• CallInterception: Used to intercept voice calls, record them and store them for later transmission.
• PhoneCallLog: Exfiltrates information on all performed, received and missed calls stored in a local log file.
• SMS: Records all incoming and outgoing SMS messages and stores them for later transmission.
• Tracking: Tracks the GPS locations of the device.

Call Interception

In order to manipulate phone calls, the Trojan makes use of the functions provided by RIL.dll, the Radio Interface Layer.

Some of the functions imported and used can be observed below:

PhoneCallLog

In order to exfiltrate call logs, the Trojan uses functions provided by the Windows Mobile Phone Library.

Using PhoneOpenCallLog() and PhoneGetCallLogEntry(), the implant is able to retrieve the following struct for each call being registered by the system:

This contains timestamps, numbers, names and other data associated with a call.

Tracking

The physical tracking of the device uses the GPS Intermediate Driver functions available on the Windows Mobile/CE platform:

Click to enlarge

After a successful GPSOpenDevice() call, it invokes GPSGetPosition() which gives access to a GPS_POSITION struct containing the following information:

This provides the latitude and longitude of the current location of the device.

Command and Control Server Scanning Results

Following up on our earlier analysis, we scanned IP addresses in several countries looking for FinSpy command & control servers. At a high level, our scans probed IP addresses in each country, and attempted to perform the handshake distinctive to the FinSpy command and control protocol. If a server responded to the handshake, we marked it as a FinSpy node. We expect to release our scanning tools with a more complete description of methodology in a follow-up blog post.

Our scanning yielded two key findings. First, we have identified several more countries where FinSpy Command and Control servers were operating. Scanning has thus far revealed two servers in Brunei, one in Turkmenistan’s Ministry of Communications, two in Singapore, one in the Netherlands, a new server in Indonesia, and a new server in Bahrain.

Second, we have been able to partially replicate the conclusions of an analysis by Rapid7, which reported finding FinSpy command & control servers in ten countries: Indonesia, Australia, Qatar, Ethiopia, Czech Republic, Estonia, USA, Mongolia, Latvia, and the UAE. We were able to confirm the presence of FinSpy on all of the servers reported by Rapid7 that were still available to be scanned. We confirmed FinSpy servers in Indonesia, Ethiopia, USA, Mongolia, and the UAE. The remaining servers were down at scanning time. We also noted that the server in the USA appeared to be an IP-layer proxy (e.g., in the style of Network Address Translation)³.

Rapid7’s work exploited a temporary anomaly in FinSpy command & control servers. Researchers at Rapid7 noticed that the command & control server in Bahrain responded to HTTP requests with the string “Hallo Steffi.” This behavior did not seem to be active on Bahrain’s server prior to the release of our analysis. Rapid7 looked at historical scanning information, and noticed that servers in ten other countries had responded to HTTP requests with “Hallo Steffi” at various times over the previous month. While the meaning of this string and the reason for the temporary anomaly are unknown, a possible explanation is that this was a testing deployment of a server update, and the “Hallo Steffi” message indicated successful receipt of the update. After the publication of Rapid7’s analysis, the behavior began to disappear from FinSpy servers.

Details of Observed Servers

Table 1: New Servers

Table 2: Confirmed Rapid7 Servers

It is interesting to note that the USA server on EC2 appeared to be an IP-layer proxy. This judgment was made on the basis of response time comparisons⁴.

Conclusions + Recommendations

The analysis we have provided here is a continuation of our efforts to analyze what appear to be parts of the FinFisher product portfolio. We found evidence of the functionality that was specified in the FinFisher promotional materials. The tools and company names (e.g. Cyan Engineering Services SAL) found in their certificates also suggest interesting avenues for future research.

These tools provide substantial surveillance functionality; however, we’d like to highlight that, without exploitation of the underlying platforms, all of the samples we’ve described require some form of interaction to install. As with the previously analyzed FinSpy tool this might involve some form of socially engineered e-mail or other delivery, prompting unsuspecting users to execute the program. Or, it might involve covert or coercive physical installation of the tool, or use of a user’s credentials to perform a third-party installation.

We recommend that all users run Anti-Virus software, promptly apply (legitimate) updates when they become available, use screen locks, passwords and device encryption (when available). Do not run untrusted applications and do not allow third parties access to mobile devices.

As part of our ongoing research, we have notified vendors, as well as members of the AV community.

Footnotes

¹ A list of Nokia capabilities can be found here.
² http://www.whoisentry.com/domain/it-intrusion.com
³ See Appendix A.
⁴ See Appendix A.

Appendix A

The server was serving FinSpy on port 80, and SSH on port 22. We measured the SYN/ACK RTT on both ports and compared. The results for port 80:

The results for port 22:

The comparison reveals that port 80 TCP traffic was likely being proxied to a different computer.

Acknowledgements

This is a Morgan Marquis-Boire and Bill Marczak production.

Windows mobile sample analysis by Claudio Guarnieri.

Additional Analysis

Thanks to Pepi Zawodsky for OSX expertise and assistance.
Thanks to Jon Larimer and Sebastian Porst for Android expertise.

Additional Thanks

Special thanks to John Scott-Railton.
Additional thanks to Marcia Hofmann and the Electronic Frontier Foundation.
Tip of the hat to John Adams for scanning advice.

Media Coverage

Bloomberg
The Next Web
Financial Post (The National Post)
Washington Post

The post The SmartPhone Who Loved Me: FinFisher Goes Mobile? appeared first on The Citizen Lab.

Table of Contents

• Blogger and Netizen Arrests
• Internet and Social Media Use
• Censorship and Filtering
• Hacktivism
• Government Control
• Cyber Warfare

BLOGGER AND NETIZEN ARRESTS

IRAN: Journalists in jail – As of July 2012, 30 print and 24 online journalists are currently under arrest [Farsi] in Iran. The Committee to Protect Journalists’ (CPJ) 2011 census reported that Iran had the highest number of jailed journalists in the world, with 42 journalists in prison as of December 2011. According to CPJ Deputy Director Robert Mahoney, Iran imprisoned journalists to quash critical news coverage as reformist publications are often banned and their staff sent to prison.

OMAN: Court sentences six netizens to jail for lèse majesté crimes – An Omani court has given jail terms to netizens Mohammed Al-Badi, Mohammed Al-Habsi, Abdullah Al-Siyani, Talib Al-Abry, Abdullah Al-Araimi and Mona Hardan for publishing defamatory comments against ruling Sultan Qaboos bin Said al Said. As previously reported, the Cyber Crime Law has been used to justify the arrests of poets and writers accused of defaming the Sultan on social media.  Reporters Without Borders has described the “persecution of netizens and local journalists” in Oman as having reached “alarming proportions.”

SAUDI ARABIA: Human Rights Watch condemns arrest of website editor – On July 17, Human Rights Watch issued a press release demanding the release of Ra’if Badawi, editor of the Free Saudi Liberals [Arabic] website. Badawi was arrested in June and has been charged under the Anti-Cybercrime Law [pdf] for infringing on religious values by providing an online platform for people to debate religious issues. Badawi has long been a target of Saudi authorities. In 2008, he was accused of “setting up an electronic site that insults Islam”.

UNITED ARAB EMIRATES (UAE): Government cracks down on netizens – Last month, Ahmed Abdul Khaleq, one of the human rights activists arrested and tried last year, was given a choice of where to be deported — Bangladesh, India, Iran, Pakistan or Thailand. He chose Thailand, though he had no relations there. Khaleq, a member of the stateless bidoon people, had long run a popular blog advocating for bidoon rights in the United Arab Emirates (UAE) and has been associated with the Reform and Social Guidance Association (al-Islah), a collective described by Amnesty International (AI) as a “non-violent political group which has been engaged in peaceful political debate and discussion in the UAE for many years.” This deportation coincided with a three-day sweep of online journalists, bloggers, and other Emirati activists.

Back to top

INTERNET AND SOCIAL MEDIA USE

MIDDLE EAST and NORTH AFRICA: Social media use growing rapidly in the Arab world – The Arab Social Media Report, produced by the Dubai School of Government’s Governance and Innovation Program, revealed that as of June 2012, Facebook had reached 45.2 million active users, Twitter had over two million, and LinkedIn had four million. Yet the growth in social media use has not corresponded with an easing of censorship of online content by many governments in the region.

IRAN: Citizens use Facebook to say ‘No’ to compulsory hijab – Thousands of Iranians living in and outside of the country have joined a Facebook group, “Unveil Women’s Rights to Unveil,” calling for an end to mandatory hijab. The group was launched on July 11 and received more than 10,000 likes in a few days. Many women and even some men have posted pictures on the page with the movement’s slogan, declaring that women should have the right to choose.

IRAN: Social media not illegal, but users can still be punished – General Kamal Hadianfar, Chief of the Cyber and Information Exchange Police (FATA), announced [Farsi] that signing up for social networks is not legally prohibited in Iran. He warned, however, that police will be diligent in tracking and arresting those who “commit cyber crimes”. Hadianfar went on to say that “Iran’s enemies” are attempting to use cyberspace and social media websites [Farsi] “to change the religious beliefs of youth in the country”.

IRAN: Conflicting reports on Internet penetration – Recent reports from Statistics Iran and Donya-e-Eqtesad newspaper have shown that only 15 percent of the population have access to the Internet and they mostly use dial-up services to connect from their homes. Also, the report stated that 27 percent of families living in major urban centres are able to connect to the Internet, versus only five percent of families in rural areas. A conflicting report from the National Internet Development Agency of Islamic Republic of Iran, however, claimed that Internet penetration rates in the country recently reached 43 percent. These differing statistics are likely due to disagreements over how to define an Internet user.

Back to top

CENSORSHIP AND FILTERING

IRAN: Public requests for Internet filtering – Mehdi Sarami, CEO of the Association of Information Technology and Digital Media, stated that approximately 90 percent of censored websites have been filtered due to requests from the public. According to Sarami, there was a time that the Association received 2,000-3,000 complaints from people about improper and criminal website content.

JORDAN: Citizens demand pornography filtering - In February 2012, a group of Jordanian citizens launched [Arabic] the “Campaign to Block Pornography Websites from the Internet in Jordan”, which has lobbied the government to issue an official decree that pornography websites be permanently and effectively filtered. Atef al-Tal, the Minister of Information and Communications Technology, revealed on July 19 that the Ministry was in the process of amending the country’s telecoms law by adding provisions that guarantee “clean” internet services and working with an Australian company to develop an Internet filtering solution, while the Telecommunications Regulatory Commission has requested that key ISPs block pornography websites.

SAUDI ARABIA: Censorship continues as Twitter use soars – The government has proposed a new law that could impose harsh penalties on social media users who insult Islam, including the Prophet Mohammed, early Muslim figures, and clerics. This is a concern given that Saudi Arabia is Twitter’s fastest growing market month-on-month.

Back to top

HACKTIVISM

YEMEN: Anonymous exposes government-run censorship – The hacker group Anonymous recently released details of the government-run Internet filtering system. Content targeted for blocking includes websites and pages critical of the government, pornographic material, and VoIP services. OpenNet Initiative research in Yemen has found that although censorship is pervasive, many users are able to easily circumvent the controls.

SYRIA: Anonymous takes down website of the Syrian Electronic Army – Anonymous claimed to have taken down the website of the pro-government Syrian Electronic Army (SEA) with a distributed denial-of-service (DDoS) attack on July 17. The SEA had apparently taunted Anonymous a day earlier, accusing them of spreading lies and issuing empty threats. For the past year, Anonymous has displayed strong opposition to the Syrian regime and recently took credit for providing WikiLeaks with over two million confidential e-mails from “Syrian political figures, ministries, and associated companies.”

Back to top

GOVERNMENT CONTROL

IRAN: Internet cafe owners must check identity of users – Sattar Khosravi, Chief of Isfahan Province branch of FATA, has said [Farsi] that Internet cafes must check the national identity cards of users and have their information retained for use by authorities before providing them with access to computers. Khosravi warned that using VPNs and proxies are illegal and that cafe owners could face punishment if users are found violating regulations.

IRAN: Experts warn about the security of national Internet – As previously reported, the government has pushed Iranians to use “.ir” e-mail addresses and has obligated state organizations, universities, and research centres to use locally hosted domains for all websites and portals. In response, a number of IT experts and scholars published a statement outlining the security challenges of a national Internet. Noting several security holes in the proposed national email service, experts warned that forcing people to use insecure email and Internet services not only increases the risk of users’ private data being stolen, but also reduces user’s trust in other kinds of national technologies and products.

SYRIA: Internet cut off for 40 minutes – On July 19, Internet security firm Renesys reported that all networks routed through the Syrian Telecommunications Establishment (61 of the 66 networks) were withdrawn from the global routing table, effectively cutting off Internet connectivity throughout the country for 40 minutes. Five networks operated by Tata, an Indian multinational telecommunications firm, were unaffected. Until that point, Internet outages had been relatively uncommon during the period of civil strife in Syria. The last major disruptions occurred in June and October 2011, each affecting around 40 networks. The July 2012 outages came only one day after Syrian rebels bombed the National Security building in Damascus.

SYRIA: Satellite channels to be hijacked by Western powers – Syrian Arab News Agency (SANA), a state media outlet, reported on July 22 that Western intelligence agencies and “some Arab parties” were planning to hijack the frequencies of Syrian satellite television channels to broadcast misinformation, possibly about a coup d’etat, defections, the fall of cities, or other subjects that might be damaging to the regime. Syrian citizens were therefore encouraged to regard all suspect information as completely baseless fabrications. The Ministry of Information issued similar warnings through other national media channels such as Syria TV, al-Dunia TV, and Sham FM.

Back to top

CYBER WARFARE

IRAN: The “Mahdi” malware – Internet security experts have found that a malware named “Mahdi” is being used to attack computers in Middle Eastern countries. A report by Iran’s Computer Emergency Response Team Coordination Center [Farsi] revealed that Russia’s Kaspersky Lab first discovered the malware approximately eight months ago. More than 800 computers, the majority of which are located in Israel and Iran, have since been infected, although it did not gain significant media attention until only recently. Mahdi Behrouzi, Vice Chancellor of the Academic Protection and Awareness Professional Center, stated in an interview [Farsi] that the increased publicity is likely an attempt to make a connection between Iran and the malware developers, and that “Iran’s enemies”, such as Israel, are accusing the country of deliberately using this malware to steal data from Internet users.

IRAN: Government plans to resist cyber attacks - As Iran continues to stress the importance of setting up a defensive position vis-a-vis cyber attacks, the state-sponsored Mehr News Agency has reported that the Amirkabir University of Technology will soon initiate a new mega-project for this purpose. The project, called the Program of Supreme Council of Science, Information and Technology, is designed to be a cyber defence network and aims to protect Iran from the increasing number of cyber attacks.

IRAN: US has not revealed the IP addresses of hackers – Last month, a cyber attack was reported against Iran that allegedly led to the disconnection of the servers of the Ministry of Oil and four of its subsidiary companies. At the time, General Kamal Hadianfar, Chief of Cyber and Information Exchange Police (FATA), claimed that the attack had spread through an IP address located in the US. Hadianfar said that Iran has submitted an official legal request to the US to reveal the IP addresses of the suspected hackers, but US officials have not yet responded.

Back to top

Read previous editions of the Middle East and North Africa Cyber Watch.

Read previous editions of the Iran Cyber Watch (discontinued as of June 15, 2012).

Subscribe and receive the Middle East and North Africa CyberWatch in your inbox.

The post Middle East and North Africa CyberWatch: July 14 – July 27, 2012 appeared first on The Citizen Lab.