- Spitfire List - http://spitfirelist.com -

The Spywarepocalypse Cometh. Lock the Backdoor.

With last week’s Snowden-leak that the NSA can break a large amount of the encryption used across the web using a variety of backdoors and secret agreements with manufacturers, there’s now a push in Congress for legal restrictions on the use of these backdoors [1]:

The New York Times
Legislation Seeks to Bar N.S.A. Tactic in Encryption

By SCOTT SHANE and NICOLE PERLROTH
Published: September 6, 2013

After disclosures about the National Security Agency’s stealth campaign to counter Internet privacy protections, a congressman has proposed legislation that would prohibit the agency from installing “back doors” into encryption, the electronic scrambling that protects e-mail, online transactions and other communications.

Representative Rush D. Holt, a New Jersey Democrat who is also a physicist, said Friday that he believed the N.S.A. was overreaching and could hurt American interests, including the reputations of American companies whose products the agency may have altered or influenced.

“We pay them to spy,” Mr. Holt said. “But if in the process they degrade the security of the encryption we all use, it’s a net national disservice.”

Mr. Holt, whose Surveillance State Repeal Act would eliminate much of the escalation in the government’s spying powers undertaken after the 2001 terrorist attacks, was responding to news reports about N.S.A. documents showing that the agency has spent billions of dollars over the last decade in an effort to defeat or bypass encryption. The reports, by The New York Times, ProPublica and The Guardian, were posted online on Thursday.

The agency has encouraged or coerced companies to install back doors in encryption software and hardware, worked to weaken international standards for encryption and employed custom-built supercomputers to break codes or find mathematical vulnerabilities to exploit, according to the documents, disclosed by Edward J. Snowden, the former N.S.A. contractor.

The documents show that N.S.A. cryptographers have made major progress in breaking the encryption in common use for everyday transactions on the Web, like Secure Sockets Layer, or SSL, as well as the virtual private networks, or VPNs, that many businesses use for confidential communications among employees.

Intelligence officials say that many of their most important targets, including terrorist groups, use the same Webmail and other Internet services that many Americans use, so it is crucial to be able to penetrate the encryption that protects them. In an intense competition with other sophisticated cyberespionage services, including those of China and Russia, the N.S.A. cannot rule large parts of the Internet off limits, the officials argue.

A statement from the director of national intelligence, James R. Clapper Jr., criticized the reports, saying that it was “not news” that the N.S.A. works to break encryption, and that the articles would damage American intelligence collection.

The reports, the statement said, “reveal specific and classified details about how we conduct this critical intelligence activity.”

“Anything that yesterday’s disclosures add to the ongoing public debate,” it continued, “is outweighed by the road map they give to our adversaries about the specific techniques we are using to try to intercept their communications in our attempts to keep America and our allies safe and to provide our leaders with the information they need to make difficult and critical national security decisions.”

But if intelligence officials felt a sense of betrayal by the disclosures, Internet security experts felt a similar letdown — at the N.S.A. actions.

“There’s widespread disappointment,” said Dan Kaminsky, a prominent security researcher. “This has been the stuff of wild-eyed accusations for years. A lot of people are heartbroken to find out it’s not just wild-eyed accusations.”

Sascha Meinrath, the director of the Open Technology Institute, a research group in Washington, said the reports were “a startling indication that the U.S. has been a remarkably irresponsible steward of the Internet,” which he said the N.S.A. was trying to turn into “a massive platform for detailed, intrusive and unrestrained surveillance.”

Companies like Google and Facebook have been moving to new systems that, in principle, would make government eavesdropping more difficult. Google is in the process of encrypting all data that travels via fiber-optic lines between its data centers. The company speeded up the process in June after the initial N.S.A. disclosures, according to two people who were briefed on Google’s plans but were not authorized to speak publicly about them. The acceleration of the process was first reported Friday by The Washington Post.

For services like Gmail, once data reaches a user’s computer it has been encrypted. But as messages and other data like search queries travel internally among Google’s data centers they are not encrypted, largely because it is technically complicated and expensive to do.

Facebook announced last month that it would also transition to a novel encryption method, called perfect forward secrecy, that makes eavesdropping far more difficult.

But the perception of an N.S.A. intrusion into the networks of major Internet companies, whether surreptitious or with the companies’ cooperation, could hurt business, especially in international markets.

“What buyer is going to purchase a product that has been deliberately made less secure?” asked Mr. Holt, the congressman. “Even if N.S.A. does it with the purest motive, it can ruin the reputations of billion-dollar companies.”

In addition, news that the N.S.A. is inserting vulnerabilities into widely used technologies could put American lawmakers and technology companies in a bind with regard to China.

Over the last two years, American lawmakers have accused two of China’s largest telecommunications companies, Huawei Technologies and ZTE, of doing something parallel to what the N.S.A. has done: planting back doors into their equipment to allow for eavesdropping by the Chinese government and military.

Both companies have denied collaborating with the Chinese government, but the allegations have eliminated the companies’ hopes for significant business growth in the United States. After an investigation last year, the House Intelligence Committee concluded that government agencies should be barred from doing business with Huawei and ZTE, and that American companies should avoid buying their equipment.

Some foreign governments and companies have also said that they would not rely on the Chinese companies’ equipment out of security concerns. Last year, Australia barred Huawei from bidding on contracts in Australia’s $38 billion national broadband network. And this year, as part of its effort to acquire Sprint Nextel, SoftBank of Japan pledged that it would not use Huawei equipment in Sprint’s cellphone network.

Part of what makes a backdoor-decryption ban so intriguing is that the nature of the encryption techniques employed today is such that, without a backdoor or some other algorithmic “cheat” of some sort, it’s theoretically really, really, really hard for even an intelligence agency with the capabilities of the NSA to break the encryption. It’s one of those realities of the digital age that German security officials reminded us of in 2007, when policy experts requested a backdoor into users’ computers to get around Skype’s encryption [2]:

TechDirt
German Proposal Gives A New Perspective On ‘Spyware’
from the big-brother-is-hacking-yo dept

by Timothy Lee

Tue, Nov 27th 2007 5:10pm

A VoIP expert has unveiled new proof-of-concept software that allows an attacker to monitor other people’s VoIP calls [3] and record them for later review. Unencrypted VoIP really isn’t very secure; if you have access to the raw network traffic of a call, it’s not too hard to reconstruct the audio. Encrypted traffic is another story. German officials have discovered that when suspects use Skype’s encryption feature, they aren’t able to decode calls even if they have a court order authorizing them to do so. Some law enforcement officials in Germany apparently want to deal with this problem by having courts give them permission to surreptitiously install spying software on the target’s computer. To his credit, Joerg Ziercke, president of Germany’s Federal Police Office, says that he’s not asking Skype to put back doors in its software.

But the proposal still raises some serious questions. Once the installation of spyware becomes a standard surveillance method, law enforcement will have a vested interest in making sure that operating systems and VoIP applications have vulnerabilities they can exploit. There will inevitably be pressure on Microsoft, Skype, and other software vendors to provide the police with backdoors. And backdoors are problematic because they can be extremely difficult to limit to authorized individuals. It would be a disaster if the backdoor to a popular program like Skype were discovered by unauthorized individuals.

A similar issue applies to anti-virus software. If anti-virus products detect and notify users when court-ordered spyware is found on a machine, it could obviously disrupt investigations and tip off suspects. On the other hand, if antivirus software ignores “official” spyware, then spyware vendors will start trying to camouflage their software as government-installed software to avoid detection. Ultimately, there may be no way for anti-spyware products to turn a blind eye to government-approved spyware without undermining the effectiveness of their products.

Hence, I’m skeptical of the idea of government-mandated spyware, although I don’t think it should be ruled out entirely. That may sound like grim news for law enforcement, which does have a legitimate need to eavesdrop on crime suspects. But it’s important to keep in mind that law enforcement officials do have other tools at their disposal. If they’re not able to install software surveillance tools, it’s always possible to do it the old-fashioned way–in hardware. Law enforcement agencies can always sneak into a suspect’s home (with a court order, of course) and install bugging devices. That tried and true method works regardless of the communications technology being used.

The battle over backdoors is an ongoing issue [4] that isn’t going away any time soon. And as the above article indicated, one of the reasons that backdoors installed into hardware and software for use by law enforcement are guaranteed to be an ongoing issue is that encryption done right can’t be cracked. At least not in a reasonable time frame. It’s a reflection of the asymmetric nature of the mathematics behind encryption: it’s a lot easier to hide a needle in a haystack than to find it. At least in theory [5]:

Ars Technica
Crypto experts issue a call to arms to avert the cryptopocalypse
Nobody can crack important algorithms yet, but the world needs to prepare for that to happen.

by Peter Bright – Aug 1 2013, 10:49pm CST

At the Black Hat security conference in Las Vegas, a quartet of researchers, Alex Stamos, Tom Ritter, Thomas Ptacek, and Javed Samuel, implored everyone involved in cryptography, from software developers to certificate authorities to companies buying SSL certificates, to switch to newer algorithms and protocols, lest they wake up one day to find that all of their crypto infrastructure is rendered useless and insecure by mathematical advances.

We’ve written before about asymmetric encryption [6] and its importance to secure communication. Asymmetric encryption algorithms have pairs of keys: one key can decrypt data encrypted with the other key, but cannot decrypt data encrypted with itself.

The asymmetric algorithms are built on an underlying assumption that certain mathematical operations are “hard,” which is to say, that the time it takes to do the operation increases proportional to some number raised to the power of the length of the key (“exponential time”). This assumption, however, is not actually proven, and nobody knows for certain if it is true. The risk exists that the problems are actually “easy,” where “easy” means that there are algorithms that will run in a time proportional only to the key length raised to some constant power (“polynomial time”).

The most widely used asymmetric algorithms (Diffie Hellman, RSA, and DSA) depend on the difficulty of two problems: integer factorization [7], and the discrete logarithm [8]. The current state of the mathematical art is that there aren’t—yet—any easy, polynomial time solutions to these problems; however, after decades of relatively little progress in improving algorithms related to these problems, a flurry of activity in the past six months has produced faster algorithms for limited versions of the discrete logarithm problem.

At the moment, there’s no known way to generalize these improvements to make them useful to attack real cryptography, but the work is enough to make cryptographers nervous. They draw an analogy with the BEAST, CRIME, and BREACH [9] attacks used to attack SSL. The theoretical underpinnings for these attacks are many years old, but for a long time were dismissed as merely theoretical and impossible to use in practice. It took new researchers and new thinking to turn them into practical attacks.

When that happened, it uncovered a software industry ill-prepared to cope. A lot of software, rather than allowing new algorithms and protocols to be easily plugged in, has proven difficult or impossible to change. This means that switching to schemes that are immune to the BEAST, CRIME, and BREACH attacks is much more difficult than it should be. Though there are newer protocols and different algorithms that avoid the problems that these attacks exploit, compatibility concerns mean that they can’t be rapidly rolled out and used.

The attacks against SSL are at least fairly narrow in scope and utility. A general purpose polynomial time algorithm for integer factorization or the discrete logarithm, however, would not be narrow in scope or utility: it would be readily adapted to blow wide open almost all SSL/TLS, ssh, PGP, and other encrypted communication. (The two mathematical problems, while distinct, share many similarities, so it’s likely that an algorithm that solved integer factorization could be adapted in some way to solve the discrete logarithm, and vice versa).

Worse, it would make updating these systems in a trustworthy manner nearly impossible: operating systems such as Windows and OS X depend on digital signatures that in turn depend on these same mathematical underpinnings to protect against the installation of fraudulent or malicious updates. If the algorithms were undermined, there would be no way of verifying the authenticity of the updates.

While there’s no guarantee that this catastrophe will occur—it’s even possible that one day it might be proven that the two problems really are hard—the risk is enough to have researchers concerned. The difficulties of change that BEAST et al. demonstrated mean that if the industry is to have a hope of surviving such a revolution in cryptography, it must start making changes now. If it waits for a genius mathematician somewhere to solve these problems, it will be too late to do anything about it.

Fortunately, a solution of sorts does exist. A family of encryption algorithms called elliptic curve cryptography (ECC) exists. ECC is similar to the other asymmetric algorithms, in that it’s based on a problem that’s assumed to be hard (in this case, the elliptic curve discrete logarithm). ECC, however, has the additional property that its hard problem is sufficiently different from integer factorization and the regular discrete logarithm that breakthroughs in either of those shouldn’t imply breakthroughs in cracking ECC.

However, support for ECC is still very problematic. Much of the technology is patented by BlackBerry, and those patents are enforced [10]. There are certain narrow licenses available for implementations of ECC that meet various US government criteria, but the broader patent issues have led some vendors to refuse to support [11] the technology.

Further, support of protocols that can use ECC, such as TLS 1.2 (the latest iteration of SSL technology) is still not widely available. Certificate authorities have also been slow to offer ECC certificates.

As such, the researchers are calling for the computer industry as a whole to do two things. First, embrace ECC today. Second, ensure that systems that use cryptography are agile. They must not be lumbered with limited sets of algorithms and obsolete protocols. They must instead make updating algorithms and protocols quick and easy, to ensure that software systems can keep pace with the mathematical research and adapt quickly to new developments and techniques. The cryptopocalypse might never happen—but we should be prepared in case it does.
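The gap the quoted article describes between the forward operation and its inversion can be measured on a toy group. The following Python sketch is an added example, not part of the Ars Technica article or of the original post; the primes, bases and secret exponents are constructed sample values, and baby-step giant-step stands in as a generic textbook inversion method at sizes far below anything used in practice.

```python
"""Added illustration: cost of modular exponentiation versus cost of
recovering the exponent (discrete logarithm) as the modulus grows."""
import math


def modexp_count(g, x, p):
    """Square-and-multiply. Returns (g**x mod p, modular multiplications used).
    The count grows linearly with the bit length of x."""
    result, base, mults = 1, g % p, 0
    while x:
        if x & 1:
            result = result * base % p
            mults += 1
        base = base * base % p
        mults += 1
        x >>= 1
    return result, mults


def bsgs_count(g, h, p, order):
    """Baby-step giant-step: search x in [0, order) with g**x == h (mod p).
    Returns (x or None, modular multiplications used).
    The count grows like sqrt(order), i.e. exponentially in the bit length."""
    m = math.isqrt(order - 1) + 1          # ceil(sqrt(order))
    table, cur, mults = {}, 1, 0
    for j in range(m):                     # baby steps: store g**j
        table.setdefault(cur, j)
        cur = cur * g % p
        mults += 1
    factor = pow(cur, -1, p)               # cur is now g**m; factor = g**(-m)
    gamma = h % p
    for i in range(m):                     # giant steps: h * g**(-i*m)
        if gamma in table:
            return i * m + table[gamma], mults
        gamma = gamma * factor % p
        mults += 1
    return None, mults


# Constructed sample parameters: Mersenne primes of increasing size with a
# small base each. Nothing here is a real-world key size.
SAMPLES = [(8191, 17), (131071, 3), (524287, 3), (2147483647, 7)]


def compare(p, g):
    """Run the forward operation and the inversion for one toy modulus."""
    secret = (p - 1) * 2 // 3              # constructed secret exponent
    h, forward = modexp_count(g, secret, p)
    found, inverse = bsgs_count(g, h, p, p - 1)
    return {
        "bits": p.bit_length(),
        "forward_mults": forward,
        "inverse_mults": inverse,
        "recovered_ok": found is not None and pow(g, found, p) == h,
    }


if __name__ == "__main__":
    print(f"{'bits':>4} {'forward':>8} {'inverse':>8}")
    for p, g in SAMPLES:
        row = compare(p, g)
        print(f"{row['bits']:>4} {row['forward_mults']:>8} {row['inverse_mults']:>8}")
```

Going from a 13-bit to a 31-bit modulus adds a few dozen multiplications to the forward direction, while the inversion count grows by roughly a factor of 2 for every two added bits. That growth rate is the unproven "hard" assumption the article refers to.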

Note that the above article was published August 1st, a month before the latest Snowden leak about the advances in NSA techniques, which include both backdoors and advances in decryption algorithms. So the references to algorithmic risks (because we don’t know how “hard [12]” the underlying mathematical algorithms truly are) in the above article might relate to the recent advances in the NSA’s decryption algorithms. This could even include turning theoretically “hard” (non-polynomial-time) mathematical problems into somewhat less hard problems that can be cracked without the NSA’s backdoors (or anyone else’s [13] backdoors). In other words, while the concerns about the NSA or some other allied intelligence agency abusing those encryption backdoors are valid [14], there’s also the very real possibility that other 3rd parties (rival intelligence agencies, organized crime, private parties, etc.) are also using the new algorithmic hacks where no backdoors are required. The algorithm is effectively defeated. So even if those NSA backdoors (or anyone else’s backdoors) didn’t exist, there is still the possibility that the underlying mathematical algorithms currently used to encrypt the bulk of internet communications have already been effectively hacked mathematically. And if those algorithms have already been hacked (in the sense that code-breakers have found a method of finding the correct keys within a predictable timeframe [12]) then it might just be a matter of time before that algorithm gets out into “the wild” and anyone with the computing resources will be able to decrypt conventionally encrypted data. No backdoors or secret manufacturer agreements needed. Just a powerful enough computer and the knowledge about the flaws in the encryption algorithm. That’s the ‘cryptopocalypse’.

But there’s another interesting possibility that could emerge in the medium-term: Right now it’s known that NSA uses custom-built chips to break the encryption and it’s believed that these chips can decrypt any of the traffic on Tor that doesn’t use the most advanced “elliptic curve cryptography” encryption described above [15]. Tor is supposed to be anonymous.

So we should probably expect to see a broad shift towards these newer kinds of encryption methods. And if that shift towards using these newer methods takes place without those NSA backdoors we could start seeing truly secure encryption methods employed – methods that no spy agency, anywhere, will be able to decrypt. At least not unless there’s some super secret powerful computing technology hiding somewhere. If that encrypted future is what’s in store for us we should probably expect a dramatic expansion of traditional spying: human intelligence will simply become much more important because there won’t be other options. Traditional hacking will also become paramount. When a backdoor closes, a job opportunity for a hacker opens [16].

But also note that the FinFisher tool is reportedly able to hack your Blackberry [17] which uses “elliptic curve cryptography” [17]. Same with the NSA and GCHQ [18]. So whatever secure encryption method the world eventually settles upon will have to be more secure than currently recommended secure methods. Give it time.

Beware Software Updates Bearing Gifts
If we do eventually see an encrypted future – one where direct hacking with the benefit of pervasive backdoors or algorithmic trickery is no longer an option – we should expect an explosion of Trojan spyware and custom hacks [18]. Even with the pervasive backdoors and algorithmic trickery we should still expect an explosion of spyware because that’s what’s already happening. So while the NSA hardware and software backdoor network is the spy scandal of the moment, perhaps the UK/German Bundestrojaner [19]/FinFisher/FinSpy [20] spyware scandals [21] should be considered likelier spy scandal templates for tomorrow [22]:

Slate
U.S. and Other Western Nations Met With Germany Over Shady Computer-Surveillance Tactics

By Ryan Gallagher

Posted Tuesday, April 3, 2012, at 11:51 AM

Infecting a computer with spyware in order to secretly siphon data is a tactic most commonly associated with criminals. But explosive new revelations in Germany suggest international law enforcement agencies are adopting similar methods as a form of intrusive suspect surveillance, raising fresh civil liberties concerns.

Information released last month by the German government shows that between 2008-2011, representatives from the FBI; the U.K.’s Serious Organised Crime Agency (SOCA); and France’s secret service, the DCRI, were among those to have held meetings with German federal police about deploying “monitoring software” used to covertly infiltrate computers.

The disclosure was made in response to a series of questions tabled by Left Party Member of Parliament Andrej Hunko and reported by German-language media [23]. It comes on the heels of an exposé by the Chaos Computer Club, a Berlin-based hacker collective, which revealed [24] in October that German police forces had been using a so-called “Bundestrojaner” (federal Trojan) to spy on suspects.

The Bundestrojaner technology could be sent disguised as a legitimate software update and was capable of recording Skype calls, monitoring Internet use, and logging messenger chats and keystrokes. It could also activate computer hardware such as microphones or webcams and secretly take snapshots or record audio before sending it back to the authorities.

German federal authorities initially denied [25] deploying any Bundestrojaner, but it soon transpired that courts had in fact approved requests from officials to employ such Trojan horse programs more than 50 times [26]. Following a public outcry over the use of the technology, which many believe breached the country’s strict privacy laws, further details have surfaced.

Inquiries by Green Party MP Konstantin von Notz revealed in January [27] that, in addition to the Bundestrojaner discovered by the CCC, German authorities had also acquired a license in early 2011 to test a similar Trojan technology called “FinSpy,” manufactured by England-based firm Gamma Group. FinSpy enables clandestine access to a targeted computer, and was reportedly used for five months [28] by Hosni Mubarak’s Egyptian state security forces in 2010 to monitor personal Skype accounts and record voice and video conversations over the Internet.

But it is the German government’s response to a series of questions recently submitted by Hunko that is perhaps the most revealing to date. In a letter from Secretary of State Ole Schröder [29] on March 6, which I have translated, Hunko was informed that German federal police force, the Bundeskriminalamt (BKA), met to discuss the use of monitoring software with counterparts from the U.S., Britain, Israel, Luxemburg, Liechtenstein, the Netherlands, Belgium, France, Switzerland, and Austria. The meetings took place separately between Feb. 19, 2008, and Feb. 1, 2012. While this story has been covered in the German media, it hasn’t received the English-language attention it deserves.

Both the FBI and Britain’s SOCA are said to have discussed with the Germans the “basic legal requirements” of using computer-monitoring software. The meeting with SOCA also covered the “technical and tactical aspects” of deploying computer infiltration technology, according to Schröder’s letter. France’s secret service and police from Switzerland, Austria, Luxemburg, and Liechtenstein were separately briefed by the BKA on its experiences using Trojan computer infiltration.

Interestingly, at a meeting in October 2010 attended by police from Germany, the Netherlands, and Belgium, representatives from the Gamma Group were present and apparently showcased their shadowy products. It is possible that the Germans decided at this meeting to proceed with the FinSpy trial we now know took place in early 2011.

If nothing else, these revelations confirm that police internationally are increasingly looking to deploy ethically contentious computer intrusion techniques that exist in a legal gray area. The combination of the rapid development of Internet technologies and persistent fears about national security seem to have led to a paradigm shift in police tactics—one that appears, worryingly, to be taking place almost entirely behind closed doors and under cover of state secrecy.

Your Passwords Can Be Stolen. So Can Your Spyware
The world continues to freak out about the NSA and UK possessing the centralized mass-surveillance capabilities that come from the power to collect and decrypt massive volumes of internet traffic. Such a freak out is understandable because, hey, centralized mass internet traffic surveillance is kind of creepy. It’s also understandable that the global debate would be almost exclusively focused on spying by the NSA because that’s been the focus of the Snowden leaks. But it might be worth incorporating into an ongoing global debate about the balance of privacy, security, and government accountability the fact that extremely powerful spyware is being peddled by major governments [30] and is currently used by governments [31] all over the globe. It might also be used by unknown parties all over the globe, because spyware can be stolen [32]:

Bloomberg
FinFisher Spyware Reach Found on Five Continents: Report
By Vernon Silver – Aug 8, 2012 6:34 AM CT

The FinFisher spyware made by U.K.- based Gamma Group likely has previously undisclosed global reach, with computers on at least five continents showing signs of being command centers that run the intrusion tool, according to cybersecurity experts.

FinFisher can secretly monitor computers — intercepting Skype calls, turning on Web cameras and recording every keystroke. It is marketed by Gamma for law enforcement and government use.

Research published last month based on e-mails obtained by Bloomberg News showed activists from the Persian Gulf kingdom of Bahrain were targeted by what looked like the software, sparking a hunt for further clues to the product’s deployment.

In new findings, a team, led by Claudio Guarnieri of Boston-based security risk-assessment company Rapid7, analyzed how the presumed FinFisher samples from Bahrain communicated with their command computer. They then compared those attributes with a global scan of computers on the Internet.

The survey has so far come up with what it reports as matches in Australia, the Czech Republic, Dubai, Ethiopia, Estonia, Indonesia, Latvia, Mongolia, Qatar and the U.S.

Guarnieri, a security researcher based in Amsterdam, said that the locations aren’t proof that the governments of any of these countries use Gamma’s FinFisher. It’s possible that Gamma clients use computers based in other nations to run their FinFisher systems, he said in an interview.

‘Active Fingerprinting’

“They are simply the results of an active fingerprinting of a unique behavior associated with what is believed to be the FinFisher infrastructure,” he wrote in his report, which Rapid7 is publishing today on its blog at https://community.rapid7.com/community/infosec/blog.

The emerging picture of the commercially available spyware’s reach shines a light on the growing, global marketplace for cyber weapons with potential consequences.

“Once any malware is used in the wild, it’s typically only a matter of time before it gets used for nefarious purposes,” Guarnieri wrote in his report. “It’s impossible to keep this kind of thing under control in the long term.”

In response to questions about Guarnieri’s findings, Gamma International GmbH managing director Martin J. Muench said a global scan by third parties would not reveal servers running the FinFisher product in question, which is called FinSpy.

“The core FinSpy servers are protected with firewalls,” he said in an Aug. 4 e-mail.

Gamma International

Muench, who is based in Munich, has said his company didn’t sell FinFisher spyware to Bahrain. He said he’s investigating whether the samples used against Bahraini activists were stolen demonstration copies or were sold via a third party.

Gamma International GmbH in Germany is part of U.K.-based Gamma Group. The group also markets FinFisher through Andover, England-based Gamma International UK Ltd. Muench leads the FinFisher product portfolio.

Muench says that Gamma complies with the export regulations of the U.K., U.S. and Germany.

It was unclear which, if any, government agencies in the countries Guarnieri identified are Gamma clients.

A U.S. Federal Bureau of Investigation spokeswoman in Washington declined to comment.

Officials in Ethiopia’s Communications Minister, Qatar’s foreign ministry and Mongolia’s president’s office didn’t immediately return phone calls seeking comment or respond to questions. Dubai’s deputy commander of police said he has no knowledge of such programs when reached on his mobile phone.

Australia’s department of foreign affairs and trade said in an e-mailed statement it does not use FinFisher software. A spokesman at the Czech Republic’s interior ministry said he has no information of Gamma being used there, nor any knowledge of its use at other state institutions.

Violating Human Rights?

At Indonesia’s Ministry of Communications, head of public relations Gatot S. Dewa Broto said that to his knowledge the government doesn’t use that program, or ones that do similar things, because it would violate privacy and human rights in that country. The ministry got an offer to purchase a similar program about six months ago but declined, he said, unable to recall the name of the company pitching it.

The Estonian Information Systems Authority RIA has not detected any exposure to FinSpy, a spokeswoman said. Neither has Latvia’s information technologies security incident response institution, according to a technical expert there.

If the above description of the emerging global spyware-surveillance state sounds a little unsettling, keep in mind that FinFisher/FinSpy is just one toolkit. There could be all sorts of other spyware “products” out there.

Also don’t forget that the world is still learning about the FinFisher/FinSpy spyware’s capability: For instance, it appears that a “FinIntrusion” tool made by the same company can be used to collect WiFi signals. Part of the FinIntrusion suite includes decryption capabilities so all that WiFi traffic can be picked up. It’s a reminder that, whether or not the centralized mass-surveillance state is on the wane, the global decentralized spyware party is still going strong [33]:

ITNews.com
Further details of FinFisher govt spyware leaked
By Juha Saarinen on Sep 2, 2013 6:04 AM
Filed under Security

Claims it can break encryption.

Sales brochures and presentations leaked online have shed further light on the FinFisher malware and spyware toolkit that is thought to be used by law enforcement agencies worldwide.

FinFisher is made by the Anglo-German Gamma International and is marketed to law enforcement agencies around the world. It is also known as FinSpy and the sales presentation traces its origins to BackTrack Linux, an open source penetration testing Linux distribution.

The spyware can record screen shots, Skype chats, operate built-in web cams and microphones on computers and is able to capture a large range of user data.

Last year, an internet scan by a security company showed up FinFisher control nodes in eleven countries, including Australia. The malware has been analysed [pdf] by the Citizen Lab project in which the University of Toronto, Munk School of Global Affairs and the Canada Centre for Global Studies participate in.

In July this year, the Australia Federal Police turned down a Freedom of Information Act request from the director of the OpenAustralia Foundation, Henare Degan, about the use of FinFisher by the country’s top law enforcement agency.

The spyware runs on all versions of Windows newer than Windows 2000, and can infect computers via USB drivers, drive-by web browser exploits or with the help of local internet providers that inject the malware when users visit trusted sites such as Google Gmail or YouTube.

The FinSpy Mobile version works on Blackberry, Apple IOS, Google Android and Microsoft’s Windows Mobile and Windows Phone operating systems, the documents claim. On these, it can record incoming and outgoing calls, track location with cellular ID and GPS data, and surveillance by making silent calls and more.

According to the documents found by security firm F-Secure, the FinIntrusion portable hacking kit can break encryption and record all traffic, and steal users’ online banking and social media credentials.

Really protecting data privacy involves a lot more than just protecting internet traffic or stopping any of the NSA or GCHQ’s custom backdoors. That was an intelligence convenience that’s now been thwarted, but the spying will continue. If effectively-unbreakable encryption is truly implemented, espionage activities will merely shift to spying on data after it’s been decrypted by the intended recipient. And if the entire history of spying scandals has taught us anything it’s that governments are going to be tempted to spread spyware around like a rabid zombie. Barring a truly populist global revolution that somehow leads to a golden age of shared prosperity and minimal suffering, governments around the world will be spying on other countries’ citizens all over the globe [34] for a whole lot of valid and invalid reasons. Governments can be kind of crazy and so can people. So the spying will continue. And don’t forget that as spyware spreads more and more it’ll be harder to tell apart the state-sponsored spyware from its private/criminal counterparts, and all that private spying will warrant more public spying to stop the private spying. Achieving digital privacy isn’t just a matter of slaying the NSA-mass-wiretapping-dragon in the modern age and sealing those backdoors. The public/private global spyware chimera also roams the forest and it can make backdoors too.