[liberationtech] Stephan Faris: The Hackers of Damascus - Businessweek

ilf ilf at zeromail.org
Thu Nov 15 04:02:45 PST 2012


http://www.businessweek.com/articles/2012-11-15/the-hackers-of-damascus

Taymour Karim didn't crack under interrogation. His Syrian captors beat
him with their fists, with their boots, with sticks, with chains, with the
butts of their Kalashnikovs. They hit him so hard they broke two of his
teeth and three of his ribs. They threatened to keep torturing him until he
died. "I believed I would never see the sun again," he recalls. But Karim,
a 31-year-old doctor who had spent the previous months protesting against
the government in Damascus, refused to give up the names of his friends.

It didn't matter. His computer had already told all. "They knew everything
about me," he says. "The people I talked to, the plans, the dates, the
stories of other people, every movement, every word I said through Skype.
They even knew the password of my Skype account." At one point during the
interrogation, Karim was presented with a stack of more than 1,000 pages of
printouts, data from his Skype chats and files his torturers had downloaded
remotely using a malicious computer program to penetrate his hard drive.
"My computer was arrested before me," he says.

Much has been written about the rebellion in Syria: the protests, the
massacres, the car bombs, the house-to-house fighting. Tens of thousands
have been killed since the war began in early 2011. But the struggle for
the future of the country has also unfolded in another arena - on a
battleground of Facebook (FB) pages and YouTube accounts, of hacks and
counterhacks. Just as rival armies vie for air superiority, the two sides
of the Syrian civil war have spent much of the last year and a half locked
in a struggle to dominate the Internet. Pro-government hackers have
penetrated opposition websites and broken into the computers of Reuters
(TRI) and Al Jazeera to spread disinformation. On the other side, the
hacktivist group Anonymous has infiltrated at least 12 Syrian government
websites, including that of the Ministry of Defense, and released millions
of stolen e-mails.

The Syrian conflict illustrates the extent to which the very tools that
rebels in the Middle East have employed to organize and sustain their
movements are now being used against them. It provides a glimpse of the
future of warfare, in which computer viruses and hacking techniques can be
as critical to weakening the enemy as bombs and bullets. Over the past
three months, I made contact with and interviewed by phone and e-mail
participants on both sides of the Syrian cyberwar. Their stories shed light
on a largely hidden aspect of a conflict with no end in sight - and show how
the Internet has become a weapon of war.

The cyberwar in Syria began with a feint. On Feb. 8, 2011, just as the
Arab Spring was reaching a crescendo, the government in Damascus suddenly
reversed a long-standing ban on websites such as Facebook, Twitter,
YouTube, and the Arabic version of Wikipedia. It was an odd move for a
regime known for heavy-handed censorship; before the uprising, police
regularly arrested bloggers and raided Internet cafes. And it came at an
odd time. Less than a month earlier demonstrators in Tunisia, organizing
themselves using social networking services, forced their president to flee
the country after 23 years in office. Protesters in Egypt used the same
tools to stage protests that ultimately led to the end of Hosni Mubarak's
30-year rule. The outgoing regimes in both countries deployed riot police
and thugs and tried desperately to block the websites and accounts
affiliated with the revolutionaries. For a time, Egypt turned off the
Internet altogether.

Syria, however, seemed to be taking the opposite tack. Just as protesters 
were casting about for the means with which to organize and broadcast their 
messages, the government appeared to be handing them the keys.

Dlshad Othman, a 25-year-old computer technician in Damascus, immediately
grew suspicious of the regime's motives. Young, Kurdish, and recently
finished with his mandatory military service, Othman opposed President
Bashar al-Assad. Working for an Internet service provider, he knew that
Syria - like many other countries, including China, Iran, Saudi Arabia, and
Bahrain - controlled its citizens' access to the Web. The same technology the
government used to censor websites allowed it to monitor Internet traffic
and intercept communications. Popular services such as Facebook, Skype,
Google Maps, and YouTube gave Syria's revolutionaries capabilities that
until a couple of decades ago would have been available only to the world's
most sophisticated militaries. But as long as Damascus controlled the
Internet, they'd be using these tools under the eye of the government.

Shortly after the Syrian revolution began in March 2011, Othman's
political views cost him his job. He decided to dedicate himself full time
to the opposition, joining the Syrian Center for Media and Freedom of
Expression in Damascus to document violence against journalists in the
country. He also began teaching his fellow activists ways to stay safe
online. Othman instructed them how to encrypt e-mails and encouraged them
to use tools like Tor software, which enables anonymous Web browsing by
rerouting traffic through a series of distant servers. When Tor turned out
to be too slow to live-stream protests or scenes of government attacks
against civilians, Othman began purchasing accounts on virtual private
networks (VPNs) and sharing them with his friends and contacts. A VPN is
basically a tunnel inside the public Internet that allows users to
communicate in a secure fashion. For a monthly fee, you can buy access to
servers that create encrypted paths between computers; the VPN also
disguises the identities and locations of your machine and others on the
network. Spies can't read e-mails sent via VPN, and they have a hard time
figuring out where they came from.

Othman's efforts worked at first, but very quickly Damascus blocked
off-the-shelf VPNs and upgraded its Internet filters in ways that made the
VPNs inoperative. By the summer of 2011, Othman had become frustrated with
the Western VPN providers, which he felt were too slow to adapt to the
government's crackdowns. He bought space on outside servers, set up VPNs of
his own, and began actively managing them to make sure safe connections
remained available.

Othman was still training and equipping activists in October 2011 when he
made a nearly fatal mistake. He gave an on-camera interview to a British
journalist who was later arrested with the footage on his laptop. Warned by
a friend through a Facebook message, Othman turned off his phone, removed
its SIM card - a precaution to avoid being tracked - and hid in a friend's
Damascus apartment. He never went home. A month and a half later, at the
urging of activists who worried his arrest would compromise their entire
network, he escaped across the border to Lebanon. "I had been a source of
safety for my friends," he says. "I didn't want to become a source of
danger."

The struggle for Syria has transcended borders. In early 2011, from his  
office at the University of California at Los Angeles, John Scott-Railton, 
a 29-year-old graduate student in Urban Planning, joined the revolutions in 
North Africa and the Middle East. Scott-Railton, working on a dissertation 
on how poor communities in Senegal were adapting to climate change, had 
spent time in Egypt and had close friends there. When revolutionaries in 
Cairo occupied Tahrir Square, he set his studies aside. Working through his 
contacts in the country, he helped Egyptians evade Internet censors and get 
their message out to the world by calling protesters on the phone, 
interviewing them, and publishing their views on Twitter. Later, when the 
Arab Spring spread to Libya, he did the same, this time working with 
Libyans in the diaspora to broaden his reach.

In Syria, Scott-Railton recognized that the task would be different. Once
Assad's government lifted restrictions on the Internet, activists were
having little trouble getting their voices heard; graphic videos alleging
government atrocities were lighting up Facebook and YouTube. The challenge
would be keeping them safe. "If we're going to talk about how important the
Internet has been in the Arab Spring, we need to think about how it also
brings a whole new set of vulnerabilities," says Scott-Railton. "Otherwise,
we're going to be much too optimistic about what can be done."

The first documented attack in the Syrian cyberwar took place in early May 
2011, some two months after the start of the uprising. It was a clumsy one. 
Users who tried to access Facebook in Syria were presented with a fake 
security certificate that triggered a warning on most browsers. People who 
ignored it and logged in would be giving up their user name and password, 
and with them, their private messages and contacts.

In response, Scott-Railton began nurturing contacts in the Syrian
opposition, people like Othman with wide networks of their own. "It wasn't
that different from the strategy I had worked out in Libya: Figure out who
was trustworthy and then slowly build up," he says. In the meantime, he
contacted security teams at major American technology companies whom he
could alert when an attack was detected. Scott-Railton declined to name
specific companies but confirmed he was in touch with security experts at
some of the biggest brand names. In the past year and a half,
pro-government hackers have successfully targeted Facebook pages, YouTube
accounts, and logins on Hotmail, Yahoo! (YHOO), Gmail, and Skype.

Scott-Railton's involvement in the Syrian cyberwar wasn't high-tech. Over
several months, he set himself up as a bridge between two worlds, passing
reports of hacking on to various companies who could investigate attacks on
their users, take down bogus websites, and configure browsers to flag
suspect sites as potential threats.

For Syrians, the system provided a quick, sure way to limit damage as
attempts to break into accounts affiliated with the opposition became more
sophisticated. For tech companies, it was an opportunity to address
violations as they happened - though those violations have also exposed the
vulnerabilities of some of the world's most popular social networking
services.

Facebook, which in 2011 responded to hacking attempts in Tunisia by
routing communications through an encrypted server and asking users to
identify friends when logging in, wouldn't comment on what, if anything,
the company is doing in Syria. Contacted by Bloomberg Businessweek, a
spokesperson provided a statement saying: "Security is a top priority for
Facebook and we devote significant resources to helping people protect
their accounts and information, wherever they live and whatever the
circumstances. ... We will respond quickly to reports - whether from formal or
informal channels - about worrying and problematic security threats from
groups, organizations and, on occasion, from governments."

As the war intensified, the cyberattacks waged by pro-government Syrian
hackers became more ambitious. In the weeks before his arrest in December
2011, Karim, the young doctor, had begun to suspect his hard drive had been
compromised. His Internet bill - which in Syria varies according to the
traffic being used - had more than quadrupled, though he still isn't sure
exactly how his computer was infected. He suspects the malware may have
been transmitted by a woman using the name Abeer who contacted him on Skype
last autumn and sent him photos of herself. Another possibility is a man
who sent Karim an Excel spreadsheet and said he could provide monetary
support for the revolution.

In prison, Karim's captors mentioned both people. His interrogators knew
about his high Internet bills, as well: "The policeman told me, 'Do you
remember when you were talking to your friend and you told him you had
something wrong and paid a lot of money? At that time we were taking
information from your laptop.'"

Before the Syrian revolution, Karim had never participated in politics. "I
would just go to work and then go home," he says. But the Arab Spring
awakened something inside him, and when demonstrators gathered for a
second week of major demonstrations, Karim joined them. The first protest
he attended was also the first in which the regime deployed the army to
crush dissent, killing dozens of demonstrators across the country. Shortly
afterward, Karim signed up to man field hospitals, caring for wounded
activists. The worst injuries were from snipers, he recalls. "Sometimes
people would be shot in the back, and they'd be paralyzed. Sometimes we
found bullets in the face, and all the bones in the face were broken. When
we found people shot in the abdomen, sometimes we couldn't do anything
because we didn't have the proper equipment."

When it came to the Internet, Karim was typical of many of his fellow
activists: enthusiastic, naive, and all too often complacent where
security was concerned. "Sometimes we'd say to each other, 'If there was
no Internet, there would be no revolution,'" he says.

Just 18 percent of Syrians use the Internet, and government restrictions
along with sanctions by the U.S. and Europe have limited Syrians' access
to updated software and antivirus programs. Karim occasionally used the
Tor application recommended by Othman but found the connection too slow
for video. A friend in Qatar sent him a link to a secure VPN, but he
wasn't able to download the necessary software.

On Dec. 25, 2011, Karim met with a group of doctors to put the final
touches on a plan to better coordinate the opposition's field hospitals.
The next day he spoke with a friend on Skype and agreed to meet him to
film a Christmas video he hoped would be a show of unity between faiths.
When he left his safe house, the police were waiting for him. They knew
where they would find him and where he was going. "Skype was the best way
for us, for communication," he says. "We heard that Skype was very safe and
that nobody can hack it, and there is no virus for Skype. But
unfortunately, I was the first victim of it."

In a statement to Bloomberg Businessweek, a spokesperson for Skype, which
is owned by Microsoft (MSFT), said, "Much like other Internet
communication tools with a very large user base - be it e-mail, IM, or
Voip - Skype has been used by persons with malicious intent to trick or
manipulate people into following nefarious links. ... This is an ongoing,
industrywide issue faced by all peer-to-peer software companies. Skype is
committed to the safety and security of its users, and we are taking steps
to help protect them."

Karim spent 71 days in Syrian detention before being released on bail  
pending a military trial. After his release he fled the country, sneaking 
from village to village until he arrived in Jordan. There he discovered 
that many other activists had been contacted by the woman named Abeer. A 
few weeks after his release, he received a message from her on Facebook 
offering to send him more pictures. He refused.

In January 2012, less than a month after Karim's arrest, Othman - by then in
Lebanon - came across a laptop belonging to an international aid worker. The
worker believed the laptop had been compromised. After making a preliminary
analysis, Othman sent an image of the entire hard drive to Scott-Railton.
Among the people Scott-Railton reached out to was a dreadlocked New
Zealander named Morgan Marquis-Boire, a security engineer at Google (GOOG)
in California. In his spare time, Marquis-Boire had begun investigating
cyberattacks on opposition figures in the Middle East after being
approached by activists who saw him speak at a conference. "I'm a firm
believer in the facilitation of freedom of expression on the Internet," he
says. "The censorship that occurs when people are afraid to speak is
actually the most powerful type of censorship that's available."

Marquis-Boire, 33, wasn't the first person to analyze the infected hard
drive, but his examination was deep and thorough. The laptop, he
determined, had been successfully hacked three times in rapid succession.
The first piece of malware had arrived on Dec. 26, 2011, during the early
hours of Karim's detention. It had been sent to the computer's owner
through Karim's Skype account, embedded in the proposal for the
coordination of field hospitals he had finalized the night before his
arrest.

The malware, DarkComet, was a remote access "trojan." It allowed its
sender to take screenshots of the victim's computer, monitor her through
the video camera, and log what she typed. Every digital move the laptop's
owner made was being recorded - and the reports were being routed back to an
IP address in Damascus.

The network Scott-Railton had set up was faced with a new challenge. The
people behind the attacks were no longer casting a wide net and waiting to
see who they caught. They were specifically targeting revolutionaries such
as Karim and his contacts. Security experts at major tech companies can
restore access to hacked accounts or issue takedown orders when hackers set
up fake versions of their websites. But there's little they can do for a
user whose computer has been captured by hackers.

Scott-Railton and his collaborators began to study their opponent. Syrians
like Othman with close contacts to the opposition began gathering
suspicious files that might contain malware and funneling them to
Scott-Railton. He passed them on to Marquis-Boire, who published his
findings in blog posts for the Electronic Frontier Foundation, an advocacy
organization based in San Francisco that promotes civil liberties on the
Internet. A pattern soon emerged. The attacks used code widely available
online. In the case of the DarkComet trojan that had been sent from Karim's
computer, the malware had been developed by a French hacker in his twenties
named Jean-Pierre Lesueur who offered it as a free download on his website.

What made the hacks so effective was their deviousness. Malware was  
discovered in a fake plan to help protesters besieged in the city of  
Aleppo; in a purported proposal for the formation of a post-revolution  
government; and on Web pages that claimed to show women being raped by  
Syrian soldiers.

Whenever possible, the people behind the attacks would use a compromised  
account to spread the malware further. In April 2012, the Facebook account 
of Burhan Ghalioun, then the head of the Syrian opposition, was taken over 
and used to encourage his more than 6,000 followers to install a trojan 
mocked up to look like a security patch for Facebook.

Scott-Railton's network allowed antivirus companies to update their
software so it would recognize the malware and warn Syrian activists. Once
Marquis-Boire identified DarkComet, a group of hackers who went by the name
Telecomix began putting pressure on its creator, Lesueur, to take it down.
In February 2012, less than a month after the trojan had been discovered,
he released a patch that would remove his program from an infected
computer. "i was totally shocked to see that the syrian gouv used my tool
to spy other people," he wrote in a typo-laden post on his personal blog.
"Since now 4 years i code DarkComet for people that are interested about
security, people that wan't to get an eye on what their childs doing on the
internet, for getting an eye to notified employees, to administrate their
own machines, for pen testing but NOT AS A WAR WEAPON."

In July, Lesueur took the program down altogether. The weapon that had
been launched from Karim's computer - and very likely the one that landed
him in jail - had been disarmed.

The cyberwar in Syria rages on. Othman and others like him spend hours
fending off attacks on their VPNs. He says he knows of at least two
activists who were detained and killed after their computers were
undermined. Scott-Railton continues to relay reports of compromised
accounts and fake Web pages to contacts in the tech industry. "Every day, I
get contacted by Syrians with security concerns," he says. Marquis-Boire is
doing his best to trace the attacks back to their source.

Since Karim's release from detention and his escape from Syria earlier
this year, he has lived in Jordan. When he recently ran a scan on his new
computer, he found he had been infected once again. "I receive thousands of
e-mails, videos, and requests and images from activists and friends," he
says. "And there are a lot of people who I don't know who they are." In
July the Syrian Electronic Army, a pro-government group, released what it
said were 11,000 user names and passwords of "NATO supporters," meaning
members of the Syrian opposition.

In October, I attempted to contact the Syrians involved in the
government's cyberwar. Before doing so, I changed most of my passwords. I
set up two-step verification on my Gmail account, an extra layer of
security that makes it harder for hackers to take over an account
remotely. I installed the Tor Browser Bundle and updated the WordPress
software on my website. And then I dropped a line on Twitter to
@Th3Pr0_SEA, an account that describes itself as belonging to the leader
of the Special Operations Department of the Syrian Electronic Army, the
most visible virtual actor on the government side. @Th3Pr0_SEA wrote back
soon after, and we agreed to meet on Google Chat. Minutes later, somebody
tried to reset the password of my Yahoo Mail account.

@Th3Pr0_SEA wouldn't tell me much about himself. Two members of his
organization had been kidnapped and murdered by members of the opposition,
he said, after posting under their real names on Facebook. He told me he
had been a student when the uprising began. When I asked his religion, he
answered, "i'm Syrian :)"

Researchers have described the Syrian Electronic Army as a
paramilitary-style group working in coordination with the country's secret
services and linked to the Syrian Computer Society, a government
organization once headed by Assad himself before he became president. In
our chat, @Th3Pr0_SEA denied the connection, repeating the group's claims
that it's not an official entity and that its membership is unpaid,
motivated only by patriotism. When I asked why the group's website was
hosted on servers owned by the Syrian Computer Society, he answered that
his group paid for the service. "If we host our website outside of Syria
servers, it will get deleted and probably hacked," he wrote.

Before I finished my interview with @Th3Pr0_SEA, I asked him whether he
had been the one who tried to reset my Yahoo password. He denied it. "i
think someone saw you," he said, "when you talked me on twitter." He also
told me, "there is a big surprise from Special Operations Department coming
soon, but i can't tell you anything about it."
