[liberationtech] Baku attendees compromised
Alex Comninos
alex.comninos at gmail.com
Wed Nov 21 13:24:31 PST 2012
11 days later and Ryan Heath has not provided any proof of this
incident, not a screenshot, or even a description of the symptoms. He
has stated on Twitter that there will be an analysis of the laptop,
but nada yet.
11 days later and all we know is that:
- On 8 of Dec RyanHeathEU Tweeted: @RyanHeathEU: Great, now my Mac has
been hacked. Also @msprotonneutron - I wonder who could have done
that? #Azerbaijan
https://twitter.com/RyanHeathEU/status/266454748016820224
- He had a MacBook, which he claimed was "taken over" via the hotel
wifi. @RyanHeathEU: @superglaze Hacked @ hotel rather than at #IGF12.
Someone else took over my personal MacBook. Can't determine more yet.
Cc @msprotonneutron
https://twitter.com/RyanHeathEU/status/266476918344384512
- News media says that Heath used a MacBook and "Security messages
from Apple revealed that "third parties" had accessed the machines"
http://www.bbc.co.uk/news/technology-20308939
- He had to make an account to use the hotel wifi, and was thus
operating through some kind of paid wifi with a captive portal and
user registration:
@RyanHeathEU: @katypearce @msprotonneutron - remotely, i guess by the
via hotel wifi network thru which i was obloged to identify. computer
2b analysed https://twitter.com/RyanHeathEU/status/266642914535424000
Heath was not using a VPN, and was initially more concerned with
protecting his paperwork: @RyanHeathEU: @katypearce no VPN, was
focussed on protecting my paper files. a good lesson in need be
careful. https://twitter.com/RyanHeathEU/status/266643674966929408
Heath also tweeted on the 18th of November:
@RyanHeathEU: wow. a little hacking trouble really bumps up your
follower count. thanks guys. ;)
https://twitter.com/RyanHeathEU/status/266642914535424000
and has since deleted the Tweet
( https://twitter.com/RyanHeathEU/status/266644617502547968 and
http://webcache.googleusercontent.com/search?q=cache:wNAr76QR6MsJ:https://twitter.com/RyanHeathEU/status/266644617502547968
)
It has no doubt bumped up his follower count. The story has made its
rounds from Neelie Kroes's blog
http://blogs.ec.europa.eu/neelie-kroes/malala-day-power-internet/ to
the BBC http://www.bbc.co.uk/news/technology-20308939, The Register and
countless other sites
http://www.theregister.co.uk/2012/11/13/ec_kroes_hack_azerbaijan_igf_macbook/
He has stated a few times on Twitter a forensic report is coming, so I
will wait.
I am not defending the Azerbaijani government, nor do I think that
Heath's allegations are a mere fabrication. I was at the IGF, I
understood that the government there engages in electronic surveillance
of their citizens, who often have their human rights violated for what
they say online. I knew that surveillance was a possibility, I assumed
the worst and took precautions, I even bought a month's access to a VPN
for this very trip.
Heath and Kroes did astounding work at the IGF and used it as an
opportunity to speak freely about threats to freedom of expression and
association in that country both online and on the internet.
I would have in sensitive situations like these expected Neelie and
Ryan to take a cybersecurity incident seriously, and deal with it
diplomatically; balancing disclosure and discretion, and if deciding
to disclose, then having firm and transparent evidence to go public
with.
This they did not, and they should be held to account for it.
We also need to learn from this and not allow diplomats/government
officials to cry wolf regarding hacking.
A quick question: does anyone know what type of false positives on a
MacBook, similar to what Heath described, could arise from paid hotel
wifi?
regards,
Alex Comninos
On 10 November 2012 23:43, John Scott-Railton
<john.scott.railton at gmail.com> wrote:
> If this isn't already on your radar, AP and others are reporting that EU
> Officials at the Baku conference report being hacked in their hotel.
>
> SNIP
> "...spokesman Ryan Heath told The Associated Press that the attack occurred
> while they were in their hotel. He declined to say who might be responsible,
> adding that the computers would be analyzed for clues.
>
> It wasn’t immediately clear whether the attack resulted in theft of any
> information.
>
> Kroes criticized her hosts during the forum Wednesday, attacking the Azeri
> government for allegedly spying on activists online and “violating the
> privacy of journalists and their sources.”...
>
> SNIP
>
> Link is:
> http://www.salon.com/2012/11/10/eu_officials_we_were_hacked_at_web_conference/
>
>
>
> John Scott-Railton
> www.johnscottrailton.com
>
> PGP key ID: 0x3e0ccb80778fe8d7
> Fingerprint: FDBE BE29 A157 9881 34C7 8FA6 3E0C CB80 778F E8D7