[liberationtech] Stephan Faris: The Hackers of Damascus – Businessweek

Peter Fein pete at wearpants.org
Mon Nov 26 08:39:19 PST 2012


Hey John, thanks for this, a much appreciated (and needed) sharing of
credit. Too often the press focuses on individual "heroes" to make a better
story - the community knows the reality is a massive, decentralized effort, and
we shouldn't get sucked into that narrative. More! ;-)


On Mon, Nov 26, 2012 at 6:26 AM, John Scott-Railton <railton at ucla.edu> wrote:

> Hi All,
>
> A few thoughts on the article. It uses a thread of one process of dealing
> with malware and attacks in Syria to tell its story, and highlights a
> couple of people who collaborate with each other and some of what they have
> been doing.  It makes for an engaging read.  But for someone who reads it
> and doesn't know the space this article could be read as suggesting that
> this group of people is the only game in town.  It isn't.  By far.
>
> The reality is decentralized, diverse and very collaborative.  A
> community, in other words. And these communities are what make things
> happen.  There are many networks of Syrians, technologists and folks in the
> community of activists working on identifying and responding to malware and
> other electronic attacks against the Syrian opposition. Or those working on
> analyzing the techniques and tools of surveillance deployed at the network
> level in SY.  The community process by which Dark Comet was first
> identified after some false starts and unknown binaries first started
> floating around the community are a great example. So was the later
> discussion of Dark Comet and the ethical dimensions of the tool. Props to
> TCX and their collaborators here, for example. There are many others who've
> chosen to keep their names out of the media. The work of all of these
> people contributes to all we know now, and serious progress on a lot of
> fronts.
>
> A final note: I also wanted to acknowledge a particular person whose name
> was surprisingly missing from the group specifically mentioned in the
> Bloomberg piece, and who deserves credit for her role: Eva
> Galperin, International Freedom of Expression Coordinator and prolific
> blogger at EFF who will be familiar to many of you as the co-author
> with Morgan Marquis-Boire on every piece of blogging on SY malware that EFF
> has posted to date.
>
> J
>
>
> On Nov 15, 2012, at 12:02 PM, ilf <ilf at zeromail.org> wrote:
>
> http://www.businessweek.com/articles/2012-11-15/the-hackers-of-damascus
>
> Taymour Karim didn’t crack under interrogation. His Syrian captors beat
> him with their fists, with their boots, with sticks, with chains, with the
> butts of their Kalashnikovs. They hit him so hard they broke two of his
> teeth and three of his ribs. They threatened to keep torturing him until he
> died. “I believed I would never see the sun again,” he recalls. But Karim,
> a 31-year-old doctor who had spent the previous months protesting against
> the government in Damascus, refused to give up the names of his friends.
>
> It didn’t matter. His computer had already told all. “They knew everything
> about me,” he says. “The people I talked to, the plans, the dates, the
> stories of other people, every movement, every word I said through Skype.
> They even knew the password of my Skype account.” At one point during the
> interrogation, Karim was presented with a stack of more than 1,000 pages of
> printouts, data from his Skype chats and files his torturers had downloaded
> remotely using a malicious computer program to penetrate his hard drive.
> “My computer was arrested before me,” he says.
>
> Much has been written about the rebellion in Syria: the protests, the
> massacres, the car bombs, the house-to-house fighting. Tens of thousands
> have been killed since the war began in early 2011. But the struggle for
> the future of the country has also unfolded in another arena—on a
> battleground of Facebook (FB) pages and YouTube accounts, of hacks and
> counterhacks. Just as rival armies vie for air superiority, the two sides
> of the Syrian civil war have spent much of the last year and a half locked
> in a struggle to dominate the Internet. Pro-government hackers have
> penetrated opposition websites and broken into the computers of Reuters
> (TRI) and Al Jazeera to spread disinformation. On the other side, the
> hacktivist group Anonymous has infiltrated at least 12 Syrian government
> websites, including that of the Ministry of Defense, and released millions
> of stolen e-mails.
>
> The Syrian conflict illustrates the extent to which the very tools that
> rebels in the Middle East have employed to organize and sustain their
> movements are now being used against them. It provides a glimpse of the
> future of warfare, in which computer viruses and hacking techniques can be
> as critical to weakening the enemy as bombs and bullets. Over the past
> three months, I made contact with and interviewed by phone and e-mail
> participants on both sides of the Syrian cyberwar. Their stories shed light
> on a largely hidden aspect of a conflict with no end in sight—and show how
> the Internet has become a weapon of war.
>
> The cyberwar in Syria began with a feint. On Feb. 8, 2011, just as the
> Arab Spring was reaching a crescendo, the government in Damascus suddenly
> reversed a long-standing ban on websites such as Facebook, Twitter,
> YouTube, and the Arabic version of Wikipedia. It was an odd move for a
> regime known for heavy-handed censorship; before the uprising, police
> regularly arrested bloggers and raided Internet cafes. And it came at an
> odd time. Less than a month earlier demonstrators in Tunisia, organizing
> themselves using social networking services, forced their president to flee
> the country after 23 years in office. Protesters in Egypt used the same
> tools to stage protests that ultimately led to the end of Hosni Mubarak’s
> 30-year rule. The outgoing regimes in both countries deployed riot police
> and thugs and tried desperately to block the websites and accounts
> affiliated with the revolutionaries. For a time, Egypt turned off the
> Internet altogether.
>
> Syria, however, seemed to be taking the opposite tack. Just as protesters
> were casting about for the means with which to organize and broadcast their
> messages, the government appeared to be handing them the keys.
>
> Dlshad Othman, a 25-year-old computer technician in Damascus, immediately
> grew suspicious of the regime’s motives. Young, Kurdish, and recently
> finished with his mandatory military service, Othman opposed President
> Bashar al-Assad. Working for an Internet service provider, he knew that
> Syria—like many other countries, including China, Iran, Saudi Arabia, and
> Bahrain—controlled its citizens’ access to the Web. The same technology the
> government used to censor websites allowed it to monitor Internet traffic
> and intercept communications. Popular services such as Facebook, Skype,
> Google Maps, and YouTube gave Syria’s revolutionaries capabilities that
> until a couple of decades ago would have been available only to the world’s
> most sophisticated militaries. But as long as Damascus controlled the
> Internet, they’d be using these tools under the eye of the government.
>
> Shortly after the Syrian revolution began in March 2011, Othman’s
> political views cost him his job. He decided to dedicate himself full time
> to the opposition, joining the Syrian Center for Media and Freedom of
> Expression in Damascus to document violence against journalists in the
> country. He also began teaching his fellow activists ways to stay safe
> online. Othman instructed them how to encrypt e-mails and encouraged them
> to use tools like Tor software, which enables anonymous Web browsing by
> rerouting traffic through a series of distant servers. When Tor turned out
> to be too slow to live-stream protests or scenes of government attacks
> against civilians, Othman began purchasing accounts on virtual private
> networks (VPNs) and sharing them with his friends and contacts. A VPN is
> basically a tunnel inside the public Internet that allows users to
> communicate in a secure fashion. For a monthly fee, you can buy access to
> servers that create encrypted paths between computers; the VPN also
> disguises the identities and locations of your machine and others on the
> network. Spies can’t read e-mails sent via VPN, and they have a hard time
> figuring out where they came from.
>
> Othman’s efforts worked at first, but very quickly Damascus blocked
> off-the-shelf VPNs and upgraded its Internet filters in ways that made the
> VPNs inoperative. By the summer of 2011, Othman had become frustrated with
> the Western VPN providers, which he felt were too slow to adapt to the
> government’s crackdowns. He bought space on outside servers, set up VPNs of
> his own, and began actively managing them to make sure safe connections
> remained available.
>
> Othman was still training and equipping activists in October 2011 when he
> made a nearly fatal mistake. He gave an on-camera interview to a British
> journalist who was later arrested with the footage on his laptop. Warned by
> a friend through a Facebook message, Othman turned off his phone, removed
> its SIM card—a precaution to avoid being tracked—and hid in a friend’s
> Damascus apartment. He never went home. A month and a half later, at the
> urging of activists who worried his arrest would compromise their entire
> network, he escaped across the border to Lebanon. “I had been a source of
> safety for my friends,” he says. “I didn’t want to become a source of
> danger.”
>
> The struggle for Syria has transcended borders. In early 2011, from his
> office at the University of California at Los Angeles, John Scott-Railton,
> a 29-year-old graduate student in Urban Planning, joined the revolutions in
> North Africa and the Middle East. Scott-Railton, working on a dissertation
> on how poor communities in Senegal were adapting to climate change, had
> spent time in Egypt and had close friends there. When revolutionaries in
> Cairo occupied Tahrir Square, he set his studies aside. Working through his
> contacts in the country, he helped Egyptians evade Internet censors and get
> their message out to the world by calling protesters on the phone,
> interviewing them, and publishing their views on Twitter. Later, when the
> Arab Spring spread to Libya, he did the same, this time working with
> Libyans in the diaspora to broaden his reach.
>
> In Syria, Scott-Railton recognized that the task would be different. Once
> Assad’s government lifted restrictions on the Internet, activists were
> having little trouble getting their voices heard; graphic videos alleging
> government atrocities were lighting up Facebook and YouTube. The challenge
> would be keeping them safe. “If we’re going to talk about how important the
> Internet has been in the Arab Spring, we need to think about how it also
> brings a whole new set of vulnerabilities,” says Scott-Railton. “Otherwise,
> we’re going to be much too optimistic about what can be done.”
>
> The first documented attack in the Syrian cyberwar took place in early May
> 2011, some two months after the start of the uprising. It was a clumsy one.
> Users who tried to access Facebook in Syria were presented with a fake
> security certificate that triggered a warning on most browsers. People who
> ignored it and logged in would be giving up their user name and password,
> and with them, their private messages and contacts.
>
> In response, Scott-Railton began nurturing contacts in the Syrian
> opposition, people like Othman with wide networks of their own. “It wasn’t
> that different from the strategy I had worked out in Libya: Figure out who
> was trustworthy and then slowly build up,” he says. In the meantime, he
> contacted security teams at major American technology companies whom he
> could alert when an attack was detected. Scott-Railton declined to name
> specific companies but confirmed he was in touch with security experts at
> some of the biggest brand names. In the past year and a half,
> pro-government hackers have successfully targeted Facebook pages, YouTube
> accounts, and logins on Hotmail, Yahoo! (YHOO), Gmail, and Skype.
>
> Scott-Railton’s involvement in the Syrian cyberwar wasn’t high-tech. Over
> several months, he set himself up as a bridge between two worlds, passing
> reports of hacking on to various companies who could investigate attacks on
> their users, take down bogus websites, and configure browsers to flag
> suspect sites as potential threats.
>
> For Syrians, the system provided a quick, sure way to limit damage as
> attempts to break into accounts affiliated with the opposition became more
> sophisticated. For tech companies, it was an opportunity to address
> violations as they happened—though those violations have also exposed the
> vulnerabilities of some of the world’s most popular social networking
> services.
>
> Facebook, which in 2011 responded to hacking attempts in Tunisia by
> routing communications through an encrypted server and asking users to
> identify friends when logging in, wouldn’t comment on what, if anything,
> the company is doing in Syria. Contacted by Bloomberg Businessweek, a
> spokesperson provided a statement saying: “Security is a top priority for
> Facebook and we devote significant resources to helping people protect
> their accounts and information, wherever they live and whatever the
> circumstances. … We will respond quickly to reports—whether from formal or
> informal channels—about worrying and problematic security threats from
> groups, organizations and, on occasion, from governments.”
>
> As the war intensified, the cyberattacks waged by pro-government Syrian
> hackers became more ambitious. In the weeks before his arrest in December
> 2011, Karim, the young doctor, had begun to suspect his hard drive had been
> compromised. His Internet bill—which in Syria varies according to the
> traffic being used—had more than quadrupled, though he still isn’t sure
> exactly how his computer was infected. He suspects the malware may have
> been transmitted by a woman using the name Abeer who contacted him on Skype
> last autumn and sent him photos of herself. Another possibility is a man
> who sent Karim an Excel spreadsheet and said he could provide monetary
> support for the revolution.
>
> In prison, Karim’s captors mentioned both people. His interrogators knew
> about his high Internet bills, as well: “The policeman told me, ‘Do you
> remember when you were talking to your friend and you told him you had
> something wrong and paid a lot of money? At that time we were taking
> information from your laptop.’ ”
>
> Before the Syrian revolution, Karim had never participated in politics. “I
> would just go to work and then go home,” he says. But the Arab Spring
> awakened something inside him, and when demonstrators gathered for a second
> week of major demonstrations, Karim joined them. The first protest he
> attended was also the first in which the regime deployed the army to crush
> dissent, killing dozens of demonstrators across the country. Shortly
> afterward, Karim signed up to man field hospitals, caring for wounded
> activists. The worst injuries were from snipers, he recalls. “Sometimes
> people would be shot in the back, and they’d be paralyzed. Sometimes we
> found bullets in the face, and all the bones in the face were broken. When
> we found people shot in the abdomen, sometimes we couldn’t do anything
> because we didn’t have the proper equipment.”
>
> When it came to the Internet, Karim was typical of many of his fellow
> activists: enthusiastic, naive, and all too often complacent where security
> was concerned. “Sometimes we’d say to each other, ‘If there was no
> Internet, there would be no revolution,’ ” he says.
>
> Just 18 percent of Syrians use the Internet, and government restrictions
> along with sanctions by the U.S. and Europe have limited Syrians’ access to
> updated software and antivirus programs. Karim occasionally used the Tor
> application recommended by Othman but found the connection too slow for
> video. A friend in Qatar sent him a link to a secure VPN, but he wasn’t
> able to download the necessary software.
>
> On Dec. 25, 2011, Karim met with a group of doctors to put the final
> touches on a plan to better coordinate the opposition’s field hospitals.
> The next day he spoke with a friend on Skype and agreed to meet him to film
> a Christmas video he hoped would be a show of unity between faiths. When he
> left his safe house, the police were waiting for him. They knew where they
> would find him and where he was going. “Skype was the best way for us, for
> communication,” he says. “We heard that Skype was very safe and that nobody
> can hack it, and there is no virus for Skype. But unfortunately, I was the
> first victim of it.”
>
> In a statement to Bloomberg Businessweek, a spokesperson for Skype, which
> is owned by Microsoft (MSFT), said, “Much like other Internet communication
> tools with a very large user base—be it e-mail, IM, or Voip—Skype has been
> used by persons with malicious intent to trick or manipulate people into
> following nefarious links. … This is an ongoing, industrywide issue faced
> by all peer-to-peer software companies. Skype is committed to the safety
> and security of its users, and we are taking steps to help protect them.”
>
> Karim spent 71 days in Syrian detention before being released on bail
> pending a military trial. After his release he fled the country, sneaking
> from village to village until he arrived in Jordan. There he discovered
> that many other activists had been contacted by the woman named Abeer. A
> few weeks after his release, he received a message from her on Facebook
> offering to send him more pictures. He refused.
>
> In January 2012, less than a month after Karim’s arrest, Othman—by then in
> Lebanon—came across a laptop belonging to an international aid worker. The
> worker believed the laptop had been compromised. After making a preliminary
> analysis, Othman sent an image of the entire hard drive to Scott-Railton.
> Among the people Scott-Railton reached out to was a dreadlocked New
> Zealander named Morgan Marquis-Boire, a security engineer at Google (GOOG)
> in California. In his spare time, Marquis-Boire had begun investigating
> cyberattacks on opposition figures in the Middle East after being
> approached by activists who saw him speak at a conference. “I’m a firm
> believer in the facilitation of freedom of expression on the Internet,” he
> says. “The censorship that occurs when people are afraid to speak is
> actually the most powerful type of censorship that’s available.”
>
> Marquis-Boire, 33, wasn’t the first person to analyze the infected hard
> drive, but his examination was deep and thorough. The laptop, he
> determined, had been successfully hacked three times in rapid succession.
> The first piece of malware had arrived on Dec. 26, 2011, during the early
> hours of Karim’s detention. It had been sent to the computer’s owner
> through Karim’s Skype account, embedded in the proposal for the
> coordination of field hospitals he had finalized the night before his
> arrest.
>
> The malware, DarkComet, was a remote access “trojan.” It allowed its
> sender to take screenshots of the victim’s computer, monitor her through
> the video camera, and log what she typed. Every digital move the laptop’s
> owner made was being recorded—and the reports were being routed back to an
> IP address in Damascus.
>
> The network Scott-Railton had set up was faced with a new challenge. The
> people behind the attacks were no longer casting a wide net and waiting to
> see who they caught. They were specifically targeting revolutionaries such
> as Karim and his contacts. Security experts at major tech companies can
> restore access to hacked accounts or issue takedown orders when hackers set
> up fake versions of their websites. But there’s little they can do for a
> user whose computer has been captured by hackers.
>
> Scott-Railton and his collaborators began to study their opponent. Syrians
> like Othman with close contacts to the opposition began gathering
> suspicious files that might contain malware and funneling them to
> Scott-Railton. He passed them on to Marquis-Boire, who published his
> findings in blog posts for the Electronic Frontier Foundation, an advocacy
> organization based in San Francisco that promotes civil liberties on the
> Internet. A pattern soon emerged. The attacks used code widely available
> online. In the case of the DarkComet trojan that had been sent from Karim’s
> computer, the malware had been developed by a French hacker in his twenties
> named Jean-Pierre Lesueur who offered it as a free download on his website.
>
> What made the hacks so effective was their deviousness. Malware was
> discovered in a fake plan to help protesters besieged in the city of
> Aleppo; in a purported proposal for the formation of a post-revolution
> government; and on Web pages that claimed to show women being raped by
> Syrian soldiers.
>
> Whenever possible, the people behind the attacks would use a compromised
> account to spread the malware further. In April 2012, the Facebook account
> of Burhan Ghalioun, then the head of the Syrian opposition, was taken over
> and used to encourage his more than 6,000 followers to install a trojan
> mocked up to look like a security patch for Facebook.
>
> Scott-Railton’s network allowed antivirus companies to update their
> software so it would recognize the malware and warn Syrian activists. Once
> Marquis-Boire identified DarkComet, a group of hackers who went by the name
> Telecomix began putting pressure on its creator, Lesueur, to take it down.
> In February 2012, less than a month after the trojan had been discovered,
> he released a patch that would remove his program from an infected
> computer. “i was totally shocked to see that the syrian gouv used my tool
> to spy other people,” he wrote in a typo-laden post on his personal blog.
> “Since now 4 years i code DarkComet for people that are interested about
> security, people that wan’t to get an eye on what their childs doing on the
> internet, for getting an eye to notified employees, to administrate their
> own machines, for pen testing but NOT AS A WAR WEAPON.”
>
> In July, Lesueur took the program down altogether. The weapon that had
> been launched from Karim’s computer—and very likely the one that landed him
> in jail—had been disarmed.
>
> The cyberwar in Syria rages on. Othman and others like him spend hours
> fending off attacks on their VPNs. He says he knows of at least two
> activists who were detained and killed after their computers were
> undermined. Scott-Railton continues to relay reports of compromised
> accounts and fake Web pages to contacts in the tech industry. “Every day, I
> get contacted by Syrians with security concerns,” he says. Marquis-Boire is
> doing his best to trace the attacks back to their source.
>
> Since Karim’s release from detention and his escape from Syria earlier
> this year, he has lived in Jordan. When he recently ran a scan on his new
> computer, he found he had been infected once again. “I receive thousands of
> e-mails, videos, and requests and images from activists and friends,” he
> says. “And there are a lot of people who I don’t know who they are.” In
> July the Syrian Electronic Army, a pro-government group, released what it
> said were 11,000 user names and passwords of “NATO supporters,” meaning
> members of the Syrian opposition.
>
> In October, I attempted to contact the Syrians involved in the
> government’s cyberwar. Before doing so, I changed most of my passwords. I
> set up two-step verification on my Gmail account, an extra layer of
> security that makes it harder for hackers to take over an account remotely.
> I installed the Tor Browser Bundle and updated the WordPress software on my
> website. And then I dropped a line on Twitter to @Th3Pr0_SEA, an account
> that describes itself as belonging to the leader of the Special Operations
> Department of the Syrian Electronic Army, the most visible virtual actor on
> the government side. @Th3Pr0_SEA wrote back soon after, and we agreed to
> meet on Google Chat. Minutes later, somebody tried to reset the password of
> my Yahoo Mail account.
>
> @Th3Pr0_SEA wouldn’t tell me much about himself. Two members of his
> organization had been kidnapped and murdered by members of the opposition,
> he said, after posting under their real names on Facebook. He told me he
> had been a student when the uprising began. When I asked his religion, he
> answered, “i’m Syrian :)”
>
> Researchers have described the Syrian Electronic Army as a
> paramilitary-style group working in coordination with the country’s secret
> services and linked to the Syrian Computer Society, a government
> organization once headed by Assad himself before he became president. In
> our chat, @Th3Pr0_SEA denied the connection, repeating the group’s claims
> that it’s not an official entity and that its membership is unpaid,
> motivated only by patriotism. When I asked why the group’s website was
> hosted on servers owned by the Syrian Computer Society, he answered that
> his group paid for the service. “If we host our website outside of Syria
> servers, it will get deleted and probably hacked,” he wrote.
>
> Before I finished my interview with @Th3Pr0_SEA, I asked him whether he
> had been the one who tried to reset my Yahoo password. He denied it. “i
> think someone saw you,” he said, “when you talked me on twitter.” He also
> told me, “there is a big surprise from Special Operations Department coming
> soon, but i can’t tell you anything about it.”
>
> --
> ilf
>
> Over 80 million Germans don't use a console. Don't click away!
>  -- An initiative of the Federal Office for Keyboard Use
> --
> Unsubscribe, change to digest, or change password at:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
>
> John Scott-Railton
> www.johnscottrailton.com
>
> PGP key ID: 0x3e0ccb80778fe8d7
> Fingerprint: FDBE BE29 A157 9881 34C7  8FA6 3E0C CB80 778F E8D7
>
>
>