[liberationtech] Stephan Faris: The Hackers of Damascus – Businesweek

Mon Nov 26 14:03:20 PST 2012

I've forwarded this thread to Stephan, who was a 2008-2009 Knight Fellow at
Stanford (as I was). He's a smart, diligent reporter and I'm sure will
appreciate the added context.

- Andrew

On Mon, Nov 26, 2012 at 10:39 AM, Peter Fein <pete at wearpants.org> wrote:

> Hey John, thanks for this, a much appreciated (and needed) sharing of
> credit. Too often the press focuses on individual "heroes" to make a better
> story - community knows the reality is a massive, decentralized effort, and
> we shouldn't get sucked in to that narrative. More! ;-)
>
>
>
> On Mon, Nov 26, 2012 at 6:26 AM, John Scott-Railton <railton at ucla.edu>wrote:
>
>> Hi All,
>>
>> A few thoughts on the article. It uses a thread of one process of dealing
>> with malware and attacks in Syria to tell its story, and highlights a
>> couple of people who collaborate with each other and some of what they have
>> been doing.  It makes for an engaging read.  But for someone who reads it
>> and doesn't know the space this article could be read as suggesting that
>> this group of people is the only game in town.  It isn't.  By far.
>>
>>  The reality is decentralized, diverse and very collaborative.  A
>> community, in other words. And these communities are what make things
>> happen.  There are many networks of Syrians, technologists and folks in the
>> community of activists working on identifying and responding to malware and
>> other electronic attacks against the Syrian opposition. Or those working on
>> analyzing the techniques and tools of surveillance deployed at the network
>> level in SY.  The community process by which Dark Comet was first
>> identified after some false starts and unknown binaries first started
>> floating around the community are a great example. So was the later
>> discussion of Dark Comet and the ethical dimensions of the tool. Props to
>> TCX and their collaborators here, for example. There are many others who've
>> chosen to keep their names out of the media. The work of all of these
>> people contributes to all we know now, and serious progress on a lot of
>> fronts.
>>
>> A final note: I also wanted to acknowledge a particular person whose name
>> was surprisingly missing from the group specifically mentioned in the
>> Bloomberg piece, and who deserves credit for her role:  Eva
>> Galperin, International Freedom of Expression Coordinator  and prolific
>> blogger at EFF who will be familiar to many you as the co-author
>> with Morgan Marquis-Boire on every piece of blogging on SY malware that EFF
>> has posted to date.
>>
>> J
>>
>>
>> On Nov 15, 2012, at 12:02 PM, ilf <ilf at zeromail.org> wrote:
>>
>> http://www.businessweek.com/articles/2012-11-15/the-hackers-of-damascus
>>
>> Taymour Karim didn’t crack under interrogation. His Syrian captors beat
>> him with their fists, with their boots, with sticks, with chains, with the
>> butts of their Kalashnikovs. They hit him so hard they broke two of his
>> teeth and three of his ribs. They threatened to keep torturing him until he
>> died. “I believed I would never see the sun again,” he recalls. But Karim,
>> a 31-year-old doctor who had spent the previous months protesting against
>> the government in Damascus, refused to give up the names of his friends.
>>
>> It didn’t matter. His computer had already told all. “They knew
>> everything about me,” he says. “The people I talked to, the plans, the
>> dates, the stories of other people, every movement, every word I said
>> through Skype. They even knew the password of my Skype account.” At one
>> point during the interrogation, Karim was presented with a stack of more
>> than 1,000 pages of printouts, data from his Skype chats and files his
>> torturers had downloaded remotely using a malicious computer program to
>> penetrate his hard drive. “My computer was arrested before me,” he says.
>>
>> Much has been written about the rebellion in Syria: the protests, the
>> massacres, the car bombs, the house-to-house fighting. Tens of thousands
>> have been killed since the war began in early 2011. But the struggle for
>> the future of the country has also unfolded in another arena—on a
>> battleground of Facebook (FB) pages and YouTube accounts, of hacks and
>> counterhacks. Just as rival armies vie for air superiority, the two sides
>> of the Syrian civil war have spent much of the last year and a half locked
>> in a struggle to dominate the Internet. Pro-government hackers have
>> penetrated opposition websites and broken into the computers of Reuters
>> (TRI) and Al Jazeera to spread disinformation. On the other side, the
>> hacktivist group Anonymous has infiltrated at least 12 Syrian government
>> websites, including that of the Ministry of Defense, and released millions
>> of stolen e-mails.
>>
>> The Syrian conflict illustrates the extent to which the very tools that
>> rebels in the Middle East have employed to organize and sustain their
>> movements are now being used against them. It provides a glimpse of the
>> future of warfare, in which computer viruses and hacking techniques can be
>> as critical to weakening the enemy as bombs and bullets. Over the past
>> three months, I made contact with and interviewed by phone and e-mail
>> participants on both sides of the Syrian cyberwar. Their stories shed light
>> on a largely hidden aspect of a conflict with no end in sight—and show how
>> the Internet has become a weapon of war.
>>
>> The cyberwar in Syria began with a feint. On Feb. 8, 2011, just as the
>> Arab Spring was reaching a crescendo, the government in Damascus suddenly
>> reversed a long-standing ban on websites such as Facebook, Twitter,
>> YouTube, and the Arabic version of Wikipedia. It was an odd move for a
>> regime known for heavy-handed censorship; before the uprising, police
>> regularly arrested bloggers and raided Internet cafes. And it came at an
>> odd time. Less than a month earlier demonstrators in Tunisia, organizing
>> themselves using social networking services, forced their president to flee
>> the country after 23 years in office. Protesters in Egypt used the same
>> tools to stage protests that ultimately led to the end of Hosni Mubarak’s
>> 30-year rule. The outgoing regimes in both countries deployed riot police
>> and thugs and tried desperately to block the websites and accounts
>> affiliated with the revolutionaries. For a time, Egypt turned off the
>> Internet altogether.
>>
>> Syria, however, seemed to be taking the opposite tack. Just as protesters
>> were casting about for the means with which to organize and broadcast their
>> messages, the government appeared to be handing them the keys.
>>
>> Dlshad Othman, a 25-year-old computer technician in Damascus, immediately
>> grew suspicious of the regime’s motives. Young, Kurdish, and recently
>> finished with his mandatory military service, Othman opposed President
>> Bashar al-Assad. Working for an Internet service provider, he knew that
>> Syria—like many other countries, including China, Iran, Saudi Arabia, and
>> Bahrain—controlled its citizens’ access to the Web. The same technology the
>> government used to censor websites allowed it to monitor Internet traffic
>> and intercept communications. Popular services such as Facebook, Skype,
>> Google Maps, and YouTube gave Syria’s revolutionaries capabilities that
>> until a couple of decades ago would have been available only to the world’s
>> most sophisticated militaries. But as long as Damascus controlled the
>> Internet, they’d be using these tools under the eye of the government.
>>
>> Shortly after the Syrian revolution began in March 2011, Othman’s
>> political views cost him his job. He decided to dedicate himself full time
>> to the opposition, joining the Syrian Center for Media and Freedom of
>> Expression in Damascus to document violence against journalists in the
>> country. He also began teaching his fellow activists ways to stay safe
>> online. Othman instructed them how to encrypt e-mails and encouraged them
>> to use tools like Tor software, which enables anonymous Web browsing by
>> rerouting traffic through a series of distant servers. When Tor turned out
>> to be too slow to live-stream protests or scenes of government attacks
>> against civilians, Othman began purchasing accounts on virtual private
>> networks (VPNs) and sharing them with his friends and contacts. A VPN is
>> basically a tunnel inside the public Internet that allows users to
>> communicate in a secure fashion. For a monthly fee, you can buy access to
>> servers that create encrypted paths between computers; the VPN also
>> disguises the identities and locations of your machine and others on the
>> network. Spies can’t read e-mails sent via VPN, and they have a hard time
>> figuring out where they came from.
>>
>> Othman’s efforts worked at first, but very quickly Damascus blocked
>> off-the-shelf VPNs and upgraded its Internet filters in ways that made the
>> VPNs inoperative. By the summer of 2011, Othman had become frustrated with
>> the Western VPN providers, which he felt were too slow to adapt to the
>> government’s crackdowns. He bought space on outside servers, set up VPNs of
>> his own, and began actively managing them to make sure safe connections
>> remained available.
>>
>> Othman was still training and equipping activists in October 2011 when he
>> made a nearly fatal mistake. He gave an on-camera interview to a British
>> journalist who was later arrested with the footage on his laptop. Warned by
>> a friend through a Facebook message, Othman turned off his phone, removed
>> its SIM card—a precaution to avoid being tracked—and hid in a friend’s
>> Damascus apartment. He never went home. A month and a half later, at the
>> urging of activists who worried his arrest would compromise their entire
>> network, he escaped across the border to Lebanon. “I had been a source of
>> safety for my friends,” he says. “I didn’t want to become a source of
>> danger.”
>>
>> The struggle for Syria has transcended borders. In early 2011, from his
>> office at the University of California at Los Angeles, John Scott-Railton,
>> a 29-year-old graduate student in Urban Planning, joined the revolutions in
>> North Africa and the Middle East. Scott-Railton, working on a dissertation
>> on how poor communities in Senegal were adapting to climate change, had
>> spent time in Egypt and had close friends there. When revolutionaries in
>> Cairo occupied Tahrir Square, he set his studies aside. Working through his
>> contacts in the country, he helped Egyptians evade Internet censors and get
>> their message out to the world by calling protesters on the phone,
>> interviewing them, and publishing their views on Twitter. Later, when the
>> Arab Spring spread to Libya, he did the same, this time working with
>> Libyans in the diaspora to broaden his reach.
>>
>> In Syria, Scott-Railton recognized that the task would be different. Once
>> Assad’s government lifted restrictions on the Internet, activists were
>> having little trouble getting their voices heard; graphic videos alleging
>> government atrocities were lighting up Facebook and YouTube. The challenge
>> would be keeping them safe. “If we’re going to talk about how important the
>> Internet has been in the Arab Spring, we need to think about how it also
>> brings a whole new set of vulnerabilities,” says Scott-Railton. “Otherwise,
>> we’re going to be much too optimistic about what can be done.”
>>
>> The first documented attack in the Syrian cyberwar took place in early
>> May 2011, some two months after the start of the uprising. It was a clumsy
>> one. Users who tried to access Facebook in Syria were presented with a fake
>> security certificate that triggered a warning on most browsers. People who
>> ignored it and logged in would be giving up their user name and password,
>> and with them, their private messages and contacts.
>>
>> In response, Scott-Railton began nurturing contacts in the Syrian
>> opposition, people like Othman with wide networks of their own. “It wasn’t
>> that different from the strategy I had worked out in Libya: Figure out who
>> was trustworthy and then slowly build up,” he says. In the meantime, he
>> contacted security teams at major American technology companies whom he
>> could alert when an attack was detected. Scott-Railton declined to name
>> specific companies but confirmed he was in touch with security experts at
>> some of the biggest brand names. In the past year and a half,
>> pro-government hackers have successfully targeted Facebook pages, YouTube
>> accounts, and logins on Hotmail, Yahoo! (YHOO), Gmail, and Skype.
>>
>> Scott-Railton’s involvement in the Syrian cyberwar wasn’t high-tech. Over
>> several months, he set himself up as a bridge between two worlds, passing
>> reports of hacking on to various companies who could investigate attacks on
>> their users, take down bogus websites, and configure browsers to flag
>> suspect sites as potential threats.
>>
>> For Syrians, the system provided a quick, sure way to limit damage as
>> attempts to break into accounts affiliated with the opposition became more
>> sophisticated. For tech companies, it was an opportunity to address
>> violations as they happened—though those violations have also exposed the
>> vulnerabilities of some of the world’s most popular social networking
>> services.
>>
>> Facebook, which in 2011 responded to hacking attempts in Tunisia by
>> routing communications through an encrypted server and asking users to
>> identify friends when logging in, wouldn’t comment on what, if anything,
>> the company is doing in Syria. Contacted by Bloomberg Businessweek, a
>> spokesperson provided a statement saying: “Security is a top priority for
>> Facebook and we devote significant resources to helping people protect
>> their accounts and information, wherever they live and whatever the
>> circumstances. … We will respond quickly to reports—whether from formal or
>> informal channels—about worrying and problematic security threats from
>> groups, organizations and, on occasion, from governments.”
>>
>> As the war intensified, the cyberattacks waged by pro-government Syrian
>> hackers became more ambitious. In the weeks before his arrest in December
>> 2011, Karim, the young doctor, had begun to suspect his hard drive had been
>> compromised. His Internet bill—which in Syria varies according to the
>> traffic being used—had more than quadrupled, though he still isn’t sure
>> exactly how his computer was infected. He suspects the malware may have
>> been transmitted by a woman using the name Abeer who contacted him on Skype
>> last autumn and sent him photos of herself. Another possibility is a man
>> who sent Karim an Excel spreadsheet and said he could provide monetary
>> support for the revolution.
>>
>> In prison, Karim’s captors mentioned both people. His interrogators knew
>> about his high Internet bills, as well: “The policeman told me, ‘Do you
>> remember when you were talking to your friend and you told him you had
>> something wrong and paid a lot of money? At that time we were taking
>> information from your laptop.’ ”
>>
>> Before the Syrian revolution, Karim had never participated in politics.
>> “I would just go to work and then go home,” he says. But the Arab Spring
>> awakened something inside him, and when demonstrators gathered for a second
>> week of major demonstrations, Karim joined them. The first protest he
>> attended was also the first in which the regime deployed the army to crush
>> dissent, killing dozens of demonstrators across the country. Shortly
>> afterward, Karim signed up to man field hospitals, caring for wounded
>> activists. The worst injuries were from snipers, he recalls. “Sometimes
>> people would be shot in the back, and they’d be paralyzed. Sometimes we
>> found bullets in the face, and all the bones in the face were broken. When
>> we found people shot in the abdomen, sometimes we couldn’t do anything
>> because we didn’t have the proper equipment.”
>>
>> When it came to the Internet, Karim was typical of many of his fellow
>> activists: enthusiastic, naive, and all too often complacent where security
>> was concerned. “Sometimes we’d say to each other, ‘If there was no
>> Internet, there would be no revolution,’ ” he says.
>>
>> Just 18 percent of Syrians use the Internet, and government restrictions
>> along with sanctions by the U.S. and Europe have limited Syrians’ access to
>> updated software and antivirus programs. Karim occasionally used the Tor
>> application recommended by Othman but found the connection too slow for
>> video. A friend in Qatar sent him a link to a secure VPN, but he wasn’t
>> able to download the necessary software.
>>
>> On Dec. 25, 2011, Karim met with a group of doctors to put the final
>> touches on a plan to better coordinate the opposition’s field hospitals.
>> The next day he spoke with a friend on Skype and agreed to meet him to film
>> a Christmas video he hoped would be a show of unity between faiths. When he
>> left his safe house, the police were waiting for him. They knew where they
>> would find him and where he was going. “Skype was the best way for us, for
>> communication,” he says. “We heard that Skype was very safe and that nobody
>> can hack it, and there is no virus for Skype. But unfortunately, I was the
>> first victim of it.”
>>
>> In a statement to Bloomberg Businessweek, a spokesperson for Skype, which
>> is owned by Microsoft (MSFT), said, “Much like other Internet communication
>> tools with a very large user base—be it e-mail, IM, or Voip—Skype has been
>> used by persons with malicious intent to trick or manipulate people into
>> following nefarious links. … This is an ongoing, industrywide issue faced
>> by all peer-to-peer software companies. Skype is committed to the safety
>> and security of its users, and we are taking steps to help protect them.”
>>
>> Karim spent 71 days in Syrian detention before being released on bail
>> pending a military trial. After his release he fled the country, sneaking
>> from village to village until he arrived in Jordan. There he discovered
>> that many other activists had been contacted by the woman named Abeer. A
>> few weeks after his release, he received a message from her on Facebook
>> offering to send him more pictures. He refused.
>>
>> In January 2012, less than a month after Karim’s arrest, Othman—by then
>> in Lebanon—came across a laptop belonging to an international aid worker.
>> The worker believed the laptop had been compromised. After making a
>> preliminary analysis, Othman sent an image of the entire hard drive to
>> Scott-Railton. Among the people Scott-Railton reached out to was a
>> dreadlocked New Zealander named Morgan Marquis-Boire, a security engineer
>> at Google (GOOG) in California. In his spare time, Marquis-Boire had begun
>> investigating cyberattacks on opposition figures in the Middle East after
>> being approached by activists who saw him speak at a conference. “I’m a
>> firm believer in the facilitation of freedom of expression on the
>> Internet,” he says. “The censorship that occurs when people are afraid to
>> speak is actually the most powerful type of censorship that’s available.”
>>
>> Marquis-Boire, 33, wasn’t the first person to analyze the infected hard
>> drive, but his examination was deep and thorough. The laptop, he
>> determined, had been successfully hacked three times in rapid succession.
>> The first piece of malware had arrived on Dec. 26, 2011, during the early
>> hours of Karim’s detention. It had been sent to the computer’s owner
>> through Karim’s Skype account, embedded in the proposal for the
>> coordination of field hospitals he had finalized the night before his
>> arrest.
>>
>> The malware, DarkComet, was a remote access “trojan.” It allowed its
>> sender to take screenshots of the victim’s computer, monitor her through
>> the video camera, and log what she typed. Every digital move the laptop’s
>> owner made was being recorded—and the reports were being routed back to an
>> IP address in Damascus.
>>
>> The network Scott-Railton had set up was faced with a new challenge. The
>> people behind the attacks were no longer casting a wide net and waiting to
>> see who they caught. They were specifically targeting revolutionaries such
>> as Karim and his contacts. Security experts at major tech companies can
>> restore access to hacked accounts or issue takedown orders when hackers set
>> up fake versions of their websites. But there’s little they can do for a
>> user whose computer has been captured by hackers.
>>
>> Scott-Railton and his collaborators began to study their opponent.
>> Syrians like Othman with close contacts to the opposition began gathering
>> suspicious files that might contain malware and funneling them to
>> Scott-Railton. He passed them on to Marquis-Boire, who published his
>> findings in blog posts for the Electronic Frontier Foundation, an advocacy
>> organization based in San Francisco that promotes civil liberties on the
>> Internet. A pattern soon emerged. The attacks used code widely available
>> online. In the case of the DarkComet trojan that had been sent from Karim’s
>> computer, the malware had been developed by a French hacker in his twenties
>> named Jean-Pierre Lesueur who offered it as a free download on his website.
>>
>> What made the hacks so effective was their deviousness. Malware was
>> discovered in a fake plan to help protesters besieged in the city of
>> Aleppo; in a purported proposal for the formation of a post-revolution
>> government; and on Web pages that claimed to show women being raped by
>> Syrian soldiers.
>>
>> Whenever possible, the people behind the attacks would use a compromised
>> account to spread the malware further. In April 2012, the Facebook account
>> of Burhan Ghalioun, then the head of the Syrian opposition, was taken over
>> and used to encourage his more than 6,000 followers to install a trojan
>> mocked up to look like a security patch for Facebook.
>>
>> Scott-Railton’s network allowed antivirus companies to update their
>> software so it would recognize the malware and warn Syrian activists. Once
>> Marquis-Boire identified DarkComet, a group of hackers who went by the name
>> Telecomix began putting pressure on its creator, Lesueur, to take it down.
>> In February 2012, less than a month after the trojan had been discovered,
>> he released a patch that would remove his program from an infected
>> computer. “i was totally shocked to see that the syrian gouv used my tool
>> to spy other people,” he wrote in a typo-laden post on his personal blog.
>> “Since now 4 years i code DarkComet for people that are interested about
>> security, people that wan’t to get an eye on what their childs doing on the
>> internet, for getting an eye to notified employees, to administrate their
>> own machines, for pen testing but NOT AS A WAR WEAPON.”
>>
>> In July, Lesueur took the program down altogether. The weapon that had
>> been launched from Karim’s computer—and very likely the one that landed him
>> in jail—had been disarmed.
>>
>> The cyberwar in Syria rages on. Othman and others like him spend hours
>> fending off attacks on their VPNs. He says he knows of at least two
>> activists who were detained and killed after their computers were
>> undermined. Scott-Railton continues to relay reports of compromised
>> accounts and fake Web pages to contacts in the tech industry. “Every day, I
>> get contacted by Syrians with security concerns,” he says. Marquis-Boire is
>> doing his best to trace the attacks back to their source.
>>
>> Since Karim’s release from detention and his escape from Syria earlier
>> this year, he has lived in Jordan. When he recently ran a scan on his new
>> computer, he found he had been infected once again. “I receive thousands of
>> e-mails, videos, and requests and images from activists and friends,” he
>> says. “And there are a lot of people who I don’t know who they are.” In
>> July the Syrian Electronic Army, a pro-government group, released what it
>> said were 11,000 user names and passwords of “NATO supporters,” meaning
>> members of the Syrian opposition.
>>
>> In October, I attempted to contact the Syrians involved in the
>> government’s cyberwar. Before doing so, I changed most of my passwords. I
>> set up two-step verification on my Gmail account, an extra layer of
>> security that makes it harder for hackers to take over an account remotely.
>> I installed the Tor Browser Bundle and updated the WordPress software on my
>> website. And then I dropped a line on Twitter to @Th3Pr0_SEA, an account
>> that describes itself as belonging to the leader of the Special Operations
>> Department of the Syrian Electronic Army, the most visible virtual actor on
>> the government side. @Th3Pr0_SEA wrote back soon after, and we agreed to
>> meet on Google Chat. Minutes later, somebody tried to reset the password of
>> my Yahoo Mail account.
>>
>> @Th3Pr0_SEA wouldn’t tell me much about himself. Two members of his
>> organization had been kidnapped and murdered by members of the opposition,
>> he said, after posting under their real names on Facebook. He told me he
>> had been a student when the uprising began. When I asked his religion, he
>> answered, “i’m Syrian :)”
>>
>> Researchers have described the Syrian Electronic Army as a
>> paramilitary-style group working in coordination with the country’s secret
>> services and linked to the Syrian Computer Society, a government
>> organization once headed by Assad himself before he became president. In
>> our chat, @Th3Pr0_SEA denied the connection, repeating the group’s claims
>> that it’s not an official entity and that its membership is unpaid,
>> motivated only by patriotism. When I asked why the group’s website was
>> hosted on servers owned by the Syrian Computer Society, he answered that
>> his group paid for the service. “If we host our website outside of Syria
>> servers, it will get deleted and probably hacked,” he wrote.
>>
>> Before I finished my interview with @Th3Pr0_SEA, I asked him whether he
>> had been the one who tried to reset my Yahoo password. He denied it. “i
>> think someone saw you,” he said, “when you talked me on twitter.” He also
>> told me, “there is a big surprise from Special Operations Department coming
>> soon, but i can’t tell you anything about it.”
>>
>> --
>> ilf
>>
>> Über 80 Millionen Deutsche benutzen keine Konsole. Klick dich nicht weg!
>>  -- Eine Initiative des Bundesamtes für Tastaturbenutzung
>> --
>> Unsubscribe, change to digest, or change password at:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
>>
>> John Scott-Railton
>> www.johnscottrailton.com
>>
>> PGP key ID: 0x3e0ccb80778fe8d7
>> Fingerprint: FDBE BE29 A157 9881 34C7  8FA6 3E0C CB80 778F E8D7
>>
>>
>> --
>> Unsubscribe, change to digest, or change password at:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
>
>
> --
> Unsubscribe, change to digest, or change password at:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20121126/f298ebd5/attachment.html>