• United States



Secret Snoop Conference for Gov’t Spying: Go Stealth, Hit a Hundred Thousand Targets

Nov 10, 20116 mins
Data and Information SecurityData BreachEnterprise Applications

Forget passive monitoring; go stealth to hit your target says the Hacking Team which sells hacking techniques and tools for invasive surveillance of the masses. Better yet, hit a hundred thousand targets. As the Police once sang, "Every breath you take and every move you make...I'll be watching you," and that seems to sum up the Italian vendor Hacking Team and what it pimps at Intelligence Support Systems (ISS) conferences.

Forget passive monitoring for government spying; go stealth to hit your target says the Hacking Team which sells hacking techniques and tools for invasive surveillance of the masses. Better yet, hit a hundred thousand targets. We looked at legal means, with a Trojan horse warrant for remote computer searches. But what about those areas of mass surveillance without a warrant that seem shaded grey and lawfully questionable to many of us concerned about privacy? There are interesting conferences in which the doors are locked to Joe and Jane Doe, but thrown wide open for intelligence agencies and law enforcement. So what goes on behind those doors that are shut to the general public? IIS World Americas is open only to “law enforcement, intelligence, homeland security analysts and telecom operators responsible for lawful interception, electronic investigations and network intelligence.” There are many vendors of products that assist the government in spying, but the Hacking Team should send an eerie eavesdropping chill up your spine.

As the Police once sang, “Every breath you take and every move you make…I’ll be watching you,” and that seems to sum up the Italian Hacking Team services and what it pimps at Intelligence Support Systems (ISS) conferences. While there are many vendors at such conferences offered worldwide and allegedly for “lawful interception, criminal investigation and intelligence gathering,” some stand out as ethically and legally questionable. We know cyber cops need ways to go after the evil cybercriminal elements hiding in cyberspace, but it’s the “mass surveillance” and “without a warrant” that sets our privacy hackles on edge as that seems to assume anyone may be a bad guy needing monitored.

According to the spy-conference brochure [PDF], the Hacking Team Cyber Intelligence solutions include remote control systems that offer “total invisibility” and “total control over desktops and smartphones” as well as “the widest selection of infection vectors” and “easy installation on target devices.” According to the company’s brochure [PDF], different tools promise to “bypasses protection systems such as antivirus, antispyware and personal firewalls.” The Hacking Team website proudly proclaims a wide variety of extra creepy and invasive surveillance tools for Big Brother:

  • Deploy a secret agent – Total control over your targets. Log everything you need. Always. Anywhere they are.
  • Go stealth and untraceable – Invisible to the target. Evade computer security.
  • Acquire relevant data – Interesting data never gets to the web, it stays on the device.
  • Defeat encryption – Thousands of encrypted communications per day. Get them in the clear.

Monitor a hundred thousand targets? Grrr, who exactly are the targets here, truly cybercriminals, terrorists or cyberspies? This is supposed to be legal, so are there a hundred thousand warrants? In Operation Ghost Click, the FBI busted seven cybercriminals who managed to infect 4 million computers with malware. 7, not 100,000 cyberthugs. Another nugget from the Hacking Team’s brochure states [PDF], “Sensitive data is often exchanged using encrypted channels. Most of it never goes on the net. Sometimes your target is even outside your monitoring domain. You need something more.” Or how about this one? “Attack your target either remotely or locally using several installation vectors. Do that while the target is browsing the internet, opening a document file, receiving an SMS or crossing the borders with his laptop.”

At the ISS conference that was in Washington, the brochure [PDF] advertised the Hacking Team would present:

  • Empowering Cyber Intelligence Operations: a stealth, spyware-like software to attack, infect and collect evidence from Computers and Smartphones
  • Remote Control System 7: The ultimate cyber-intelligence solution for covertly monitoring Computers and Smartphones
  • Remote Control System 7: an in-depth, live demonstration of infection vectors and attack techniques for targeting Computers and Smartphones!

The Hacking Team is not alone and by far not the only vendor selling monitoring tools to intelligence agencies or teaching law enforcement the ‘best’ snooping methods. Some vendors, tools, and presentations stressed “lawful.” For example, Telesoft Technologies provides “lawful intercept” and presented Understanding Passive Monitoring Techniques for Mass Intercept and Mass Location Tracking. Gigamon held a session covering You Can’t Catch What You Can’t See: Traffic Visibility-The Cornerstone of Lawful Intercept. While the Gamma Group offered Government IT Intrusion: Applied Hacking Techniques Used by Government Agencies, it also sells handy-dandy surveillance vans and equipment. Vupen which exclusively sells exploits to the government was also present at the ISS conference where it presented Exploiting Computer and Mobile Vulnerabilities for Electronic Surveillance.

As security is a one-way paradigm pointed out, cybercriminals “hide behind a confusing web of cyber laws” and “rely on the anonymous function” of the Internet. In many cases, it ties the hands of law enforcement. These creepy people are what threatens anonymity in cyberspace. Ntrepid is a bit infamous for the Pentagon’s sock puppets, despite DHS documentation that “actual terrorists already assume online communications are compromised.” Ntrepid taught Countermeasures to Identify Cybercriminals Hiding on the Internet.

We looked at this ISS World Americas conference and Big Browser hiding in your browser a bit last year. As for the Certified Lies…well this year we’ve seen plenty of major CA players that fell victim to this. There’s not much you can do, if for some reason you are a target, except wait until whomever is snooping realizes you are dull and boring; that there’s nothing to see here, and moves on to spy on someone else. I have no big gripe with lawful intercepts, as in with a warrant, to catch the real bad guys. Cybersecurity is challenging to say the least, but let’s hope the government only aims at the bad guys with eavesdropping tools such as those sold by the Hacking Team.

‘Fair Use’ – image by The Hacking Team brochure

Like this? Here’s more posts:

  • Fourth Amendment’s Future if Gov’t Uses Virtual Force and Trojan Horse Warrants?
  • 4th Amendment vs Virtual Force by Feds, Trojan Horse Warrants for Remote Searches?
  • Facebook Wants to Issue Your IRL Offline ID & Internet Driver’s License
  • Skype Exploits: I know where you are, what you are sharing, and how to best stalk you
  • FBI rolling out nationwide face search and recognition system
  • Alabama Sheriff Demands Go Daddy Kill AntiSec Hackers’ Websites for Data Dumps
  • Privacy Nightmare: Data Mine & Analyze all College Students’ Online Activities
  • Double Security Whammy, No Patches: Killer SSL DDoS Attack, XML Encryption Broken
  • Not Without a Warrant: Privacy Upgrade and Digital Liberty from Surveillance
  • Duqu Malware Exploits Windows Zero-Day Kernel Bug, Attacks Via Microsoft Word Document
  • PROTECT-IP or control freaks? Monster Cable blacklists Sears, Facebook as rogue sites
  • 4Chan Founder Moot Cherishes Choices: ‘Facebook and Google Do Identity Wrong’
  • Visa, MasterCard may take offline buying history and drag it online for targeted ads

Follow me on Twitter @PrivacyFanatic

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.