[kictanet] FinFisher, how the government contacted a German company to spy on its citizens

John Kieti jkieti at gmail.com
Fri Oct 16 22:25:32 EAT 2015


Use of sophisticated spy-ware software by NIS will invite commensurate
effort among researchers, developers and others of the profession to offer
anti-spyware solutions that work - all in the name of human rights and
fundamental privacy protection.

On Fri, Oct 16, 2015 at 8:59 PM, Mwendwa Kivuva via kictanet <
kictanet at lists.kictanet.or.ke> wrote:

> Whose communication is safe? It seems nobody if the research below by
> CitizenLab is to go by. If you are a person of interest, the government
> reads everything you read and write.
>
> Where is the threat if government uses hacking to safeguard its citizens?
> Here is a short answer; "research and revelations about Hacking Team’s
> Remote Control System (RCS), a competitor product, have also made it clear
> that some government customers used these tools to target their political
> opponents, rather than security threats to their citizens."
>
> This is how the government is spying on you.
>
> https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/
>
> This post describes the results of Internet scanning we recently conducted
> to identify the users of FinFisher, a sophisticated and user-friendly
> spyware suite sold exclusively to governments.  We devise a method for
> querying FinFisher’s “anonymizing proxies” to unmask the true location of
> the spyware’s master servers.  Since the master servers are installed on
> the premises of FinFisher customers, tracing the servers allows us to
> identify which governments are likely using FinFisher.  In some cases, we
> can trace the servers to specific entities inside a government by
> correlating our scan results with publicly available sources.  Our results
> indicate 32 countries where at least one government entity is likely using
> the spyware suite, and we are further able to identify 10 entities by
> name.  Despite the 2014 FinFisher breach, and subsequent disclosure of
> sensitive customer data, our scanning has detected more servers in more
> countries than ever before.
>
> *Executive Summary*
>
> FinFisher is a sophisticated computer spyware suite, written by
> Munich-based FinFisher GmbH, and sold exclusively to governments for
> intelligence and law enforcement purposes.  Although marketed as a tool for
> fighting crime,1
> <https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#1> the
> spyware has been involved in a number of high-profile surveillance abuses.
> Between 2010 and 2012, Bahrain’s government used FinFisher to monitor some
> of the country’s top law firms, journalists, activists, and opposition
> political leaders.2
> <https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#2> Ethiopian
> dissidents in exile in the United Kingdom3
> <https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#3> and
> the United States4
> <https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#4> have
> also been infected with FinFisher spyware.
>
> In 2012 and 2013, Citizen Lab researchers and collaborators,5
> <https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#5> published
> several reports analyzing FinFisher spyware, and conducted scanning that
> identified FinFisher command and control (C&C) servers in a number of
> countries.  In our previous research, we were not yet able to differentiate
> between FinFisher *anonymizing proxies* and *master* servers, a
> distinction that we make in this work.
>
> When a government entity purchases FinFisher spyware, they receive a *FinSpy
> Master*—a C&C server that is installed on the entity’s premises.6
> <https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#6>  The
> entity may then set up *anonymizing proxies* (also referred to as
> “*proxies*” or “*FinSpy Relays*” in the FinFisher documentation), to
> obscure the location of their master.  Infected computers communicate with
> the anonymizing proxy, which is “usually”7
> <https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#7> set
> up on a Virtual Private Server (VPS) provider in a third country.  The
> proxy then forwards communications between a victim’s computer and the
> Master server.
>
> We first describe how we scanned the Internet for FinFisher servers and
> distinguished masters from proxies (*Part 1: Fishing for FinFisher*).  We
> then outline our findings regarding 32 governments and 10 specific
> government entities that we believe are using FinFisher (*Part 2: Country
> Findings*).  Finally, we highlight several cases that illuminate
> connections between different threat actors (*Part 3: A Deeper Analysis
> of Several Cases*), before concluding (*Conclusion*).
>
> *Kenya*
>
> *National Intelligence Service*
>
> We found a FinFisher server in a range of IP addresses registered to a
> Kenyan user named “National Security Intelligence.”  Kenya’s National
> Intelligence Service (NIS) was formerly known as the National Security
> Intelligence Service (NSIS).
>
> Kenya’s NSIS replaced the former Directorate of Security Intelligence
> (DSI), commonly known as the “Special Branch”.52
> <https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#52> The
> NIS is known as one of Kenya’s security institutions with the biggest
> budgetary allocation—along with the Kenya National Defence Forces and the
> National Police Service—and considered to be among the country’s critical
> security organs in the new constitution.53
> <https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#53> In
> 2014, Human Rights Watch named the NIS, as well as the Anti-Terrorism
> Police Unit and other Kenyan intelligence agencies, as being implicated in
> abuses including torture, disappearances, and extrajudicial killings.54
> <https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#54>
>
> The powers of the NIS were expanded significantly in December 2014 when
> the Parliament of Kenya rushed to pass the controversial Security Laws
> (Amendment) Bill.55
> <https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#55> The
> amendments came following a series of deadly terrorist attacks by the
> militant group al-Shabab, including the 2013 killing of 67 people at the
> Westgate shopping mall in Nairobi.56
> <https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#56> This
> bill expanded the powers of the NIS to monitor communications without a
> warrant, as well as expanding their powers to search and seize private
> property.57
> <https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#57> Article
> 62 of the amended bill authorized NIS agents to “do anything necessary to
> preserve national security” and to detain individuals on simply the
> suspicion of engaging in acts which pose a threat to national security.58
> <https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#58> Section
> 66 of the bill amended the National Intelligence Services Act, permitting
> the Director General of the NIS to monitor communications or “obtain any
> information, material, record, document or thing” in order to protect
> national security, without court oversight, leading rights organization
> Article 19 to argue that the amendment “effectively [gives] *carte blanche* to
> the Director-General to order mass surveillance of online communications”.59
> <https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#59> While
> a court ruling in February 2015 struck down some provisions of the
> amendment, the provisions enhancing the powers of the NIS remained.60
> <https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/#60>
>
> More here:
> https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/



-- 

John Kieti
Phone: +254-735-764242 // +254-722-764242
Twitter: @johnKieti // Skype:  jkieti
Blog: gmeltdown.com <http://www.gmeltdown.com> // LinkedIn:
https://ke.linkedin.com/in/*kieti* <https://ke.linkedin.com/in/kieti>

The ordinary just won't do