[kictanet] kictanet Digest, Vol 101, Issue 34

Mose Karanja mosekaranja at gmail.com
Fri Oct 16 23:18:31 EAT 2015


We saw what the Kenyan government testing site was when they were
thinking of getting Hacking Team surveillance software: kahawatungu, a
website focused on reporting corruption.

That is why the Kenyan judiciary should have oversight over the
operations of security agencies especially when interception of
communication is involved.

There have been sustained efforts for the last 5 years by the NIS
especially to bypass judicial warrants in their operations.

Privacy online is not about something to hide. It is about something
to lose. Freedom to be who you are.

Freedom online is a continuation of freedom offline. Encrypt encrypt encrypt.


On 16 October 2015 at 22:41, <kictanet-request at lists.kictanet.or.ke> wrote:

> Send kictanet mailing list submissions to
>         kictanet at lists.kictanet.or.ke
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.kictanet.or.ke/mailman/listinfo/kictanet
> or, via email, send a message with subject or body 'help' to
>         kictanet-request at lists.kictanet.or.ke
>
> You can reach the person managing the list at
>         kictanet-owner at lists.kictanet.or.ke
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of kictanet digest..."
>
> Today's Topics:
>
>    1. FinFisher, how the government contacted a Germany company to
>       spy on its citizens (Mwendwa Kivuva)
>    2. Re: FinFisher, how the government contacted a Germany company
>       to spy on its citizens (John Kieti)
>
>
> ---------- Forwarded message ----------
> From: Mwendwa Kivuva <Kivuva at transworldafrica.com>
> To: "Security Forum All information security discussions in Africa are
> done here (Hacking, Decryptions, Security management, physical security,
> Disastor Recovery, Security Assessments etc etc)" <security at lists.my.co.ke>,
> KICTAnet ICT Policy Discussions <kictanet at lists.kictanet.or.ke>
> Cc:
> Date: Fri, 16 Oct 2015 20:59:18 +0300
> Subject: [kictanet] FinFisher, how the government contacted a Germany
> company to spy on its citizens
>
> Whose communication is safe? It seems nobody if the research below by
> CitizenLab is to go by. If you are a person of interest, the government
> reads everything you read and write.
>
> Where is the threat if government uses hacking to safeguard its citizens?
> Here is a short answer; "research and revelations about Hacking Team’s
> Remote Control System (RCS), a competitor product, have also made it clear
> that some government customers used these tools to target their political
> opponents, rather than security threats to their citizens."
>
> This is how the government is spying on you.
>
> https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/
>
> This post describes the results of Internet scanning we recently conducted
> to identify the users of FinFisher, a sophisticated and user-friendly
> spyware suite sold exclusively to governments.  We devise a method for
> querying FinFisher’s “anonymizing proxies” to unmask the true location of
> the spyware’s master servers.  Since the master servers are installed on
> the premises of FinFisher customers, tracing the servers allows us to
> identify which governments are likely using FinFisher.  In some cases, we
> can trace the servers to specific entities inside a government by
> correlating our scan results with publicly available sources.  Our results
> indicate 32 countries where at least one government entity is likely using
> the spyware suite, and we are further able to identify 10 entities by
> name.  Despite the 2014 FinFisher breach, and subsequent disclosure of
> sensitive customer data, our scanning has detected more servers in more
> countries than ever before.
>
> *Executive Summary*
>
> FinFisher is a sophisticated computer spyware suite, written by
> Munich-based FinFisher GmbH, and sold exclusively to governments for
> intelligence and law enforcement purposes.  Although marketed as a tool for
> fighting crime,[1] the spyware has been involved in a number of
> high-profile surveillance abuses.  Between 2010 and 2012, Bahrain’s
> government used FinFisher to monitor some of the country’s top law firms,
> journalists, activists, and opposition political leaders.[2]  Ethiopian
> dissidents in exile in the United Kingdom[3] and the United States[4] have
> also been infected with FinFisher spyware.
>
> In 2012 and 2013, Citizen Lab researchers and collaborators,[5] published
> several reports analyzing FinFisher spyware, and conducted scanning that
> identified FinFisher command and control (C&C) servers in a number of
> countries.  In our previous research, we were not yet able to differentiate
> between FinFisher *anonymizing proxies* and *master* servers, a
> distinction that we make in this work.
>
> When a government entity purchases FinFisher spyware, they receive a
> *FinSpy Master*—a C&C server that is installed on the entity’s premises.[6]
> The entity may then set up *anonymizing proxies* (also referred to as
> “*proxies*” or “*FinSpy Relays*” in the FinFisher documentation), to
> obscure the location of their master.  Infected computers communicate with
> the anonymizing proxy, which is “usually”[7] set up on a Virtual Private
> Server (VPS) provider in a third country.  The proxy then forwards
> communications between a victim’s computer and the Master server.
>
> We first describe how we scanned the Internet for FinFisher servers and
> distinguished masters from proxies (*Part 1: Fishing for FinFisher*).  We
> then outline our findings regarding 32 governments and 10 specific
> government entities that we believe are using FinFisher (*Part 2: Country
> Findings*).  Finally, we highlight several cases that illuminate
> connections between different threat actors (*Part 3: A Deeper Analysis
> of Several Cases*), before concluding (*Conclusion*).
>
> *Kenya*
>
> *National Intelligence Service*
>
> We found a FinFisher server in a range of IP addresses registered to a
> Kenyan user named “National Security Intelligence.”  Kenya’s National
> Intelligence Service (NIS) was formerly known as the National Security
> Intelligence Service (NSIS).
>
> Kenya’s NSIS replaced the former Directorate of Security Intelligence
> (DSI), commonly known as the “Special Branch”.[52]  The NIS is known as one
> of Kenya’s security institutions with the biggest budgetary
> allocation—along with the Kenya National Defence Forces and the National
> Police Service—and considered to be among the country’s critical security
> organs in the new constitution.[53]  In 2014, Human Rights Watch named the
> NIS, as well as the Anti-Terrorism Police Unit and other Kenyan
> intelligence agencies, as being implicated in abuses including torture,
> disappearances, and extrajudicial killings.[54]
>
> The powers of the NIS were expanded significantly in December 2014 when
> the Parliament of Kenya rushed to pass the controversial Security Laws
> (Amendment) Bill.[55]  The amendments came following a series of deadly
> terrorist attacks by the militant group al-Shabab, including the 2013
> killing of 67 people at the Westgate shopping mall in Nairobi.[56]  This
> bill expanded the powers of the NIS to monitor communications without a
> warrant, as well as expanding their powers to search and seize private
> property.[57]  Article 62 of the amended bill authorized NIS agents to “do
> anything necessary to preserve national security” and to detain individuals
> on simply the suspicion of engaging in acts which pose a threat to national
> security.[58]  Section 66 of the bill amended the National Intelligence
> Services Act, permitting the Director General of the NIS to monitor
> communications or “obtain any information, material, record, document or
> thing” in order to protect national security, without court oversight,
> leading rights organization Article 19 to argue that the amendment
> “effectively [gives] *carte blanche* to the Director-General to order mass
> surveillance of online communications”.[59]  While a court ruling in
> February 2015 struck down some provisions of the amendment, the provisions
> enhancing the powers of the NIS remained.[60]
>
> More here:
> https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/
>
>
> ---------- Forwarded message ----------
> From: John Kieti <jkieti at gmail.com>
> To: KICTAnet ICT Policy Discussions <kictanet at lists.kictanet.or.ke>
> Cc:
> Date: Fri, 16 Oct 2015 22:25:32 +0300
> Subject: Re: [kictanet] FinFisher, how the government contacted a Germany
> company to spy on its citizens
> Use of sophisticated spy-ware software by NIS will invite commensurate
> effort among researchers, developers and others of the profession to offer
> anti-spyware solutions that work - all in the name of human rights and
> fundamental privacy protection.
>
>> _______________________________________________
>> kictanet mailing list
>> kictanet at lists.kictanet.or.ke
>> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
>>
>> Unsubscribe or change your options at
>> https://lists.kictanet.or.ke/mailman/options/kictanet/jkieti%40gmail.com
>>
>> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform
>> for people and institutions interested and involved in ICT policy and
>> regulation. The network aims to act as a catalyst for reform in the ICT
>> sector in support of the national aim of ICT enabled growth and development.
>>
>> KICTANetiquette : Adhere to the same standards of acceptable behaviors
>> online that you follow in real life: respect people's times and bandwidth,
>> share knowledge, don't flame or abuse or personalize, respect privacy, do
>> not spam, do not market your wares or qualifications.
>>
>
>
>
> --
>
> John Kieti
> Phone: +254-735-764242 // +254-722-764242
> Twitter: @johnKieti // Skype:  jkieti
> Blog: gmeltdown.com <http://www.gmeltdown.com> // LinkedIn:
> https://ke.linkedin.com/in/*kieti* <https://ke.linkedin.com/in/kieti>
>
> The ordinary just won't do
>


-- 
Mose Karanja
+254 724 162536 | @Mose_Karanja <https://twitter.com/Mose_Karanja>
PGP: 0x1529552F