8 March 2011, F-Secure.com: Gamma: FinFisher (PDF)
http://www.washingtontimes.com/news/2011/apr/25/british-firm-offered-spy-software-to-egypt/
British firm offered spy software to Egypt
Activists say they were the targets
By Eli Lake
The Washington Times
April 25, 2011
Egyptian anti-regime activists found a startling document last month during a raid inside the headquarters of the country's state security service: A British company offered to sell a program that security experts say could infect dissidents' computers and gain access to their email and other communications.
The discovery highlights the emerging market of Western companies that sell software to security services from the Middle East to China to spy on the kinds of social media activists who recently toppled regimes in Egypt and Tunisia.
Amid the scattered papers, interrogation devices and random furniture found during the raid, the activists uncovered a proposed contract dated June 29 from the British company Gamma International that promised to provide access to Gmail, Skype, Hotmail and Yahoo conversations and exchanges on computers targeted by the Interior Ministry of ousted President Hosni Mubarak.
The proposal from Gamma International was posted online by Cairo physician Mostafa Hussein, a blogger who was among the activists who seized the ministry's documents.
"It is important evidence of the intent of the state security and investigation division not to respect our privacy," Mr. Hussein said.
"This proposal was sent to a notorious department known for torture, spying on citizens to help Mubarak's regime," Mr. Hussein said, referring to the State Security Investigations Service. "The company Gamma, I consider them to be partners in the crime of trying to invade our privacy and arrest activists."
The document was then noticed by a top cybersecurity company called F:Secure, which placed on its website the scanned proposal for the software, called FinFisher.
The Gamma document exemplifies a new commercial market involving private companies who sell malicious software or malware that provides "back door" or remote access to computers without being detected by the machine's user.
Sometimes called worms, this kind of computer software-based attacker had been used mainly by government intelligence agencies and organized crime groups as well as private hackers.
Today, malware increasingly is sold by security firms to governments and law enforcement agencies seeking to track not just criminals but also political dissidents.
"No longer do activists against repressive regimes have to only worry about Web censorship. Today they must worry about something far more insidious and hard to detect, malware that is coming from Western companies in countries that promote freedom and democracy," said Robert Guerra, project director of Freedom House's Internet freedom program.
According to Gamma's promotional literature, the FinFisher software is capable of "remote monitoring and infection solutions" that can provide "full access to stored information with the ability to take control of" the targeted computer, including the ability to "captur[e] encrypted data and communication."
The worm attack entices the targeted computer user, such as an Egyptian blogger, to unwittingly download the malware through a thumb drive, or another seemingly harmless download such as a video game or piece of digital music.
Then, without the user knowing, the software sets up a hidden remote access point that would let the attacker -- in this case, Egypt's security services -- to acquire information including the user's social media passwords and the files stored on a hard drive.
Peter Lloyd, an attorney for Gamma International, told The Washington Times that the company never sold the FinFisher software to the Egyptian security ministry.
But the lawyer declined to answer questions about the company's malware division, or the detailed proposal found in the Egyptian ministry.
"Gamma complies in all its dealings with all applicable U.K. laws and regulations," Mr. Lloyd said. "Gamma did not supply to Egypt but in any event it would not be appropriate for Gamma to make public details of its transactions with any customer."
The Egyptian activists that found the FinFisher proposal also found transcripts of encrypted Skype chats between dissidents in the abandoned security ministry. Skype is a video telephone system.
"I have seen my Gmails and Skype chats printed out in transcripts from the headquarters the day we went into those offices," said Sherif Mansour, senior program officer for Freedom House who worked on the organization's Egypt program.
The malware industry is big business. The proposed contract offered Egypt's State Security Investigations Service a suite of software products, along with training in its use, for more than $525,000.
"FinFisher is a company that is producing the malware for money and that is the innovation," said Mikko Hypponen, the chief research officer for F:Secure. "We have enough headaches just fighting the criminals."
Gamma International and FinFisher are not alone.
In February, internal emails between cybersecurity company HBGary and law firm Hunton and Williams, representing Bank of America, discussed the prospect of infecting computers affiliated with Anonymous, the hacker group affiliated with WikiLeaks.
Anonymous claimed credit for disclosing those emails. WikiLeaks has threatened to disclose internal documents of Bank of America that it says would be damaging.
The bank-related email exchanges mentioned a Georgia-based company called Endgames Solutions and included promotional materials advertising Computer Network Attack or Computer Network Exploitation as part of its Maui suite of software. A public relations specialist hired by Endgames Solutions declined to discuss the matter.
Endgame is known within computer security circles as being on the cutting edge of so-called "offensive" security efforts, mainly for corporate customers.
Rafal Rohozinski, the CEO of the SecDev Group, a cybersecurity consulting firm, said the new malware industry is troubling.
"In North America, you are starting to see an industry in the cybersecurity [field] which is offering ethically questionable product and service offerings," he said. "HBGary is a good example of this. There are others who do this at a technical level."
"Malware is a growing industry," said Noah Shachtman, a nonresident fellow at the Brookings Institution and editor of Wired's Danger Room. "The cliche that this was a couple of kids doing this in their parents' basement was never true in the first place. Now it's totally wrong, now the suits and the MBAs are peddling this stuff both to crooks and to wannabe Big Brothers."
One example of this kind of systematic attack was called Ghostnet, a cyberoperation connected to servers in China and Taiwan that was discovered in 2009 by security specialists with the private Infowar Group.
The discovery of Ghostnet found that a number of opponents of the Chinese government, such as the Dalai Lama's network, had been infected for at least five years.
Mr. Hypponen said, "Ghostnet is the first case of this kind of thing on a broad scale." He added that "Ghostnet and similar related attacks are probably not done in practice by the government, but they work through independent hackers."
Former Homeland Security Secretary Michael Chertoff said computer-based technology that used to be in the hands of the government have quickly made their way into the commercial sector.
"The most sophisticated tools at the very, very leading edge are still, I think, in the hands of the government," he said in an interview last week after a panel appearance at the National Press Club. "But I think there is a lot of stuff out there. Look at the capability that private people have to get commercial encryption products which are pretty robust. This issue of trickling down from the very high-end technology down into the commercial space, I think that is a very fast process these days."