Lawful Interception-Government Spyware – FinFisher

gAtO fOuNd-  Lawful Interception (LI) is a new-old cyber weapon for governments to use to not just monitor people keystrokes but their geo-location. FinFisher was found in the Egyptian Secret Police Spy headquarters used to track people down during the revolution. How much blood was spilled with this spy-ware and how much money did the legal business make without any consequences from the UK.

gAtO mAd this came out in December 2011 and nothing was done

America has SS8 that does the same thing we just haven’t found anyone but our own government that is once again spying on us. All this is done by governments since the terrorist attacks of Sept. 11, 2001.

gATo has found that Gamma International, Finfisher and SS8 web sites are all open to hacking: I will update after I give them a chance to patch up these holes.

Government Monitoring Solutions
The techniques described in the trove of 200-plus marketing documents include hacking tools that enable governments to break into people’s computers and cellphones, and “illegally” install gear that can gather all Internet communications in a person, group and country. They call it finfisher, fintrack, finspy, finintrusion, finfly, remote forensic, interception, countersurveillance, infection solutions, sigint, signal intelligence all in all it’s nothing but a way for governments to get into your computer and spy on you.

How can the keepers of the FinFisher have their website – unsecured

“Democracy and free speech activists worldwide have something new to worry about your governments Lawful Interception of your signal (data, mouse clicks, keystrokes)”

finfisher- fintrack, finspy, finintrusion, finusb, finfly, finfirewire, it intrusion, remote forensic, security interception, counter surveillance, sigint,
signal intelligence,

We have companies like Gamma International Ltd that sell this spy-ware to oppressive countries and make tons of money will they use it to kill and shutdown dissidents.

Gamma International Ltd. for the so-called “source telecommunication
surveillance” (“source-interception”).

When citizens overthrew the dictatorships in Egypt and Libya this year,
they uncovered listening rooms where devices from Gamma corporation of
the UK, Amesys of France, VASTech of South Africa and ZTE Corp of China
monitored their every move online and on the phone.
Surveillance companies like SS8 in the U.S., Hacking Team in Italy and
Vupen in France manufacture viruses (Trojans) that hijack individual
computers and phones (including iPhones, Blackberries and Androids),
take over the device, record its every use, movement, and even the
sights and sounds of the room it is in.

FinFisher is security software that has stirred controversy because Gamma International marketed it to government security officials who were told it could be covertly installed on suspects’ computers through exploiting security lapses in the update procedures of non-suspect software.[1][2][3] Egyptian dissidents who ransacked the office’s of Egypt’s secret police following the overthrow of Egyptian President Hosni Mubarak reported they discovered a contract with Gamma International for £287,000 for a license to run the FinFisher software.[4]
A security flaw in Apple’s iTunes allowed unauthorized third parties to use iTunes online update procedures to install unauthorized programs.[2][3] Gamma International offered presentations to government security officials at security software trade shows where they described to security officials how to covertly install the FinFisher spy software on suspect’s computers using iTunes’ update procedures.

http://en.wikipedia.org/wiki/FinFisher

Below I have complied some information on how this is done: We have five general categories: hacking, intercept, data analysis, web scraping and anonymity. Below, explore highlights related to each type of surveillance.

The  Australian government is buying computer security weaknesses found by hackers before they are sold on the black market, as part of its defence strategy, claim those at the coal face of cyber security.
http://www.smh.com.au/it-pro/security-it/australian-spies-buying-computer-bugs-sources-20120307-1ujlb.html

Hacking:

Several companies offer tools that use techniques commonly associated with “black-hat hacking” and “malware” — methods and software that often are used to steal data such as financial information. Here, a company called HackingTeam is emphasizing that its tools can be used to target very large numbers of people — “hundreds of thousands.”
?

To infect target computers, gAtO sAyS -it seeks vulnerabilities in some of the most popular software in the world, including software that typically runs on servers as well as personal computers. The company says it has restrictions on where it sells its products and that its research must be used for national-security purposes only. But it was found in Syria and Egypt.
?
FinFisher documentation says the product can infect computers by falsifying websites or updates of popular software and getting the user to download its software. This remote monitoring software can then monitor what the user is doing on the Internet — including emails, Web surfing and even transfer of sensitive documents.
?

FinFisher documentation says its tools can be used to break into systems by companies such as Microsoft Corp. and Apple Inc. An Apple spokeswoman told the Journal that the company “actively works to find and fix any issues that could compromise their systems.” Microsoft declined to comment.

Intercept:

As the Internet has grown to handle more data, monitoring companies have had to keep up. Interception now can mean taking all the traffic from the Internet backbone and funneling it through devices that inspect the packets of data, determine what is inside them, and make decisions about whether to copy them for law enforcement.
?
Law enforcement agents are pushing for products that are more portable, surveillance industry experts say. Deep packet inspection, in which monitors can look into the individual packets of data traveling across the Internet, apparently is getting more portable as well. Arizona-based Packet Forensics says its LI-5 is “one of the most widely-deployed tactical probes worldwide” and is “small enough to fit in a backpack.”

Location tracking via cellphones is a key tool for law enforcement. Such systems often rely on something called “triangulation” to locate the phone. Triangulation evaluates the strength of signals between the phone and nearby cellphone towers and uses those calculations to determine the phone’s location.

?

“Man in the middle” is a type of computer attack in which the perpetrator inserts himself between two computers that are communicating. This way the attacker can monitor or alter the communications, possibly inserting malicious software into the data transmissions or tricking the parties into believing they are communicating over a safe channel.
Other tools can find cellphones by detecting the signal themselves and finding the phones’ location.

Data Analysis:

The large amount of data being collected through surveillance and other methods now means that powerful software is required to sort, store and analyze all the information. Data analysis companies often emphasize their ability to sift data from a variety of sources and put it together to make a complete picture of suspects or find patterns that might not be noticeable from just one set of data.
?

Linguistic analysis is a hot area in national security, where agents must comb through mountains of documents from online and elsewhere. Among the challenges: automatically parsing the meaning of identical words depending on context, and handling a variety of languages.
?
Social network analysis is key in finding new suspects and relationships in complicated groups. This type of analysis doesn’t necessarily involve Facebook or other sites that many people think of as a “social network.” In fact, a social network can be determined by analyzing things like emails or other communications as well.
When wiretaps are done at a massive scale, computers are required to sift through the voices and determine what is being discussed. Software makers advertise their programs’ ability to decipher speech in different languages and determine the specific words being said, as well as the general topic being discussed and in some cases who is talking.
Web Scraping
OSINT, or open source intelligence, involves gathering and analyzing data from publicly available sources, such as government records, media, and social-networking and user-generated Web content. The “Deep Web” or “Invisible Web” refers to content on the Internet that isn’t indexed by search engines. This can include documents as well as Web pages.
?
Web scrapers must gather massive amounts of information, store it and sort it so it can be used by analysts. Among the most important types of data: social networking sites.
Anonymity
Anonymity products are a niche market in the surveillance field; The Wall Street Journal saw only one company focusing on this type of software at a recent industry conference. But it’s important for some investigations. This type of software allows investigators to view websites or develop online profiles without disclosing their locations. Instead, investigators will appear to come from somewhere else — enabling them to more easily monitor their targets.
?

One of the roles of anonymity software is to disguise Internet Protocol (IP) addresses. These addresses are unique numbers assigned to devices that connect to the Internet, and they can identify where a user is coming from. In this example, IP addresses show that the person is logging in from Department of Homeland Security customs and border protection — a location that investigators might not want to reveal.
?

Here, FinFisher documentation claims the tools can use the Web to remotely install monitoring software on users’ computers. Such techniques have been used in the past by hackers to install spyware. Such techniques can involve making a fake website that contains malicious code, or inserting such code into existing sites.
An ISP is an Internet Service Provider. This FinFisher product provides a persistent Internet service that allows remote access to systems that have been infected via other FinFisher products.
An ISP is an Internet Service Provider. This FinFisher product provides a persistent Internet service that allows remote access to systems that have been infected via other FinFisher products.
Gamma says it’s possible to target “every person” who visits these websites.
FinFisher documentation says the product can infect computers by falsifying websites or updates of popular software and getting the user to download its software. This remote monitoring software can then monitor what the user is doing on the Internet — including emails, Web surfing and even transfer of sensitive documents.

These images show examples of the ways Gamma says FinFisher can infect target computers. Here, a website designed by the team could use images and text about Adobe Flash to falsely indicate that new software needs to be downloaded.
?

“Democracy and free speech activists worldwide have something new to worry about — cyberwarfare via iTunes. The Telegraph reports that Gamma International sells computer hacking services to governments, offering ‘zero day’ security flaws that allow access to target computers ‘with the ability to take control of the target systems functions to the point of capturing encrypted data and communications.’ FinFisher spyware, known to be used by British agencies and offered to Egypt’s feared secret police, takes advantage of an unencrypted HTTP request that is filed by iTunes when Apple Software Updater is inactive. It redirects users’ web browsers to a customized web page that pretends Flash is not installed on the user’s computer, then installs a sophisticated piece of spyware that sends info on a user’s activities directly to foreign intelligence services. The latest iTunes software update, 10.5.1, released on November 14, appears to have fixed the exploit FinFisher used. A prominent security researcher warned Apple about this dangerous vulnerability in mid-2008, yet Apple ‘waited more than 1,200 days to fix the flaw,’ writes security researcher Brian Krebs.”

The secret is out and someone -Governments or Criminals or State Spy’s have already setup a C&C servers for this job:

finfisher – Command and Control for North America – Europe and Asia

74.50.53.120
Added on 08.01.2011
Dallas

HTTP/1.0 200 OK ?Date: Sat, 08 Jan 2011 22:22:23 GMT ?Server: Apache ?Set-Cookie: bb2_screener_=1294525343+96.9.174.54; path=/ ?Set-Cookie: PHPSESSID=clpn3e4j3cf6418nvm3tdd4f85; path=/ ?Expires: Thu, 19 Nov 1981 08:52:00 GMT ?Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 ?Pragma: no-cache ?X-Pingback: http://finfish.org/xmlrpc.php ?Connection: close ?Transfer-Encoding: chunked ?Content-Type: text/html; charset=UTF-8
IP Address:
74.50.53.120
IP Address Country:
? United States (US)
IP Address Region:
TX Texas
IP Address City:
Dallas
IP Postal Code
75247
IP Address Area Code
214
IP Metro Code
623
IP Address Latitude:
32.8148002625
IP Address Longitude:
-96.8704986572
IP Address ISP:
RimuHosting
Organisation:
RimuHosting
IP Address Proxy:

IP Address Host:
74.50.53.120

germany
83.169.47.15
Added on 09.10.2010
Höst

lvps83-169-47-15.dedicated.hosteurope.de
HTTP/1.0 302 Found ?Date: Sat, 09 Oct 2010 11:44:18 GMT ?Server: Apache ?X-Powered-By: PHP/5.2.6-1+lenny8 ?Location: http://www.finfisher.com/FinFisher/en/index.php ?Vary: Accept-Encoding ?Content-Length: 0 ?Content-Type: text/html
FinSpy

59.106.75.145
Added on 30.11.2010
Osaka

145.l-wing.com
HTTP/1.0 200 OK ?Date: Tue, 30 Nov 2010 08:53:43 GMT ?Server: Apache/2.2.14 (FreeBSD) DAV/2 SVN/1.6.6 mod_ssl/2.2.14 OpenSSL/0.9.8e ?X-Powered-By: PHP/5.2.11 ?Expires: Thu, 19 Nov 1981 08:52:00 GMT ?Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 ?Pragma: no-cache ?Set-Cookie: DokuWiki=fpjg3brp9q68finspi70is1ca4; path=/; HttpOnly ?Set-Cookie: DW68700bfd16c2027de7de74a5a8202a6f=deleted; expires=Mon, 30-Nov-2009 08:53:42 GMT; path=/; httponly ?Transfer-Encoding: ch…

Want to see how open this security company is: this shows the code in the website that can be exploited:

http://www.finfisher.com/FinFisher/Scripts/scripts.js.php

References:

http://www.finfisher.com/FinFisher/en/index.php

http://www.ss8.com/products-overview.php

http://www.wikileaks.org/The-Spyfiles.html

http://en.wikipedia.org/wiki/FinFisher

http://www.shodanhq.com/search?q=finfish

http://www.ietf.org/rfc/rfc3924.txt

Tweet