Lawful Interception: Technology that is legally watching youby Steve Ragan - Jun 28 2011, 17:15
Technology is a powerful tool. It can be used to create chaos, and leveraged to bring order and justice. Law enforcement and government intelligence services have been using technology to their advantage for years, but the majority of the public is sheltered when it comes to understanding how this happens and who enables it.
Lawful Interception and IT Intrusion technologies are nearly as old as the laws allowing their usage. The existence of these tools has created a billion dollar industry, attracting organizations large and small, offering an assortment of wares to monitor communications and people. By and large, the technologies are used legally by those controlling them, but there have been a few noted examples where that isn’t the case.
In April, it was widely reported that activists stormed the offices of the Egyptian State Security Investigations Service (Mabahith Amn al-Dawla) in March. It was during this raid that a proposal offering SSIS access to IT intrusion tools used for surveillance was discovered. [Story]
The proposal came from Gamma International, offering what is pitched as an IT Intrusion system named FinFisher. Based on translations of the documents recovered from what was left of the SSIS offices, the Egyptian government tested FinFisher for at least three weeks, but no longer than five months.
“The five month free trial showed the following [results]: The system has a high-level penetration of any type of email (Hotmail, Google, Yahoo). It’s also successful in penetration of Skype,” the memo explains.
“It also has the option of leaving a Trojan Horse, which enables recording of voice and video chats; recording the movement of the target by using his computer and even recording him if the computer has a camera; full control of the target computer and the ability to copy anything on his computer.”
Over the years, the SSIS has been linked to torture, by both international watchdogs and citizens alike, as well as several other human rights violations. During the Egyptian Revolution, there were countless reports from Egypt of protesters who were intimidated, arrested, beaten, and killed for their actions.
The SSIS didn’t purchase FinFisher. It’s clear, based on the personal and media reports from the region, what the trial period was used for. Still, the fact that a free trial of FinFisher was granted to the SSIS isn’t illegal. At the time, the SSIS was a valid government agency.
The injected code was discovered on login pages for Gmail, Yahoo, and Facebook. It was blamed for a rash of account hijackings reported by Tunisian protesters, many of whom were arrested for blog postings, emails, and messages sent to Facebook.
In these examples, it’s plain to see how intrusion and interception technology was horrendously abused. However, the companies who developed it are blameless. They are only trying to stay in business, and valid government organizations are fair game, no matter how offensive they are to some.
So what are the different types of interception and intrusion technologies available to law enforcement and government intelligence services? While on the topic, who produces them?
To give you and idea, there's a rough list on page three. What some of these vendors are able to do might come as a surprise.
Page two of this report looks at the laws governing intercept and intrusion technologies, and how they are used.
Interception and intrusion technologies, along with the laws that enforce them, got their start nearly forty years ago. At the time, President Nixon declared a war on drugs, a war similar to the one President Bush declared on terror. Both of these wars have had an impact on how law enforcement and intelligence services use technology to do their jobs.
Nixon’s war for example, created the need for law enforcement to use wiretaps to catch drug dealers and their suppliers. In the 90’s, The Communications Assistance for Law Enforcement Act (CALEA) was created to help them in this task.
CALEA, passed during the Clinton years, requires telecom carriers and manufacturers build a method of surveillance into their infrastructures and equipment, allowing easy compliance with intercept-based court orders. CALEA was strengthened in 2005, by adding broadband and VoIP providers to the roster of organizations that needed to comply with the act.
In 2001, the Patriot Act amended the Foreign Intelligence Surveillance Act (FISA) of 1978, granting more surveillance power to law enforcement and intelligence services. FISA was amended again in 2008, and it has its own critics to this day, but the Patriot Act gets the most attention.
Over the years, the Patriot Act has been the subject of much debate; it’s either loved or hated. Lately, there have been three provisions earning the most attention. Moreover, it was recently extended for another four years, which has enraged civil liberty supporters.
The first contested provision is for a roving wiretap, meaning that the FBI can use secret FISA courts, to obtain a wiretap without identifying the target, or the type of communication to be monitored.
The second, known as the business records provision, also centers on FISA courts, and will grant law enforcement (the FBI mainly) the ability to obtain a warrant for any type of document available, including the ones stored digitally - leveraging intrusion technologies if needed - without the need to connect the information requested to terrorism or espionage activities.
Finally, the third hotly contested provision is the lone wolf provision. With this, FISA courts can issue a warrant allowing anyone - for any reason - to be electronically monitored. There is no requirement to show that the target of the warrant is connected to a terror plot, terror group, or foreign power, they simply need to be a person of interest.
The third provision, according to the Department of Justice, has never been used. Yet, the Obama administration and 74 Senators simply refused to let it go. Only eight people in the Senate voted for debates on the contested measures.
Based on the law as it stands, you will likely never know if law enforcement or intelligence services are using intercept or intrusion technologies against you. If you do, then it may be accidental or long after the fact.
A recent example of intrusion technology usage without notice, centers on the FBI placing a GPS device on a car to track a person, without a warrant, for a full month. The device was discovered by accident, leading to a public outcry over Fourth Amendment violations. The good news is that the U.S. Supreme Court will hear the case, and address the issue of warrantless GPS tracking.
There is public concern that interception and intrusion technology could be abused. It has, both at home and around the globe. It’s true, there are laws in place to protect the average person, and law enforcement officers follow them to the letter each day. Yet, sometimes even when the law is followed, citizens are caught in the middle.
When it comes to domestic surveillance, using intercept or intrusion technologies, the rules favor the intelligence and law enforcement community. There’s nothing wrong with that really, as long as there is oversight and no abuse, but because of the gaps within the current laws and established level of secrecy, it’s rare to catch abuse in the first place.
This is where critics get vocal, pointing out that the system is wrong, and there’s a serious problem.
“The lack of public information about surveillance is a problem because the United States is a democracy, and a core democratic value is that the people get to set the boundaries within which government operates. The rapid pace of technological change has made it difficult for people to understand, let alone make decisions about, the nature and extent of government surveillance,” commented Catherine Crump of the ACLU recently, while writing about secret surveillance programs.
“Everyone recognizes that temporary and limited secrecy is sometimes necessary to protect the integrity of ongoing investigations. But when law enforcement adopts new surveillance technologies or techniques that impact personal privacy, the public should know about it, and should have a say in whether the benefits outweigh the costs.”
It’s been said before, but it’s worth repeating. If you want the law changed, you have to put people in office to make it happen.
The first step to address intrusion and intercept technologies is to learn what they are and how they are used. After that, contact your elected representatives and make them hear you, tell them what you want done. If all else fails, vote them out of office, and put someone in there that represents your interests and privacy.
[This editorial is the opinion of Steve Ragan and does not necessarily reflect the opinions of the staff on The Tech Herald or the Monsters and Critics (M&C) network. Comments are welcome, and can be left below or sent to [email protected]]
The following is an outline of just some of the companies who develop and distribute interception and intrusion technologies to law enforcement and government intelligence services.
Note: Thuraya is a satellite communication provider covering Europe, the Middle East, North, Central and East Africa, Asia and Australia. Inmarsat is a British satellite telecommunications company, and VSAT is a small two-way satellite ground station.
ELAMAN is German-based firm that specializes in security and communications monitoring. They have headquarters in Munich, and a subsidiary in Dubai (UAE).
According to the company, they offer law enforcement and governments the ability to intercept “…all kinds of communication within different telecommunication networks and carriers inside and outside a country’s borders.”
They can monitor PSTN, private networks (PABX), wireless communications (WIFI & WIMAX), cellular communications (GSM, GPRS, CDMA, UMTS), and satellite communications (VSAT, Thuraya, Inmarsat).
Security Software International (SSI)
They offer tactical and strategic intelligence solutions to governments and law enforcement. Offices are located in Paris, Melbourne, and New Zealand.
“SSI and its partners have been in the business of lawful interception since 1994 and has installed LI Management Systems in more than forty countries around the world,” the company explains.
They offer the ability to monitor more than 200 different network nodes (switches, routers, gateways, application servers) developed by all of the top vendors. In addition, their LIMS offering enables real-time monitoring of telephony, fax, SMS, MMS, e-mail, VoIP, Push-to-Talk and other IP-based communication services.
They also offer IT Intrusion products, but will not discuss them publically.
Not much is known about this company. Their name originally appeared in Spam leaked from HB Gary and HB Gary Federal after the attack by Anonymous.
Located in the U.K., they deal with the government only, and offer a range of surveillance and monitoring products. Examples include, covert audio and video systems, GSM and Thuraya interception systems, and personal tracking devices.
Their featured product of the moment is a watch that is both a video and audio surveillance tool.
Intercept Monitoring Solutions (Discovery Telecom Technologies)
DTT was established in Salt Lake City, and does business globally. The website offerings are priced in Euros, and visitors can browse using either English or Russian language formats. Strange, considering it was founded in the U.S., but it's possible they are more interested in global business.
They offer tools intended both for active and passive interception of voice communications from all types of GSM, CDMA, and Satellite platforms.
Shoghi Communications Ltd.
Focused on communications and signals intelligence, this firm is located in northern India, rather close to Pakistan. They work with governments mainly, based on company information, but offer some solutions to law enforcement as well.
Some of the technology available includes voice analysis, which goes hand in hand with the interception products that can listen to conversations on any platform. In addition to the voice-based monitoring and interception products, Shoghi offers the ability for agencies to collect, decode and analyze Wi-Fi IP traffic.
“The system can decode and re-construct captured IP packets like HTTP, FTP, SMTP, POP, chat and IP telephony etc. (Further protocols can be made available on request), from all 802.11x channel in stealth mode… The system is capable of capturing traffic on all fourteen 802.11x channels simultaneously [with or without] applying any capture filter,” product data explains.
“The system is capable of recovering WEP, WPA, WPA2-PSK keys. The SCL- 2052 has an additional option for an FPGA based key recovery accelerator capable of retrieving WPA keys at extremely high speeds. Multiple FPGA cards can be added to further boost the speed of key retrieval.”
Utimaco (Sophos Group)
There are plenty of documents available for Utimaco’s Lawful Interception Management System. It works hand in hand with GSM, GPRS, UMTS, LTE, PSTN, DSL, Cable, WLAN, and WiMAX networks, allowing law enforcement and governments to intercept “…all types of communication technologies including VoIP, NGN, e-mail, SMS, MMS, [and] telephony.”
With offices in the Netherlands, Switzerland, Norway, and the U.S., Group 2000 offers LIMA to law enforcement and intelligence services when they need to monitor communications.
Currently, LIMA is available for Broadband, VoIP, Email, Mobile, and PSTN platforms. In addition, Group 2000 has deep packet inspection available, which can be combined with their LIMA offerings.
More details and product information is online.
Located in France, Vupen has a reputation in the security industry. VUPEN is known for exploit and vulnerability research. When they discover a flaw, they often tell the vendor last (if at all), but offer protection from the zero-day threats to customers who subscribe to their services.
However, what many may not know is that - in their own words - VUPEN “…provides exclusive research and highly sophisticated exploits specifically designed for the Intelligence community and national security organizations to help them achieve their offensive missions using tailored and unique codes created in-house…”
Access to VUPEN’s custom Malware and exploits is highly restricted. Only countries, members, or partners of NATO, ANZUS and ASEAN can take part.
As we mentioned previously, Gamma’s FinFisher was used in Egypt by the SSIS. Not much is known about the firm, and they were under the radar until the story in Egypt broke. Their website, seen here, contains only the basics, and emails from the public are ignored. When it comes to those they work with, the client list is restricted to intelligence and law enforcement.
Located in Milano, Italy, Hacking Team is another company that many outside of the intelligence and law enforcement world might not know. They offer both offensive and defensive security services to clients, including penetration testing. They offer to test wireless networks, databases, VMware and ESX, VoIP, and SAP environments, as well as mobile applications.
According to company documentation, they count Barclays, ING, Deutsche Bank, Gucci, AGFA Healthcare, and ABI among their clients.
Based on emails leaked after the Anonymous attack, HBGary can be counted as an intrusion vendor. They developed a rootkit that is able to “exfiltrate information past personal firewalls without detection” noting that the elegance of their rootkit’s design means more reliability and less detection footprint.
The design logs keyboard activities, and uses compression and encryption when sending data - leveraging outbound communications only. Small, the rootkit itself could be attached to any EXE without worry.
Information on HBGary’s other offerings to law enforcement and intelligence agencies can be seen here.
Endgame Systems, the company referenced in the leaked HBGary emails as not wanting to be publically known - is actually recognized as one of the U.S. government’s top cyberdefense contractors.
Endgame’s mission is to “leverage its world-class capabilities in the fields of computer vulnerability research and global network awareness to enhance the overall Information Operations capability of the United States intelligence and military organizations,” company documents explain.
Endgame offers the government subscription-based solutions. One of them, called Maui in company documents, includes vulnerability research, as well as custom exploit toolkit development. It isn’t cheap however, with prices reaching more than $2.5 million dollars per year.
Founded in 2008, the company is headquartered out of Atlanta, Georgia. However, given the recent attention focused on them from the HBGary incident, the company has withdrawn from the public. Their website has been removed, and cached copies of it have been scrubbed as well.
Other vendors of interest: