Dissidents Fight Back as Governments Step Up Spyware Attacks

By Olga Khazan

OSLO, Norway -- One of the first times hackers tried to infiltrate Danny O'Brien through his email inbox, it was in the guise of a human-rights event invitation from what appeared to be a friend.

"It included a PDF, which, when clicked on, would log all your keystrokes, record audio, and download documents from your hard drive," said O'Brien, the international director of the Electronic Frontier Foundation, who has since found himself a repeat target of cyber attacks.

(He didn't click on it, luckily.)

Such "spear-phishing" attempts -- which take the form of an email from a hacker posing as an acquaintance -- are hardly rare among human-rights workers. Lobsang Sangay, the prime minister of Tibet, told an audience at the Oslo Freedom Forum last week that once, after arranging an interview with a Time journalist, he received a follow-up email with an attachment titled "interview questions."

He called the reporter, who said no email had ever been sent.

"The Chinese government tries to monitor me, destroy my computer, make my life difficult," Sangay said.

Spear-phishing attempts represent just one of the many kinds of cyber attacks that government agents are increasingly deploying in order to keep tabs on dissidents.

While digging through an Angolan dissident's MacBook last week, security researcher Jacob Appelbaum uncovered a new strain of spyware. Its purpose? To capture screenshots and beam them back to servers based in France, the Netherlands, and elsewhere.

"They can intercept text messages, and even worse, they can triangulate your position very accurately," said Nasser Weddady, director of civil rights outreach for the American Islamic Congress. "They can remotely turn your smartphone into a microphone."

This phenomenon isn't new, as protesters taking part in the Arab Spring protests discovered the hard way, but the frequency and cleverness of the attacks are on the rise. In March of 2011, one activist raided the headquarters of Egypt's state security agency and found online call files describing his own love life and trips to the beach. In 2012, an Internet-freedom report from the advocacy group Freedom House found that in 12 of 37 countries, state cyber attacks against regime critics were "intensifying."

A spyware tool called FinSpy, made by the British company Gamma Group, can clandestinely turn on Web cams and read documents as they're being typed. It has been linked to servers in more than two dozen countries, including Bahrain, where an active uprising continues to simmer. (At times, the software has even masqueraded as the browser Firefox, which prompted an angry rebuke from the Mozilla Foundation.)

A number of Western companies manufacture the technology these governments use for online monitoring, but most of the manufacturers claim to have no control over how foreign agents use their software. Reporters Without Borders went so far as to write to Skype in January and ask for better transparency about the security of Skype calls.

But as activists have become increasingly aware of such Internet strikes, they've also become savvier about the information trails they leave in the digital world.

"The states we live under have an incredibly unparalleled access to a level of data," O'Brien said at a recent talk in Oslo. "On the standard Internet, they know who you're speaking to. On the mobile internet, they know who you are. With mobile devices as they're currently designed, we have no idea what kinds of hardware or software are being installed."

Activists have fought back using the basic protections: stronger passwords, two-step verification, and security questions with wrong answers to fool the more familiar (or Wikipedia-reading) hackers, O'Brien said.

Then there are hard drives, which must be encrypted so they can't be read even if the bad guys get hold of a computer or mobile device. Without encryption, sensitive evidence can be easily compromised.

"One documentary filmmaking group that was in Syria was filming a lot of activists in that civil war," O'Brien explained. "As they left the country, the computer was taken, and that content was seized, and it revealed everything -- all those people's activities."

Cell phones are the most risky -- if you ask some activists, they're little more than pocket-sized spies loaded with GPS signals that track our locations constantly. As a result, it's now common for those who don't want to be found to leave their phones at home when they attend meetings, or to take the batteries out so they can't be tracked, Weddady said.

The most discreet activists have satellite pagers, passive devices that don't broadcast their owner's signals and thus can be left on throughout top-secret meetings.

Some are also using secure software such as Tor, a "network of virtual tunnels" that prevents surveillance during Web browsing or online chatting. Activists can use it to blog from danger zones, and tens of thousands of Chinese netizens use it to scale the Great Firewall regularly.

All of this represents a stark shift from the predominant narrative of the Arab Spring, in which open communication on social media allowed demonstrators to coordinate protests and, eventually, to topple dictators. I asked Weddady if the activist world is moving away from the days of blasting out protest coordinates over Twitter, and toward a future of hush-hush conversations over encrypted technology.

Not so, he said -- the two strategies are starting to complement, but not replace, one another.

"The fact that we have platforms that allow us to discuss and openly voice dissent is very valuable, and we should not give it up," he said. "But we want lots of our interpersonal communications to be secure."

According to Appelbaum, the security researcher, it's everyone's responsibility to use protected software -- even if you think no one's watching. One person's lapse might mean another's compromised data.

"We need to stop having unsafe communications just like people stopped having unsafe sex in the 1980s," he implored the Oslo audience.

And whatever you do, don't open that attachment.

This article available online at:

http://www.theatlantic.com/international/archive/2013/05/dissidents-fight-back-as-governments-step-up-spyware-attacks/276147/