[liberationtech] [governance] Report: cyber-espionage against NGOs, activists and journalists
Carlos A. Afonso
ca at cafonso.ca
Mon Sep 27 03:40:33 PDT 2010
There is a legal foundation in the Brazilian constitution which
establishes that "confidentiality of correspondence is inviolable". The
latest major rewriting of our Constitution is from 1989, when email was
a little more than an experiment, but for all legal purposes email is
regarded as "correspondence" just as any common letter. If one encrypts
email therefore it becomes irrelevant to the Constitution, since its
contents are inviolable.
But, of course, a Court can legitimately require breach of
confidentiality by a designated law official if there is legal ground to
prove that this breaching is required as proof against a possible crime,
felony etc. during a due process of law. However, as much as no one can be
forced to read his or her own letter even if the style is impossible to
read by anyone else, so he/she cannot be forced to decode or facilitate
the decoding of the encrypted content of any message or document. This is
also based in established law: no one can be forced to generate evidence
against him/herself in any circumstance, or, in other words, we all have
a right to remain silent.
In practice, a lot of illegal violations of confidentiality (either by
wiretapping or outright opening of any correspondence) are committed very
frequently by government officials or private entities with or without
government involvement, and usually the victim might never know if this
happened, how and why.
The question then is (assuming the same legal framework is valid in the
USA): is the government entitled to open any correspondence on suspicion
without a legal and explicit procedure? In other words: does government
spying violate those legal principles?
I think the conclusion is that, if the government can break this
confidentiality without due process of law (and spying is breaking this
without due process of law), basic rights are being automatically put at
grave risk. However, even if it cannot do that, we will all be at risk
of illegal violations by government or other agents. Encrypting digital
information seems to be the last resort a citizen has to ensure as much
as possible his/her constitutional right of confidentiality.
I am not a lawyer, so my reasoning might be full of flaws, but this is
what I think.
On 09/27/2010 02:40 AM, Sivasubramanian M wrote:
> And, from the Privacy list: NYTimes: U.S. wants access to *all* encrypted
> Internet communications http://bit.ly/b7iSFC (New York Times)
> On Mon, Sep 27, 2010 at 10:38 AM, Sivasubramanian M <isolatedn at gmail.com> wrote:
>> In other parts of the world, it is not exactly torture and a prison term,
>> but activists, NGOs and journalists can't possibly be euphoric that their
>> communications are private and free of surveillance. China makes news, China
>> is loud in its methods, but elsewhere around the world the same is possibly
>> happening in a lesser degree in a more subtle, undetected form. Can it be
>> argued that other Governments anywhere do not use available technology to
>> monitor activists NGOs and journalists?
>> Sivasubramanian M
>> On Sun, Sep 26, 2010 at 9:09 PM, Rebecca MacKinnon<
>> rebecca.mackinnon at gmail.com> wrote:
>>> From the South China Morning Post Sunday Magazine.
>>> Chain of commands
>>> Mainland authorities are detaining individuals for
>>> perceived crimes committed online. But how do they access such incriminating
>>> information?
>>> Paul Mooney
>>> Updated on Sep 26, 2010
>>> When Norzin Wangmo used her computer and mobile
>>> phone two years ago to communicate with friends about protests in Tibet, she
>>> had no idea it would result in her torture and a five-year prison sentence.
>>> Detained soon after sending the messages, the 30-year-old Tibetan
>>> government worker and writer was accused by officials of using the
>>> technology to inform the outside world about civil unrest in Tibet.
>>> After months in detention, during which her friends said she was tortured,
>>> the five-year prison term was handed down. Few other details about Norzin
>>> Wangmo, who leaves behind a young son, are known.
>>> No one is sure how Chinese intelligence obtained the details of her
>>> communications. But the story is a frightening example of the dark side of
>>> internet espionage on the mainland, where people perceived to be a threat to
>>> the state are targeted, including ordinary Chinese citizens, scholars,
>>> human-rights workers, journalists, diplomats and businesspeople.
>>> Many security experts who study China believe the government is being fed
>>> information by a loose and shadowy network that includes the hacker
>>> community, organised crime and other parts of government, including security
>>> agencies and the People's Liberation Army (PLA).
>>> "The sheer amount of energy and resources the Chinese government has
>>> thrown at this is enormous," says Lhadon Tethong, director of the
>>> Canada-based Tibet Action Institute, which helps Tibetans fight for rights,
>>> primarily through the safe exchange of information, using sophisticated
>>> Many victims of internet espionage are quick to point a finger at the
>>> central government.
>>> "Who else would attack us?" asks Chine Chan, a researcher for Amnesty
>>> International Hong Kong. "It doesn't make sense unless it's the government."
>>> Security experts, however, are careful to explain that no smoking gun has
>>> yet been found linking the hacking and the use of malware - malicious
>>> software designed to secretly access a computer system - to Beijing.
>>> Greg Walton, an independent cyber security researcher based in Britain,
>>> believes the attacks are the work of groups of players. He points to
>>> Chongqing, where there is a concentration of internet espionage control and
>>> command centres, as an example.
>>> "Chongqing is interesting in that it's like a nexus of organised crime,
>>> the party, a big computer-hacking scene and all sorts of PLA installations,"
>>> he says. "It's a combination of many forces that do these attacks. It's not
>>> a secret that the data is ending up with the state. Any other explanation is
>>> Experts say the spying is highly organised and professional, with some
>>> hackers working in shifts, even making note of when targets are having lunch
>>> or taking breaks.
>>> It is also likely that many hackers are working independently and some
>>> targets are being compromised by more than one malware group, says Nart
>>> Villeneuve, a researcher at the Information Warfare Monitor (IWM), whose
>>> members include the Citizen Lab, Munk School of Global Affairs, the
>>> University of Toronto and the SecDev Group, a security consultancy based in
>>> Walton says patriotic hackers are probably selling information to the
>>> government, providing it with "another layer of deniability".
>>> Since last year, IWM has published two reports on cyber-espionage
>>> networks: "Tracking GhostNet: Investigating a Cyber Espionage Network" and
>>> "Shadows in the Cloud: An investigation into cyber espionage 2.0."
>>> GhostNet is the name investigators have given to a network of more than
>>> 1,200 compromised computers in 103 countries, including foreign affairs
>>> ministries, embassies, international organisations, news organisations and a
>>> computer in the headquarters of Nato. The network's command and control
>>> centre appears to be on Hainan Island, home of the Lingshui signals
>>> intelligence facility and the Third Department of the PLA.
>>> In September and October 2008, IWM investigated alleged cyber espionage on
>>> the computer systems in various offices related to the work of the Tibet
>>> government in exile and other Tibetan groups. These included the Office of
>>> His Holiness the Dalai Lama, in Dharamsala, India, organisations in the
>>> United States, Britain, France, Belgium and Switzerland, and the office of
>>> Drewla, an NGO which runs an online outreach project that uses young
>>> Chinese-speaking Tibetans to talk with people in the mainland about the
>>> situation in Tibet.
>>> The GhostNet report said some 70 per cent of the control servers behind
>>> the attacks on Tibetan organisations were located on IP addresses assigned
>>> to the mainland.
>>> During an investigation at the Dalai Lama's private office, Walton
>>> observed as documents were being pilfered from the computer network,
>>> including a file containing thousands of e-mail addresses and another
>>> detailing the negotiating position of the spiritual leader's envoy.
>>> During the investigation into the so-called Shadow Network, investigators
>>> were able to obtain data taken by the attackers, including some 1,500
>>> letters sent from the Dalai Lama's office between January and November last
>>> year. While the report said many of the letters did not contain sensitive
>>> information, it added that they allowed the attackers to collect information
>>> on anyone contacting the exiled spiritual leader's office.
>>> The team traced the attacks to hackers apparently in Chengdu, which is
>>> also the location of one of the PLA's technical reconnaissance bureaus
>>> charged with signals intelligence collection. Researchers said one hacker,
>>> who used the cyber name "lost33", had attended the University of Electronic
>>> Science and Technology of China, which publishes manuals on hacking and
>>> offers courses on network attack and defence security.
>>> The authors said an anomaly was detected when analysing traffic from the
>>> offices of the Tibet government in exile: computers in Dharamsala were
>>> checking in with a command and control server situated in Chongqing. Despite
>>> Chongqing Communist Party chief Bo Xilai's high-profile anti-corruption
>>> campaign, the city still has a high concentration of gangs said to have ties
>>> to the government and which have extended their traditional criminal
>>> activities to include cyber crime.
>>> While Walton admits no direct link to the central government has been
>>> detected, he does not seem to have any doubts about who is behind the
>>> "Some people shy away from saying it's the state," he says, "but there's a
>>> growing body of evidence. My own feeling is that sooner or later someone
>>> will be able to prove it."
>>> The "Shadows in the Cloud" report, which Walton contributed to, points to
>>> the existence of a vibrant hacker community in the mainland "that has been
>>> tied to targeted attacks in the past and has been linked, through informal
>>> channels, to elements of the Chinese state, although the nature and extent
>>> of the connections remains unclear".
>>> The authors allude to a "privateering" model in which the government
>>> authorises citizens to carry out attacks against "enemies of the state".
>>> However, the report referred to research by Scott Henderson, author of The
>>> Dark Visitor: Inside the World of Chinese Hackers. Henderson wrote that
>>> there was disagreement about the exact relationship between hackers and the
>>> state, running from "authorise" to "tacit consent" to "tolerate".
>>> The most plausible explanation, the report said, and the one supported by
>>> the evidence, is that the Shadow Network is based in the mainland and run by
>>> one or more people with close ties to the country's criminal underworld.
>>> The report concluded: "As a result, information that is independently
>>> obtained by the Chinese hacker community is likely to find its way to
>>> elements within the Chinese state."
>>> Lhadon Tethong says security experts she's spoken to consider the cyber
>>> war "a lost game" but that she takes a different approach - trying to remain
>>> one step ahead of the mainland authorities.
>>> "We're looking at new technologies that haven't come out yet and how they
>>> can be used in Tibet," she says. "The Chinese government can control your
>>> BlackBerry or laptop, but let's look beyond that, at iPads and Android
>>> technology [a mobile-phone operating system developed by Google]. You cannot
>>> stop it. The force is just too strong.
>>> "We worked with young and innovative technical experts and geeks from the
>>> beginning," she says. "The optimistic part is that the advances in
>>> communications technology are happening so quick that the Chinese
>>> bureaucracy can't keep up. Saying you can't do this or that because they're
>>> too good is just not true."
>>> She cites the microblogging service Twitter, which the authorities managed
>>> to block. Before that, Tibetan activists had found it a useful tool for
>>> getting their message across both within and outside the mainland.
>>> "You can block one site and another will pop up, and it won't take long
>>> before people find it," she says. "You can try to control it but there's no
>>> way to stop it and I think they know that."
>>> Chan agrees. "The trend can't go back. It's important to learn how to get
>>> around [the controls]. If civil society grows faster than the government
>>> controls, then you win."
>>> Meanwhile, the attacks are increasing in number and in sophistication.
>>> On March 18, people on the mailing list of Human Rights in China (HRIC)
>>> received an e-mail that appeared to be from director Sharon Hom. The subject
>>> line - "Microsoft, Stool Pigeon for the Cops and FBI" - convinced many
>>> recipients to take a look at the enclosed attachment. Within seconds the
>>> e-mail was flying around cyberspace, with thousands receiving it and passing
>>> it on to others.
>>> But the e-mail was not from Hom. It was a "spear phishing" e-mail that
>>> lured recipients to visit a compromised website in Taiwan. Those who clicked
>>> on the link unknowingly loaded malware that allowed the attackers to take
>>> control of their computers from a server in Jiangsu province.
>>> In a report on the HRIC attack, Villeneuve wrote that the malware spread
>>> via the e-mail was traced to a command and control centre in Jiangsu. He
>>> said the nature of the compromised entities and the data stolen by the
>>> attackers indicated correlations with the mainland's strategic interests.
>>> But he concluded that "we were unable to determine any direct connection
>>> between these attackers and elements of the Chinese state".
>>> Earlier this year, a foreign journalist was conducting a text conversation
>>> on Skype with Tsering Woeser, a Beijing-based Tibetan poet and commentator,
>>> when the journalist received an article over the internet service. When the
>>> suspicious reporter called Tsering Woeser to ask about the file, she was not
>>> even home. Someone had hijacked her account and started conversations with
>>> 30 of her Skype friends, several of them journalists. They even imitated the
>>> way the poet spoke. Some were tricked into downloading malware. This was the
>>> second hijacking of her Skype account in two years.
>>> Most cyber attacks rely on a tactic known as "social engineering",
>>> manipulating people to get them to provide computer access through trickery,
>>> rather than technical hacking.
>>> "At the root it's not technology," Walton says. "The deeper the
>>> penetration, the more intelligence they can feed into a social engineering
>>> attack. If I look at your computer, I can draft e-mails that you will trust
>>> more and more."
>>> Robbie Barnett, director of the Modern Tibet Studies programme at Columbia
>>> University, in the United States, says the attackers are getting
>>> increasingly sophisticated in their use of social engineering. They use the
>>> names of people you know, refer to an incident over the past 48 hours, often
>>> with a provocative subject, and may even have the actual sender's real
>>> e-mail address. He says no one can be 100 per cent safe, no matter what
>>> precautions are taken.
>>> "Eventually, they hit a bull's eye," Barnett says, "They send you a letter
>>> from a Tibetan who's just written to you and could easily be sending
>>> something to you. Even if you've been careful for years, you could fall for
>>> Typically the target receives an e-mail appearing to be from an
>>> acquaintance. Often it mentions some sensational detail that lures the
>>> victim into opening a file or visiting a website that opens a backdoor,
>>> where malware can be planted.
>>> Control is often maintained through the use of the Chinese Gh0st RAT
>>> (remote access tool). These trojans enable nearly unrestricted access to the
>>> infected system. The attacker can then carry out surveillance of the
>>> attacked computer, pilfer files and e-mails and send data to other
>>> computers, and use the infected computer as a platform to launch future
>>> attacks against computers around the world.
>>> "It's all part of a trend that I've been watching for a decade," says
>>> Walton, "pushing surveillance of the population from the network to the
>>> "Everything you can do, they can do - it's like they're sitting in front
>>> of your computer. They can turn on the webcam, the microphone and access
>>> documents. Someone is staring back at you through your webcam. It's
>>> While much of the activity seems focused on gathering intelligence and
>>> disruption of operations, in some cases the attacks are more dangerous. In
>>> July, the website of Chinese Human Rights Defenders was shut down several
>>> times by direct denial of service (DDOS) attacks. In April, the Foreign
>>> Correspondents' Club of China was forced to take its website offline
>>> temporarily after being repeatedly hit by DDOS attacks.
>>> In January, Google announced it had found "a highly sophisticated and
>>> targeted attack on our corporate infrastructure originating from China that
>>> resulted in the theft of intellectual property". The attack was said to have
>>> targeted the Google e-mail accounts of Chinese human-rights activists.
>>> Journalists have also become a target. In April, Andrew Jacobs, Beijing
>>> correspondent for The New York Times, wrote an article detailing how his
>>> computer had been hacked and e-mails redirected to an unknown address.
>>> Jacobs said scores of foreign reporters in the mainland had experienced
>>> similar intrusions.
>>> Last September, several foreign news bureaus in Beijing began receiving
>>> e-mails from "Pam", who said she was an economics editor. The e-mails, which
>>> were in well-written English and included a list of genuine contact names,
>>> detailed a proposed reporting trip. However, when the attached PDF was
>>> opened it unleashed malware.
>>> Walton and Villeneuve, who studied the virus, said in a report that the
>>> file appeared to be a legitimate document that had been stolen from a
>>> compromised computer, which was then modified to include malware and serve
>>> as a lure. While they said the malware could not be traced back to the
>>> central government, the recipients were Chinese news assistants, whose
>>> e-mail addresses were not widely known to the public, but were to the
>>> Ministry of Foreign Affairs.
>>> Richard Baum, moderator of Chinapol, an online community of more than 900
>>> China watchers, including journalists, lawyers and analysts, says the group
>>> has suffered "a certain amount of leakage" of membership lists and e-mail
>>> traffic. Members have also received phishing e-mails. Recently, an e-mail
>>> was sent to some members purporting to be the new member e-mail list, which
>>> had a malware attachment.
>>> Walton says data was being sent back to a computer in Chongqing within 30
>>> seconds of the malware being accepted.
>>> In the HRIC incident, a member of Chinapol sent the e-mail to all its
>>> members, some of whom in turn passed it on to their acquaintances.
>>> What's troubling is anti-virus software used by the general public is not
>>> always effective in catching these viruses. In the case of the HRIC attack,
>>> there was very low anti-virus cover, with only eight out of 42 anti-virus
>>> products detecting the file as malware, the investigation found. In the case
>>> of the news assistants who downloaded malware, only three of 41 anti-virus
>>> products used by VirusTotal, a service that analyses suspicious files and
>>> URLs, detected the malicious code embedded in the PDF file.
>>> Fake e-mails also create confusion. A human-rights activist in Hong Kong
>>> tells of an e-mail sent out in her name revealing certain information only
>>> known to people she worked closely with.
>>> "This is their way of saying, `We know who you are and what you're doing',
>>> to make you feel scared," she says. "Even if people know the e-mail is not
>>> from me, the damage is already done. The next time they'll ask if it's
>>> really from me."
>>> HRIC's Hom says: "This is seriously raising security issues for us. It
>>> makes every NGO, every journalist, every contact ask if they get an e-mail
>>> from me if it's real. As a small NGO we don't have the resources, technical
>>> expertise and capacity to guard ourselves against such high-level attacks.
>>> It makes it very difficult for us to do our work.
>>> "How can any organisation, company or government function if communication
>>> with other persons or organisations runs the risk of a malware attack that
>>> undermines the trust in the organisation? The biggest impact on us is we
>>> have to be extremely careful not to compromise the security of the people
>>> we're dealing with."
>>> One example of this, from the GhostNet report, is that of a young Tibetan
>>> woman who was returning to her village after having worked for two years in
>>> India. She was stopped at the Nepal-Tibet border by Chinese intelligence
>>> officers. The woman was taken to a detention centre, where she was
>>> interrogated about her connection with Drewla.
>>> She insisted she had gone to India just to study, denying any political
>>> involvement, but her claims were waved away. The officers then pulled out a
>>> dossier on her activities in India, including transcripts of her online
>>> chats about Tibet.
>>> She was held for two months and then allowed to return to her village.
>>> As a result, many activists are now reluctant to send information over the
>>> internet and even delete e-mails from people they don't know or that look
>>> suspicious. The result is less information is getting through to the people
>>> who need it.
>>> "It's caused a lot of problems for me," says Tsering Woeser, who is often
>>> under police surveillance. "First, because of my situation, I can only
>>> contact my friends through Skype and e-mail, and now some Tibetan friends
>>> are afraid to contact me. I'm getting much less information than before.
>>> It's a huge interference."
>>> Tsering Woeser says her internet activities are constantly probed. In a
>>> recent incident, she received an e-card from dissident writer Yu Jie, which
>>> turned out to be a phishing spear. She says that at least once a month a
>>> person pretending to be a Tibetan attempts to make contact with her online.
>>> "But what I worry about most is that the people who are in contact with me
>>> may get into trouble and I won't even know about it," she says.
>>> Barnett also depends on sources to provide him with news from tightly
>>> controlled Tibetan areas. He says he, too, is now receiving far less
>>> information than in previous years. "The deterrent effect on people sending
>>> information is very effective," he says. "This is having a massive effect on
>>> the limitation of outsiders finding out what's happening in China. A lot of
>>> it works by fear, intimidation and self-censorship. People are worried about
>>> Barnett says this climate of surveillance suggests to anyone considering
>>> sending information "that they should think twice".
>>> The culture of security in China, he says, means the government only has
>>> to go after a few people to have a deterrent effect.
>>> "You only have to pick up three people for passing on information and that
>>> will deter hundreds of thousands of others," he says. "The system may now be
>>> more powerful than us."
>>> Walton says there has been a clear increase in the number of incidents
>>> this year, although he cautions that this may be due to the fact people are
>>> more on the lookout for these things.
>>> "There's more awareness and people are suspicious of links and e-mails,"
>>> he says. "In terms of forward trends, I see a continuous escalation of these
>>> attacks. People are being compromised every day and I'm getting examples on
>>> a daily basis."
>>> Experts say that if Beijing is not responsible for the attacks, it has a
>>> responsibility to shut down hackers working within its borders.
>>> "I have never and still don't make the claim that it was the government,"
>>> Hom says. "But if China insists on internet sovereignty and sovereignty over
>>> its territory, it has to take responsibility for these kinds of cyber
>>> attacks. It has to show the international community that it has taken steps
>>> to investigate, track down and end these attacks."
>>> Rebecca MacKinnon
>>> Schwartz Senior Fellow, New America Foundation
>>> Co-founder, GlobalVoicesOnline.org
>>> Cell: +1-617-939-3493
>>> E-mail: rebecca.mackinnon at gmail.com
>>> Blog: http://RConversation.blogs.com
>>> Twitter: http://twitter.com/rmack
Carlos A. Afonso
new/nuevo/novo e-mail: ca at cafonso.ca