Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Stephan Faris: The Hackers of Damascus – Businesweek

ilf ilf at zeromail.org
Thu Nov 15 04:02:45 PST 2012


http://www.businessweek.com/articles/2012-11-15/the-hackers-of-damascus

Taymour Karim didn’t crack under interrogation. His Syrian captors beat 
him with their fists, with their boots, with sticks, with chains, with 
the butts of their Kalashnikovs. They hit him so hard they broke two of 
his teeth and three of his ribs. They threatened to keep torturing him 
until he died. “I believed I would never see the sun again,” he recalls. 
But Karim, a 31-year-old doctor who had spent the previous months 
protesting against the government in Damascus, refused to give up the 
names of his friends.

It didn’t matter. His computer had already told all. “They knew 
everything about me,” he says. “The people I talked to, the plans, the 
dates, the stories of other people, every movement, every word I said 
through Skype. They even knew the password of my Skype account.” At one 
point during the interrogation, Karim was presented with a stack of more 
than 1,000 pages of printouts, data from his Skype chats and files his 
torturers had downloaded remotely using a malicious computer program to 
penetrate his hard drive. “My computer was arrested before me,” he says.

Much has been written about the rebellion in Syria: the protests, the 
massacres, the car bombs, the house-to-house fighting. Tens of thousands 
have been killed since the war began in early 2011. But the struggle for 
the future of the country has also unfolded in another arena—on a 
battleground of Facebook (FB) pages and YouTube accounts, of hacks and 
counterhacks. Just as rival armies vie for air superiority, the two 
sides of the Syrian civil war have spent much of the last year and a 
half locked in a struggle to dominate the Internet. Pro-government 
hackers have penetrated opposition websites and broken into the 
computers of Reuters (TRI) and Al Jazeera to spread disinformation. On 
the other side, the hacktivist group Anonymous has infiltrated at least 
12 Syrian government websites, including that of the Ministry of 
Defense, and released millions of stolen e-mails.

The Syrian conflict illustrates the extent to which the very tools that 
rebels in the Middle East have employed to organize and sustain their 
movements are now being used against them. It provides a glimpse of the 
future of warfare, in which computer viruses and hacking techniques can 
be as critical to weakening the enemy as bombs and bullets. Over the 
past three months, I made contact with and interviewed by phone and 
e-mail participants on both sides of the Syrian cyberwar. Their stories 
shed light on a largely hidden aspect of a conflict with no end in 
sight—and show how the Internet has become a weapon of war.

The cyberwar in Syria began with a feint. On Feb. 8, 2011, just as the 
Arab Spring was reaching a crescendo, the government in Damascus 
suddenly reversed a long-standing ban on websites such as Facebook, 
Twitter, YouTube, and the Arabic version of Wikipedia. It was an odd 
move for a regime known for heavy-handed censorship; before the 
uprising, police regularly arrested bloggers and raided Internet cafes. 
And it came at an odd time. Less than a month earlier demonstrators in 
Tunisia, organizing themselves using social networking services, forced 
their president to flee the country after 23 years in office. Protesters 
in Egypt used the same tools to stage protests that ultimately led to 
the end of Hosni Mubarak’s 30-year rule. The outgoing regimes in both 
countries deployed riot police and thugs and tried desperately to block 
the websites and accounts affiliated with the revolutionaries. For a 
time, Egypt turned off the Internet altogether.

Syria, however, seemed to be taking the opposite tack. Just as 
protesters were casting about for the means with which to organize and 
broadcast their messages, the government appeared to be handing them the 
keys.

Dlshad Othman, a 25-year-old computer technician in Damascus, 
immediately grew suspicious of the regime’s motives. Young, Kurdish, and 
recently finished with his mandatory military service, Othman opposed 
President Bashar al-Assad. Working for an Internet service provider, he 
knew that Syria—like many other countries, including China, Iran, Saudi 
Arabia, and Bahrain—controlled its citizens’ access to the Web. The same 
technology the government used to censor websites allowed it to monitor 
Internet traffic and intercept communications. Popular services such as 
Facebook, Skype, Google Maps, and YouTube gave Syria’s revolutionaries 
capabilities that until a couple of decades ago would have been 
available only to the world’s most sophisticated militaries. But as long 
as Damascus controlled the Internet, they’d be using these tools under 
the eye of the government.

Shortly after the Syrian revolution began in March 2011, Othman’s 
political views cost him his job. He decided to dedicate himself full 
time to the opposition, joining the Syrian Center for Media and Freedom 
of Expression in Damascus to document violence against journalists in 
the country. He also began teaching his fellow activists ways to stay 
safe online. Othman instructed them how to encrypt e-mails and 
encouraged them to use tools like Tor software, which enables anonymous 
Web browsing by rerouting traffic through a series of distant servers. 
When Tor turned out to be too slow to live-stream protests or scenes of 
government attacks against civilians, Othman began purchasing accounts 
on virtual private networks (VPNs) and sharing them with his friends and 
contacts. A VPN is basically a tunnel inside the public Internet that 
allows users to communicate in a secure fashion. For a monthly fee, you 
can buy access to servers that create encrypted paths between computers; 
the VPN also disguises the identities and locations of your machine and 
others on the network. Spies can’t read e-mails sent via VPN, and they 
have a hard time figuring out where they came from.

Othman’s efforts worked at first, but very quickly Damascus blocked 
off-the-shelf VPNs and upgraded its Internet filters in ways that made 
the VPNs inoperative. By the summer of 2011, Othman had become 
frustrated with the Western VPN providers, which he felt were too slow 
to adapt to the government’s crackdowns. He bought space on outside 
servers, set up VPNs of his own, and began actively managing them to 
make sure safe connections remained available.

Othman was still training and equipping activists in October 2011 when 
he made a nearly fatal mistake. He gave an on-camera interview to a 
British journalist who was later arrested with the footage on his 
laptop. Warned by a friend through a Facebook message, Othman turned off 
his phone, removed its SIM card—a precaution to avoid being tracked—and 
hid in a friend’s Damascus apartment. He never went home. A month and a 
half later, at the urging of activists who worried his arrest would 
compromise their entire network, he escaped across the border to 
Lebanon. “I had been a source of safety for my friends,” he says. “I 
didn’t want to become a source of danger.”

The struggle for Syria has transcended borders. In early 2011, from his 
office at the University of California at Los Angeles, John 
Scott-Railton, a 29-year-old graduate student in Urban Planning, joined 
the revolutions in North Africa and the Middle East. Scott-Railton, 
working on a dissertation on how poor communities in Senegal were 
adapting to climate change, had spent time in Egypt and had close 
friends there. When revolutionaries in Cairo occupied Tahrir Square, he 
set his studies aside. Working through his contacts in the country, he 
helped Egyptians evade Internet censors and get their message out to the 
world by calling protesters on the phone, interviewing them, and 
publishing their views on Twitter. Later, when the Arab Spring spread to 
Libya, he did the same, this time working with Libyans in the diaspora 
to broaden his reach.

In Syria, Scott-Railton recognized that the task would be different. 
Once Assad’s government lifted restrictions on the Internet, activists 
were having little trouble getting their voices heard; graphic videos 
alleging government atrocities were lighting up Facebook and YouTube. 
The challenge would be keeping them safe. “If we’re going to talk about 
how important the Internet has been in the Arab Spring, we need to think 
about how it also brings a whole new set of vulnerabilities,” says 
Scott-Railton. “Otherwise, we’re going to be much too optimistic about 
what can be done.”

The first documented attack in the Syrian cyberwar took place in early 
May 2011, some two months after the start of the uprising. It was a 
clumsy one. Users who tried to access Facebook in Syria were presented 
with a fake security certificate that triggered a warning on most 
browsers. People who ignored it and logged in would be giving up their 
user name and password, and with them, their private messages and 
contacts.

In response, Scott-Railton began nurturing contacts in the Syrian 
opposition, people like Othman with wide networks of their own. “It 
wasn’t that different from the strategy I had worked out in Libya: 
Figure out who was trustworthy and then slowly build up,” he says. In 
the meantime, he contacted security teams at major American technology 
companies whom he could alert when an attack was detected. Scott-Railton 
declined to name specific companies but confirmed he was in touch with 
security experts at some of the biggest brand names. In the past year 
and a half, pro-government hackers have successfully targeted Facebook 
pages, YouTube accounts, and logins on Hotmail, Yahoo! (YHOO), Gmail, 
and Skype.

Scott-Railton’s involvement in the Syrian cyberwar wasn’t high-tech. 
Over several months, he set himself up as a bridge between two worlds, 
passing reports of hacking on to various companies who could investigate 
attacks on their users, take down bogus websites, and configure browsers 
to flag suspect sites as potential threats.

For Syrians, the system provided a quick, sure way to limit damage as 
attempts to break into accounts affiliated with the opposition became 
more sophisticated. For tech companies, it was an opportunity to address 
violations as they happened—though those violations have also exposed 
the vulnerabilities of some of the world’s most popular social 
networking services.

Facebook, which in 2011 responded to hacking attempts in Tunisia by 
routing communications through an encrypted server and asking users to 
identify friends when logging in, wouldn’t comment on what, if anything, 
the company is doing in Syria. Contacted by Bloomberg Businessweek, a 
spokesperson provided a statement saying: “Security is a top priority 
for Facebook and we devote significant resources to helping people 
protect their accounts and information, wherever they live and whatever 
the circumstances. … We will respond quickly to reports—whether from 
formal or informal channels—about worrying and problematic security 
threats from groups, organizations and, on occasion, from governments.”

As the war intensified, the cyberattacks waged by pro-government Syrian 
hackers became more ambitious. In the weeks before his arrest in 
December 2011, Karim, the young doctor, had begun to suspect his hard 
drive had been compromised. His Internet bill—which in Syria varies 
according to the traffic being used—had more than quadrupled, though he 
still isn’t sure exactly how his computer was infected. He suspects the 
malware may have been transmitted by a woman using the name Abeer who 
contacted him on Skype last autumn and sent him photos of herself. 
Another possibility is a man who sent Karim an Excel spreadsheet and 
said he could provide monetary support for the revolution.

In prison, Karim’s captors mentioned both people. His interrogators knew 
about his high Internet bills, as well: “The policeman told me, ‘Do you 
remember when you were talking to your friend and you told him you had 
something wrong and paid a lot of money? At that time we were taking 
information from your laptop.’ ”

Before the Syrian revolution, Karim had never participated in politics. 
“I would just go to work and then go home,” he says. But the Arab Spring 
awakened something inside him, and when demonstrators gathered for a 
second week of major demonstrations, Karim joined them. The first 
protest he attended was also the first in which the regime deployed the 
army to crush dissent, killing dozens of demonstrators across the 
country. Shortly afterward, Karim signed up to man field hospitals, 
caring for wounded activists. The worst injuries were from snipers, he 
recalls. “Sometimes people would be shot in the back, and they’d be 
paralyzed. Sometimes we found bullets in the face, and all the bones in 
the face were broken. When we found people shot in the abdomen, 
sometimes we couldn’t do anything because we didn’t have the proper 
equipment.”

When it came to the Internet, Karim was typical of many of his fellow 
activists: enthusiastic, naive, and all too often complacent where 
security was concerned. “Sometimes we’d say to each other, ‘If there was 
no Internet, there would be no revolution,’ ” he says.

Just 18 percent of Syrians use the Internet, and government restrictions 
along with sanctions by the U.S. and Europe have limited Syrians’ access 
to updated software and antivirus programs. Karim occasionally used the 
Tor application recommended by Othman but found the connection too slow 
for video. A friend in Qatar sent him a link to a secure VPN, but he 
wasn’t able to download the necessary software.

On Dec. 25, 2011, Karim met with a group of doctors to put the final 
touches on a plan to better coordinate the opposition’s field hospitals. 
The next day he spoke with a friend on Skype and agreed to meet him to 
film a Christmas video he hoped would be a show of unity between faiths. 
When he left his safe house, the police were waiting for him. They knew 
where they would find him and where he was going. “Skype was the best 
way for us, for communication,” he says. “We heard that Skype was very 
safe and that nobody can hack it, and there is no virus for Skype. But 
unfortunately, I was the first victim of it.”

In a statement to Bloomberg Businessweek, a spokesperson for Skype, 
which is owned by Microsoft (MSFT), said, “Much like other Internet 
communication tools with a very large user base—be it e-mail, IM, or 
Voip—Skype has been used by persons with malicious intent to trick or 
manipulate people into following nefarious links. … This is an ongoing, 
industrywide issue faced by all peer-to-peer software companies. Skype 
is committed to the safety and security of its users, and we are taking 
steps to help protect them.”

Karim spent 71 days in Syrian detention before being released on bail 
pending a military trial. After his release he fled the country, 
sneaking from village to village until he arrived in Jordan. There he 
discovered that many other activists had been contacted by the woman 
named Abeer. A few weeks after his release, he received a message from 
her on Facebook offering to send him more pictures. He refused.

In January 2012, less than a month after Karim’s arrest, Othman—by then 
in Lebanon—came across a laptop belonging to an international aid 
worker. The worker believed the laptop had been compromised. After 
making a preliminary analysis, Othman sent an image of the entire hard 
drive to Scott-Railton. Among the people Scott-Railton reached out to 
was a dreadlocked New Zealander named Morgan Marquis-Boire, a security 
engineer at Google (GOOG) in California. In his spare time, 
Marquis-Boire had begun investigating cyberattacks on opposition figures 
in the Middle East after being approached by activists who saw him speak 
at a conference. “I’m a firm believer in the facilitation of freedom of 
expression on the Internet,” he says. “The censorship that occurs when 
people are afraid to speak is actually the most powerful type of 
censorship that’s available.”

Marquis-Boire, 33, wasn’t the first person to analyze the infected hard 
drive, but his examination was deep and thorough. The laptop, he 
determined, had been successfully hacked three times in rapid 
succession. The first piece of malware had arrived on Dec. 26, 2011, 
during the early hours of Karim’s detention. It had been sent to the 
computer’s owner through Karim’s Skype account, embedded in the proposal 
for the coordination of field hospitals he had finalized the night 
before his arrest.

The malware, DarkComet, was a remote access “trojan.” It allowed its 
sender to take screenshots of the victim’s computer, monitor her through 
the video camera, and log what she typed. Every digital move the 
laptop’s owner made was being recorded—and the reports were being routed 
back to an IP address in Damascus.

The network Scott-Railton had set up was faced with a new challenge. The 
people behind the attacks were no longer casting a wide net and waiting 
to see who they caught. They were specifically targeting revolutionaries 
such as Karim and his contacts. Security experts at major tech companies 
can restore access to hacked accounts or issue takedown orders when 
hackers set up fake versions of their websites. But there’s little they 
can do for a user whose computer has been captured by hackers.

Scott-Railton and his collaborators began to study their opponent. 
Syrians like Othman with close contacts to the opposition began 
gathering suspicious files that might contain malware and funneling them 
to Scott-Railton. He passed them on to Marquis-Boire, who published his 
findings in blog posts for the Electronic Frontier Foundation, an 
advocacy organization based in San Francisco that promotes civil 
liberties on the Internet. A pattern soon emerged. The attacks used code 
widely available online. In the case of the DarkComet trojan that had 
been sent from Karim’s computer, the malware had been developed by a 
French hacker in his twenties named Jean-Pierre Lesueur who offered it 
as a free download on his website.

What made the hacks so effective was their deviousness. Malware was 
discovered in a fake plan to help protesters besieged in the city of 
Aleppo; in a purported proposal for the formation of a post-revolution 
government; and on Web pages that claimed to show women being raped by 
Syrian soldiers.

Whenever possible, the people behind the attacks would use a compromised 
account to spread the malware further. In April 2012, the Facebook 
account of Burhan Ghalioun, then the head of the Syrian opposition, was 
taken over and used to encourage his more than 6,000 followers to 
install a trojan mocked up to look like a security patch for Facebook.

Scott-Railton’s network allowed antivirus companies to update their 
software so it would recognize the malware and warn Syrian activists. 
Once Marquis-Boire identified DarkComet, a group of hackers who went by 
the name Telecomix began putting pressure on its creator, Lesueur, to 
take it down. In February 2012, less than a month after the trojan had 
been discovered, he released a patch that would remove his program from 
an infected computer. “i was totally shocked to see that the syrian gouv 
used my tool to spy other people,” he wrote in a typo-laden post on his 
personal blog. “Since now 4 years i code DarkComet for people that are 
interested about security, people that wan’t to get an eye on what their 
childs doing on the internet, for getting an eye to notified employees, 
to administrate their own machines, for pen testing but NOT AS A WAR 
WEAPON.”

In July, Lesueur took the program down altogether. The weapon that had 
been launched from Karim’s computer—and very likely the one that landed 
him in jail—had been disarmed.

The cyberwar in Syria rages on. Othman and others like him spend hours 
fending off attacks on their VPNs. He says he knows of at least two 
activists who were detained and killed after their computers were 
undermined. Scott-Railton continues to relay reports of compromised 
accounts and fake Web pages to contacts in the tech industry. “Every 
day, I get contacted by Syrians with security concerns,” he says. 
Marquis-Boire is doing his best to trace the attacks back to their 
source.

Since Karim’s release from detention and his escape from Syria earlier 
this year, he has lived in Jordan. When he recently ran a scan on his 
new computer, he found he had been infected once again. “I receive 
thousands of e-mails, videos, and requests and images from activists and 
friends,” he says. “And there are a lot of people who I don’t know who 
they are.” In July the Syrian Electronic Army, a pro-government group, 
released what it said were 11,000 user names and passwords of “NATO 
supporters,” meaning members of the Syrian opposition.

In October, I attempted to contact the Syrians involved in the 
government’s cyberwar. Before doing so, I changed most of my passwords. 
I set up two-step verification on my Gmail account, an extra layer of 
security that makes it harder for hackers to take over an account 
remotely. I installed the Tor Browser Bundle and updated the WordPress 
software on my website. And then I dropped a line on Twitter to 
@Th3Pr0_SEA, an account that describes itself as belonging to the leader 
of the Special Operations Department of the Syrian Electronic Army, the 
most visible virtual actor on the government side. @Th3Pr0_SEA wrote 
back soon after, and we agreed to meet on Google Chat. Minutes later, 
somebody tried to reset the password of my Yahoo Mail account.

@Th3Pr0_SEA wouldn’t tell me much about himself. Two members of his 
organization had been kidnapped and murdered by members of the 
opposition, he said, after posting under their real names on Facebook. 
He told me he had been a student when the uprising began. When I asked 
his religion, he answered, “i’m Syrian :)”

Researchers have described the Syrian Electronic Army as a 
paramilitary-style group working in coordination with the country’s 
secret services and linked to the Syrian Computer Society, a government 
organization once headed by Assad himself before he became president. In 
our chat, @Th3Pr0_SEA denied the connection, repeating the group’s 
claims that it’s not an official entity and that its membership is 
unpaid, motivated only by patriotism. When I asked why the group’s 
website was hosted on servers owned by the Syrian Computer Society, he 
answered that his group paid for the service. “If we host our website 
outside of Syria servers, it will get deleted and probably hacked,” he 
wrote.

Before I finished my interview with @Th3Pr0_SEA, I asked him whether he 
had been the one who tried to reset my Yahoo password. He denied it. “i 
think someone saw you,” he said, “when you talked me on twitter.” He 
also told me, “there is a big surprise from Special Operations 
Department coming soon, but i can’t tell you anything about it.”

-- 
ilf

Über 80 Millionen Deutsche benutzen keine Konsole. Klick dich nicht weg!
		-- Eine Initiative des Bundesamtes für Tastaturbenutzung


More information about the liberationtech mailing list