
How foreign governments spy using PowerPoint and Twitter - peter_tonoli
https://www.washingtonpost.com/posteverything/wp/2016/08/02/how-foreign-governments-spy-using-email-and-powerpoint/
======
slr555
The malware known as PowerPoint has infected millions of systems worldwide and
has cost businesses, NGOs and governments untold billions in lost
productivity. PowerPoint files seem to be self-spawning and capable of
infinite replication in the wild. Small variations in the PowerPoint files
force administrators to keep endless permutations of these highly virulent
files.

PowerPoint is often introduced into an organization by highly sophisticated
threat actors using deeply customized versions of the software. McKinsey, BCG,
and Bain deploy the PowerPoint malware to a multiplicity of customers whose
human capital and infrastructure become mired in endless recursive loops known
as PowerPoint cycles.

The actual introduction of PowerPoint is typically merely incidental to these
threat actors' ambitions. Most often they derive substantial portions of their
income by reselling organizations' intellectual property which they already
own.

Once the organization's systems become bogged down in ever more bloated PowerPoint
files, productivity plummets. Morale drops among employees, and management often
re-engages the threat actors to attempt to right the ship.

The PowerPoint Malware is seemingly unstoppable at this point. Any computers
that contain it should be air gapped and protected by highly restricted
physical access.

------
grecy
I like the word "foreign" in the title, which I assume is to imply the US
government is not doing this. It's also neat how they point out examples of
all the "bad" countries doing this, but of course none of the "good" ones.

Given I'm not American, the US government is "foreign" to me.

~~~
rrggrr
I'll tell you what the USGOV isn't doing. They're not jailing twitter
dissidents. They're not sniping protestors from rooftops. They aren't
destroying the credit ratings of political dissenters. They aren't even doing
a very good job of using Twitter or other technologies to communicate all the
good humanitarian work the USGOV does in the world. There are times I wish the
US would disengage from the world so humanity can be reminded of what it's like
to live without a generally benevolent hegemonic power.

~~~
Steer
I feel this is a straw man. I'm Swedish, but have always loved the US for some
strange reason. I still do, but that doesn't mean that the US is perfect in
any way, shape or form. It is a fantastic country with many flaws. You are
obviously right in much of what you write, but that does not excuse a lot of
the things that the NSA et al. do in the name of freedom. My point is just that
we should not hold ourselves to the lowest of standards ("We're better than
<non-democratic country>" is not a good excuse).

~~~
kobayashi
Au contraire, it is actually you who is creating a Straw Man. rrggrr doesn't
write that the US is perfect, but rather, s/he writes that the US is a
"generally benevolent hegemonic power".

~~~
ionised
> generally benevolent

It's not benevolent, that's pure propaganda at work. It's a nation that acts
in its own interests like any other. It just disguises them extremely well.

------
Matt3o12_
> Among the malware was a malicious spyware, including a remote access tool
> called “Droidjack,” that allows attackers to silently control a mobile
> device. When Droidjack is installed, a remote user can turn on the
> microphone and camera, remove files, read encrypted messages, and send
> spoofed instant messages and emails.

How is this even possible? I have always considered phones to be more secure
than PCs due to additional security measures (such as sandboxing for every app
as well as more fine-grained permission systems).

I'm aware that malware can be installed on a phone, but I always thought I was
required to explicitly allow that (at least on Android), and I thought it was
impossible on iOS without jailbreaking.

Or does this app use some zero-days that were discovered years ago but
have not been patched because of Android's broken update policy?

More information on how this works would be highly appreciated.

~~~
fhood
I don't know about droidjack specifically, but your phone is not at all
secure, particularly for android. All it takes is a little bit of bad C code
to cause an overflow of some sort. Combine that with widely available
unencrypted firmware and you have a real vulnerability.

~~~
bitmapbrother
Are you implying that you could create an Android exploit with "little bit of
bad C code"? If so, I'm not sure you understand how exploits work and the work
required to get around all of the mitigations in place.

~~~
girvo
Depends. Once you get root--and as others have noted above, that's far easier
than it should be on most handsets--all bets are off really.

------
codelitt
I've been volunteering teaching Latin American journalists how to research,
communicate, and store data privately to protect themselves and their sources
against attackers. The threat against freedom of expression there is just as
real as it is with oppressive regimes in other parts of the world although
they don't get nearly as much attention as the Middle East. This article
doesn't highlight enough the need for volunteers and professionals to lend a
hand. Most recently I've been working with journalists in Venezuela. If you
know anything about Venezuela you should know that they have an incredibly
oppressive government and they also have had massive inflation further
eliminating their buying power. Things like a $3 (USD) a month VPN are hard
for a middle class citizen to afford.

I'm trying to remember where I saw it, but there was a journalist who showed
over the past year how much food 1000 bolivars bought. At the beginning of the
photo essay, she could have fed a family for a week. By the end, it was barely
enough for 1 person for a meal.

Anyone can really help out and make a difference too. Not just in LATAM, but
around the world. The amount of knowledge about cybersecurity, threat models,
and risks associated with electronic communications spans a wide range. Of
course you have civil society groups who know how to use PGP, but there are
others who still rely on Facebook Messenger to communicate with sources and
keep passwords sticky noted to their computer screen.

Edit: Also wanted to note that it's pretty great what Citizen Labs is doing.
Other great resources for learning/teaching/staying updated ( in both English
and Spanish and several others) can be found on the EFF's website -
[https://ssd.eff.org/en/playlist/journalist-move](https://ssd.eff.org/en/playlist/journalist-move)

------
pcr0
Took a look at DroidJack[0], and it's impressively nefarious. Seems like
Android is Windows all over again when it comes to security. I already see
people running virus scanners on their phones.

[0]: [http://www.symantec.com/connect/blogs/droidjack-rat-tale-how-budding-entrepreneurism-can-turn-cybercrime](http://www.symantec.com/connect/blogs/droidjack-rat-tale-how-budding-entrepreneurism-can-turn-cybercrime)

~~~
tdkl
OK, it's a RAT, but how do we get from receiving a supposed .ppt via email to
having the DroidJack .apk installed on the system? Assuming the user isn't tricked
into confirming the install (not to mention disabling the manual apk install
protection).

~~~
Buge
I'm not sure if this was how it's done. But if the app is on the Play store,
it can be remotely installed on your Android device via the Play website.

~~~
tdkl
Ah, it's all described perfectly here [1] and Android specifically [2]:

[1]
[https://citizenlab.org/2016/08/group5-syria/](https://citizenlab.org/2016/08/group5-syria/)

[2]
[https://citizenlab.org/2016/08/group5-syria/#part4](https://citizenlab.org/2016/08/group5-syria/#part4)

Good old fake Flash update. But it still relies on the user to install it, so
nothing sophisticated or "Android is bad" here.

If anything, the PowerPoint malware looks interesting. The .ppsx extension
kinda gives it away, since it's unusual for casual presentations, but that's
hard to spot for Joe User.

~~~
duaneb
The fact that installing an app can give people arbitrary access to your phone
without understanding WHAT you installed definitely implies Android app
installation is broken in some way.

~~~
tdkl
Well, it's exactly what the warning popup when enabling side-loading states ;]
But it's still possible, so that's pretty fine in my book compared to the
fruit company.

~~~
duaneb
It's a little too easy for non-technical users to accidentally enable it. The
moms & pops of the world would probably never need to side-load.

~~~
Nullabillity
Who is the right person to decide who "needs" to side-load?

Besides, there are loads of legitimate reasons to, there's a reason Humble
Bundles aren't a thing on iOS.

~~~
duaneb
> Who is the right person to decide who "needs" to side-load?

The person who decides to explicitly opt in to allowing side-loading. Just
don't allow apps, web pages, etc etc to opt-in for you to ensure the
technically non-adept have a difficult time getting themselves into trouble.

~~~
Nullabillity
Which is already the case...?

------
walrus01
From an endpoint security perspective, 'activists' really need to be trained
not to just click on everything blindly and to open everything suspicious in a
sandbox.

Yes it's possible to escape from a VM, but it's significantly harder to code
executable malware that will escape from, for example, a Windows 10 VM running
inside Virtualbox on an XUbuntu/XFCE4 host laptop.

------
adrianN
Exporting software to spy on people should be regulated similarly to weapons
exports, I feel.

I wonder what kind of programmer works for companies that produce this
spyware...

~~~
mtgx
I have a feeling tech companies would oppose that, because there is little
difference between "governments spying on people" like this, and companies
tracking people everywhere, and building shadow profiles of them (like what
Facebook Like and Google Analytics are doing).

This is why Schneier is calling it "surveillance as a business model":

[https://www.schneier.com/blog/archives/2013/11/surveillance_as_1.html](https://www.schneier.com/blog/archives/2013/11/surveillance_as_1.html)

~~~
gbin
I don't agree, the intent has to be taken into account: hackers working at
Vupen for example don't work to make a better Google analytics, they work
exclusively to circumvent existing protections to expose private data to
random third parties whatever the human consequences are as long as they
profit from it.

~~~
posterboy
> the intent has to be taken into account

no offense intended, but ...

------
sandworm101
Puff piece. Despite "twitter" being in the title, the article doesn't discuss
Twitter. The title's use of the word "how" also suggested I might read
something about the technology involved, something like a backdoor in the
Twitter API. Nope. No discussion whatsoever about the hows. In short:
Governments use spyware. Thank you, Washington Post, for that important public
service announcement.

~~~
justinlardinois
> Despite "twitter" being in the title, the article doesn't discuss twitter.

From the article:

> In May 2016, we uncovered a Twitter-based digital malware campaign seemingly
> orchestrated by the United Arab Emirates, which resulted in the arrest and
> torture of numerous activists and journalists there.

~~~
sandworm101
Yes. One mention. No discussion. No indication as to why Twitter is in the
title, as opposed to any other service. This is puff/clickbait.

------
themodelplumber
How do the Twitter attacks work? Just malware links on the Twitter service
that are working via the spear phish? The article didn't seem to go into any
detail there.

~~~
strictnein
Not entirely sure how that system worked, but a Russian attack used Twitter as
a sort of Command and Control system:

[https://www.fireeye.com/blog/threat-research/2015/07/hammertoss_stealthy.html](https://www.fireeye.com/blog/threat-research/2015/07/hammertoss_stealthy.html)

PDF has more details here: [https://www2.fireeye.com/APT29-HAMMERTOSS-WEB-2015-RPT.html](https://www2.fireeye.com/APT29-HAMMERTOSS-WEB-2015-RPT.html)

------
dbalan
The original report has a much more detailed explanation with all the facts[1]. I was
left wondering how a ppt downloaded an app onto an Android phone.

[1]
[https://citizenlab.org/2016/08/group5-syria/](https://citizenlab.org/2016/08/group5-syria/)