
Gamma FinFisher hacked: 40 GB of internal documents and source code published - srslack
https://netzpolitik.org/2014/gamma-finfisher-hacked-40-gb-of-internal-documents-and-source-code-of-government-malware-published/
======
o3877
Although many of the files in the leak are PGP encrypted, the files contained
the Key ID of the destination. I ran these through various keyservers to
determine who the recipient of the files happened to be, but the results were
not too interesting:

This key is a NL law enforcement officer:

    pub 1024D/5A14D578 2003-02-21
    uid Jochen van der Wal
    sub 2048g/00BE9690 2003-02-21

This key appears to be a part-owner of a German private contractor (VERVIS):

    pub 1024D/66878388 2013-04-17
    uid Alfons Rauscher <alfons.rauscher@vervis.de>
    sub 2048g/8269976E 2013-04-17

This key is for a gentleman who describes himself as a "Senior Security
Specialist & Consultant for Law Enforcement and Intelligence Agencies around
the world.":

    pub 2048R/3F895273 2013-03-05 [expires: 2018-03-04]
    uid Alexander Hagenah <ah@primepage.de>
    sub 2048R/F166F2CA 2013-03-05 [expires: 2018-03-04]

This key turns up pretty much nothing:

    pub 2048D/89A4703C 2013-07-04 [expired: 2014-07-04]
    uid USB on Fire <usbonfire@gmail.com>

Same with this one:

    pub 1024D/85E86971 2009-06-12
    uid campo@campinator.com (New key 12/6/09) <campo@campinator.com>
    sub 4096g/C3F3EC1B 2009-06-12

These are obviously Gamma's (although the first has a typo):

    pub 2048R/D81082F4 2012-03-08
    uid Melvin Teoh (Gamma Group) <mt@gammmagroup.com>
    pub 2048R/A7A4AC21 2013-03-05
    uid Hari Purnama (pgp) <hp@gammagroup.com>

The full list of keys, should you be able to correlate these with the
oppressive regime of your choice:

    6ABDA7D0 4FB534CB 42C2DDCE E061DE51 0FEB4CFF 0FC82479 1B14387E 6D531E64
    65BACA20 CBFF2AB4 BA87B977 8E037629 6ABDF71F 9C3E839A 331A704A 6225EAA0
    780E8451 77B11C19 7704B771 A7A4AC21 2B9A229A 2C52A5C8 F166F2CA C47B1004
    695D98C9 70A03877 C56A85E9 4E676679 7774F144 C3F3EC1B 9BBDD293 F5946EA8
    F158ADF2 D81082F4 58143658 3471B217 06E990A5 8269976E 00BE9690 CF246B05
    280AD26F B03A5EA9 977E9F54
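A way to pull those recipient Key IDs out of the .gpg files programmatically, added here as an example that is not part of o3877's post: every OpenPGP message begins with one Public-Key Encrypted Session Key packet per recipient (RFC 4880), and each packet carries the recipient's 64-bit key ID in the clear, which is why recipients can be identified without holding any private key. The parser below walks the packet headers and collects those IDs. The sample message, its key ID and the minimal RSA body are constructed for the example; an all-zero key ID is the spec's wildcard for a recipient the sender chose to hide. The 8-character IDs in the post are the low 32 bits of these 64-bit IDs, and short IDs are not unique and can be deliberately collided, so a keyserver match on one is a lead rather than an identification. `gpg --list-packets` prints the same packets for a real file.

```python
import struct

# OpenPGP packet tags (RFC 4880 section 4.3)
PKESK_TAG = 1              # Public-Key Encrypted Session Key: one per recipient key
SKESK_TAG = 3              # Symmetric-Key Encrypted Session Key: a passphrase recipient
ENCRYPTED_TAGS = {9, 18}   # the payload itself; no recipient packets follow it


def read_packet_header(buf, pos):
    """Parse the packet header at buf[pos]; return (tag, body_start, body_len)."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError(f"byte 0x{first:02x} at offset {pos} is not a packet header")
    if first & 0x40:                       # new-format header (section 4.2.2)
        tag = first & 0x3F
        l1 = buf[pos + 1]
        if l1 < 192:
            return tag, pos + 2, l1
        if l1 < 224:
            return tag, pos + 3, ((l1 - 192) << 8) + buf[pos + 2] + 192
        if l1 == 255:
            return tag, pos + 6, struct.unpack(">I", buf[pos + 2:pos + 6])[0]
        raise ValueError("partial body length in a session-key packet")
    tag = (first >> 2) & 0x0F              # old-format header (section 4.2.1)
    length_type = first & 0x03
    if length_type == 0:
        return tag, pos + 2, buf[pos + 1]
    if length_type == 1:
        return tag, pos + 3, struct.unpack(">H", buf[pos + 1:pos + 3])[0]
    if length_type == 2:
        return tag, pos + 5, struct.unpack(">I", buf[pos + 1:pos + 5])[0]
    raise ValueError("indeterminate-length packet")


def recipient_key_ids(message):
    """Return (key_ids, passphrase_recipient) for a binary OpenPGP message.

    key_ids lists the 64-bit key IDs from the PKESK packets as upper-case hex;
    an all-zero key ID is reported as "HIDDEN" (the sender used --throw-keyids).
    passphrase_recipient is True if an SKESK packet is also present.
    """
    key_ids, passphrase = [], False
    pos = 0
    while pos < len(message):
        tag, start, length = read_packet_header(message, pos)
        body = message[start:start + length]
        if tag in ENCRYPTED_TAGS:
            break                          # all recipients are listed before the payload
        if tag == PKESK_TAG:
            if len(body) < 10 or body[0] != 3:
                raise ValueError("unsupported PKESK packet version")
            key_id = body[1:9]             # version byte, then the 8-byte key ID
            key_ids.append("HIDDEN" if key_id == bytes(8) else key_id.hex().upper())
        elif tag == SKESK_TAG:
            passphrase = True
        pos = start + length
    return key_ids, passphrase


def short_key_id(long_id):
    """The 32-bit 'short' ID gpg prints by default: the low four bytes of the long ID."""
    return long_id[-8:]


def build_pkesk(key_id, old_format=True):
    """Construct a minimal PKESK packet: v3, key ID, RSA (algo 1), one dummy 16-bit MPI."""
    body = b"\x03" + key_id + b"\x01" + b"\x00\x10\xab\xcd"
    header = bytes([0x84, len(body)]) if old_format else bytes([0xC1, len(body)])
    return header + body


# Constructed sample: two recipients (the second hidden), then a SEIPD packet (tag 18).
SAMPLE_MESSAGE = (
    build_pkesk(bytes.fromhex("0123456789ABCDEF"))          # constructed key ID
    + build_pkesk(bytes(8), old_format=False)
    + bytes([0xD2, 0x05]) + b"\x01\x00\x00\x00\x00"
)

if __name__ == "__main__":
    ids, sym = recipient_key_ids(SAMPLE_MESSAGE)
    for kid in ids:
        print(kid, "short:", short_key_id(kid) if kid != "HIDDEN" else "-")
    print("passphrase recipient:", sym)
```

The parser handles binary messages only; ASCII-armoured files need the armour removed first (`gpg --dearmor`).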

------
dmix
Canadian IP addresses show up as 5% in June 2010 in the leaked web analytics
screenshots for FinFisher's support website:

[https://imgur.com/krvsa9F](https://imgur.com/krvsa9F)

This coincides with G20 Toronto in June 2010, where one of the largest mass
arrests in Canadian history happened (1100 people in total were detained)
and where the Toronto police invested hundreds of millions of dollars in
surveillance and security:
[https://en.wikipedia.org/wiki/2010_G-20_Toronto_summit](https://en.wikipedia.org/wiki/2010_G-20_Toronto_summit)

The Canadian gov has also recently attempted to make hacking people's phones
with a warrant legal, as part of a sprawling 'cyberbullying' law.

[http://news.nationalpost.com/2014/06/10/proposed-cyberbullyi...](http://news.nationalpost.com/2014/06/10/proposed-cyberbullying-law-would-let-police-remotely-hack-into-computers-mobile-devices-or-cars/)

------
SchizoDuckie
Great... they have MBR infections too..

The SQL database contains a lot of support tickets detailing the internal
workings of some of the exploits and attacks:

    
    
      2x MBR Infection - Windows XP 32bit SP3 
      One of them is on 2.41 and one is on 2.51 
      Master is 3.0
    
      After the upgrade to v3 the targets are online and connectible. Very fine. And everything worked flawlessly until the upgrade.
      Except the fact, that *no* module is installed anymore and of course cannot be added. Means, no modules can be seen neither in live session nor in configuration.
      Therefore, the targets are useless since then.
    
      FYI: The attached error ./TargetActivity/$ID/$ID.log didnt show up anytime before and is Target reports error -10017 now reoccurring all the time.

~~~
SchizoDuckie
The exploit Java code seems to have been taken straight from this article:

[http://www.exploit-db.com/papers/12991/](http://www.exploit-db.com/papers/12991/)

[https://github.com/FinFisher/FinFly-Web/commit/d4f184e394f6a...](https://github.com/FinFisher/FinFly-Web/commit/d4f184e394f6a88f6d2a67ac6a70a187b4eed033)

------
rdl
I wonder how long until someone does "FinFisher, Community Edition".

While FinFisher was a huge threat to people like democracy advocates in
Bahrain (which is what I am hopefully speaking about at SXSW 2015...), now
it's out there and even FVEY friendly organizations need to fear it.

FFCE should be usable by pure criminal or even script kiddie type
organizations. FF was a pretty decent package, but freed of licensing
constraints and designed for more autonomous deployment, FFCE should rapidly
surpass it.

(EDIT: Apparently not too long:
[https://github.com/FinFisher](https://github.com/FinFisher))

~~~
higherpurpose
That's done by the company itself, though. Not sure how this is going to serve
them. Won't everyone (who cares about this) see exactly what they are trying
to do, and then fight against it? I saw Jake Appelbaum even ask the Chrome
team to pay attention to it, so they know how to protect users against it.

Also, the same way Popcorn Time repositories got banned from Github, couldn't
this be banned, too, for malware/cybercrime, etc? What's Github's policy on
that?

~~~
starnixgod
popcorntime was "banned" due to a DMCA takedown requested by the
MPAA[1] and not for violating Github rules, which are pretty permissive[2].

1. [https://github.com/github/dmca/blob/3ccbdf1e3d20c78616c9a095...](https://github.com/github/dmca/blob/3ccbdf1e3d20c78616c9a0953b387c6a0e6bfc52/2014-07-11-MPAA.md)

2. See G7 - [https://help.github.com/articles/github-terms-of-service](https://help.github.com/articles/github-terms-of-service)

~~~
jevinskie
Ah, what a "fun" repo. I feel somewhat proud to have contributed code to a
repo that was part of the first DMCA takedown that Github has in the dmca
repo.

[https://github.com/github/dmca/blob/master/2011-01-27-sony.m...](https://github.com/github/dmca/blob/master/2011-01-27-sony.markdown)

------
thefreeman
For the curious, here is a magnet link of the leaked dump (38.7 GB):

    
    
        magnet:?xt=urn:btih:4e8564f0edcb3875ad2dbb9658ca3d615cc6c152&dn=finfisher&tr=http://bt.careland.com.cn:6969/announce&tr=udp://tracker.coppersurfer.tk:6969/announce&tr=udp://tracker.openbittorrent.com/announce

~~~
anemic
Looking at the file list, most of the interesting stuff ends with .gpg, so if
the key is not included it seems like a waste of bandwidth.

~~~
rdl
Best practice for this kind of leak is widely distributing encrypted files and
then later distributing the key.

~~~
Alupis
or a dead-man's switch release if something happens to the key holder...

------
djent
Reddit disclosure:
[http://www.reddit.com/r/Anarchism/comments/2cjlop/gamma_inte...](http://www.reddit.com/r/Anarchism/comments/2cjlop/gamma_international_leaked/)

HN discussion:
[https://news.ycombinator.com/item?id=8142465](https://news.ycombinator.com/item?id=8142465)

------
x0x0
First takeaway from here [1] and the other docs:

1 - don't allow physical access to your machine. If you are worried about
nation state actors, consider filling FireWire and USB ports with super glue.

2 - don't use Skype.

[1] [https://netzpolitik.org/wp-upload/FinSpyPC.4.51.ReleaseNotes...](https://netzpolitik.org/wp-upload/FinSpyPC.4.51.ReleaseNotes.pdf)

~~~
wlesieutre
Or if you do use Skype, use the Metro version, which finfisher allegedly can't
eavesdrop on.

Original source was on Dropbox and is overloaded, but here's a link on
Slashdot:
[http://beta.slashdot.org/story/205507](http://beta.slashdot.org/story/205507)

~~~
sbierwagen

      Or if you do use Skype, use the Metro version, which 
      finfisher allegedly can't eavesdrop on.
    

What? Bullshit. Why would Microsoft remove the law enforcement backdoors in
the Metro version?

~~~
wlesieutre
I haven't seen any indication that FinFisher is using deliberate backdoors
from MS; from the article it sounds like it's just installing your typical
spyware via exploits in things like PDF and XLS files.

But as wslh points out, the assertion that Metro's sandbox makes things more
secure isn't accurate. I can't get to the Dropbox page either, so I'm not sure
whether it's saying "FinFisher isn't able to eavesdrop on Metro for technical
reasons" or "FinFisher can't eavesdrop on Metro because they haven't
implemented that yet."

Either way, isn't this a separate issue from any surveillance access Microsoft
is providing? One is local spyware grabbing your communications on your
computer, and the other is Microsoft grabbing the data as it goes through the
Skype servers. I know Microsoft has that capability for text chats [1], and I
assume it's the same deal for audio streams.

Making the Skype client less vulnerable is no more closing law enforcement
access than if Apple fixed a vulnerability in Mail.app while continuing
to hand out your iCloud emails to law enforcement agencies.

[1] [http://arstechnica.com/security/2013/05/think-your-skype-mes...](http://arstechnica.com/security/2013/05/think-your-skype-messages-get-end-to-end-encryption-think-again/)

~~~
sbierwagen
Which is mostly the point, I guess.

If the feds want to listen in on your calls they have several options:

    
    
      1.) Use a 0day exploit in Skype client software.
      2.) Use the LE backdoors on the local machine.
      3.) Install a rooted version of Skype using some other Windows 
          0day or LE backdoor.
      4.) Just record any sound the microphone hears.
      5.) Capture traffic as it travels across the backbone.
      6.) Capture traffic as it travels through Microsoft's 
          central servers.
      7.) Capture traffic at the other end if the callee is using
          an old version of Skype.
    

Saying "the feds can't spy on you if you use Metro Skype" is in one narrow
sense true, and in a wider sense outrageously, mendaciously false. If they
can't do #1, they'll do #2-7.

~~~
wlesieutre
The noise I've heard about FinFisher has been less about its use in Western
countries, and more about Gamma selling it to oppressive regimes that use it
against protestors.

If your goal is to keep your calls away from Egypt's State Security
Investigations Service, by all means use metro Skype. If you're trying to hide
from a country with law enforcement access to Skype's backend, then don't. But
I don't see what the latter has to do with FinFisher.

As far as recording things from the mic outside of Skype, if FinFisher does
that you're probably toast regardless. I haven't dug into the technical
details, but I've seen it mentioned that it can deliver arbitrary payloads.
Someone who reads through the doc dump will hopefully be able to confirm what
exactly they've been doing with it.

~~~
x0x0
Yeah, most of this FinFisher stuff appears to be for surveillance states (plus
assholes like the NSA), not real law enforcement. Real cops / FBI can get a
warrant and go straight to Microsoft, who appears to have very good Skype
capture ability. Why would you screw around with all this nonsense when all it
takes is a couple hours of a DA's time to draft a warrant, a trip to see a
judge (assuming you have a reasonable cause), then a fax to Microsoft? Unless
of course the reasonable cause thing is tripping you up...

ps -- that's not to say our governments aren't well aware of what FinFisher is
doing. I bet the fastest way to seriously piss the NSA/various pigs off is to sell
an exploit before sharing it with the US/5 eyes. I mean, they don't "know
know", but they know, the same way we know damn well what goes on in
extraordinary rendition, though we all run around pretending to be shocked,
shocked! that there's torture in Egyptian prisons...

------
Finny
In www/GGI/SecureLink/secure_link.php, I present to you the password of the
year:

    $SecureLinkKey="finfisher!@#$%^"; // Set to random string used to encrypt links

~~~
psykovsky
So random...

------
pwnna
> An intelligence agency used FinFly ISP in the main national Internet Service
> Provider network. It was enough for the system to only know the target’s
> log-in information into the ISP network to be able to deploy a remote
> monitoring solution on his computer and monitor him from then onwards.

Wow. See [https://netzpolitik.org/wp-upload/FF_SolutionBrosch%C3%BCre_...](https://netzpolitik.org/wp-upload/FF_SolutionBrosch%C3%BCre_RZ_web.pdf) for FinISP.

~~~
DINKDINK
Does this imply a designed back-door?

~~~
superuser2
From Wikipedia:

> FinFisher can be covertly installed on targets' computers by exploiting
> security lapses in the update procedures of non-suspect software

Also, see: [http://blogs.wsj.com/digits/2011/11/21/surveillance-company-...](http://blogs.wsj.com/digits/2011/11/21/surveillance-company-says-it-sent-fake-itunes-flash-updates-documents-show/)

So, apparently, no - just that most targets are running at least one
application that downloads updates on an insecure channel. Because general-
purpose OSes don't isolate applications from each other like, say, iOS, it
would only take one neglected utility performing a software update over plain
HTTP to be able to turn MITM into remote code execution with access to your
entire computer.

If you are an ISP, you can of course commit MITM of HTTP traffic on any of
your customers trivially.

The WSJ also shows a screenshot of a faked "download the latest version of
flash player" screen, presumably on a non-HTTPS site. If your ISP is also a
trusted CA (which I believe is not rare) they could also be MITMing HTTPS
traffic as well.

It would seem that if you _and all of the software you run_ use HTTPS all the
time and if your OS enforces code-signing so that, i.e., only Apple can patch
iTunes, you're pretty much immune. A VPN might provide some defense, but the
ISP with which your VPN terminates could be ordered to perform/allow the same
kind of MITM attack with the same result.

Interestingly, this sort of attack featured heavily in the Girl with the
Dragon Tattoo series, except that she and her friends (lacking control of
ISPs) would actually go to people's houses while they were out and wire
MITMing devices into their cable/DSL connections. Having administrator-level
access to an ISP would obviate the need for field operations, hence the NSA's
infamous "I hunt sysadmins."

------
allegory
A big round of applause to whoever did this.

~~~
fabulist
I'm worried for this individual's safety.

~~~
allegory
I'm not. Too many eyes on this now.

~~~
fabulist
Maybe I'm missing something in the article, or disclosed elsewhere, but we
don't know who s/he is. If the CIA put Thorium in their sushi, we'd have no
way to connect the dots.

Edit: I think they'd be far more likely to prosecute them than assassinate
them though.

------
centizen
Looks like the site might be under attack or just overwhelmed by traffic.
Here's the Google cache for those who can't access the site:

[http://webcache.googleusercontent.com/search?q=cache:https:/...](http://webcache.googleusercontent.com/search?q=cache:https://netzpolitik.org/2014/gamma-finfisher-hacked-40-gb-of-internal-documents-and-source-code-of-government-malware-published/&strip=1)

------
fabulist
Governments need to stop using private contractors for such sensitive
projects. It exponentiates their attack surface, and as Peter Zatko pointed
out[1], they have little incentive to defend themselves; if another state
steals a covert capability from a defense contractor, the government's
response is to... hire a defense contractor to replace it with a new, improved
capability.

[1]
[http://www.youtube.com/watch?v=oBtzaRHqP2c](http://www.youtube.com/watch?v=oBtzaRHqP2c)

Edit: perhaps I should clarify that I don't actually support governments doing
this.

~~~
mikeyouse
> Governments need to stop using private contractors for such sensitive
> projects.

This is a problem I've been wondering about for a little while now. A sitting
US Senator is only paid $174,000/year. 100 of the most powerful men/women in
the country, passing trillions of dollars in spending bills, are paid roughly
what a mildly experienced engineer makes at Google.

What do you think the average salary of a team capable of producing and
securing software like FinFisher would be in a competitive market? Surely more
than $174,000/year, right? This presents a problem for the hierarchical nature
of our government salary base. What possible incentive can you offer to get
the highest quality workers with the prospect of 'hearings' for wasteful
spending looming over you at every election season?

------
tedks
Seems like the original author is only commenting on Reddit. It's surprising
that this was posted to /r/Anarchism instead of a bigger subreddit like
/r/tech or /r/politics. That makes me think that the original leaker was
already involved in the /r/Anarchism community in some way.

Interesting comments from the author on the Reddit thread:

"""

Not just replying to you, but directed at everyone that'll say I should've
leaked it to some organization and that it's 'irresponsible' to dump the raw
data on everyone or something:

I'm unconvinced that news stories about government's surveillance capabilities
are actually effective in fighting those systems of control. Listening to
stories all day about how we're all being hacked and spied on just feels
disempowering. When everyone can participate it's more empowering, more fun,
and far more effective. Gamma deliberately avoided storing identifying
information about their customers, the customers I've managed to identify so
far are from looking at the metadata in the documents they sent finfisher
support staff and other mistakes they made. The more eyes looking at it, the
more we'll find. I want the researchers at citizen lab and elsewhere who have
been researching finfisher attacks to use this data in whatever way it'll help
them. I want whoever wants to try their hand at forensics to be able to look
through it and find what they can about Gamma's customers. I want programmers,
hackers, and reverse engineers to have access so they can analyze the software
and take it apart. In enabling people with diverse talents to actively
participate in the research, we can hopefully develop a better understanding
of the tools, organizations, and methods of operation involved in these
attacks so that those targeted can actually defend themselves, not just read
headlines about how powerful the organizations targeting them are. I want
everyone having access to the data, not just the headlines! Seed the torrent!

"""

"""What rechelon said about the EFF. They're reformist lawyers that do some
good work, but are terrified of anything too radical or illegal. There's no
way they'd touch this, they aren't wikileaks. In the unlikely event that I
ended up on trial for this, EFF probably wouldn't even help with the legal
defense. They help with some hacking related cases like weev's or DeCSS,
because those cases were on the edge of the law and legal precedent was being
set. The EFF does not defend computer hackers if it's not setting legal
precedent and aligning with their reformist goals.

"""

It'll be very interesting to see how this aspect plays out. I expect
"anarchist hacker" headlines before long.

~~~
nilved
I wonder if those passages are enough to perform style analysis. reddit
doesn't let us search comments, but we know they're a member of /r/Anarchism.
These parts seem identifying to me:

* Capital letters and proper punctuation. Investigating the source code shows that they one-space.

* Single quotes, not double quotes, around individual words.

* Repetition in triplets with a serial comma ("...more empowering, more fun, and far more...", "...programmers, hackers, and reverse engineers...").

* No semicolons, sparing use of exclamation points at the end of comments only.

* Always uses contractions.

With further analysis we could probably find regional dialects, average
sentence length, rate of punctuation use, etc. Crawling /r/Anarchism with those
criteria could identify them.

Pure guesses and speculation follow: the hacker probably posts comments on
/r/Anarchism. With 50,000 subscribers, there may be about 5,000 commenters. Of
those, perhaps 80% of them put one space after a period. So, with only that
criterion, we've reduced the anonymity set to 4,000 people.

For what it's worth, I commend their efforts (and am seeding the hell out of
the torrent) but think it was a serious mistake to make a post announcing it.
They should have posted it on major sites anonymously, not pseudonymously. To
post prose online risks being identified by stylometrics or things like time
between key presses, etc. (Perhaps these could be defeated by copy and pasting
to and from Google Translate.)
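The markers nilved lists are all simple surface counts, and the cheapest way to see what a passage gives away before posting it is to compute them on your own draft. The profiler below, added here as an example and not part of nilved's post, counts exactly those markers (contractions, single- vs double-quoted words, serial-comma triplets, semicolons, exclamation marks, one vs two spaces after a sentence) and reports them as one feature vector; the sample text is a few sentences from the leaker's Reddit comment quoted upthread. Real stylometry tools then compare such vectors against a corpus of candidate authors, which is why a profile on its own is a hint about the anonymity set, not an identification.

```python
import re

# One regex per marker from the post. Apostrophes inside words are kept apart
# from quotation marks so contractions and quoted words do not double-count.
CONTRACTION_RE = re.compile(r"\b\w+'(?:ll|re|ve|d|s|t|m)\b", re.IGNORECASE)
SINGLE_QUOTED_RE = re.compile(r"(?<!\w)'([^'\n]+?)'(?!\w)")
DOUBLE_QUOTED_RE = re.compile(r'"([^"\n]+?)"')
# three list items of up to three words each, joined with a serial comma: "a, b, and c"
SERIAL_TRIPLET_RE = re.compile(r"(?:[\w']+ ){0,2}[\w']+, (?:[\w']+ ){0,2}[\w']+, and [\w']+")
ONE_SPACE_RE = re.compile(r"[.!?] (?=[A-Z])")
TWO_SPACE_RE = re.compile(r"[.!?]  +(?=[A-Z])")
SENTENCE_SPLIT_RE = re.compile(r"(?<=[.!?])\s+")


def style_profile(text):
    """Count the surface markers listed in the post and return them as one dict."""
    sentences = [s for s in SENTENCE_SPLIT_RE.split(text.strip()) if s]
    words = [len(s.split()) for s in sentences]
    return {
        "sentences": len(sentences),
        "mean_words_per_sentence": round(sum(words) / len(words), 1) if words else 0.0,
        "contractions": len(CONTRACTION_RE.findall(text)),
        "single_quoted": len(SINGLE_QUOTED_RE.findall(text)),
        "double_quoted": len(DOUBLE_QUOTED_RE.findall(text)),
        "serial_comma_triplets": len(SERIAL_TRIPLET_RE.findall(text)),
        "semicolons": text.count(";"),
        "exclamations": text.count("!"),
        "one_space_after_sentence": len(ONE_SPACE_RE.findall(text)),
        "two_spaces_after_sentence": len(TWO_SPACE_RE.findall(text)),
    }


def markers_present(profile):
    """Boolean view: which of the post's five markers the profiled text exhibits."""
    return {
        "uses_contractions": profile["contractions"] > 0,
        "single_quotes_for_words": profile["single_quoted"] > 0 and profile["double_quoted"] == 0,
        "serial_comma": profile["serial_comma_triplets"] > 0,
        "no_semicolons": profile["semicolons"] == 0,
        "one_space_after_sentence": profile["one_space_after_sentence"] > profile["two_spaces_after_sentence"],
    }


# Sample input: sentences taken from the leaker's comment quoted in this thread.
SAMPLE_TEXT = (
    "Not just replying to you, but directed at everyone that'll say I should've "
    "leaked it to some organization and that it's 'irresponsible' to dump the raw "
    "data on everyone or something: "
    "When everyone can participate it's more empowering, more fun, and far more effective. "
    "I want programmers, hackers, and reverse engineers to have access so they can "
    "analyze the software and take it apart. "
    "I want everyone having access to the data, not just the headlines! Seed the torrent!"
)

if __name__ == "__main__":
    profile = style_profile(SAMPLE_TEXT)
    for name, value in profile.items():
        print(f"{name:28} {value}")
    print(markers_present(profile))
```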

~~~
afro88
Sorry to burst the bubble but you can't rely on the result of this kind of
analysis. Identifying people through their writing style isn't new, and you
don't know they haven't already done a prior analysis and ensured their
writing style doesn't identify them (or maybe matches to someone else on
/r/anarchy).

Things that can be faked have every chance of being faked. Especially when it
comes to hackers who need to cover their tracks daily.

~~~
nilved
Very true. My post was self-described guesswork and theory, but I wouldn't be
so dismissive of it!

------
psykovsky
After downloading the torrent for a while I noticed this in my router's firewall
log entries:

    FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 79.245.172.75 Dst ip: 82._._.* Type: Redirect Code: Redirect Datagram for the Host

The IP address that has the asterisks is MY IP address and the other one
belongs to Deutsche Telekom. Are they trying to MITM me or what?
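How to triage a log entry like that, as an added example that is not part of psykovsky's post: an ICMP Redirect (type 5) is only legitimate when it comes from the first-hop router you are currently using (RFC 1122), so a redirect from an address that is not even on your local subnet cannot be honoured and should simply be dropped, which is what the router's firewall did here. The script below parses lines in the router's format (the addresses are constructed, RFC 5737 documentation ranges), classifies each redirect by where it came from, and checks a `sysctl` dump for the Linux settings that make a host ignore redirects altogether. The local network and gateway values are assumptions passed in by the caller.

```python
import ipaddress
import re

# Matches the router's log format shown in the post.
LOG_RE = re.compile(
    r"Protocol:\s*(?P<proto>\w+)\s+Src ip:\s*(?P<src>[\d.]+)\s+Dst ip:\s*(?P<dst>[\d.]+)"
    r"\s+Type:\s*(?P<type>.+?)\s+Code:\s*(?P<code>.+)$"
)

# Host-side hardening: with these at 0 the kernel ignores redirects entirely,
# so a spoofed or rogue redirect cannot alter the routing table.
REQUIRED_SYSCTLS = {
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.default.accept_redirects": "0",
    "net.ipv4.conf.all.secure_redirects": "0",
    "net.ipv6.conf.all.accept_redirects": "0",
}


def parse_line(line):
    """Return a dict with proto/src/dst/type/code for one log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["src"] = ipaddress.ip_address(entry["src"])
    entry["dst"] = ipaddress.ip_address(entry["dst"])
    return entry


def triage_log(text, local_net, gateway):
    """Return [(src, verdict)] for every ICMP Redirect in the log text.

    expected      : from the configured first-hop gateway (the only legitimate source)
    rogue-on-link : from another host on the local subnet (rogue router or spoofing)
    off-link      : from outside the local subnet; can never be a valid redirect
    """
    net = ipaddress.ip_network(local_net)
    gw = ipaddress.ip_address(gateway)
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if not entry or entry["proto"] != "ICMP" or not entry["type"].startswith("Redirect"):
            continue
        src = entry["src"]
        if src == gw:
            verdict = "expected"
        elif src in net:
            verdict = "rogue-on-link"
        else:
            verdict = "off-link"
        findings.append((str(src), verdict))
    return findings


def hardening_gaps(sysctl_output):
    """Given `sysctl -a` style text, list the redirect settings not at the required value."""
    current = {}
    for line in sysctl_output.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sorted(k for k, want in REQUIRED_SYSCTLS.items() if current.get(k) != want)


# Constructed sample log: local subnet 203.0.113.0/24, gateway 203.0.113.1, this host .7
SAMPLE_LOG = """\
FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 198.51.100.20 Dst ip: 203.0.113.7 Type: Redirect Code: Redirect Datagram for the Host
FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 203.0.113.1 Dst ip: 203.0.113.7 Type: Redirect Code: Redirect Datagram for the Network
FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 203.0.113.42 Dst ip: 203.0.113.7 Type: Redirect Code: Redirect Datagram for the Host
FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 198.51.100.20 Dst ip: 203.0.113.7 Type: Echo Request Code: No Code
"""

# Constructed sysctl dump with two settings still permissive and one missing
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
"""

if __name__ == "__main__":
    for src, verdict in triage_log(SAMPLE_LOG, "203.0.113.0/24", "203.0.113.1"):
        print(f"redirect from {src:15} -> {verdict}")
    print("sysctl gaps:", hardening_gaps(SAMPLE_SYSCTL))
```

While seeding a torrent the host exchanges traffic with many arbitrary peers, so stray redirects from addresses along those paths are common background noise; the verdict that matters is whether the host would have accepted one, which is what the sysctl check answers.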

------
hummel
Is there no news on this topic? It's very important and has almost no
coverage in the media. The leak details the hack here:
[http://t.co/QWRRo9cCLN](http://t.co/QWRRo9cCLN)

