willrae

Honorable
Sep 29, 2013
1
0
10,510
I might simply be paranoid, but Wikileaks revealed that in Australia amongst other countries the Government has been distributing a spyware package called FinSpy in updates for software packages such as Skype. The spyware is rather powerful and affects all common OS platforms such as Windows, OSX, Linux and possibly FreeBSD (unconfirmed). FinSpy can perform life filesystem forensics, silently pull files from storage devices, record entire Skype/VoIP calls, take screencaps and more. I'll add a URL to a PDF file containing further details:

https://wikileaks.org/spyfiles/files/0/289_GAMMA-201110-FinSpy.pdf

So where does our privacy stand? Is there anything we can do to fight back when software we use daily contains spyware? Does anyone know how to detect it? Apparently it is undetected by over forty consumer AV packages, so is there anything we can do?
 

Paul NZ

Admirable
Looks like the NSW police over there have been using it. Looks like F-secure knows what it is. According to Google. They call it Trojan-Spy:​W32/FinSpy.A

The product is called Finfisher

Sounds like what .com, Assange / Snowden were talking about last night here in NZ lol. About our govt doing mass surveillance here

 

Skylyne

Estimable
Sep 7, 2014
405
0
5,010
To evade mass surveillance, there is only so much you can do. Using a VPN is a good start for daily activities like social media/etc.. To stay safe in other ways, using services like TOR or I2P are actually the best methods of circumventing internet traffic eavesdropping; if you know how to do it right, of course.

What most people don't realise is the lack of need for the spyware junk that companies create for mass surveillance. In reality, if someone wants to target you, they don't even need to have access to your computer. I know for a fact that wired keyboards give off radio frequencies that can be read by an antenna, triangulated to determine exact location, and then the hacker could effective log every keystroke, without ever needing to come within a mile of the computer; this might also apply to wireless keyboards as well, though I'm not entirely sure. This is something that enthusiasts have done in the past (I've met some who've done this by accident), and is actually something used by intelligence agencies to this day. It beats keyloggers, since there's no transmission of data coming from the computer; it's only reading the frequencies emitted by the keyboard's keystrokes. If you're not paranoid enough, it's actually true that the NSA has intercepted computer hardware, and has actually modified it to be able to be read/activated remotely. Some keyboards have this kind of hardware hack in them, as well as motherboards. Now, of course, this is only used if you're targeted by the NSA... but if the technology is out there, then, in theory, it could be used against you by someone intending to do harm.

Software is a very minimal security measure, in reality; no one needs to bypass software security to do you harm. Also, most software that we trust is proprietary, which is much more likely to be vulnerable to attacks and back doors, unlike opensource software. Take it with a grain of salt, but there's no such thing as true security with computers, internet or not; and this goes doubly for mobile phones. To look at it cynically, privacy is only something that can truly exist without technology.

As of recent, the Blackphone has become the only real secure option to prevent eavesdropping on mobile devices; at least, that I know of. Apple's messenger actually encrypts messages sent via data/wifi, but not those sent as SMS messages. In fact, the only reason why Apple's messenger shouldn't be trusted on your iPhone is because it can switch to SMS without your knowledge, and it will do so if sending the message as data takes too long.

The only real ways to maintain privacy are buy using trusted software/security companies, IM services that are not run by companies who readily turn over information (Yahoo and AOL are common and very NSA friendly), and by keeping your footprint on the internet to a bare minimum. If you can, get off the "clear" internet, and barely use mobile phones for anything; seriously. Those who are truly privacy concerned don't use very much technology for a reason, and those who do tend to be very careful with who they trust, and what devices they trust with each type of content.

To use the words of Jacob Applebaum, from a talk at 30C3, "For every Karsten and Luca, there are hundreds of people who are paid to do this full time, and never tell us about it." The link starts the video where he shows an NSA hack that two guys at the convention found by accident, and gave a talk about, without knowing it was an NSA hack. In fact, you might want to watch the entire video, as you will likely be quite surprised at just how poor security really is. The way I see things: if there are people being paid to exploit security problems, and never talk about it, you don't know who might stumble across these same vulnerabilities with malicious intent; and you may never know if one of the paid guys is going to take advantage of the vulnerabilities on their own time for malicious intent. I'm a bit paranoid for a reason, and I think everyone should have a little paranoia in them; it keeps you vigilant and questioning things. Although, my level of paranoia is a bit much for most haha.