Syria

Syria, which Reporters Without Borders has already listed as an “Internet Enemy,” has stepped up web censorship and cyber-monitoring as the country’s conflict has intensified. Since the uprising began on 15 March 2011, the regime has deployed systems designed to prevent the spread of news and images documenting the official campaign to crush the rebellion. An ultra-centralized internet architecture allows the government to cut off the country from the rest of the world, a step that authorities took on 29 November 2012 and which lasted two days.

Figures

  • Population: 22,500,000
  • Number of Internet users: 5,000,000
  • Internet penetration rate: 22.5%
  • Journalists jailed: 22
  • Netizens jailed: 18
  • Killed in 2012: 18

Source: Internet World Stats

A network designed for filtering and monitoring

The Syrian internet network is controlled by two entities: the Syrian Computer Society (SCS) and the Syrian Telecommunications Establishment (STE). Founded by Bashar Al-Assad, SCS controls Syria’s 3G infrastructure. STE, from within the Telecommunications and Technology Ministry, controls the majority of fixed connections. The agency has granted ADSL operators the use of its cables. Alternatively, users connect via landlines and 56K modems. STE manages all web connectivity within Syria. When the government orders blocking of a word, of a URL or of a site, STE transmits the order to service providers.

Reporters Without Borders has obtained a confidential document: a 1999 bid invitation from STE to install a national internet system in Syria (PDF, 7.3 MB). The document makes clear that the system’s capabilities were intended from the very beginning to include filtering and monitoring functions.

The general description of the project (5.1) specifies that STE shall be the only entity providing internet connectivity. The bid invitation requires the future service provider to install filtering and internet traffic inspection systems at the heart of the network. The Monitoring system chapter (6-1-8) details an STE requirement that all questions to search engines be stored in a database for one month.

The same chapter lists monitoring system requirements:

  1. Recording of online and offline activities – VIP, chat, surfing and email – of approximately 60 specified individuals.
  2. Capabilities must include copying of all email exchanges from within Syria.
  3. The URLs of all web pages visited to be recorded.
  4. Ability to gather a random sample of the content of posts to forums, which must disclose the senders’ real names.
  5. “Newsgroups” – now outmoded but heavily used in 1999 – also fall within the surveillance parameters.

System requirements also include the ability to detect, intercept and block any encrypted data.

It is impossible to know if the system installed in Syria in the early 2000s meets each of the wildly excessive requirements laid out in the bid invitation. But the document in any case makes clear the extent of official determination to monitor the entire internet system.

Refinement of filtering and monitoring systems

In 2011, the government added new technologies to its cyber-arsenal. The reflets.info site, working with the Telecomix digital activist group and a Tunisian portal, fhimt.com, revealed the presence of Blue Coat proxy servers in Syria. Evidence is posted on the site in the form of a scan of the Syrian network. The data is compiled in a digital file that is freely accessible for analysis.

Originally, Blue Coat Systems Inc. denied having sold proxies to the Syrian government. After reflets.info posted the evidence, Blue Coat admitted the presence of at least 13 of its servers in Syria. These were apparently sold by a Dubai-based firm whose business was reselling and installing Blue Coat solutions.

In December 2011, Blue Coat announced that it would no longer provide support or updates for servers installed in Syria. The company also said it did not have the means to remotely de-activate servers. Network tests conducted in July 2012 by Citizen Lab showed that Blue Coat servers in Syria were no longer communicating with the parent firm, a finding that confirms the company’s claim.

Chronology of Man in the Middle Attacks

  • February 2011 – As the Arab Spring uprisings begin, the Syrian government reopens access to sites, blocked for years, that are enabling Tunisians and Egyptians to mobilize: YouTube, Facebook, Twitter.
  • May 2011 – The Electronic Frontier Foundation, an NGO that defends digital-access rights, reports the first Man in the Middle (MITM) attack. It is aimed at Syrians connecting to each other on the secure version of Facebook. The users see alerts on their browsers warning that the certificate certifying a site’s identity is not valid. Those who connect despite the warning have allowed the attackers to retrieve their user names and passwords.
A security warning on the Firefox browser during an MITM attack

  • July 2011 – Digital certification firm DigiNotar detects a network intrusion.
  • July-August 2011 – Hacktivist group Telecomix launches #OpSyria and recovers more than 54 gigabytes of data on operation of the Blue Coat servers.
  • August 2011 – The https versions of Facebook and Yahoo! are blocked in Syria and automatically redirected to insecure versions. Users trying to connect to the sites are forced to disclose their passwords. The tactic means that users who don’t know how to check that a site is secure lose their digital protection. Security indicators are a letter ‘s’ in the URL (https), and the adjoining logo of a padlock.
  • August 2011 – Google detects use of a fraudulent DigiNotar certificate in Iran.

Files recovered through #OpSyria show that Syrian authorities have deployed extremely advanced MITM attacks. Blue Coat server connection logs normally should not record information after a user accesses a secure site (https). However, the connection logs show that Blue Coat servers did, in fact, register an abnormally large quantity of data not normally available due to encryption, following user access to sites that see the heaviest traffic in Syria. The theft of DigiNotar certificates likely explains this result.
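The observation above, that a proxy which only tunnels HTTPS should have nothing to log beyond the host name, can be turned into a simple forensic check. The script below is an added example and is not code from Reporters Without Borders, Telecomix or Blue Coat; it parses a constructed, generic proxy log (the six-column format is a hypothetical one chosen for the example, not the real Blue Coat format) and flags every line that records a GET or POST on an `https://` URL, since a proxy can only see such detail if it terminated the TLS session itself.

```python
"""Spot proxy-log entries that expose data normally hidden by TLS.

A forward proxy that merely tunnels HTTPS sees a "CONNECT host:443" request
and then opaque ciphertext: it cannot log the path, the query string or the
size of the decrypted exchange. Log lines that record a GET or POST on an
https:// URL therefore indicate that the proxy decrypted the traffic itself
(a man-in-the-middle position), which is the pattern the text describes.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample log in a hypothetical format:
#   timestamp client_ip method url status bytes
# It is not taken from any real Blue Coat or #OpSyria data.
SAMPLE_LOG = """\
2011-08-02T10:01:12 10.0.0.5 CONNECT www.example-social.net:443 200 5120
2011-08-02T10:01:15 10.0.0.5 GET http://news.example.org/index.html 200 8312
2011-08-02T10:02:03 10.0.0.7 GET https://www.example-social.net/messages/inbox?uid=1234 200 20481
2011-08-02T10:02:09 10.0.0.7 POST https://mail.example.com/login 302 1024
2011-08-02T10:03:44 10.0.0.9 CONNECT mail.example.com:443 200 3300
2011-08-02T10:04:01 10.0.0.9 GET https://www.example-video.net/ 200 512
"""


def parse_line(line):
    """Split one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, status, nbytes = parts
    try:
        return {"ts": ts, "client": client, "method": method, "url": url,
                "status": int(status), "bytes": int(nbytes)}
    except ValueError:
        return None


def classify(entry):
    """Return None for expected entries, otherwise a severity string.

    'high'   : https URL with a path, a query string or a request body visible
    'medium' : https URL with only the bare host recorded (still implies the
               proxy decrypted the request, but leaks less)
    """
    if entry["method"] == "CONNECT":
        return None  # opaque tunnel; only host:port is visible, as expected
    u = urlsplit(entry["url"])
    if u.scheme != "https":
        return None  # plain http: the proxy legitimately sees everything
    if u.path not in ("", "/") or u.query or entry["method"] == "POST":
        return "high"
    return "medium"


def analyse(log_text):
    """Return (findings, per_host) for every suspicious line in log_text."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        severity = classify(entry)
        if severity is None:
            continue
        u = urlsplit(entry["url"])
        findings.append({"ts": entry["ts"], "client": entry["client"],
                         "host": u.hostname, "method": entry["method"],
                         "path": u.path, "query": u.query,
                         "bytes": entry["bytes"], "severity": severity})
    per_host = Counter(f["host"] for f in findings)
    return findings, per_host


if __name__ == "__main__":
    found, hosts = analyse(SAMPLE_LOG)
    for f in found:
        print(f"{f['severity']:6} {f['ts']} {f['client']} {f['method']} "
              f"https://{f['host']}{f['path']} bytes={f['bytes']}")
    print("hosts with decrypted traffic logged:", dict(hosts))
```

Run against a real export, the per-host counter is the interesting output: a handful of hosts accounting for nearly all decrypted entries matches the page's description of interception concentrated on the most visited sites. The sample contains plain-http lines and legitimate CONNECT tunnels so that the filter demonstrably ignores them.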

Targeted attacks

The Syrian government’s digital weapon includes more than Internet traffic analysis tools. Bloomberg and Citizen Lab report that authorities are also capable of targeted monitoring.

Lessons from an arrest: Taymour Karim

In “The Hackers of Damascus” journalist Stephan Faris of Bloomberg Businessweek reports the story of Taymour Karim, a Syrian activist arrested and tortured by the regime.  Police picked him up on 26 December 2011, as he was on his way to a meeting with one of his contacts. The two had arranged the meeting on a Skype call.

But the authorities had monitored the call. Karim was detained for 71 days. Under interrogation, after he refused to disclose his activities and contacts, he was shown more than 1,000 pages of conversation transcripts and files, all gathered from Skype exchanges. Despite Karim’s resistance, his interrogators had already gathered much of what they wanted to know from the digital trail that he had unwittingly left.

In January 2012, less than one month after Karim was freed, Morgan Marquis-Boire, a security expert at Google, examined the computer of an NGO member based in Syria. The activist thought its system had been compromised. An in-depth analysis showed that the activist was correct. The first intrusion had occurred on 26 December, only a few hours after Karim’s arrest.

Spyware had been transmitted to the NGO member via a Skype message from none other than Karim. The software had been hidden in a document that Karim had finished the day before his arrest.

Phishing and social engineering

The Karim case displays the Syrian government’s methods of monitoring and arresting netizens. Most commonly, during a Skype conversation, a contact suggests that the person on the other end of the call download a video, a document or an image.

The link that starts the download contains spyware. Once the user clicks it, the software installs itself. Skype accounts used in this fashion are those of netizens who have been arrested, or whose computers have been compromised. Accounts created for the specific purpose of trapping netizens have also been used.

Blackshade, a virus-infection campaign named after the malware it employed, was launched in Syria in June 2012. It was exposed thanks to a message from a compromised Skype account to a member of the Syrian opposition.

Screenshot from the EFF article on Blackshade (Creative Commons License)

In translation, the message reads: “There is a person who hates you, and keeps talking about you. I took a screenshot of the conversation. Please beware of this person, as he knows you personally. This is a screenshot of the conversation.” After the message recipient clicks on the included link, the malware installs itself.

The regime also uses a variety of phishing tactics. One of them involves producing a copy of a known site, such as YouTube or Facebook, and demanding that the user enter personal information for seemingly legitimate reasons. These can include updating a profile, or agreeing to a new confidentiality policy.

In March, a counterfeit YouTube site said to host opposition videos required users to enter their log-in and password in order to register comments. The site also enabled installation of spyware by asking those connecting to download an update to Adobe Flash (software that enables viewing of online videos).

Screenshot from EFF article (Creative Commons License)

In April 2012, EFF identified at least five phishing attempts aimed at Facebook users. One was transmitted by messages left on Facebook accounts of Syrian opposition leaders, including Burhan Ghalioun. Clicking on the links posted on these pages sent the user to a false Facebook page, which offered installation of an application, FacebookWebBrowser.exe, supposedly designed to improve Facebook account security.

In fact, FacebookWebBrowser.exe is spyware that enables the capture of all characters typed on a keyboard, as well as usernames and passwords for email, YouTube and Skype.

In August 2012, EFF spotted another spyware launch. This campaign centred on a program named Antihacker, billed as a way to protect the computer on which it was installed. The program installs a version of DarkComet, a program that can record images via the webcam of the victim’s device, de-activate warnings from certain anti-virus programs, record keyboard strokes and retrieve passwords.

Install screen of the ill-named AntiHacker

Most targeted attacks have been carried out using certain RAT spyware programs – DarkComet or BlackShade. Once installed on a computer or mobile device, these programs grant access to the webcam, to email passwords, YouTube, Facebook, Skype conversations and keyboard strokes.

Information captured by these malware programs is sent to servers with Syrian IP addresses. The reasonable conclusion is that the attacks originate with the same group – the Syrian Electronic Army.

This pro-government organization likely also devised the false YouTube page used in the phishing campaign described above. In July 2012, the Electronic Army disseminated 11,000 names and passwords of “NATO supporters” – that is, opposition members.

According to some experts, the paramilitary group works closely with Syrian intelligence services.

Potential Solutions

Protecting against malware is essential in Syria, given the constant threat posed by these programs.

Computer protection

The key is to follow basic guidelines:

  • Do not install any software received by email.
  • Do not install any software unless it is downloaded from an https site. The risk of falling victim to phishing is lessened when a site with a certified identity is used.
  • Do not install any software from an unfamiliar source, even if installation is recommended in a window that suddenly appears.
  • Systematically carry out updates of your operating system and software. Updates frequently resolve security issues.
  • Do not use Internet Explorer. As the most popular browser, it is a major target for hackers. Use Firefox or Chrome instead.

Protect your browsing and guard against MITM

The simplest anti-MITM measure is to not ignore security warnings from a browser when connecting to an https site. Chrome and Firefox offer extensions that detect MITM attacks.

HTTPS Everywhere

This extension verifies on each site that an https version (encrypted) exists. If that is the case, the user is redirected to the secure site. Several scenarios are possible:

  • If a phishing attempt targets Facebook users, those who have installed the extension are redirected to the https version.
  • If the attack is a simple one, the user is sent to the genuine https Facebook site.
  • In the case of a sophisticated attack that uses a counterfeit https site for phishing, users will receive a security alert notifying them that the site is counterfeit.
  • In the case of highly sophisticated attacks, in which the attackers have compromised Facebook’s certificate, the certificate has to be authenticated manually.

HTTPS Everywhere is useful on a daily basis. Every time a user transmits data, for example when filling out a form, it is essential to use the https protocol rather than http. Failure to do so means that all data will be transmitted unencrypted, to the user’s peril.

Certificate Patrol

This extension verifies certificates – a site’s ID papers – when a user lands on an https site. The user is alerted when a certificate is changed. This tool is indispensable to protect against MITM attacks. And it ensures that https requests are correctly encrypted.
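The check Certificate Patrol performs, remembering the certificate a site showed the first time and warning when a different one appears, is the same principle as trust-on-first-use pinning. The script below is an added example written for this page, not code from the Certificate Patrol extension; the two byte strings standing in for DER-encoded certificates are constructed placeholders, and the `PinStore` class, its method names and the JSON layout are this example's own choices. The point it makes goes slightly beyond the paragraph: a pin is independent of the certificate authority, so it still fires when a fraudulent certificate comes from a compromised CA such as DigiNotar, which ordinary browser validation would accept.

```python
"""Trust-on-first-use certificate pinning, in the spirit of Certificate Patrol.

The store remembers the SHA-256 fingerprint of the certificate each host
presented the first time it was seen. On later visits the presented
certificate is compared with the pin: a match is silent, a changed
certificate returns a warning, and the pin is only replaced when the user
explicitly accepts the new certificate. Because the comparison ignores the
issuing CA entirely, a certificate minted by a compromised CA is still
reported as a change.
"""
import hashlib
import json
import ssl
import time

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_A = b"constructed-der-cert-A-for-www.example-social.net"
CERT_B = b"constructed-der-cert-B-presented-on-a-later-visit"


def fingerprint(der_bytes):
    """Colon-separated SHA-256 fingerprint, as browsers display it."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def der_from_pem(pem_text):
    """Convert a PEM certificate (as saved from a browser) to DER bytes."""
    return ssl.PEM_cert_to_DER_cert(pem_text)


class PinStore:
    """Host -> pin record {"fp", "first_seen", "last_seen"} (hypothetical layout)."""

    def __init__(self):
        self.pins = {}

    @staticmethod
    def _norm(host):
        # Case and trailing dot must not create a "new" host that bypasses the pin.
        return host.strip().lower().rstrip(".")

    def check(self, host, der_bytes, now=None):
        """Return 'first-seen', 'match' or 'changed'.

        'changed' does NOT update the pin: the caller must decide whether the
        new certificate is a legitimate renewal or an interception attempt.
        """
        host = self._norm(host)
        now = time.time() if now is None else now
        fp = fingerprint(der_bytes)
        pin = self.pins.get(host)
        if pin is None:
            self.pins[host] = {"fp": fp, "first_seen": now, "last_seen": now}
            return "first-seen"
        if pin["fp"] == fp:
            pin["last_seen"] = now
            return "match"
        return "changed"

    def accept(self, host, der_bytes, now=None):
        """Replace the pin after the user has verified the new certificate out of band."""
        host = self._norm(host)
        now = time.time() if now is None else now
        self.pins[host] = {"fp": fingerprint(der_bytes),
                           "first_seen": now, "last_seen": now}

    def to_json(self):
        return json.dumps(self.pins, sort_keys=True)

    @classmethod
    def from_json(cls, text):
        store = cls()
        store.pins = json.loads(text)
        return store


if __name__ == "__main__":
    store = PinStore()
    host = "www.example-social.net"
    print(host, store.check(host, CERT_A))            # first-seen
    print(host, store.check(host, CERT_A))            # match
    verdict = store.check(host, CERT_B)
    print(host, verdict, "pinned:", store.pins[host]["fp"][:23] + "...")
    if verdict == "changed":
        print("WARNING: certificate for", host, "differs from the pinned one;",
              "verify it out of band before accepting")
```

The verdict on a change is deliberately left to the user, as the extension does: certificates are renewed legitimately, so an automatic update would re-pin an attacker's certificate, while never updating would make the tool unusable. Comparing the new certificate's fingerprint with one obtained over a different network (a VPN or Tor exit, which the page recommends for the same reason) is the practical way to resolve a warning.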

VPN and TOR

Use of a VPN (Virtual Private Network) or Tor provides effective protection against MITM and phishing attacks. These tools allow a user to bypass the Syrian network – thereby evading attacks mounted there – and to connect to the web in Sweden, the United States or elsewhere.

These tools are especially good at defeating monitoring because they mask users’ IP addresses. VPN solutions have the added benefit of data encryption. Tor, for its part, simply anonymizes the user.

For more information, read our Online survival kit.