06/20/12 – Eva Galperin – The Scott Horton Show

by | Jun 20, 2012 | Interviews

Eva Galperin, International Freedom of Expression Coordinator for the Electronic Frontier Foundation, discusses her article about pro-Syrian-government hackers using malicious computer software against Syrian activists; the online information battle between loyalists and anti-government groups, in the absence of on-the-ground media; why Skype isn’t any safer to use than social media like Facebook; protecting yourself online by encrypting communications and staying informed about threats; and how rudimentary hacking tools can be just as effective as the very sophisticated and expensive Stuxnet and Flame viruses.


Howdy, everybody.
Welcome back to the show.
I'm your guest host, Zoe Greif, and I'm pleased to welcome our first guest to the show, Eva Galperin, or maybe Ava, I'm sure she'll correct me.
She works with the Rights for the Electronic Frontier Foundation, and they are defending your rights in the digital world.
According to her bio, she's a lifelong geek, used to be a systems administrator all over Silicon Valley since then.
She has earned degrees in political science and international relations, and she also has written a fantastic article called New Trojan Spread over Skype as cat-and-mouse game between Syrian activists and pro-Syrian government hackers continues.
Please, thank you very much for being with the show.
Eva, or is it Ava?
How do you pronounce your name?
It's Eva.
Eva.
Okay, thank you very much for being with the show today.
No problem.
I've got to tell you, I just really can barely even wrap my head around what a Trojan horse virus is, and you've written this dazzling article talking about the latest and greatest in malware technology, so I'm just going to let you talk.
Please explain what you're talking about, Eva.
All right.
Well, Trojan, in the simplest terms, is named after the Trojan horse, and what it does is it looks like a perfectly normal file that you download.
Somebody sends you an email or a document or an MP3 or a PDF, and they say, hey, look at this, and you open it up, and what it does is it covertly installs software on your machine.
In this particular case, the software is a remote access tool that gives somebody else full control of your machine and allows them to do things like log all your keystrokes and take periodic screenshots.
Wow.
Well, I'm sure that would be pretty useful to, say, an intelligence agency or a military agency.
Absolutely.
Absolutely.
So with regard specifically to Syria, a cat-and-mouse game between Syrian activists and pro-Syrian government hackers, am I picturing it correctly in my mind when I think of a bunch of guys sitting around hunched over their computers with their glasses and Tab-Cola attacking each other with their computers?
Is that how it works, Eva?
Well, it's a little different from that.
Okay.
Please explain.
What's going on in Syria is that over the course of the uprising, the Internet has been an extremely important tool for opposition activists because journalists are banned from entering Syria and reporting on what's going on, but there's still this sort of ravenous demand for information from the ground.
So if you want information about what's going on from dissidents and activists and members of the opposition, you have to contact them somehow.
Most journalists are contacting people online, and that's the way that the opposition is really getting their message out about what's going on.
So the Internet is vitally, vitally important.
But at the same time, the Assad regime controls the Internet inside of Syria.
They control all of the ISPs, and they have this incredibly powerful sort of surveillance technology that allows them to look at all the traffic on the Internet and analyze it in real time.
As activists and opposition members become more savvy about how to avoid that kind of surveillance by using encryption, by using HTTPS on their web browsers, which makes it hard for the Syrian government to eavesdrop on their traffic, and by using satellite Internet uplinks and VPNs that get them out of the Syrian network, the Syrian government has become more concerned because there's all this traffic that they can't read.
So what we've seen is an upsurge in pro-Syrian government hackers who are writing malware that specifically targets members of the Syrian opposition by creating fake PDFs and fake YouTube sites and fake Facebook sites that essentially say things like, hey, we're a bunch of pro-Syrian opposition members, and here's a bunch of pro-opposition videos, and you should log in here and tell us how much you like them.
And when members of the opposition see that and either click or download the files, it covertly installs these Trojans onto their machines and hands over all kinds of very sensitive information to these pro-Syrian government forces.
Wow.
And what would be an example or a couple of examples maybe of some useful information that the pro-Syrian hackers are trying to hack from the Syrian activists?
Well, there are a couple of things that they're really interested in getting.
The first is log-in information, especially log-in information for email accounts.
So that's one of the reasons why these Trojans usually install keyloggers.
This allows them to, again, get access to people's email, get access to their Facebook accounts.
Facebook has been a very important tool for sort of getting the message out from the Syrian opposition.
And occasionally those Facebook log-ins are intercepted, and high-profile members of the Syrian opposition have had their Facebook accounts hacked.
Interestingly, when those Facebook accounts are hacked, the hackers usually leave messages with links to more malware so that they can go on and infect more members of the opposition.
They're also really interested in Skype log-ins.
These messages are often spread through Skype.
Some person on your Skype contact list contacts you and says, Hey, have you seen this document?
And then you click on it and you're infected.
Wow, and I'm guessing that Skype is...
Honestly, I'm not a computer geek.
I don't even know how to do Skype, but I am aware that there is a thing called Skype, and people who are smarter than me do it.
And I would guess that in a revolutionary or politically uncertain situation, Skype would be a great way for people to communicate in a way that they think would be private.
But you're saying, Oh no, not so much necessarily.
Skype is actually one of the most popular ways for Syrian activists to communicate because it's free and it allows them to communicate face-to-face with people overseas.
And activists use Skype because they think it is in some ways safer because the traffic is encrypted.
But that safety is largely an illusion.
Not only is Skype being used to spread malware, but there are also a whole lot of security problems with Skype, and there are known backdoors in Skype.
And I actually actively discourage people who are concerned about their security, especially if they're concerned about government spying on them from using Skype for sensitive communications.
Wow, well, I guess that begs the question, Eva.
Is there a safe way to communicate?
Is there a way that is beyond the reach, beyond the grasp of this malware and the spyware and all this kind of scary-sounding technology?
Do you know?
If you did, would you even say it on the show?
Would that be like giving away some kind of secret?
Oh no, I think that the safe security practices are really important for everybody, but especially people who are concerned about an active government who is interested in spying on their communications to the point where they will target them with state-sponsored malware.
And, well, I usually recommend encrypted browsing.
I recommend encrypted chat using something like Adium and OTR, which is a program called Off the Record, which encrypts all of your chat messages.
If you absolutely need to video chat and you don't mind Google having all of your information, I usually recommend Google Hangouts.
But all the encryption in the world does you no good at all if you click on a bad link and suddenly your machine is covertly infected with malware that sends all of your information back to bad people.
And so I think it's extremely important for Syrian activists to be very, very careful about what they download online.
One of the other things that these pro-Syrian government hackers are doing is they exploit concerns about security.
They create fake security tools.
Oh yeah, I'm sorry.
That's the music that signals the hard break that's going to interrupt us, right?
When you're just getting going on something interesting.
No problem.
My bad for not warning you, but we're talking about the cat-and-mouse games between the Syrian rebels and the Syrian regime with malware and spyware.
Antiwar Radio, more on the other side.
Welcome back to the show, everybody.
It's Antiwar Radio.
I'm your guest host, Zoe Greif, and I'm very happy to be speaking with Eva Galperin of the Electronic Frontier Foundation.
We're discussing, or actually she's discussing, and I'm learning, her latest write-up, New Trojan Spread over Skype as cat-and-mouse game between Syrian activists and pro-Syrian government hackers continues.
And I'm just getting schooled on all this fancy computer malware technology and what it can do and how it's used.
And I don't know, I forget, because it always happens, these breaks interrupt me, Eva, but you were just discussing how useful this would be as far as an intelligence or military organization is concerned and how particularly with regard to Skype it could be very useful.
Maybe you could pick up that ball and keep running with it, maybe?
Well, sure.
Well, just like you, Syrian activists don't necessarily know what's safe, and they're very concerned about their safety, and they're always looking for new tools and new information.
And one of the things that the Syrian hackers, the pro-Syrian government hackers do, is they exploit that fear in a really interesting way.
We have reported on a number of very interesting Trojans which were spread through fake security tools.
A couple of months ago we reported on a fake Skype encryption tool that was being targeted at Syrian activists.
So let me just get this straight.
You think you're clicking on a thing to do one thing, and it actually does the entirely opposite thing of what you intended.
That's what's going on here?
Absolutely.
Okay.
Please continue.
No problem.
So one of the things that they do is they create these fake tools that say that they're going to protect you, they're going to encrypt your content or something like that, and they take advantage of this sort of lack of clarity around what kind of tools you should be using and what's going to be helpful to you.
And they use that to install a Trojan on your machine that logs all your keystrokes and takes periodic screenshots and sends all of that information back into Syrian IP space where it is potentially very useful to the Syrian security forces.
I can only imagine how many different ways they would use that information to further their ends.
In your article you have a whole bunch of screenshots that point out what these various malwares look like.
So I guess you can see that they're there if you know to look for them.
But if you don't know to look for them, you would never notice because it's buried in a whole bunch of other stuff kind of thing.
Absolutely.
Most of the people who are infected with these Trojans never know.
A couple weeks ago we did a full analysis of a hard drive that had belonged to a Syrian activist.
And he said, well, there's something wrong with my machine, and I think there might be some malware on it.
And it turned out that he had been infected with not one, not two, but three different Trojans.
He had managed to fall for this on three separate occasions.
Wow.
He had become reinfected several times.
So I would certainly take that as an indication not just of how well the pro-Syrian government hackers are targeting activists, but how little activists know about how to protect themselves.
Yeah.
I mean, I'm glad you're here to tell them.
I just hope that people will listen and learn.
So, like I said, in your article you show a bunch of screenshots, and then you have in bold, if you see these files on your computer, you have been infected with Blackshades RAT.
What an interesting acronym R.A.T. is.
It's actually a very standard term for remote access tools, but it is certainly not a coincidence that it spells rat.
Wow.
So, my goodness gracious.
Well, what's the lesson in all this, I guess?
What's the take-home portion of your warning here?
What's the main thing that you want to communicate to people who might be listening?
Well, first is that things are very difficult for Syrian activists out there right now.
And as Syrian activists become better equipped and more savvy in using more sophisticated tools to protect themselves from government surveillance, they leave themselves vulnerable to this whole other set of tools.
So I think it's very important for Syrians to be careful.
But I think there's also a very important lesson for ordinary Americans who are online who are facing some of the same concerns, who are also worried about their privacy, sometimes from a snooping government, sometimes from advertisers and corporations.
I think it's very important for users to keep themselves informed about tools and the latest developments in online privacy and security.
And I recommend that they go to the EFF website.
We are at www.eff.org.
Well, that sounds like great advice.
We've got just a couple of minutes left before the music's going to interrupt us again.
But I want to ask you, I had a guest on last week, I believe, talking about the Stuxnet and Flame viruses.
How, if at all, does this Blackshades RAT compare to Stuxnet and Flame?
Do you know?
Well, what's really interesting about Blackshades and the other remote access tool that is usually used by the pro-Syrian hackers, which is called Dark Comet, is that these are really cheap, out-of-the-box kind of remote access tool solutions, as opposed to Flame and Stuxnet, which are incredibly expensive, custom-made, and cost hundreds of thousands of dollars.
And what's particularly interesting about these three pieces of malware is that they seem to be equally effective.
Now just about any government can get this sort of capability for what is essentially pocket change.
Wow.
Okay, well, Flame and Stuxnet, according to the expert guest, could be used, well, maybe I'm getting them conflated.
But anyway, anything from shutting down a water treatment plant to bringing an airplane into the ground like in Die Hard 2, pretty scary stuff.
But this Blackshades RAT, this is just much more about spying and being not noticed and not trying to take over computer systems.
Oh, you can still completely take over a computer system using this.
Oh, well, please tell me more, because I obviously don't know.
All right.
These are made for taking over Windows computers, Blackshades and Dark Comet, whereas Stuxnet and Flame take over SCADA systems, which control things like water and power and centrifuges and other very, very scary things that don't necessarily run Windows.
Wow.
Well, okay, I mean, you don't have to be a science fiction writer to think to yourself, oh, gosh, how could this get out of hand?
How could this literally come back to bite us in the butt?
Care to play with that notion, Eva?
Well, it's a scary world out there, and that's one of the reasons why people really need to stay informed in order to protect themselves.
Here's to that.
I'll tell you what.
Thank you so much for being on the show, Eva.
Thank you.
Electronic Frontier Foundation, New Trojan Spread over Skype as cat-and-mouse game between Syrian activists and pro-Syrian government hackers continues.
I urge you to read it for yourself and study those screenshots and protect yourself, and don't click on that thing that's bad.
Thank you so much, Eva.
Thank you.
Have a great day.