Kanske intressant läsning för fler här på listan. Procera Networks är (var?) 
svenskbaserat en tid tillbaka.





From: Ron Deibert [mailto:r...@citizenlab.ca] 
Sent: Friday, March 9, 2018 6:40
To: Ron Deibert <r.deib...@utoronto.ca>
Subject: New Citizen Lab Report: BAD TRAFFIC


Dear Colleagues


We are publishing a new Citizen Lab report today, entitled Bad Traffic: 
Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and 
Redirect Egyptian Users to Affiliate Ads?  


Below is my  
<https://deibert.citizenlab.ca/2018/03/introducing-quantum-as-a-service/> blog 
post that summarizes its key findings, and the  
 main report can be found here.


Associated Press: 


Imagine that your device could be silently commandeered and used to spy on you 
simply because you surfed the web. No need for anyone to have possession of it 
and physically install something. No need to trick you into downloading 
spyware, clicking on a malicious link, or entering your credentials into a 
phony login page.  Attackers just wait for you to visit any unencrypted website 
(http rather than https, that is) and -- boom -- you’re owned.


Now imagine this capability was commercialized and available for sale to 
operators all over the world...


Imagine no more. 


In a new Citizen Lab report, titled  
 Bad Traffic, we present our discovery of how operators appear to use 
technology manufactured by a company called Sandvine (formerly Procera) to help 
deliver exactly this type of nation-state malware in Turkey and Syria. 
Bizarrely, we also discovered that the same Sandvine technology was configured 
by operators apparently to commandeer unwitting Internet users in Egypt, but 
not to spy on them. Instead, there we found user requests appeared to have been 
manipulated by operators to covertly raise money through online ads and 
cryptocurrency mining scams. 


Known as “packet injection,” and undertaken by Deep Packet Inspection (DPI) 
devices, the techniques we uncovered at work in Turkey and Egypt are similar to 
those revealed in the Edward Snowden disclosures, codenamed “ 
 QUANTUM.” QUANTUM attacks are considered among the most powerful weapons in 
the NSA’s (and its Five Eyes allies’) toolkit. One was reportedly employed by 
the UK’s GCHQ to  
<https://theintercept.com/2014/12/13/belgacom-hack-gchq-inside-story/> get 
inside the computers of Belgium’s largest telco, Belgacom, by redirecting 
senior Belgacom technicians to fake Linkedin pages where their computers were 
silently infected with malware.  As the Belgacom operation demonstrates, 
QUANTUM attacks typically involve two components: a first, where packets are 
injected into Internet requests; and a second, in which a separate server 
controlled by the attackers (codenamed FOXACID by the NSA) injects spyware.  We 
found Sandvine Packetlogic devices were being used by operators to perform the 
first component, with spyware of the operator’s choice (presumably Turkish 
authorities) involved in the second. 


Pulling off a QUANTUM attack is relatively simple if you control the network of 
a group of users. Computer scientist Nick Weaver  
<https://twitter.com/RonDeibert/status/614131765398081536> demonstrated a 
QUANTUM attack at our  <https://citizenlab.ca/summerinstitute/2015.html> 2015 
Citizen Lab Summer Institute. However, to be able to execute QUANTUM attacks at 
the national scale requires control or cooperation of a major 
telecommunications provider, something only national governments can 
practically do.  


In another Snowden disclosure, Canada’s spy agency, CSE,  
 noted in a top-secret presentation that “it’s no lie, quantum is cool,” but 
then added “it’s easy to find.” Well, maybe for them. For researchers like us, 
it’s not so easy. Our report is the first case where nation-state spyware 
injection has been empirically documented “in the wild.” Credit goes to the 
Citizen Lab’s Bill Marczak, whose remarkable detective work included scanning 
every one of the billions of IPv4 addresses on the Internet to search for the 
unique fingerprint he developed for Sandvine’s PacketLogic device. We also 
verified the fingerprint in a laboratory setting using a second-hand 
PacketLogic device we purchased. Marczak’s sleuthing identified spyware 
injection targeting Türk Telekom subscribers in at least five provinces in 
Turkey, and hundreds of users across the border in Syria who were receiving 
their Internet access through WiFi connection points leased from Türk Telekom. 
The same methods helped uncover the Egyptian mass injections for profit scheme, 
which we have dubbed “AdHose”.


One imagines that the NSA, GCHQ, and their allies spent many years and 
considerable scientific and financial resources developing QUANTUM capabilities 
in house. Today, commercial DPI technology combined with spyware in the ways we 
have documented allows a government to simply order them up.  With 
QUANTUM-as-a-Service, many more governments will now be playing in the Five 
Eyes’ league — governments like Turkey and Egypt, which Human Rights Watch  
<https://www.hrw.org/world-report/2018/country-chapters/turkey> describes  
<https://www.hrw.org/world-report/2018/country-chapters/egypt> respectively as 
“the world leader in jailing journalists and media workers,” and “continuing 
near-absolute impunity for abuses by security forces under the pretext of 
fighting ‘terrorism.’”


The prospect of QUANTUM capabilities being sold “off-the-shelf” to any 
government or government-controlled telco should give everyone pause, 
especially because the type of DPI sold by companies like Sandvine, as 
currently advertised, falls through the regulatory cracks. It is classic 
“dual-use” technology,  
marketed as benign-sounding “quality of service” or “quality of experience” 
functionality: helping Internet Service Providers manage network traffic, speed 
up the delivery of videos for higher-paying clients, and block forbidden 
applications. The 51 member-state, dual-use technology  
 Wassenaar Arrangement targets “IP network communications surveillance” items 
for export controls, but specifically exempts “quality of service” and “quality 
of experience” systems. However, as our report shows, Sandvine’s technology 
(which appears at present to fall under this exemption) can also 
surreptitiously redirect users to sophisticated spyware, or permit the 
hijacking of browsers to mine cryptocurrency for profit. Its power is in the 
hands of the local operator — operators that answer to autocratic rulers like 
Turkey’s Erdogan or Egypt’s el-Sisi. 


It is worth noting that Sandvine is owned by Francisco Partners, the same 
investment group that also happens to own Israeli spyware vendor NSO Group, 
another company whose misused services have been the subject of numerous 
Citizen Lab  <https://citizenlab.ca/tag/reckless/> reports.  In response to our 
letters to these companies, Sandvine and Francisco Partners both claimed that 
they have stringent business ethics and other internal checks to prevent abuse 
of their services. Not good enough checks, it seems. 


Until its acquisition by Francisco Partners last year, and its subsequent 
combination with Procera, Sandvine was headquartered in Waterloo, Canada. At 
the time of the proposed sale, I  
 argued that the takeover warranted closer scrutiny by the federal government. 
In light of Citizen Lab’s report, I wonder if anything will be done by relevant 
authorities in Canada and the United States? Targeted injection of spyware at 
the nation-state level represents a major public safety risk, and technologies 
that facilitate such injection should be regulated accordingly. 


While we wait for governments to act, there’s more that can be done right now 
to protect users. Properly encrypting websites  
<https://www.eff.org/encrypt-the-web> by default would certainly frustrate 
these sorts of attacks. However,  
<https://transparencyreport.google.com/https/top-sites> Google and  
<https://letsencrypt.org/stats/#percent-pageloads> Firefox stats show around 
20-30% of all websites are still not encrypted by default. That needs to change.


Until such time, keep an eye out for the headers of the websites you visit. If 
it reads “http” without the “s”, and there’s no little lock icon up in the 
address bar that says “secure,” you too may be vulnerable to this type of  
<https://securityplanner.org/#/tool/https-everywhere> attack.


Read the full report here  


All the best



Ronald Deibert
Director, the Citizen Lab
Munk School of Global Affairs
University of Toronto
(416) 946-8916
PGP: http://deibert.citizenlab.org/pubkey.txt
8B84 F5D8 1691 8D87 93CB 3398 443A CE6C 19A8 6481
twitter.com/citizenlab <http://twitter.com/citizenlab> 
twitter.com/rondeibert <http://twitter.com/rondeibert> 
 <mailto:r.deib...@utoronto.ca> r.deib...@utoronto.ca