This post is long and full of notes, links and open questions: you may want to put the kettle on, get your coffee and settle in before you start reading.
Take a deep breath: what you are about to read is not easy. This work was hard, debugging a malware is not easy, and we hope you like it.
We are talking about malware, offensive security and the attempt to legalize it in Italy, or wherever you are free to read this and to forward it to your government and institutions.
Malware codename: Galileo from HackedTeam
Shall we begin?
As we like to touch with our own hands the things we talk about, we obtained one of these “malware” and started writing documentation about how to set it up, for everybody who wants to get their hands dirty with us.
Then we voluntarily infected one of our own devices with this malware in order to study it closely, to understand how it works and which bugs it may have.
Last, since many people are trying to write rules and laws about this very dangerous stuff, we need strong guarantees that we will not be accused on the basis of false data gathered from our devices, so we tried to generate some fake evidence in order to understand how reliable this government malware really is.
The conclusion we reached is that there is no technical way to be sure that the evidence is real!
We documented all the steps in a detailed post, but here we want to analyze the ongoing proposal to legalize this malware.
They’re in my PC!
The concrete threat of abuse of this very powerful tool moves us to shed some light on this foggy situation.
We are not lawmakers, but it seems malware is already regulated in Italy. This kind of crime is very well known to hackers like us, codename: 615-ter C.P., aka “Unauthorized access to a computer system”, which also contains a specific provision for when the crime is committed by a public official, yes, a policeman.
But the fact that these tools are used daily by the police as investigation tools, and nobody sees any problem with that, shows how this law is a perfect repressive tool but does not work very well as a tool of justice and society. Which police station will investigate its own investigation tools? Who watches the watchmen?
What we are trying to do for the future is to prevent our (and your) devices from spying on us. So we would like to spread some good security practices to avoid getting infected by this and other trojans: we will surely need help, because we know it won’t be easy and technology changes every day.
Regulating armed tanks: Law Proposal Legalizing Malware
How do you explain to politicians how to use a tank? How do you push them to legalize it? Do you need to talk about terrorism, about child pornography? Do you need to badmouth some other politician? Or maybe act against some big national operation? We feel absolutely NOT protected by the Italian law proposal to regulate malware, written and presented by “Civics and Innovators – Quintarelli Law” (Civici Innovatori – legge Quintarelli), which shows a lot of issues; we stopped for a second while reading this technical, operative proposal on how to rule and limit these tools, and we discovered they are trying to draw similarities between the malware’s functionality and some already regulated police practices, such as: shadowing someone, intercepting location data, or the physical seizure of the data on a device.
Trying to draw similarities between classic practices and malware features is absurd from every point of view and for every kind of judicial act you may consider:
- Comparing a seizure to the remote acquisition of files from a device is ridiculous. During a seizure the person under investigation is present and can verify what is happening, can request the presence of a lawyer, and at the end should receive a list of the seized material. We cannot imagine how this could be possible during a remote seizure performed with a malware.
- A real seizure aims to cut off the availability of a specific tool, like a gun. The malware does not cut off any availability, because it is not made for this.
- Comparing GPS tracking to real shadowing is ridiculous. Obtaining digital data that can easily be analyzed by invasive algorithms is not comparable to real shadowing; the quality of the data is on a completely different level.
- But above all there is a quantitative question about costs: shadowing 1000 people from the police desk does not cost the same as doing it for real. It is clear that yesterday shadowing was a matter of time and money, but now, with a malware, all you need is a click and a button press. The consequences of this are quite obvious. Just trying to imagine that these two operations are the same is quite ridiculous.
- Then, the proposal starts from the idea that a device is owned by the person under investigation, but this is not always true. Consider all the “public” devices: the internet point, the libraries, the university. Reading our email from a tapped internet point where a person under surveillance used the PC before us puts us at risk, because the PC is bugged (it is an infected PC) and our email will go to the police. Even with a second-hand device, our email will be delivered to the police.
- Then there is a temporal problem. With a classical mobile interception, SMS are captured starting from a specific day and the interception has a time limit for legal reasons. The trojan is another story: it can read data with no time limit, sending all the conversations on the device from the beginning of its history, because everything is saved there.
- During shadowing there is the guarantee (unless a double is hired) that the position is the actual location of the person under investigation. But the device may not travel with the person: it can be stolen or forgotten in a taxi. So basically the device owned by the person is not the person.
- Believing, as we read in the document, that installing a malware does not lower the security level of the device where it is installed is ridiculous: the basic idea of the malware is exactly to leave some vulnerability open in order to use it, and doing so keeps everybody’s devices insecure in order to infect them.
- Certifying that the evidence cannot be modified seems impossible to obtain, and later we prove it in two different ways. But there is more:
1) How is it possible to certify that the malware vendor has not been hacked? (see: #hackedteam)
2) How is it possible to certify that in the very big architecture of this malware there are no backdoors letting someone else use it?
Neither point can be verified.
- Last but not least, it seems a paradox to us that the government wants to use digital weapons (zero-days) bought on a shadow market that is as non-transparent as the zero-day black market is nowadays.
During our experiment we noticed that the inputs to these ‘objects’ are considered trusted (not modifiable by the user), which is clearly wrong.
- What may happen if a Skype username is AAAA’ DROP ALL TABLES–?
- And if its length is 10 million characters?
- And what if instead of an image we feed it some fuzzed script and the malware breaks? And yes, it breaks very badly, ahaha..
How will the law consider this behavior? Self-defense? Concealment of evidence?
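To make the point above concrete, here is an added example (our own illustration, not code from the malware or from the original post) of an evidence-collection ingest path that trusts device-supplied fields, next to one that treats them as untrusted. The table layout, the length limit and the image-header check are assumptions chosen for the demo; the inputs are the three cases the post lists.

```python
import sqlite3

# Constructed limits for this demo; the post quotes no real figures.
MAX_FIELD_LEN = 256
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")  # PNG, JPEG headers

def open_db():
    # In-memory stand-in for an evidence store.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE evidence (id INTEGER PRIMARY KEY, skype_user TEXT, image BLOB)")
    return db

def ingest_unsafe(db, skype_user, image):
    # Device-supplied username pasted straight into the SQL text: the quote in
    # the post's example closes the literal and the statement no longer parses.
    db.execute("INSERT INTO evidence (skype_user, image) VALUES ('%s', ?)" % skype_user, (image,))
    db.commit()

def ingest_safe(db, skype_user, image):
    # Every field produced on the infected device is attacker-controlled:
    # type-check it, bound its size, validate its format, and bind it as a
    # parameter rather than splicing it into SQL text.
    if not isinstance(skype_user, str) or len(skype_user) > MAX_FIELD_LEN:
        raise ValueError("skype_user rejected: wrong type or too long")
    if not isinstance(image, bytes) or not image.startswith(IMAGE_MAGIC):
        raise ValueError("image rejected: no recognised image header")
    db.execute("INSERT INTO evidence (skype_user, image) VALUES (?, ?)", (skype_user, image))
    db.commit()

def ingest_result(ingest, db, skype_user, image):
    # Returns "ok", or the name of the exception the ingest path raised.
    try:
        ingest(db, skype_user, image)
        return "ok"
    except Exception as exc:
        return type(exc).__name__

def stored_users(db):
    return [row[0] for row in db.execute("SELECT skype_user FROM evidence ORDER BY id")]

if __name__ == "__main__":
    db = open_db()
    user = "AAAA' DROP ALL TABLES--"          # the post's example username
    png = IMAGE_MAGIC[0] + b"\x00" * 16       # constructed minimal PNG header
    print(ingest_result(ingest_unsafe, db, user, png))              # OperationalError
    print(ingest_result(ingest_safe, db, user, png))                # ok, stored verbatim
    print(ingest_result(ingest_safe, db, "x" * 10_000_000, png))    # ValueError
    print(ingest_result(ingest_safe, db, user, b"not an image"))    # ValueError
    print(stored_users(db))
```

The unsafe path loses the record entirely on the first input, which is exactly the kind of silent failure that makes "the evidence cannot be altered" impossible to certify.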
What we want
For us these ‘objects’ CANNOT be regulated.
Can the police realize they are using weapons they do not fully control?
For us there is a danger hidden in the secret actions of the government over citizens, and this danger is far more unsafe than any other threat. Full stop.
We want to know everything, not just the statistics on how many malware are sold or exported (as recently requested by Hermes from the Italian government): we want to know specifically how exactly these new surveillance techniques, like IMSI catchers or government malware, are used and how many of them are in use.
If someone wants to tell us, feel free to write us an email:
Underscore _TO* Hacklab // underscore <at> autistici.org
Key fingerprint = 5DAC 477D 5441 B7A1 5ACB F680 BBEB 4DD3 9AC6 CCA9