WIRED:A FORENSIC examination of Tibetan activists' computers shows a pattern of remotely controlled malware infection that strongly suggested Chinese government involvement.
The German government recently passed legislation that allows law enforcement to install keyboard trackers – software that can monitor every key press a user makes, including passwords and private e-mails – on German home computers with a court order.
The FBI recently revealed the details and features of its own “software bug”: a program it installs on suspects’ computers to permit the equivalent of wiretapping.
If governments are targeting specific users and installing their own brand of surveillance software, should we be worried? And did they learn this trick from criminals who are already targeting particular businesses?
Perhaps it was more worrying when we didn’t know anything. At least Germany now has laws on its books to control when law enforcement can conduct such surveillance, although it gives precious little guidance on how that information should be used.
Most states are very circumspect on the numbers, nature and technology involved in surveillance, with even the evidence drawn from surveillance generally kept out of the courts to protect the methods of the security agencies.
What’s always been the problem with these tools is when they’re misused, and when the little oversight that there is fails. Computer surveillance like this is peculiar because we already know the degree to which it can be misused – as law enforcement is specifically drawing from the capabilities and design of programs built for criminals.
The most sophisticated malware can intercept web and e-mail, take screen shots, scan for credit-card numbers and other valuable confidential information, and commandeer your computer for its own use, like sending spam to other victims.
Most well-known programs like this choose to attack millions of computers and therefore hit the headlines, like the recent Gumblar program. But companies have also reported specific, targeted malware infections.
Last year, a number of US chief executives reported receiving an e-mail that claimed to be a government court order. Clicking on the attachment installed a program that attempted to copy and transfer confidential information from the computer.
The malware that infected Tibetan dissidents was similarly targeted; it was the prevalence of the software on this small group’s machines that tipped investigators to the possibility that it was a Chinese government-led infection.
The traditional protection against such malware is anti-virus software. But programs like Clam Antivirus and Norton AntiVirus generally work by detecting the behaviour of known malware. If you’re only targeting a few users – or companies – it’s far easier to evade these standard defences.
What does still work against targeted malware is standard computer hygiene practices. You may rail at your company’s policies against attachments, or a locked-down firewall, but they do offer a defence against unknown assailants.
Another, just as powerful tool in the hands of end-users, is the transparency of software on a modern computer. You may not know all of the programs running on your Windows PC, but you, or an expert, can still discover exactly what they are.
In a modern computer, the user has all the power: you can shut down or start up whatever software you want. That’s why most software attacks are aimed at fooling an end-user into pressing the wrong button or running the wrong software. Without tricking the computer’s owner, there are few ways of wrestling control from him or her.
That ultimate power can be an issue when the user doesn’t know exactly what they’re doing (and that’s why many companies lock down their employees’ PCs).
But it also means that it’s very hard to hide a malicious piece of programming on a local computer. The program can run, but it can’t hide.
That’s good news if you’re fighting off criminal malware. But it also poses a security problem for those governments.
A wiretap on your phone is invisible to the person being surveilled. But computer malware is more like a physical bug, placed in your house. It’s a great monitoring system as long as it is never found.
I’m not that worried about governments putting bugs in computers, and as long as our anti-malware software keeps track, I don’t think you should feel that threatened by even targeted malware in your company.
But if anyone suggests that any part of your computer should be locked away from you or your IT department’s oversight, I’d get very worried indeed.
Ironically, the main people suggesting this right now are arguing for it as a favour to security. The idea is that you’d have a locked part of your computers’ hardware and software that could only run approved software.
You see a similar model in dedicated devices like the Apple iPhone: only a limited palette of programs with Apple’s signature on them will be accepted by the iPhone operating system.
On a PC, the idea would be that one part of the operating system would be locked from external interference – a “trusted execution” area. Software malware couldn’t run in that space, unless it was “trusted”, or approved, by the software manufacturers.
Unfortunately, in getting an area where random malware can’t run, you’ll lose your transparency. You won’t know what’s approved and running in that space, because you won’t be the person doing the trusting.
I’m not sure I trust anyone to judge what I should and should not be running on my computer. Not even the government.
