Nov 26, 2014

Sophisticated malware 'Regin': Western intelligence suspected source of spy tool

Regin malware warning by Symantec

Symantec recently reported on an advanced malware tool known as Regin (Backdoor.Regin) that has been showing up around the globe. A post that appeared on the company's blog on Sunday described Regin as "an advanced spying tool [that] displays a degree of technical competence rarely seen and has been used in spying operations against governments, infrastructure operators, businesses, researchers, and private individuals."

According to Symantec, capabilities include capturing screenshots, stealing passwords, taking control of the mouse’s point-and-click function, monitoring network traffic and gathering information on processes and memory use. It can also search for and retrieve deleted files.

This malware has been active since 2008, prompting at least one insider to ask why Symantec waited until now to make "a big deal about this." Part of the answer may lie in the tool's design, which Symantec says makes it "highly suitable for persistent, long-term surveillance operations" and correspondingly hard to notice, and in the fact that it was withdrawn in 2011 and resurfaced only from 2013 onward.

The Symantec report provides a few details on how the spy tool functions:

Symantec described the malware as having five stages, each "hidden and encrypted, with the exception of the first stage." Because "each individual stage provides little information on the complete package," it said, "only by acquiring all five stages is it possible to analyze and understand the threat." In practice, a single component recovered from a disk image tells an analyst very little on its own.

Regin also takes a modular approach that lets its operators load custom features tailored to individual targets, the same method used by other malware such as Flamer and Weevil (The Mask), the antivirus company said. Some of its features also resemble Duqu, uncovered in September 2011 and related to the Stuxnet worm discovered the previous year.

As you may recall, Stuxnet was used not so long ago to damage the centrifuges at Iran's uranium-enrichment facility in an effort to hamper the country's nuclear program. Unlike Stuxnet, which was built to cause physical damage, Regin is built for extensive data theft while masquerading as legitimate Microsoft software, and it is highly customizable to the requirements of each operation.

There is also the question of where Regin originated. It seems very likely that it was developed by Western intelligence, and a number of clues point in that direction. For example, none of the Regin attacks have been directed at US or Canadian targets, while the countries most heavily hit are of varying degrees of interest to American and allied intelligence: Pakistan, Saudi Arabia, Mexico, the Russian Federation and Iran.

The two countries most targeted are Russia (28%) and Saudi Arabia (24%). Ireland, with a surprising 9% share of the infection pie, seems at first glance a bit of an anomaly; however, as an article in ExtremeTech notes, "... many corporations have taken advantage of low corporate taxes there [Ireland] to shed global tax burdens and reduce exposure," which doubtless makes it a target for this type of operation.

[Charts from the Symantec report: Regin infections by target type and by country]

Other industry insiders seem pretty sure where the malware originated. A post on Common Dreams notes that Mikko Hypponen, chief research officer at F-Secure, told Forbes journalist Thomas Fox-Brewster that his firm does not believe Regin was made by Russia or China, "the usual suspects." According to Fox-Brewster, this leaves the U.S., U.K. or Israel as the "most likely candidates," an assessment that Symantec threat researcher Candid Wueest called "probable."

A post on The Intercept goes further and names the agencies its sources say were behind a number of European operations. The authors of "Secret malware in European Union attack linked to U.S. and British intelligence" leave no doubt about who was behind the sophisticated Regin attacks on European Union targets and a Belgian telecommunications company:

Regin was found on infected internal computer systems and email servers at Belgacom, a partly state-owned Belgian phone and internet provider, following reports last year that the company was targeted in a top-secret surveillance operation carried out by British spy agency Government Communications Headquarters, industry sources told The Intercept.

The malware, which steals data from infected systems and disguises itself as legitimate Microsoft software, has also been identified on the same European Union computer systems that were targeted for surveillance by the National Security Agency.

Read the full Intercept story - here.

Nov 23, 2014

Some Ukrainian films at Cottbus 24 festival convey 'a thoroughly dishonest presentation of conditions in the east'

Ukrainian films at Cottbus film festival

An article on the World Socialist Web Site (WSWS) entitled "Distortion and dishonesty: Ukrainian films at the Cottbus Film Festival" critiques some of the Ukrainian films that made it to the screen at this year's festival in Cottbus, a city 125 km southeast of Berlin, close to the border with Poland.

Before addressing the films he chose to critique, writer Stefan Steinberg takes the time at the beginning of the article to include an overview of conditions in Eastern Europe. He notes that while some of the films provide "insight, albeit limited, into the problems of the region" others convey a "thoroughly dishonest presentation of conditions in the east."

Steinberg's take on the situation in Eastern Europe addresses a reality that is rarely discussed in any depth in the mainstream media, in part because it is a reality that demonstrates the failure of the capitalist free market on a number of key levels.

Across Eastern Europe, the Balkans and the former Soviet Union, tens of millions face social ruin following 25 years of the restored capitalist free market. Unemployment is rampant and the social welfare systems that existed under the former Stalinist regimes have been smashed up. This process was already well advanced six years ago, but has accelerated since the financial crash of 2008. The result has been the rapid spread of poverty among young and old. The political structures across the region are dominated by corrupt elites drawn from the former Stalinist bureaucracies, combined with a layer of nouveau riche who have plundered state property and enriched themselves fantastically.

The rapid increase of social inequality across the region, a corresponding turn towards authoritarian forms of government and officially orchestrated campaigns of nationalism have been triggered and exacerbated by the policies of the European Union (EU), International Monetary Fund (IMF) and global banks, which demand unceasing rounds of austerity in order to fill the treasuries of the banks and the pockets of the super-rich.

Close to a year after the Washington-backed coup in Kiev - characterized by Western media as a people's "revolution" - the Ukrainian economy is in ruins. Ukraine faces the possibility of economic collapse. The value of the national currency has plummeted resulting in a drop in the real value of salaries. Investors have been bailing out as industrial output slows. The Yanukovych government was replaced by a power structure that includes yet more billionaire oligarchs - "chocolate king" Poroshenko chief among their number. Is this the type of change people were demonstrating for on the Maidan?

Given the hardship faced by millions of working people across Eastern Europe... an observer might reasonably assume that the most pressing focus should be on the deep seated problems plaguing the east. This is especially the case given current developments in the Donbas region that could spiral into a war capable of impacting not only the entire region, but the world. However in addition to films that present a distorted, one-sided view of recent events in Ukraine, the festival gave a high profile to identity politics. Steinberg notes that one of the event's central sections addressed what the program described as "homosexual life worlds." He says:

There can be no doubt that gays and lesbians face considerable discrimination in many eastern European countries where the church and nationalist, homophobic groups play a significant role in political life. But the prioritisation of gay rights in the current situation sends a definite signal. In particular, it creates a platform for parties such as the Greens and various pseudo-left organisations working together with selected NGOs to elevate identity politics above social issues.

In large part, the middle class forces leading campaigns for gay rights are indifferent to, or indeed hostile to, the economic and social needs of broad layers of the working population. That is certainly the case with the German Green Party, which has been very active in the advancement of a “gay and lesbian agenda” in Eastern Europe while advocating the EU- and IMF-dictated austerity programs for the very same countries.

The article includes critiques of some of the films featured at Cottbus 24. These include Once Upon a Time in Ukraine, directed by Igor Parfenov, which weaves real events on the Maidan into a fictional plot. Steinberg points to a "dishonest feature" of the film: the lack of any mention of the paramilitary role played by fascist and ultra-nationalist forces during the Maidan demonstrations, forces linked to Svoboda and Pravy Sektor.

Almanac #Babylon '13 - "Chronicle of Civil Protest" - was made by a consortium of 12 young filmmakers. In Steinberg's view it "... documents, in a one-sided fashion, the events on Maidan beginning in late November 2013."

Another film, The Candidate, directed by Jonáš Karásek, takes what the author describes as "a scathing look at the political system in Slovakia."

For more - link to the WSWS article in full here.

Nov 20, 2014

New free security tool Detekt scans for hard-to-find surveillance spyware: just launched by Amnesty, EFF

anti-malware Detekt released by Amnesty and EFF

Activists, journalists or just average concerned citizens who want to know whether their computers and mobile devices are the target of unwanted surveillance now have access to a badly needed resource. Security researcher Claudio Guarnieri is behind a free new tool named Detekt. It scans PCs and mobile devices for traces of surveillance spyware that everyday anti-malware programs are likely to miss.

According to Wired, Guarnieri works with The Honeynet Project and the Shadowserver Foundation developing open source tools.

Amnesty news describes what Detekt is and how it works:

Detekt is a free tool that scans your computer for traces of known surveillance spyware used by governments to target and monitor human rights defenders and journalists around the world. By alerting them to the fact that they are being spied on, they will have the opportunity to take precautions.

It was developed by security researchers and has been used to assist in Citizen Lab's investigations into government use of spyware against human rights defenders, journalists and activists as well as by security trainers to educate on the nature of targeted surveillance.

Amnesty International is partnering with Privacy International, Digitale Gesellschaft and the Electronic Frontier Foundation to release Detekt to the public for the first time.

The release of Detekt is certainly timely given the growth of the surveillance trade. As this Guardian article reports, the market for surveillance technologies has expanded massively over recent years. Surveillance software is being sold to governments and agencies that have no scruples about using it to spy on the PCs, email, text messages and phone calls of the people on their watch lists.

Wired UK quotes Marek Marczynski, head of security at Amnesty who had this to say about Detekt and the need for such a tool: "Governments are increasingly using dangerous and sophisticated technology that allows them to read activists and journalists' private emails and remotely turn on their computer's camera or microphone to secretly record their activities... Detekt is a simple tool that will alert activists to such intrusions so they can take action."

Detekt developer Claudio Guarnieri was part of the Citizen Lab team that tracked the FinFisher surveillance suite, which is sold to government and law enforcement agencies, and found its command-and-control servers in some 35 countries. More recently WikiLeaks released copies of the FinFisher software to help researchers develop countermeasures.

When it comes to comparisons between Detekt and commercial security software, Guarnieri is quoted in media reports saying: "Antivirus software is rigorously evaded every time this kind of spyware is released and used. We are using detection techniques that have proved to be successful up to this point, and the goal is to provide it to the public and have the quickest and largest adoption possible."

He went on to say: "I want to empower just about anyone, the ones that do not have resources to acquire noisy and intrusive security software and the ones that are perhaps even prevented from buying any due to economic embargoes... I'm not really interested in drawing a comparison with security vendors, they have a different audience and a different scope. I'm interested in empowering the people with a choice to opt out from surveillance. What companies are doing for profit does not interest me."

Amnesty International, Digitale Gesellschaft, Electronic Frontier Foundation (EFF) and Privacy International are working together to get Detekt out to their networks.

If you would like to download the software and give it a try, you can do so from the project's download page. When running Detekt, disconnect from the internet and run the program as administrator. Bear in mind that it looks only for traces of known spyware: a negative result does not prove a machine is clean, and a positive result is a reason to seek expert help rather than a diagnosis on its own.
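Detekt's own code is not shown on this page, but the approach it takes, matching known byte-string and regex indicators against the memory of running processes and flagging a process only when enough of them hit, can be shown in a short script. The following is an added example written for this post, not Detekt's code. The rule, the process names and the "memory" contents are constructed, and the indicators are hypothetical rather than real FinFisher or Regin signatures; the `read_linux_process_regions` helper reads a live process through /proc on Linux and is the only part that touches a real system.

```python
# Added illustration (not Detekt's own code): a minimal memory-signature scanner.
# Rules, process names and "memory" contents below are constructed for the example;
# the indicators are hypothetical, not real FinFisher or Regin signatures.
import re
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    strings: dict           # identifier -> bytes literal or compiled bytes regex
    required: int           # how many identifiers must hit (like YARA's "N of them")


def match_rule(rule: Rule, data: bytes) -> list:
    """Return the identifiers of matching strings, or [] if fewer than `required` hit."""
    hits = []
    for ident, pattern in rule.strings.items():
        found = pattern in data if isinstance(pattern, bytes) else pattern.search(data) is not None
        if found:
            hits.append(ident)
    return hits if len(hits) >= rule.required else []


def scan_regions(rules, regions) -> list:
    """regions: iterable of (pid, process_name, bytes). One finding per (process, rule) that fires."""
    findings = []
    for pid, pname, data in regions:
        for rule in rules:
            hits = match_rule(rule, data)
            if hits:
                findings.append({"pid": pid, "process": pname, "rule": rule.name, "strings": hits})
    return findings


def read_linux_process_regions(pid: int, max_bytes: int = 4 * 1024 * 1024) -> list:
    """Dump the readable mappings of a live process via /proc (Linux only; needs ptrace
    rights, i.e. root or the same user with ptrace_scope permitting it)."""
    with open(f"/proc/{pid}/comm") as f:
        pname = f.read().strip()
    regions = []
    with open(f"/proc/{pid}/maps") as maps, open(f"/proc/{pid}/mem", "rb", 0) as mem:
        for line in maps:
            fields = line.split()
            if "r" not in fields[1] or fields[-1] in ("[vvar]", "[vsyscall]"):
                continue
            start, end = (int(x, 16) for x in fields[0].split("-"))
            try:
                mem.seek(start)
                regions.append((pid, pname, mem.read(min(end - start, max_bytes))))
            except OSError:        # mapping not readable through /proc/pid/mem
                continue
    return regions


def demo_rules() -> list:
    # Hypothetical indicators; a real rule carries strings pulled from an analysed sample.
    return [Rule(
        name="Hypothetical_Spyware_A",
        strings={
            "$cfg":  b"\x00CFG\x01\x00\x00\x00rec_mic=1",                     # config blob layout
            "$path": re.compile(rb"\\AppData\\Local\\Temp\\[a-z]{6}\.dat"),  # drop-file naming
            "$cmd":  b"/getupdates?sid=",                                      # C2 URI fragment
        },
        required=2,   # one string alone (e.g. a benign updater sharing the URI) is not enough
    )]


def demo_regions() -> list:
    # Constructed "memory": an infected process, a benign one sharing one string, and a
    # modified variant whose strings changed, which the rule misses (the known-indicator caveat).
    infected = b"junk" * 8 + b"\x00CFG\x01\x00\x00\x00rec_mic=1" + b"C:\\Users\\bob\\AppData\\Local\\Temp\\qwerty.dat"
    benign = b"https://updates.example.invalid/getupdates?sid=42 " + b"\x00" * 32
    variant = b"\x00CFG\x02\x00\x00\x00rec_mic=1" + b"C:\\Users\\bob\\AppData\\Local\\Temp\\QWERTY.DAT"
    return [(4120, "svchost.exe", infected), (2044, "updater.exe", benign), (5133, "svchost.exe", variant)]


if __name__ == "__main__":
    for f in scan_regions(demo_rules(), demo_regions()):
        print(f"[!] pid {f['pid']} {f['process']}: {f['rule']} via {', '.join(f['strings'])}")
```

Run as is, the scanner reports only pid 4120: the benign updater trips a single string and stays below the threshold, and the variant with a changed header byte and a different file-name case matches nothing at all, which is exactly why Guarnieri stresses that a negative result is not a clean bill of health. On a Linux box, `scan_regions(demo_rules(), read_linux_process_regions(pid))` applies the same rules to a real process.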

Nov 17, 2014

Video of Syrian boy 'hero' under sniper fire exposed as fake: other Syria-related propaganda

Fake video stills of Syrian boy 'hero' rescuing young girl

In its coverage of a video that purported to show a Syrian boy braving sniper fire in the course of rescuing a young girl, the Daily Mail lauded the spectacle as an act of heroism. The accompanying article claimed the footage was believed to have been shot in Yabroud, a countryside town 50 miles from Damascus.

The Daily Telegraph also published the same story under the title: Watch: Syrian 'hero boy' appears to brave sniper fire to rescue terrified girl in dramatic video.

Both the Mail and Telegraph cited dubious claims while providing themselves an out along the lines of 'not verified as yet.' To hear them tell it you would have thought it was real breaking news.

The Mail noted that the video quickly got 500,000 views and was republished on YouTube by the Shaam News Network, "sham" being the operative word. The video was in fact an elaborate hoax put together by a Norwegian film crew on the holiday island of Malta.

The director, Lars Klevberg, admitted that "The little boy and girl are professional actors from Malta. The voices in the background are Syrian refugees living in Malta."  These extras can be heard yelling "Allahu Akbar"(God is Great) on the audio track, as they play act the part of excited onlookers watching a rescue drama unfold before their eyes.

Klevberg has attempted to justify the hoax by claiming that he was interested in highlighting the plight of children caught in a war zone. But in common with a lot of the other digital fabrications and outright lies coming from Syrian opposition sources, the underlying purpose is invariably to generate sympathy and/or outrage and with it the hope of increasing the odds of Western military intervention.

Stills beneath show Klevberg with the children and the filming of a scene:

[Stills: director Lars Klevberg with the child actors; the Syrian boy 'hero' in the hoax footage]

News of the fake video has made Klevberg a target of widespread criticism from a number of different quarters. Journalists and activists signed an open letter condemning the film as "reckless", "irresponsible" and "deceptive."

Here is a video that shows a scene being rehearsed followed by a clip of the fake rescue footage:

Klevberg isn't the first to spread false news about Syria and won't be the last.

Other proven hoaxes concocted by Syrian opposition supporters include the blog Gay Girl in Damascus. It was allegedly written by one Amina Abdallah Arraf al-Omari, a half-Syrian, half-American lesbian supposedly living in Damascus. "Amina" gave interviews to news organizations and received kudos from journalists and activists around the world. When she was eventually exposed as an invention, we discovered that the real person behind the blog was a 40-year-old American named Tom MacMaster who was studying at Edinburgh University.

Another act that drew international attention was so-called "Syrian Danny" - a British citizen who showed up regularly on CNN to talk with an impressionable Anderson Cooper. During one appearance, Danny is overheard saying "Well let the gunfire sound then," before asking someone off-camera "Did you tell him to get the gunfire ready?" Danny's tales were accompanied by appeals for military intervention by the US and even by Israel. Astute observers noted that the accounts of violence he claimed to have witnessed would change depending on which news network he was talking to.

Watch Danny faking it  - here.

Concerns about such storytelling go back a ways. In a 2012 Al Akhbar article entitled "Hollywood in Homs and Idlib?", Sharmine Narwani addressed false reports perpetuated by elements in the Syrian opposition. She says:

By December, it occurred to me that a big part of the problem was the external-based opposition and their disproportionately loud voices. If you were actually in the business of digging for “verified” information on Syria last year, you would have also quickly copped on to the fact that this wing of the Syrian opposition lies – and lies big.

This discovery coincided with a new report by US intelligence analyst Stratfor that claimed: “most of the opposition's more serious claims have turned out to be grossly exaggerated or simply untrue, thereby revealing more about the opposition's weaknesses than the level of instability inside the Syrian regime.”

Narwani winds up her article with this observation:

Today, reporting from inside Idlib, Al Jazeera's Anita McNaught described the bombing as "earth-shaking and relentless." Bombing caused by who?

“Hollywood” in Syria? Oh yes. Scene-setting the likes of which we have not yet seen outside of celluloid fiction. Delivering lines to a rapt audience that seems incapable of questioning the plot. Some of what transpires in Syria in the future will depend on this: Do people want to go behind the velvet curtain and see the strings – or are they content to be simply led by the entertainment.

Nov 14, 2014

Whistleblower Udo Ulfkotte exposes CIA hand in German media: 'German politicians are US puppets'

Udo Ulfkotte reveals CIA manipulation of journalists

"We’re talking about puppets on a string, journalists who write or say whatever their masters tell them to say or write. If you see how the mainstream media is reporting about the Ukraine conflict and if you know what's really going on, you get the picture. The masters in the background are pushing for war with Russia and western journalists are putting on their helmets."

- From an interview with German journalist Udo Ulfkotte.

A new book by Ulfkotte entitled Bought Journalists: How Politicians, Intelligence and High Finance Control Germany's Mass Media has taken the lid off the tactics used by the CIA and other pro-Washington interests to manipulate what journalists say in print. The extent of the corruption, because there really is no other word for it, is surprising, even shocking for anyone with a naive belief in the integrity of Western media. 

Ulfkotte is a former editor at one of the largest newspapers in Germany, the Frankfurter Allgemeine Zeitung. He was an adviser to the Kohl government between 1986 and 1998 and, according to his Wikipedia entry, publishes a magazine, Whistleblower, that reports on topics not covered in the German media. His revelations have caused a sensation in Germany, in part because it is rare for a journalist to strip off the mask and reveal insider truths that are damning, to say the least.

Ulfkotte claims that members of the German media are paid or otherwise induced by the CIA to spin news in a manner that is favorable to US interests. Over time he admits he himself got in so deep, he "... ended up publishing articles under my own name written by agents of the CIA and other intelligence services, especially the Bundesnachrichtendienst."

CIA manipulation of Western media has a long and sordid track record, as anyone familiar with the work of Carl Bernstein will be aware. What has changed over the years is the tactics employed by the agency, which now relies on "non-official cover": a journalist may be playing along with the CIA without being connected to it in any official capacity, leaving the agency free to deny any association. Ulfkotte goes into the meaning of the term in his interview.

In speaking of the rewards for compliance, Ulfkotte talks about gifts and incentives that went with playing the game:

I didn’t get money – I got gifts. Things like gold watches, diving equipment, and trips with accommodations in five-star hotels. I know many German journalists who at some point were able to take advantage of this to buy themselves a vacation home abroad. But much more important than the money and gifts is the fact that you’re offered support if you write pieces that are pro-American or pro-NATO. If you don’t do it, your career won’t go anywhere – you’ll find yourself assigned to sit in the office and sort through letters to the editor.

On a different yet related level Ulfkotte's revelations about CIA influence aren't altogether surprising. The American reach in Germany was highlighted by Edward Snowden when he made the claim that the NSA was "in bed" with German intelligence.

Ulfkotte is being punished for his book in ways that raise additional questions about the freedom of the press in Germany. During an interview he talked about some of the threats and resistance he ran into as a result of blowing the whistle:

When I told the Frankfurter Allgemeine that I would publish the book, their lawyers sent me a letter threatening with all legal consequences if I would publish any names or secrets – but I don’t mind. You see, I don’t have children to take care of. And you must know I was severely injured during the gas attack I witnessed in Iran in 1988. I'm the sole German survivor from a German poison gas attack. I’m still suffering from this. I’ve had three heart attacks. I don’t expect to live for more than a few years.

No German mainstream journalist is allowed to report about the book. Otherwise he or she will be sacked. So we have a bestseller now that no German journalist is allowed to write or talk about. More shocking: We have respected journalists who seem to have gone deep sea diving for a long time. It’s an interesting situation. I expected and hoped that they would sue me and bring me to court. But they have no idea what to do. The respected Frankfurter Allgemeine just announced they will fire 200 employees, because they’re losing subscribers very rapidly and in high numbers. But they don’t sue me. They know that I have evidence on everything.

I'm also posting a video of the Ulfkotte interview. For some reason the audience and/or interviewer's questions have been cut, perhaps to shorten the duration of the video and keep the focus on Ulfkotte.
