
West and East: Security for insecurity

There is no doubt that all Middle East and North African countries are using technologies designed or developed in Western countries. Information technology is a billion-dollar industry, and most Western companies are fighting to penetrate the Middle East as a new market for IT solutions, services, and industries. When it comes to ICT, we find a lot of problems in the Middle East, as usual. The problems vary according to what those countries are trying to do:

– Critical Infrastructure Security

– Cybercrime prevention

– Cyber terrorism investigation

– Freedom of speech (censorship)

– Activism (crackdown, interception, or eavesdropping)

– Pornography or illegal content (censorship or blocking)

One of the biggest problems is that they can’t (or don’t) distinguish between freedom of speech and illegal or inappropriate content!

MENA governments might legally buy software or a solution from a Western company to filter online pornographic content. But who will guarantee that those filters or solutions won’t be used to censor freedom of speech?

This is normal in the Middle East as most countries in the region are fighting their people.

Most western companies don’t care about this issue as long as they are making money!

ONI has documented the filtering situation in MENA and how it is affecting freedom of speech. It explained carefully how western technologies are used to censor the Middle East. But content filtering or censorship is not always the case.

National security is an additional bogeyman used by governments in the Middle East to breach security themselves. The State Security Agency in Egypt was an obvious example: the Egyptian government used a “Lawful Interception” tool to illegally intercept and hack into users’ computers!

A UAE telecom company installed spyware on BlackBerry devices in 2009, disguised as an update. It was certainly not an update! They wanted to spy on or crack down on activists. When RIM discovered the problem and started to fix it, governments in the Middle East vowed to ban BlackBerry services. They said that the upcoming ban on BlackBerry services would remain in effect until RIM became fully compliant with UAE regulatory requirements.

In the end, the UAE didn’t ban BlackBerry services, as RIM reached a special agreement with the UAE government. There is no explanation for this agreement. But we can understand that the UAE government can now access the data on RIM servers.

Those examples are common in most Arab countries and will not be easily justified. Governments should respect human rights, privacy, and freedom of speech. Drafting regulations is not the case as it might be a double-edged weapon in the Middle East.

Western countries need to understand that their image will be affected in our region as long as they are putting the right solutions into the wrong hands!

Egypt: The Insecurity of State Security

Following the 25th January revolution in Egypt, protesters called for dissolving the State Security Police (AKA Amn Dawla). It has a long history of torture, repression, invasion of privacy, and other bad things.

Since they saw no action from the government, activists decided to go in themselves. Eyewitnesses saw smoke and evidence of police officers burning secret documents. And that was the day!

“The Fall of the Capital of Hell”

I’m not going to talk about politics and other related issues. My concerns are about technical issues and how this place and its employees were doing everything illegal.

The police officers working in State Security were ordered to shred millions of secret documents to cover their crimes. Protesters were afraid that important documents had been destroyed, and they started to search for such documents inside SS buildings. Many documents were leaked and became popular on the Internet. Dedicated Facebook groups and a Twitter hashtag were even created.

Inside SS buildings, activists found smashed hard drives and millions of shredded and burned documents.

SS officers thought that burning and shredding documents, in addition to smashing electronic evidence such as hard drives, was the best way to hide their crimes. While I’m quite sure that most of the secret documents are kept safe in paper and digital archives somewhere, it is still possible to extract important evidence from crime scenes using advanced technology. Shredded papers can be restored using special tools; WikiLeaks even said on its Twitter account that it has the most up-to-date technologies to reconstruct shredded documents. Electronic devices and hard drives are the best digital evidence. Digital forensics experts are able to restore every bit on those hard drives.

The problem with corrupt countries and regimes is that they always think their people are not aware of anything. They think they have the most powerful tools and security options. They have the right to censor the Internet, intercept your phone calls, track your online activities, and even hack into your emails! I can simply say that it will not work and it will not solve any issue. SS tracked activists on Facebook, blogs, and Twitter, and they tried hard to hack into their emails, according to leaked documents. Was that the solution to prevent anything? Is this the security they promote?

Unfortunately, this is not only in Egypt. Most Arab countries have their own SS who are violating the privacy of everyone without a court order.

Egypt is one of the Middle Eastern countries that don’t have specific cyber laws. Nor is it a party to any international treaty such as the Council of Europe’s. Autocratic countries treat the Internet and communications as an information weapon, and they have the right to intercept communications anytime without any warrant!

The lack of regulations allowed the SS in Egypt to carry out crimes against privacy and freedom of speech. The crimes committed could also be classified as organized cybercrimes due to the involvement of national and international parties. Let’s investigate a few examples…

Telecom Companies:
Telecom companies are involved in wiretapping and geo-locating activists in Egypt in association with SS. Mobile phone providers in the Middle East normally promote privacy rights, but when working inside an autocratic country, they are governed by no law! Anything required by State Security is accepted, even if they want to send false statements, rumors, and harassment via SMS. The evidence from the Egypt uprising is well known. Police officers in SS can also hide their phone numbers and identities by contacting telecom companies. That makes it easy for them not only to protect their privacy but also to harass other people. The government also cut the Internet completely and ordered mobile networks to shut down their services to prevent activists from communicating. Mobile operators in Egypt sold many SIM cards without any registered data. Anyone, even a criminal, could buy a SIM card, do whatever he wants, and then throw it away or even sell it to others. How can they investigate a crime like this?

Internet Service Providers:
The Internet is an important and vital tool for activists. SS always tracks activists online and asks ISPs to provide their IPs and personal details. ISPs are also able to intercept Internet communications using sniffers and other tools to provide vital information to the government. The government also used special technology from NARUS that allows Internet surveillance. Internet surveillance is not allowed without a court order, but in Egypt everything is allowed!

SS recruited hackers:
In a leaked SS document I found evidence that they were able to hack into email accounts related to activists and other people. They used spyware, Trojans, JavaScript code, and other methods to steal account usernames and passwords. The document urged SS officers not to hack into emails using old and easily discovered methods until SS finds another way or recruits professional people to do it!
It looks like SS was not able to hack efficiently, as they got an offer from a local company to sell them one of the well-known Lawful Interception products developed by Gamma Group of Companies in Germany. The full documents and contract, dated between 2010 and 2011, stated that the company would send them a demo copy of their software for internal use, while the full license cost would be about 390.000 EURO.
Other leaked documents stated that they successfully hacked email accounts related to activists using the above software. This type of software is used for so-called “Lawful Interception” to hack into emails and Skype accounts. This action requires a court order in most countries, and the German company knows this for sure. How do they sell something like this to an autocratic regime with no interception law in place? In this case, the company should be considered involved in such a crime!

No laws specifically grant the government the power to censor the Internet or put anyone under surveillance. Egypt’s constitution upholds freedom of speech, and the 2003 Law on Telecommunications, as well as guaranteeing citizens’ right to privacy, also requires a judicial warrant for surveillance.

However, the Emergency Law, which has been in effect without interruption since 1981, gives security agencies broad authority to monitor and censor all communications!

Actually, it was FAKE SECURITY!

The Egyptian government needs to end this Emergency Law and address new regulations for cyberspace, lawful interception, cybercrime, and privacy rights.

Sources FYI:

– Governments uses JavaScript to steal your password (Tunisia)

– Interception of Communications

– Gamma FinFisher and F-Secure

– More information about FinFisher

– Police Spyware

– Digital DNA for Active Threat Detection

– Police Spyware (YES/NO)

– Government Spyware Detection and Antispyware

– Spybot

– Access Controlled

– Digital Privacy Report

– FBI Spyware Revealed

– Internet & Privacy Best Practice

Middle East Fragile Infrastructure!

In the past 2 years, cyber attacks and cyber crimes in the Middle East have revealed a fragile ICT infrastructure.

I have always mentioned in my research that Middle East and North African countries are becoming more reliant on ICT. But unfortunately there are many problems associated with implementing ICT without security in place. In addition to poor legislation and a low level of awareness, most IT companies, service providers, ISPs, and governments don’t take information security seriously.

It is normal to see lots of trouble related to cybercrime in our countries. The number of incidents has doubled each year, and businesses in the region have become vulnerable to all types of cyber attacks!

While governments don’t pay much attention to securing their ICT infrastructure, hackers are doing a better job of exploring and launching their attacks…

I’m afraid that they will start to realize the threat at the point of no return!

It’s never been easier to launch a sophisticated cyber attack using automated tools, but you can’t defend against these types of attacks using the same tactic… They need to invest more in information security and to better train their IT professionals. Young cyber-experts in the Middle East have started to explore the world of ethical hacking, and that reveals more threats, as they have realized that their countries’ infrastructure is too easy to hack!

It is shocking when business leaders in the region understand that they lose millions of dollars each year due to the increase in cyber attacks.

According to a top Interpol official, banks and financial institutions in the region face a lot of trouble due to a lack of basic security measures!

“There are lots of cyber attacks in other regions of the world such as the USA and Europe, and there is no need to spread this information about our weak infrastructure”, IT experts argue. They even claim that they have the most up-to-date technology to defend against cyber attacks, in addition to compliance with top standards such as ISO27001…

Other experts mentioned that we have one of the lowest levels of cyber threats in the world…  

Worldwide statistics might reveal that the Middle East is lower than the US, but that doesn’t mean we are safe!

It is important to understand that there’s a big difference between being a source and being a target for cybercrime!

When researching the situation in the Middle East and North Africa, we will not find a complete and specific treaty or legislation to deal with cyber crimes or cyber attacks!

Legislative frameworks, policies, expertise, awareness, and international cooperation are always the key to dealing with this new phenomenon. They make cybercriminals think twice before conducting any attack in countries with strong capabilities. They will not prevent the attack but will make it easy to handle the case and even pursue cybercriminals.

The situation is completely different in the Middle East, as it might be hard or even impossible in many cases to deal with cyber attacks from both technical and legal views. At large, we can see the Middle East as a big target for cybercriminals and malware infection, but it is also a source of other cybercrime activities. Security experts revealed that most Middle East countries are among the worst when it comes to botnets and zombies!

We can see lots of investment in implementing ICT and higher rates of ICT maturity in the region, especially in Gulf countries, but they are still far behind in developing technical and legislative capabilities.

Click on the links in the article and check below for more information:  

Cyber attacks double in GCC  

Bank e-security is low  

Increase in Cybercrime  

Cybercrime a threat for 50% of UAE users!  

57% of ME business face cyber attack  

I’m not expecting a better situation in 2011 either… Happy New Year!