In a previous post we wrote, “Little has been said about the more serious damage the S.E.A. (Syrian Electronic Army) and its compatriots in the Assad regime are doing online… Too bad the mainstream press chooses to ignore those more deadly aspects of the story.”

Recent S.E.A. hacks on the Associates Press, The Onion, The Guardian and the Financial Times are shout-outs for media attention. And they worked.

The NYT story makes a breakthrough connection tying the Assad regime with online intrusions and attacks done by the S.E.A. Instead of simply being a rogue hacking group of pro-regime supporters it now seems certain that the S.E.A. is working in cahoots with the regime, as many human rights and Internet activist assumed.

Just as compelling, for us, is how three of our principal characters are sources, on-the record, in the story. Dlshad Othman, Morgan Marquis-Boire and John Scott-Railton figure prominently in the article. We also filmed with reporter Nicole Perlroth in San Francisco as she worked on this piece. The elements for a dramatic, timely, character-driven sequence are in the can. We are excited about how this is going to play in the finished film.

There’s still more to be filmed as this subplot film plays out. So stay tuned.

By and large very little was reported about the source of the attack. And what the SEA regularly does besides posting fake tweets. Much of the news in the U.S. had to do either with how one fake tweet about an attack on the White House and the President impacted financial markets, or why Twitter needs to improve its security.

The markets recovered immediately. And Twitter, according to Wired, is rolling out two-step authentication to improve its security.

Little has been said about the more serious damage the SEA and its compatriots in the Assad regime are doing online. And their lethal consequences.

Our film concerns security online and threats from cyber-surveillance. In particular, how these collide in a very real way right now in the Syrian civil war. Sources have told us about the ways in which activists and members of the opposition are compromised by malware and surveillance software. Facebook and Skype have been used extensively by the SEA and others for this purpose. The consequences can be detention, torture and death.

We have this on-camera.

Too bad the mainstream press chooses to ignore those more deadly aspects of the story. But the film will address them, be sure of that. And threats from cyber-surveillance in other countries as well.

Mikko Hypponen of F-Secure, interviewed during RSA.

This story about a human rights activist inside Syria who was targeted by the regime will be central to our film. Mikko blogged about the investigation at the time.

Mikko helped fill in the blanks, a few of which we can spell out here. The rest will have to wait until the film is released. Probably near the end of the year.

The attacker used Xtreme RAT (remote access trojan) which like Poison Ivy, Ghost Rat, and Dark Comet takes over a computer without the user knowing — controlling it, seeing the screen, recording every keystroke, and accessing files. It can even turn on the microphone and webcam to record a user’s words and actions.

The hard drive shipped to Mikko and his colleagues which they analyzed for surveillance malware.

“Sounds sinister,” Mikko said. “But we don’t know if it is a private IP (Internet provider), if it’s run by the regime, or by companies — or who the end users are. But it looks like [the data] went back to the Syrian regime.”

In this case data was sent to an Internet provider (IP: 216.6.0.28) identified as belonging to the Syrian Telecom Establishment. We looked it up. It’s still reported active — in Damascus. Here.

In relation to increasing levels of Internet-based surveillance and espionage, Mikko told us lately he’s been browsing online recruitment pages of military contractors such as Lockheed Martin. “They’re hiring exploit writers for offensive cyber operations by the dozens. In Ft. Meade Maryland [home of the NSA]! It doesn’t get much more open than that.”

“If someone told me five years ago [offensive cyber operations] would be this active, I wouldn’t have believed it. We’re definitely in a cyber arms race now.”

“I feel deeply about this. I’ve worked with viruses since the ’90s. So much has changed. Governments come in using the same tools that were used by kids for fun. Now it’s deadly serious things.”

Our source had heard a rumor that the U.S. State Department uses Stonesoft to prevent WikiLeaks from being accessed by its employees. When asked, the Stonesoft representative readily admitted this was true. He did the coding! It does not block each and every WikiLeaks document, just the landing pages of WikiLeaks mirror sites. But still…

Down the way from Stonesoft was the booth of Blue Coat, the Silicon Valley-based company which got caught with its surveillance software in use by the Assad regime in Syria. Our friends at the Citizen Lab did a ground-breaking report about Blue Coat a few months ago, and that in turn generated a New York Times story about Blue Coat and cyber-surveillance in Syria.

The Wall Street Journal did its own investigation confirming Blue Coat’s devices were recording and/or blocking a huge amount of Internet traffic inside Syria, especially among opposition activists.

Blue Coat blamed its distributor in Dubai for re-selling to Syria, instead of Iraq, the intended buyer. Their representative said Blue Coat requires clients to declare the end user of their products abroad. However, as with arms sales, it’s easy to route goods through third parties or re-sellers.

The Blue Coat representative conceded its proxy servers can still be found inside Syria but their capabilities are turned off. We are looking into this now with the help of a malware researcher.

When asked if Blue Coat sells to repressive regimes such as Bahrain, the representative pointed to the official U.S. sanction list as being their litmus test. Those trade restrictions may be strict when it comes to North Korea and Cuba, but are less so for other countries. Enforcement is notoriously spotty. And those trade sanctions do not include Bahrain. Our friends at Bahrain Watch will be watching, we’re sure.

Narus, which builds and sells surveillance software, is a wholly owned subsidiary of Boeing, and is based in Sunnyvale, CA. Narus has long been the focus of privacy concerns. Especially since 2006 when it was revealed in Wired that the Narus STA 6400 installed in ATT’s Internet backbone operation in San Francisco was collecting and analyzing network and customer information in real time for the NSA.

Here’s what Narus is up to now, based on a source who spoke with a Narus representative on the floor of the trade show.

Narus software is capable of, “full packet capture… when we want to go after a specific target, based on a keyword, user ID or an IP address. We decide to target [this] person, we go in and create target, and we can target e-mail, Facebook…”

Narus products capture and retain data for later analysis. We were told, for example, “if six months from now Twitter goes off the edge of the earth, we can render stuff exactly as it happened. We can do the same with email, Facebook, IM, and a lot of chat.”

As for Tor, the program which protects activists and journalists worldwide by hiding their physical location and encrypting their online activities, people Narus talks to in the Middle East are “very interested” in trying to break that capability.

There’s more. Narus can do sentiment analysis on e-mail, and Facebook and Twitter posts to determine the “mood” of a particular post or user. This is useful to predict behavior, such as a nascent protest movement that might otherwise escape notice. Where is the next Arab Spring going to occur? “We have the metadata around the session, now we know who the players were and who they are related to.”

If you are in the U.S. working in the private sector you are at risk from Narus technology. Companies use Narus to monitor employee activities online to determine if they’re doing something on the network they shouldn’t be, or if they’re removing unauthorized data.

Amidst this carnival-like atmosphere we came across a few surprises, such as booths for the National Security Agency (NSA), Narus (a subsidiary of Boeing that makes surveillance software), and the Department of Homeland Security. That’s where we had fun running into Dark Tagent (Jeff Moss), founder of BlackHat, the annual Las Vegas information security gathering, who was also visiting the DHS booth.

Dark Tagent (aka Jeff Moss)

We learned a couple of interesting things at the NSA booth such as why they rely on commercial software vendors (more efficient) and how to apply for a job at the NSA’s new Bluffdale facility in Utah.

Shhh. Who might be listening?

At the Narus booth a representative said they’re still selling products to the Egyptian government. He also said a VPN (virtual private network) is not a protection against surveillance using Narus software. However, Narus admits it cannot break Tor, a popular system used by activists, journalists and law enforcement that provides anonymity online.

Narus surveillance software is still being sold to Egypt.

In the next post we visit Blue Coat and Stonesoft, two major players in online surveillance.

Alberto (L) and Eric Rabe (R) of Hacking Team.

Our breakfast club included Eric Rabe and Alberto of Hacking Team, Jacob Appelbaum of Tor, Kurt Opsahl of the Electronic Frontier Foundation, Claudio Guarnieri of the Honeynet Project, and Bloomberg reporter Michael Riley.

It was a surprise that Rabe and Alberto of HT would subject themselves to even more vociferous challenges by Appelbaum, Guarnieri and Opsahl. Made us wonder why they showed up. Is HT trying to burnish its image? Make overtures to the human rights community? Show the security industry its respectable?

The conversation continued where the panel left off: use of HT’s commercial surveillance tools by repressive regimes such as the UAE and Morocco, corporate responsibility for end-uses, the ethics of selling intrusion tools to questionable governments.

As Appelbaum said, “Everyone thinks they’re doing the right thing.”

“No one thinks they’re doing the wrong thing,” Jacob Appelbaum said.

To which Rabe replied, “Who’s going to be the decider… you, EFF?”

A discussion between Opsahl and Rabe actually seemed to start finding some common ground between HT’s and EFF’s positions — that HT would be open to some form of government regulation.

Eric Rabe, Hacking Team and Kurt Opsahl, EFF. Would new regulations help control cyber-surveillance software?

We’ll be watching to see if that discussion continues.

Jacob Appelbaum, a core member of the Tor circumvention project and a frequent target of US law enforcement agencies, demanded answers about HT’s activities. Joining Jacob in asking the hard questions was Kurt Opsahl, senior attorney at the Electronic Frontier Foundation, and Claudio Guarnieri of the Honeynet Project and Rapid7. Bloomberg reporter Michael Riley heroically steered the discussion. Filling out the group was Dale Beauchamp from the Department of Homeland Security, who was badgered by questioners about a host of domestic spying issues.

Unfortunately RSA would not let us film the event.

The panel.

Check out these articles just published about the panel. Funny how it has not yet been covered by any U.S. press.

Der Spiegel (German), Tech Week Europe

Mikko Hypponen, one of the characters in our film, and one of the world’s top security analysts, told us this session was the best part of the entire week-long RSA Conference.

Mikko tweets the panel.

Following the formal panel session we repaired to a nearby hotel for more fireworks, which we could film. The next blog post reveals what happened.