On December 9, 2016, the Center for Long-Term Cybersecurity presented a dissertation talk by Bill Marczak, a computer science Ph.D. candidate at UC Berkeley, a CLTC research grantee, and a senior research fellow at Citizen Lab.
Marczak, who was recently profiled in Vanity Fair, focuses his research on identifying and tracking nation-state information controls employed against dissidents, as well as government-exclusive “lawful intercept” malware tools such as FinFisher, Hacking Team’s RCS, and NSO Group’s Pegasus. His past work led to the identification of the Great Cannon, an attack tool employed by China that hijacked millions of users’ web browsers around the world to mount distributed denial-of-service (DDoS) attacks for censorship purposes, and to the discovery of the first remote iPhone zero-day jailbreak seen used in the wild, sold by the Israeli firm NSO Group to governments around the world to facilitate surveillance of mobile phones.
In this talk for CLTC, “Defending Dissidents from Targeted Digital Surveillance,” Marczak explains his past work and research, including his analysis of an extensive collection of suspicious files and links that targeted activists, opposition members, and non-governmental organizations in the Middle East over a period of several years. He presents examples of attack campaigns involving a variety of commercial “lawful intercept” and off-the-shelf tools, and explains the Internet-wide scanning techniques he used to map out the potential broader scope of such activity.
He also presents the results of his research study, which involved in-depth interviews with 30 potential targets of abusive surveillance in four countries. The results give insight into how potential targets perceive the risks associated with their online activity, and into their actual security posture. Based on his study results, Marczak proposes Himaya, a defensive approach he developed that readily integrates with targets’ existing workflows to provide near real-time scanning of a subject’s email messages, checking them for threats. He explains Himaya’s architecture and provides preliminary data from its beta deployment.
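To make the idea of near real-time email threat scanning concrete, the following is an added illustration written for this page; it is not Himaya’s code and does not reflect Himaya’s actual architecture, which the talk describes. It parses a single RFC 5322 message, pulls out every link and attachment, and matches them against a small indicator list. The indicator domain, the attachment bytes and hash, the “suspicious extension” list, and the sample message itself are all constructed for the example and are not real indicators.

```python
"""Illustrative email threat scanner (added example; not Himaya's code).

Parses one RFC 5322 message, extracts links and attachments, and checks
them against a small indicator list. All indicators and the sample
message are constructed for this example.
"""
import email
import hashlib
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Tuple
from urllib.parse import urlsplit
import re

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed attachment bytes (not a real file) and constructed indicators.
SAMPLE_ATTACHMENT = b"MZ\x90\x00constructed-sample-payload-for-example"
SUSPICIOUS_EXT = {".exe", ".scr", ".jar", ".vbs", ".js", ".hta"}  # assumption
INDICATORS: Dict[str, set] = {
    "domains": {"example-tracking.invalid"},  # hypothetical domain
    "sha256": {hashlib.sha256(SAMPLE_ATTACHMENT).hexdigest()},
}


def extract_urls(msg: EmailMessage) -> List[str]:
    """Collect every http(s) URL from the text parts of the message."""
    urls: List[str] = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        urls.extend(URL_RE.findall(part.get_content()))
    return urls


def extract_attachments(msg: EmailMessage) -> List[Tuple[str, bytes]]:
    """Return (filename, decoded bytes) for each attachment part."""
    return [
        (part.get_filename() or "<unnamed>", part.get_payload(decode=True))
        for part in msg.iter_attachments()
    ]


def scan_message(raw: bytes, indicators: Dict[str, set]) -> List[dict]:
    """Match links and attachments against the indicator list."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[dict] = []
    for url in extract_urls(msg):
        host = (urlsplit(url).hostname or "").lower()
        if host in indicators["domains"]:
            findings.append({"type": "url", "value": url, "host": host})
    for name, data in extract_attachments(msg):
        digest = hashlib.sha256(data).hexdigest()
        if digest in indicators["sha256"]:
            findings.append({"type": "attachment_hash", "value": name,
                             "sha256": digest})
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in SUSPICIOUS_EXT:
            findings.append({"type": "attachment_ext", "value": name,
                             "ext": ext})
    return findings


def build_sample_message(malicious: bool = True) -> bytes:
    """Construct a sample message (hypothetical addresses and content)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "target@example.invalid"
    msg["Subject"] = "Urgent: document for review"
    if malicious:
        msg.set_content(
            "Please review the file at "
            "http://example-tracking.invalid/doc/view?id=1\n")
        msg.add_attachment(SAMPLE_ATTACHMENT, maintype="application",
                           subtype="octet-stream", filename="report.scr")
    else:
        msg.set_content("See http://example.invalid/ for the agenda.\n")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message(), INDICATORS):
        print(finding)
```

In a live deployment the same `scan_message` function would be fed each new message as it arrives (for example from an IMAP IDLE loop), and the indicator sets would be refreshed from a curated feed rather than hard-coded; both of those pieces are left out here so the example runs offline.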