NEWS FROM THE LAB - Tuesday, March 8, 2011

Egypt, FinFisher Intrusion Tools and Ethics Posted by Mikko @ 09:17 GMT

There's unrest in Egypt, Tunisia, Libya, Bahrain and elsewhere in the Arab world.

Two days ago, protesters in Nasr, Egypt took over the Headquarters of the Egyptian State Security.

Inside the HQ, the protesters gained access to loads of confidential state documents.
Among them was a document that is highly relevant to computer security: an offer for a product called FinFisher sent to the Egypt State Security Investigation Department.
Note: we can't confirm the origin of this document. We got it from Mostafa Hussein. You can download the full document from here. [PDF, 1.3MB]

FinFisher seems to be an Intrusion and Spying software framework, developed and sold by a German company. It seems to include multiple components, including an "infection proxy" and various intrusion tools.

We don't know if Egypt State Security purchased the tool or not. We don't know if they were using it to spy on their own citizens. We don't know who else could be using it.

The obvious question here is: do we detect FinFisher? And the answer is: we don't know, as we don't have a sample at hand that we could use to confirm this.

The obvious follow-up question is: if somebody gets us a known copy of FinFisher, would we knowingly add detection for it? And the answer is: yes we would.

We are in the business of selling protection. We're selling products to protect our customers from attack programs — regardless of the source of such programs.

It's easy to imagine a case where our customer would be innocent of any wrongdoing, but would be suspected of a crime he didn't commit. In such a situation he would have full expectation of his antivirus protecting him against trojans, even if those trojans were coming from the government. This would be even more relevant if the customer lives in a totalitarian state. Like some of our customers do.

It's perfectly possible that we have already received a sample of FinFisher or some similar tools from our customers. However, if that has happened we have been unable to distinguish them from "normal" criminal trojans. We don't have any known government intrusion tools in our possession.

We've never received a request from any police force or intelligence organization anywhere in the world, asking not to detect their trojans. If they use trojans, they do not submit them to us.

And even if an official contacted us, asking us not to detect their trojan, we would follow our guideline on this, published years ago in 2001. Please see our public statement on this very topic.

It would be a slippery slope to stop detecting government trojans. If the USA's government asked us not to detect something and we complied, then what? Should we avoid detecting hacking software used by governments… of which country? Germany? UK? Israel? Egypt? Iran?