On Sunday WikiLeaks retweeted decrypted data leaked by hacker group ShadowBrokers, which revealed that the American National Security Agency (NSA) had penetrated Pakistan’s mobile phone networks. The ShadowBrokers’ data revealed that spy tools were used by NSA to intercept communications and their targets, around the world.
Alarm bells started ringing in Pakistan when this news broke, with the WikiLeaks retweet adding weight to the assertions. Then a researcher going by the Twitter pseudonym “x0rz” tweeted that Mobilink’s GSM network has been compromised by the NSA. Mobilink’s Chief Technical Officer, Khalid Shehzad, has, however, rejected the claims. “Subscriber privacy is our top priority,” he told Dawn newspaper. “We have a state-of-the-art security mechanism in place to ensure data protection and are constantly testing and upgrading it.”
One of the spy tools that were used by the NSA, according to ShadowBrokers, is malware SECONDDATE. It was first mentioned in 2013 in a report published by former NSA contractor Edward Snowden, in collaboration with The Intercept. They revealed then that the NSA has been spying on civil-military leadership in Pakistan. SECONDDATE is a tool that redirects browsers to an NSA web server, by intercepting target device web requests. The 2013 report said it was used to target Pakistan’s National Telecommunications Corporation’s VIP Division.
“In simple words, the NSA has its secret servers on the web that react faster than almost any other website,” says Majid Ali, a Pakistani Android tracking software developer formerly associated with the US-based Mobistealth. “SECONDDATE helps execute the classic ‘man-in-the-middle’ attacks on both an individual device or for bulk targets. It is this speed difference in reacting to online commands that allows these servers, posing as the website, to breach the target’s security in time before the actual website responds.”
He adds that only NSA has the capacity to launch such attacks around the globe. “For they require servers strong enough to give the hackers’ time to pull the cyber-heist off before the legitimate website can react.” The NSA also used SECONDDATE to target Lebanon, by infecting an ISP to extract over 100MB of Hizbollah Unit 1800 data.
ShadowBrokers is now auctioning SECONDDATE along with other NSA-built ‘cyber weapons’. This is the first time NSA software would be made available for usage outside the security agency.
Majid says that while SECONDDATE is a robust tool aimed at penetrating defences if you don’t have the right security in place, the hacking becomes much easier. “I wouldn’t be surprised if our authorities don’t have the requisite security and their devices might be vulnerable to spam that exploits bugs in your Gmail account. Some might even be enticed to click-baits on malicious links.”
A senior official who works with a sensitive agency rubbished the claims, saying that the digital security of the Pakistani authorities was at par with global standards. “I would be surprised if the reports of Pakistani mobile networks being hacked hold any truth, but the claims that our leaders’ digital security has been breached is downright absurd,” he said. Meanwhile, an FIA official confirmed that no complaints have been received over security breaches of the mobile networks.
These revelations have brought back into focus Pakistan’s ability to handle such cybercrimes, not just internally but internationally. Section 1(4) of the Prevention of Electronic Crimes Act states that the cybercrime law shall “also apply to any act committed outside Pakistan by any person if the act constitutes an offence under this Act and affects a person, property, information system or data located in Pakistan.” And Section 42 (4) of the Act on “International Cooperation”, permits the Government of Pakistan to “send and answer requests [through the designated agency] for mutual assistance the execution of such requests or their transmission to the authorities competent for their execution.”
But since different regions have varying levels of legislative recognition of cybercrime, finding international consensus on hacking, for instance, can be difficult, warns Digital Rights Foundation Founder Nighat Dad. “The 2001 Convention on Cybercrime, for instance, has not received sufficient ratification,” she says. “There are, at present, no international laws that directly deal with the possibility of intelligence agencies hacking other country networks.”
Given international trends and concerns of China and Russia being suspected of hacking US and European networks, however, this may change, Nighat Dad believes. She says Pakistan makes it compulsory for the telecom companies to beef up their privacy policies. “Even though these companies – nearly all of whom are owned by foreign companies and in some instances by foreign governments – have stated that they take privacy and data protection seriously, the absence of stringent data protection legislation in Pakistan does make it compulsory for them to keep their privacy policies up to date.”
She says companies the likes of Mobilink should not just plug in the gaps in their security, but also examine their software and hardware setups, to ensure that there is no malignant malware. “They should also implement stronger encryption and best practices regarding intra-company and customer data sharing, and send out immediate alerts to customers in the event of a breach.”
Alarm bells started ringing in Pakistan when this news broke, with the WikiLeaks retweet adding weight to the assertions. Then a researcher going by the Twitter pseudonym “x0rz” tweeted that Mobilink’s GSM network has been compromised by the NSA. Mobilink’s Chief Technical Officer, Khalid Shehzad, has, however, rejected the claims. “Subscriber privacy is our top priority,” he told Dawn newspaper. “We have a state-of-the-art security mechanism in place to ensure data protection and are constantly testing and upgrading it.”
One of the spy tools that were used by the NSA, according to ShadowBrokers, is malware SECONDDATE. It was first mentioned in 2013 in a report published by former NSA contractor Edward Snowden, in collaboration with The Intercept. They revealed then that the NSA has been spying on civil-military leadership in Pakistan. SECONDDATE is a tool that redirects browsers to an NSA web server, by intercepting target device web requests. The 2013 report said it was used to target Pakistan’s National Telecommunications Corporation’s VIP Division.
"There are, at present, no international laws that directly deal with the possibility of intelligence agencies hacking other country networks," says Nighat Dad
“In simple words, the NSA has its secret servers on the web that react faster than almost any other website,” says Majid Ali, a Pakistani Android tracking software developer formerly associated with the US-based Mobistealth. “SECONDDATE helps execute the classic ‘man-in-the-middle’ attacks on both an individual device or for bulk targets. It is this speed difference in reacting to online commands that allows these servers, posing as the website, to breach the target’s security in time before the actual website responds.”
He adds that only NSA has the capacity to launch such attacks around the globe. “For they require servers strong enough to give the hackers’ time to pull the cyber-heist off before the legitimate website can react.” The NSA also used SECONDDATE to target Lebanon, by infecting an ISP to extract over 100MB of Hizbollah Unit 1800 data.
ShadowBrokers is now auctioning SECONDDATE along with other NSA-built ‘cyber weapons’. This is the first time NSA software would be made available for usage outside the security agency.
Majid says that while SECONDDATE is a robust tool aimed at penetrating defences if you don’t have the right security in place, the hacking becomes much easier. “I wouldn’t be surprised if our authorities don’t have the requisite security and their devices might be vulnerable to spam that exploits bugs in your Gmail account. Some might even be enticed to click-baits on malicious links.”
A senior official who works with a sensitive agency rubbished the claims, saying that the digital security of the Pakistani authorities was at par with global standards. “I would be surprised if the reports of Pakistani mobile networks being hacked hold any truth, but the claims that our leaders’ digital security has been breached is downright absurd,” he said. Meanwhile, an FIA official confirmed that no complaints have been received over security breaches of the mobile networks.
These revelations have brought back into focus Pakistan’s ability to handle such cybercrimes, not just internally but internationally. Section 1(4) of the Prevention of Electronic Crimes Act states that the cybercrime law shall “also apply to any act committed outside Pakistan by any person if the act constitutes an offence under this Act and affects a person, property, information system or data located in Pakistan.” And Section 42 (4) of the Act on “International Cooperation”, permits the Government of Pakistan to “send and answer requests [through the designated agency] for mutual assistance the execution of such requests or their transmission to the authorities competent for their execution.”
But since different regions have varying levels of legislative recognition of cybercrime, finding international consensus on hacking, for instance, can be difficult, warns Digital Rights Foundation Founder Nighat Dad. “The 2001 Convention on Cybercrime, for instance, has not received sufficient ratification,” she says. “There are, at present, no international laws that directly deal with the possibility of intelligence agencies hacking other country networks.”
Given international trends and concerns of China and Russia being suspected of hacking US and European networks, however, this may change, Nighat Dad believes. She says Pakistan makes it compulsory for the telecom companies to beef up their privacy policies. “Even though these companies – nearly all of whom are owned by foreign companies and in some instances by foreign governments – have stated that they take privacy and data protection seriously, the absence of stringent data protection legislation in Pakistan does make it compulsory for them to keep their privacy policies up to date.”
She says companies the likes of Mobilink should not just plug in the gaps in their security, but also examine their software and hardware setups, to ensure that there is no malignant malware. “They should also implement stronger encryption and best practices regarding intra-company and customer data sharing, and send out immediate alerts to customers in the event of a breach.”