Exploiting the South Pacific’s Secrets, Security and Trade – Accept the Attacks or Deflect and Defea
This is an open letter to the Prime Ministers, Leaders, Business Owners and Citizens of the South Pacific. The countries and territories of the South Pacific can find relief and hope in being able to access solutions to protect their governments’, businesses’ and citizens’ information from interception and theft.
Where perhaps governments, businesses and citizens felt over the years it was not possible to access these solutions, this is no longer the case. Solutions are not only available, but also economically feasible.
Deploying these solutions helps the countries and territories, businesses and citizens of the South Pacific region create significantly better deals for themselves by making it very difficult for the regional power jostlers and others to steal private, sensitive and secret information.
Jostling for strategic influence and power in the South Pacific continues between Aotearoa, Australia, China, Russia, Taiwan and USA. Soft and cheque-book diplomacy has been and will continue to be used in the region.
Unfortunately, communications interception and other forms of spying have also been used in the region[i]. Solomon Islands, for example, was allegedly spied on by a friendly nation using mobile phone call eavesdropping equipment from its high commission premises in Honiara[ii].
The jostlers aren’t immune from being spied on either. For example, Aotearoa had some government delegates’ mobile and laptop devices containing sensitive information compromised while attending a trade conference in a foreign country[iii]:
“..During their absence, foreign intelligence officers access their hotel room and install malware on their devices that will automatically log all activity conducted on the devices, even once Chris and Taylor have returned to New Zealand.
Additionally, the officers clone the hard drive of the laptops and recover not only deleted protectively marked documents, but also intellectual property and sensitive information pertaining to trade negotiations...”
With the economic and security uncertainty, and ultimately the change that a Trump presidency brings to the world stage, a withdrawal by the Trump administration from President Obama’s Asia-Pacific strategic pivot may incubate even more jostling between the countries that are determined to remain visible and influential in the region. Over the long term we shouldn’t expect these countries to go away or their activities to decline.
Non-nation state criminal actors have opened up another front of pressure on South Pacific countries; some spying and cyber-attack technologies have become relatively inexpensive to buy and deploy. Open source code and research articles regarding spying and cyber-attack technologies are freely available online and some nefarious spying and attack services are also offered on the dark web for a fee.[iv]
So perhaps for the South Pacific’s nations there’s even more to be concerned about with criminals, on top of other nation states and adversaries spying on their citizens, businesses and government agencies. Consider for example the following taken from “Corruption in Paradise: International crime groups target vulnerable Pacific countries”[v]:
"Trans-national crime groups are very savvy," Jeremy Douglas, of the United Nations Office on Drugs and Crime (UNODC) told Stuff.”
“Law enforcement sources say crime groups are increasingly preying on vulnerable Pacific Island countries to traffic drugs to lucrative markets like New Zealand and Australia.”
“The problem is only worsened by the arrival of Australian and New Zealand bikie gangs, ..., and deportees building new crime networks using their old contacts.”
“Ruthless Mexican cartels are also understood to be eyeing up Pacific Islands as a gateway to Australia and New Zealand.”
Can Anything Be Done?
The risk surface for a South Pacific nation’s information security is enormous, sitting across physical, information and communications technology and human dimensions. Making sense of where to place finite economic and skills resources is challenging.
On the face of it, South Pacific countries may see themselves as being at an economic disadvantage relative to those jostling for influence, unable to afford the means to identify and address information security and spying risks sufficiently or at all. But Fiji, Solomon Islands, Vanuatu, Samoa, Tonga, Nauru, Kiribati, New Caledonia, French Polynesia and other countries and territories in the region do in fact have economically feasible options to push back with.
An added advantage is that some of the commercial and open source technologies available:
Have been developed in countries with little or no direct vested economic, military or geopolitical interests in the South Pacific (such as Germany and Switzerland); and
Are transparent, such that the technologies are available for independent validation on request (i.e., for cryptography integrity checking and assurance that no backdoors exist in the software), or freely available as open source code.
Reasons to Act
Setting aside financial and skills constraints for a moment, South Pacific nations’ government and private sectors have a number of very good reasons to mitigate risks of information security breaches by criminals, nation states and other adversaries across these areas (not an exhaustive list):
Protecting economic, national security and intellectual property interests, by protecting secrets, strategies and tactics from being known and exploited in:
Government Cabinet matters and meetings.
East Timor had its Cabinet offices bugged by its neighbour during negotiations for a petroleum and gas treaty in 2004; the neighbour used the information it had stolen to its advantage in the negotiations. Later, the lawyer representing East Timor had his offices raided, under authorisation of the attorney-general of the neighbouring country, to seize material and privileged information belonging to East Timor and the lawyer.[vi] East Timor regarded the actions of its neighbour as an egregious breach of sovereignty and an act of espionage.
Bilateral and multi-lateral negotiations.
"There is not an equal battle between the little countries and the big countries because the big countries know what the little countries are saying. They know what their public servants are talking about they know what their advisers are saying they know what the Prime Minister says on the phone if they want to know it. And so it's meaning that the inequalities between countries is made even greater." [vii]
Security and military agreements.
Trade and diplomatic missions.
Protecting business, community and government recovery and continuity, by making sure the risks of plans and processes being disrupted or destroyed by cyber-attack are mitigated in:
Civil defence preparation and emergency responses.
Critical infrastructure integrity across telecommunications, fuel, water, energy, transport and hospital services and systems.
Protecting justice from being obstructed, manipulated, intercepted or interfered with via cyber-attack in:
Matters before courts and tribunals.
Matters (and people) under police investigation.
Protecting the creation and preservation of valuable tangible and intangible assets and resources from theft via cyber-attack in:
Artistic intellectual property in music, film and writing and other arts.
General academic, medical and other scientific research and development.
Where to Act?
So back to the point about where to place finite resources. Perhaps the place to start is in protecting communication. Communication helps everyone understand what everyone else wants and needs. Whether on the international stage or at grass roots, protecting the security and integrity of that communication means protecting the security and integrity and privacy of the subject matter being discussed and the individuals involved in the discussion. Whether in private interpersonal relationships, in trade negotiations or in diplomacy, communication is necessary.
So how might South Pacific governments and the private sector take steps to audit and protect their communication? Some options (not exhaustive) for consideration are listed below:
Use free open source apps and/or commercial apps for end-to-end encryption across mobile and desktop platforms.
Use baseband firewalls in mobile devices (to detect attacks performed against mobile devices’ baseband processors by over the air and over the cellular network exploits).
Use firewalls in critical cellular communications networks (to mitigate targeted and bulk cellular network exploits).
Data at rest should be encrypted (with strong cryptography) on and across any mobile, tablet and other computing devices, to mitigate risks of information theft through cloning and decryption of the storage media; if the information is stolen but encrypted, it’s difficult or impossible to access depending on the strength and type of cryptography used.[viii] Storage media includes peripheral storage, such as storage cards and other solid state drives, hard drives and so on.
Delete information properly and securely from storage media.[ix]
Use Bluetooth with extreme caution, or preferably not at all. Effective Bluetooth hacks have been available for many years to enable attacks against devices.[x]
Use WIFI with caution and only when needed (i.e., switch off WIFI on mobile and other portable devices); WIFI enabled on devices can be used to attack those devices.[xi]
Once located, perform counter-surveillance, and/or confiscate or destroy the systems or apply some other form of penalty on the perpetrators.
The surveillance and interception systems may be (for example):
Audio and video recording devices placed in, on and around the target and its physical environment; and
Over the air communications interception devices, such as those targeting mobile devices using cellular network connectivity, WIFI connectivity or Bluetooth.
Feasible, credible and useful technological solutions are available to South Pacific countries and territories, and the businesses and citizens of the region. The technologies enable them to reclaim or assert balance and perhaps some competitive or strategic advantages for themselves in their international and trading relationships at home and abroad. The technologies make it far more difficult for others to steal information from the South Pacific.
ARC Solutions is happy to help the South Pacific – but why trust us, especially since we’re based in Australia and led by a New Zealander? The differences with us are we’re independent of governments and we’re from the South Pacific. Our founder’s and ARC Solutions’s care for the region and its security is not cast in empty words made by outsider-fly-by-night folks and their companies – but is a real whakapapa-based connection to the people, land and ocean of our region.
Our motivation to help is to make sure everyone in the South Pacific knows about and has the opportunities to become more secure with their information than they have been before.
Want help? Need help?
Contact us at ARC Solutions anytime. We can help you with acquiring, deploying and using the solutions listed above.
Unencrypted open email: email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org
Encrypted email: send us an email from a Tutanota account to email@example.com; the email will be end-to-end encrypted.
Cryptophone encrypted call: From your own Cryptophones, reach us on our ARC Solutions Cryptophone numbers below:
ARC Solutions CP500i mobile: +807 315 98166
ARC Solutions IP 19 desk phone: +807 784 34664
04/05/2018 CP500i Cryptophone number updated.
[i] NZ spying on Pacific 'growing', Radio NZ, 5 March 2015, http://www.radionz.co.nz/news/political/267788/nz-spying-on-pacific-%27growing%27
New Zealand spying on Pacific Island nations and Indonesia, Snowden documents reveal, ABC, 5 March 2015, http://www.abc.net.au/news/2015-03-05/new-zealand-accused-of-spying-on-pacific-neighbours/6283052
New Zealand spying on Pacific allies for 'Five Eyes' and NSA, Snowden files show, The Guardian, 5 March 2015, https://www.theguardian.com/us-news/2015/mar/05/new-zealand-spying-on-pacific-allies-for-five-eyes-and-nsa-snowden-files-show
Snowden revelations / The price of the Five Eyes club: Mass spying on friendly nations, NZ Herald, 5 March 2015, http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11411759
Russian Spy Ship Now Off Hawaii, U.S. Navy Protecting ‘Critical Information’, USNI News, 6 July 2016, https://news.usni.org/2016/07/06/russian-spy-ship-now-off-hawaii-u-s-navy-protecting-critical-information
NZ Spying In the Pacific: Bad Tactics Support Worse Strategy, The Tonga Herald, 7 March 2015, http://tongaherald.com/nz-secret-spying-will-escalate-distrust-hinder-transparency-in-the-region/
Barbara Dreaver: Pacific spying exposé fails to deliver, TVNZ, 5 March 2015, https://www.tvnz.co.nz/one-news/new-zealand/barbara-dreaver-pacific-spying-expos-fails-to-deliver-6248180
New Zealand Used NSA System To Target Officials, Anti-Corruption Campaigner, The Intercept, 15 March 2015, https://theintercept.com/2015/03/14/new-zealand-xkeyscore-solomon-islands-nsa-targets/
New Zealand Spies On Neighbors In Secret “Five Eyes” Global Surveillance, The Intercept, 5 March 2015, https://theintercept.com/2015/03/04/new-zealand-gcsb-surveillance-waihopai-xkeyscore/
UK Foreign Secretary Philip Hammond says it's time to 'move on' from Snowden, NZ Herald, 11 March 2015, http://www.nzherald.co.nz/new-zealand-and-the-snowden-files/news/article.cfm?c_id=1503794&objectid=11415169
Snowden revelations: NZ's spy reach stretches across globe, NZ Herald, 11 March 2015, http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11415172
[ii] GCSB had Solomons post, papers show, NZ Herald, 16 March 2015, http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11417762
Revealed: The names NZ targeted using NSA's XKeyscore system, NZ Herald, 15 March 2015, http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11417386
GCSB spied on inner circle of former Solomon Islands PM and anti-corruption campaigner, 15 March 2015, http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11417445
[iii] Risks of taking electronic media overseas and not reporting the carrying of protectively marked information: an INFOSEC, PERSEC and PHYSEC case study, Protective Security, https://protectivesecurity.govt.nz/home/case-studies/show/risks-of-taking-electronic-media-overseas-and-not-reporting-the-carrying-of-protectively-marked-info
Government phones hacked in hotel-room break-in, NZ Herald, 15 October 2016, http://www.nzherald.co.nz/it-security/news/article.cfm?c_id=239&objectid=11729041
[iv] Commodity ‘Exaspy’ Spyware Found Targeting High-Level Execs, Kaspersky Threat Post, 4 November 2016, https://threatpost.com/commodity-exaspy-spyware-found-targeting-high-level-execs/121809/
Emergency iOS Update Patches Zero Days Used By Government Spyware, Kaspersky Threat Post, 25 August 2016, https://threatpost.com/emergency-ios-update-patches-zero-days-used-by-government-spyware/120158/
[v] Corruption in Paradise: International crime groups target vulnerable Pacific countries, Stuff, 7 November 2016, http://www.stuff.co.nz/world/south-pacific/85785437/corruption-in-paradise-international-crime-groups-target-vulnerable-pacific-countries
[vi] George Brandis hands over to East Timor docs seized by ASIO, The Sydney Morning Herald, 3 May 2015, http://www.smh.com.au/world/george-brandis-hands-over-to-east-timor-docs-seized-by-asio-20150503-1myyps.html
ASIO raided office of lawyer representing East Timor in spying case, ABC, 4 December 2013, http://www.abc.net.au/news/2013-12-03/asio-raided-lawyer-representing-east-timor-in-spying-case/5132486
East Timor accuses Australia of spying for commercial gain during Timor sea negotiations, ABC, 3 December 2013, http://www.abc.net.au/news/2013-11-27/east-timor-says-australia-spied-for-commercial-gain/5120738
[vii] NZ's Pacific spying creates unfair advantage in regional talks, Radio NZ, 5 March 2015, http://www.radionz.co.nz/international/pacific-news/267847/nz%27s-pacific-spying-creates-unfair-advantage-in-regional-talks
[viii] VeraCrypt: VeraCrypt is a free disk encryption software brought to you by IDRIX and this is based on TrueCrypt 7.1a, VeraCrypt, https://veracrypt.codeplex.com/
How to: Encrypt your windows device, Electronic Frontier Foundation Surveillance Self-Defense, https://ssd.eff.org/en/module/how-encrypt-your-windows-device
[ix] BleachBit: Clean your system and free disk space, BleachBit, https://www.bleachbit.org/
[x] A Review of Bluetooth Attacks and How to Secure Mobile Workforce Devices - Keep your people safe against Bluetooth hackers, Webroot, https://www.webroot.com/us/en/business/resources/articles/corporate-security/a-review-of-bluetooth-attacks-and-how-to-secure-mobile-workforce-devices
Bluetooth Hack Leaves Many Smart Locks, IoT Devices Vulnerable, Kaspersky Threat Post, 11 August 2016, https://threatpost.com/bluetooth-hack-leaves-many-smart-locks-iot-devices-vulnerable/119825/
How To: Building a BlueSniper Rifle - Part 1, Tom’s Guide, 8 March 2005, http://www.tomsguide.com/us/how-to-bluesniper-pt1,review-408.html
[xi] Spy Tech 'Hacks WhatsApp Encrypted Chat From A Backpack', Forbes, 29 September 2016, http://www.forbes.com/sites/thomasbrewster/2016/09/29/wintego-whatsapp-encryption-surveillance-exploits/#7a155a40dade
Intelligence Solutions: Wintego develops tactical interception solutions for extracting strategic data intelligence, Wintego, http://www.wintego.com/intelligence