1 January 2002

The state’s Dirt e-buggers

YOUR sensitive computer files, e-mail communications and Web-surfing habits may not be safe from the state’s prying eyes. At least two state agencies have bought a controversial spy tool allowing them to hack into remote computers. But even as the state sought to expand its snooping capabilities, it was prey to sales agents – acting for a disgraced former New York City cop – who charged exorbitant prices.

The South African Police Service cyber crimes division and National Defence Force intelligence division both bought copies of the tool – a software package named Data Interception by Remote Transmission, or Dirt. The National Intelligence Agency (NIA) considered buying a more powerful version, but refuses to confirm or deny it obtained the technology.

News that South Africa’s security and spy agencies have dabbled in computer hacking technology raises invasion-of-privacy questions, including whether judicial warrants were obtained before Dirt was used against individuals. A Democratic Alliance councillor for Tshwane this week said he believes he was the target of a Dirt attack by the NIA in 2000.

Dirt is described in its operations manual as “similar to an eavesdropping device. Instead of placing hardware inside the target’s computer that would necessitate physical access, investigators electronically place hidden software via the Internet that monitors the target PC.”

Internet discussion groups and publications have been buzzing with debate on Dirt since it was exposed perhaps a year ago. Many experts argue Dirt’s features do not surpass those of other “Trojans” that are freely (though mostly illegally) available on the Internet. Concludes an assessment by Australia’s Diamond Computer Systems: “Why pay thousands of dollars when you can use a free Trojan that does even more?”

Whether it gives value for money or not, Dirt is a powerful tool. The operator sends a “bug”, hidden in an e-mail attachment, to the target computer. The bug installs itself and broadcasts, in small e-mail chunks, requested information back to the operator.

This theoretically allows the operator to snoop around all files on the target computer. The Dirt bug also logs keystrokes on the target machine, meaning passwords can be discovered and encryption bypassed.

Codex Data Systems, the New York supplier of Dirt, has claimed that the product is only for legitimate law enforcement use: it refers to Dirt’s utility in catching terrorists, money launderers, drug traffickers and Internet paedophiles. But Dirt also boasts “remote system management”, meaning the bug can be used to introduce information to the target computer. It can plant evidence.

Extraordinary details of how Dirt was marketed to the South African state, including an intended demonstration to President Thabo Mbeki and discussions on how far the price could be inflated, are contained in a series of e-mail exchanges anonymously posted on the World Wide Web last month. The exchanges, from March 1999 to October 2000, are mostly between Codex Data Systems in New York and two of their South African agents.

Codex is – or was, as it is not clear whether the company survived recent upheavals – headed by Francis Edward “Frank” Jones, a former New York City policeman convicted in 1999 for illegal possession of bugging equipment. He was sentenced to 300 hours community service and strict parole conditions were imposed, including that he check into a mental health programme and not use drugs.

But Jones is perhaps best known for his unabashed self-aggrandisement, not least on his “SpyKing” website, now defunct. “A legend in his own mind,” is how one Internet publication describes Jones.

There are various theories on how the correspondence between Jones, his deputy Terry Kawles and their South African partners found its way to the Web. One is that Jones, now under renewed attention from United States investigators for alleged breaches of his parole conditions and allegations of financial impropriety within Codex, did it himself to divert attention.

But what seems a more likely explanation comes from Derek Fleming, a DA Tshwane councillor. Formerly with the African National Congress, he received science and computer training in the former Soviet Union and says he has written cryptologic applications capable of defeating programmes like Dirt.

Fleming was detained for a fortnight during a Protection of Information Act investigation in 1997 but never charged. He said this week: “I’ve been under surveillance ever since; electronic and personal.”

Fleming said he discovered the Dirt bug on his computer in May or June 2000, roughly the time the NIA is alleged to have received a demonstration of Dirt. He says he suspects “Hilton Dennis’s boys”. Dennis, formerly a senior NIA manager, is now the director general of its external counterpart, the South African Secret Service.

“On learning that I had been trojanned, I identified the sender’s machine number and that version of the Dirt operating code. The next day I put it all before the international hacker community.”

Fleming says he believes the result was that Codex, and specifically the e-mail files of Kawles, was “reverse-trojanned” and that this led to last month’s anonymous posting of the exchanges on the web.

The exchanges involve Codex’s Jones and Kawles on the one hand, and local agents Nick Turner and Luchi Ficosecco on the other. The following emerges:

  • A member of the South African National Defence Force (SANDF) intelligence division obtained a copy of Dirt in 1999. Interestingly, he wanted Codex to build in a new feature causing the bug to self-destruct after a set time, in order to comply with any limit a judicial warrant might set.

    SANDF spokesperson John Rolt this week commented: “The Department of Defence acquired a number of computer programs over the past few years in order to develop counter measures to protect our own computer systems from attack by hackers … None of the technology acquired is directed at people or computer systems.”

  • Two members of the police cyber crimes unit obtained Dirt in 1999; their orders are extensively discussed. Ficosecco this week told the Mail & Guardian that he believed the unit had achieved “very, very good successes” against criminals using Dirt. He said he did not know whether judicial warrants had been obtained. A police spokesperson said the service could not respond timeously as it had to verify information.

  • Turner wrote to Codex in December 1999 “confirming” an NIA order for one “10-target” limited version. It is not clear whether this was obtained at the time, as there is further discussion of a demonstration to the NIA in 2000. In April Ficosecco wrote to Codex saying a meeting with the director general of NIA “went very well”.

    Ficosecco this week confirmed that there had been a demonstration attended by Vusi Mavimbela, the NIA Director General, and that a more powerful “unlimited target” version had been discussed. But Ficosecco said no sale resulted through him, although he believed it possible the NIA had bought directly from Jones.

    Intelligence services spokesperson Lorna Daniels this week said: “We don’t comment on our operational and intelligence capacities. But yes, we do have a large capacity … unfortunately we cannot provide you with the details.”

    Daniels denied that the NIA had launched a Dirt bug at Fleming.

  • Codex and its agents wanted to demonstrate Dirt to Mbeki and went as far as deploying an ANC cadre, Ally Lumkwana, whom they believed to be close to Mbeki, to arrange it. In May 2000 Ficosecco wrote: “We have also employed Mr Ali [sic] Lumkwana (personal friend of the president of SA) as a full time consultant with our group. He in fact is the president’s chess partner. Ali will be active in the marketing and ‘pricing’ discussions … Rest assured. All is still on track.”

    Lumkwana this week denied being close to Mbeki, although others claimed he once was. He referred questions about the mooted presidential demonstration to Ficosecco, who said he did not know whether it transpired in the end.

  • While similar Trojans may have been available freely on the Internet, Codex’s support systems and some of Dirt’s user-friendly features supposedly justified it being sold. It is not clear how much the government agencies paid for their known limited-target versions but the Diamond Computer Systems analysis quotes a price of $2 000 (R22 000) for a single-target version to $30 000 (R330 000) for a 250-target version.

From the correspondence it seems Codex and the agents were intent on milking some clients for all they were worth. In February 2000 Turner wrote to New York, saying: “We have spoken about pricing before, and I need to inform you that … all new prospective customers are being quoted a price which they not only can afford, but are prepared to pay. In most cases, this means you will be receiving for example about three times the price on average for the product.”

The price seems to have escalated to a $2-million (R22-million) price-tag demanded of the NIA. Ficosecco wrote to New York in April 2000 fuming that “someone … sent a fax to the NIA informing them of the cost price of Dirt. The letter was unsigned and undated. This however does not create too much of a problem in our getting our price or close to our price as there are ‘other’ factors at play here that the arsehole who did this is not aware of.”

In June a clearly frustrated Jones wrote from New York: “Sell the program for what the market will bear or I will sell it for what I feel is the correct price … I have no problem making 2-million but if 250 000 is all that is available, sell it …”

Ficosecco this week acknowledged that “everyone got madly greedy” and that he believed the $2-million price tag is what caused the NIA not to buy – at least not through him and his South African partners.

Turner this week said: “I believed then and I believe still today that the product then … was a legitimate law enforcement tool and that it had certain operational features which made it a more professional tool than some of the products that were [freely] available.”

Relations between the South Africans – Ficosecco and Turner – and Codex in New York broke down towards the end of 2000.