ReportWire

Tag: NSO Group

  • You’ve been targeted by government spyware. Now what? | TechCrunch

    [ad_1]

    It was a normal day when Jay Gibson got an unexpected notification on his iPhone. “Apple detected a targeted mercenary spyware attack against your iPhone,” the message read.

    Ironically, Gibson used to work at companies that developed exactly the kind of spyware that could trigger such a notification. Still, he was shocked that he received a notification on his own phone. He called his father, turned off and put his phone away, and went to buy a new one.

    “I was panicking,” he told TechCrunch. “It was a mess. It was a huge mess.”  

    Gibson is just one of an ever-increasing number of people who are receiving notifications from companies like Apple, Google, and WhatsApp, all of which send similar warnings about spyware attacks to their users. Tech companies are increasingly proactive in alerting their users when they become targets of government hackers, and in particular those who use spyware made by companies such as Intellexa, NSO Group, and Paragon Solutions.

    But while Apple, Google, and WhatsApp alert, they don’t get involved in what happens next. The tech companies direct their users to people who could help, but at which point the companies step away.

    This is what happens when you receive one of these warnings. 

    Warning 

    You have received a notification that you were the target of government hackers. Now what? 

    First of all, take it seriously. These companies have reams of telemetry data about their users and what happens on both their devices and their online accounts. These tech giants have security teams that have been hunting, studying, and analyzing this type of malicious activity for years. If they think you have been targeted, they are probably right. 

    It’s important to note that in the case of Apple and WhatsApp notifications, receiving one doesn’t mean you were necessarily hacked. It’s possible that the hacking attempt failed, but they can still tell you that someone tried. 

    A photo showing the text of a threat notification sent by Apple to a suspected spyware victim (Image: Omar Marques/Getty Images)

    In the case of Google, it’s most likely that the company blocked the attack, and is telling you so you can go into your account and make sure you have multi-factor authentication on (ideally a physical security key or passkey), and also turn on its Advanced Protection Program, which also requires a security key and adds other layers of security to your Google account. In other words, Google will tell you how to better protect yourself in the future. 

    In the Apple ecosystem, you should turn on Lockdown Mode, which switches on a series of security features that makes it more difficult for hackers to target your Apple devices. Apple has long claimed that it has never seen a successful hack against a user with Lockdown Mode enabled, but no system is perfect. 

    Mohammed Al-Maskati, the director of Access Now’s Digital Security Helpline, a 24/7 global team of security experts who investigate spyware cases against members of civil society, shared with TechCrunch the advice that the helpline gives people who are concerned that they may be targeted with government spyware.

    This advice includes keeping your devices’ operating systems and apps up-to-date; switching on Apple’s Lockdown Mode, and Google’s Advanced Protection for accounts and for Android devices; be careful with suspicious links and attachments; to restart your phone regularly; and to pay attention to changes in how your device functions.

    Contact Us

    Have you received a notification from Apple, Google, or WhatsApp about being targeted with spyware? Or do you have information about spyware makers? We would love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.

    Reaching out for help

    What happens next depends on who you are. 

    There are open source and downloadable tools that anyone can use to detect suspected spyware attacks on their devices, which requires a little technical knowledge. You can use the Mobile Verification Toolkit, or MVT, a tool that lets you look for forensic traces of an attack on your own, perhaps as a first step before looking for assistance. 

    If you don’t want or can’t use MVT, you can go straight to someone who can help. If you are a journalist, dissident, academic, or human rights activist, there are a handful of organizations that can help. 

    You can turn to Access Now and its Digital Security Helpline. You can also contact Amnesty International, which has its own team of investigators and ample experience in these cases. Or, you can reach out to The Citizen Lab, a digital rights group at the University of Toronto, which has been investigating spyware abuses for almost 15 years. 

    If you are a journalist, Reporters Without Borders also has a digital security lab that offers to investigate suspected cases of hacking and surveillance. 

    Outside of these categories of people, politicians or business executives, for example, will have to go elsewhere. 

    If you work for a large company or political party, you likely have a competent (hopefully!) security team you can go straight to. They may not have the specific knowledge to investigate in-depth, but in that case they probably know who to turn to, even if Access Now, Amnesty, and Citizen Lab cannot help those outside of civil society. 

    Otherwise, there aren’t many places executives or politicians you can turn to, but we have asked around and found the ones below. We can’t fully vouch for any of these organizations, nor do we endorse them directly, but based on suggestions from people we trust, it’s worth pointing them out. 

    Perhaps the most well known of these private security companies is iVerify, which makes an app for Android and iOS, and also gives users an option to ask for an in-depth forensic investigation. 

    Matt Mitchell, a well-regarded security expert who’s been helping vulnerable populations protect themselves from surveillance has a new startup, called Safety Sync Group, which offers this kind of service. 

    Jessica Hyde, a forensic investigator with experience in the public and private sectors, has her own startup called Hexordia, and offers to investigate suspected hacks. 

    Mobile cybersecurity company Lookout, which has experience analyzing government spyware from around the world, has an online form that allows people to reach out for help to investigate cyberattacks involving malware, device compromise, and more. The company’s threat intelligence and forensics teams may then get involved.  

    Then, there’s Costin Raiu, who heads TLPBLACK, a small team of security researchers who used to work at Kaspersky’s Global Research and Analysis Group, or GReAT. Raiu was the unit’s head when his team discovered sophisticated cyberattacks from elite government hacking teams from the United States, Russia, Iran, and other countries. Raiu told TechCrunch that people who suspect they’ve been hacked can email him directly.

    Investigation

    What happens next depends on who you go to for help. 

    Generally speaking, the organization you reach out to may want to do an initial forensic check by looking at a diagnostic report file that you can create on your device, which you can share with the investigators remotely. At this point, this doesn’t require you to hand over your device to anyone. 

    This first step may be able to detect signs of targeting or even infection. It may also turn out nothing. In both cases, the investigators may want to dig deeper, which will require you to send in a full backup of your device, or even your actual device. At that point, the investigators will do their work, which may take time because modern government spyware attempts to hide and delete its tracks, and will tell you what happened. 

    Unfortunately, modern spyware may not leave any traces. The modus operandi these days, according to Hassan Selmi, who leads the incident response team at Access Now’s Digital Security Helpline, is a “smash and grab” strategy, meaning that once spyware infects the target device, it steals as much data as it can, and then tries to remove any trace and uninstall itself. This is assumed as the spyware makers trying to protect their product and hide its activity from investigators and researchers.  

    If you are a journalist, a dissident, an academic, a human rights activist, the groups who help you may ask if you want to publicize the fact that you were attacked, but you’re not required to do so. They will be happy to help you without taking public credit for it. There may be good reasons to come out, though: To denounce the fact that a government targeted you, which may have the side effect of warning others like you of the dangers of spyware; or to expose a spyware company by showing that their customers are abusing their technology. 

    We hope you never get one of these notifications. But we also hope that, if you do, you find this guide useful. Stay safe out there.

    [ad_2]

    Lorenzo Franceschi-Bicchierai

    Source link

  • Meet the team that hunts government spyware

    [ad_1]

    For more than a decade, dozens of journalists and human rights activists have been targeted and hacked by governments all over the world. Cops and spies in Ethiopia, Greece, Hungary, India, Mexico, Poland, Saudi Arabia, and United Arab Emirates, among others, have used sophisticated spyware to compromise the phones of these victims, who at times have also faced real-world violence being intimidated, harassed, and in extreme cases, even murdered.

    In the last few years, in the fight to protect these higher-risk communities, a team of a dozen digital security experts, mostly based in Costa Rica, Manila, and Tunisia, among other places, have played a key role. They work for the New York-headquartered nonprofit Access Now, specifically its Digital Security Helpline

    Their mission is to be the team of people who journalists, human rights defenders, and dissidents can go to if they suspect they’ve been hacked, such as with mercenary spyware made by companies like NSO Group, Intellexa, or Paragon

    “The idea is to provide this 24/7 service to civil society and journalists so they can reach out whenever they have… a cybersecurity incident,” Hassen Selmi, who leads the incident response team at the Helpline, told TechCrunch. 

    According to Bill Marczak, a senior researcher at the University of Toronto’s Citizen Lab who has been investigating spyware for almost 15 years, Access Now’s Helpline is a “frontline resource” for journalists and others who may have been targeted or hacked with spyware.

    The helpline has become a critical funnel for victims. So much so that when Apple sends its users a so-called “threat notification” alerting them that they have been targeted with mercenary spyware, the tech giant has long directed victims to Access Now’s investigators

    In speaking with TechCrunch, Selmi described a scenario where someone gets one of these threat notifications, and where Access Now can help victims.

    “Having someone who could explain it to them, tell them what they should do, what they should not do, what this means… This is a big relief for them,” said Selmi. 

    According to several digital rights experts who have investigated spyware cases and previously spoke with TechCrunch, Apple is generally taking the right approach, even if the optics look like a trillion-dollar tech giant offloading its responsibility to a small team of nonprofit workers. 

    Being mentioned by Apple in the notifications, said Selmi, was “one of the biggest milestones” for the helpline.

    Selmi and his colleagues now look into about 1,000 cases of suspected government spyware attacks per year. Around half of those cases turn into actual investigations, and only around 5% of them, around 25, result in a confirmed case of spyware infection, according to Mohammed Al-Maskati, the helpline’s director.

    When Selmi started doing this work in 2014, Access Now were only investigating around 20 cases of suspected spyware attacks per month. 

    At the time, there were three or four people working in each timezone in Costa Rica, Manila, and Tunisia, locations that allowed them to have someone online throughout the whole day. The team isn’t that much bigger now, with fewer than 15 people working for the helpline. The helpline has more people in Europe, the Middle East, North Africa, and Sub-Saharan region, given that these are hotspots for spyware cases, according to Selmi.  

    The increase in cases, Selmi explained, is due to several circumstances. For one, the helpline is now more well known, so it attracts more people. Then, with government spyware going global and becoming more available, there are potentially more cases of abuse. Finally, the helpline team has done more outreach to potentially targeted populations, finding cases of abuse they may not have found otherwise. 

    Contact Us

    Have you received a notification from Apple, Google, or WhatsApp about being targeted with spyware? Or do you have information about spyware makers? We would love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.

    When someone contacts the helpline, Selmi told TechCrunch, its investigators first acknowledge receipt, then they do a first check to see if the person who contacted them is within the organization’s mandate, meaning if they are part of civil society — and not, for example, a business executive or lawmaker. Then, the investigators assess the case in triage. If a case is prioritized, the investigators ask questions, such as why the person believes they were targeted (if there was no notification), and what device they own, which helps to establish what kind of information the investigators may need to collect from the victim’s device.

    After an initial, limited check of the device performed remotely over the internet, the helpline’s handlers and investigators may ask the victim to send more data, such as a full backup of their device, to do a more thorough analysis examining for signs of intrusions. 

    “For each known kind of exploit that has been used in the last five years, we have a process on how to check that exploit,” said Selmi, referring to known hacking techniques. 

    “We know more or less what is normal, what is not,” said Selmi.

    The Access Now handlers, who manage communication and often speak the victim’s language, will also give the victim advice on what to do, such as whether to get another device, or take other precautions. 

    Every case that the nonprofit looks into is unique. “It’s different from person to person, from culture to culture,” Selmi told TechCrunch. “I think we should do more research, get more people on board — not just technical people — to know how to deal with these kinds of victims.”

    Selmi said that the helpline has also been supporting similar investigative teams in some regions of the world, sharing documentation, knowledge, and tools, as part of a coalition called CiviCERT, a global network of organizations that can help members of civil society who suspect they were targeted with spyware. 

    Selmi said this network has also helped to reach journalists and others in places where otherwise they could not get to. 

    “No matter where they are, [victims] have people who could talk to and report to,” Selmi told TechCrunch. “Having these people talk their language and know their context helped a lot.”

    [ad_2]

    Lorenzo Franceschi-Bicchierai

    Source link

  • Court reduces damages Meta will get from spyware maker NSO Group but bans it from WhatsApp

    [ad_1]

    US District Judge Phyllis Hamilton has reduced the damages Meta is getting from the NSO Group from $167 million to $4 million, but she has also ordered the Israeli spyware maker to stop targeting WhatsApp. If you’ll recall, Meta sued the NSO Group in 2019 over its Pegasus spyware, which it said was used to spy on 1,400 people from 20 countries, including journalists and human rights activists. Meta said at the time that Pegasus can infect targets’ devices even without their participation by sending text messages with malicious codes to WhatsApp. Even a missed call is enough to infect somebody’s device.

    According to Courthouse News Service, Hamilton reduced the damages because they would need to follow a legal framework designed to proportionate damages. However, she has also handed down a permanent injunction on the NSO Group’s efforts to break into WhatsApp. In her decision, she took note of statements made by NSO’s lawyers and its own CEO revealing that it hasn’t stopped collecting WhatsApp messages and trying to get around the messaging app’s security measures. The defendants previously said that the injunction Meta was requesting would “put NSO’s entire enterprise at risk” and “force NSO out of business,” since WhatsApp is one of the Pegasus spyware’s main ways to infect targets’ devices.

    “Today’s ruling bans spyware maker NSO from ever targeting WhatsApp and our global users again,” said Will Cathcart, Head of WhatsApp. “We applaud this decision that comes after six years of litigation to hold NSO accountable for targeting members of civil society. It sets an important precedent that there are serious consequences to attacking an American company.”

    Hamilton wrote that the proposed injunction requires the Israeli company to delete and destroy computer code related to Meta’s platforms, and that she concluded that the provision is “necessary to prevent future violations, especially given the undetectable nature of defendants’ technology.” It’s not quite clear how Meta will ensure that the NSO Group doesn’t use WhatsApp to infect its users’ devices again. Notably, the NSO Group was recently acquired by an American investment group that invested tens of millions of dollars into it to take controlling ownership.

    [ad_2]

    Mariella Moon

    Source link

  • Apple’s latest iPhone security feature just made life more difficult for spyware makers | TechCrunch

    [ad_1]

    Buried in an ocean of flashy novelties announced by Apple this week, the tech giant also revealed new security technology for its latest iPhone 17 and iPhone Air devices. This new security technology was made specifically to fight against surveillance vendors and the types of vulnerabilities they rely on the most, according to Apple.

    The feature is called Memory Integrity Enforcement (MIE) and is designed to help stop memory corruption bugs, which are some of the most common vulnerabilities exploited by spyware developers and makers of phone forensic devices used by law enforcement. 

    “Known mercenary spyware chains used against iOS share a common denominator with those targeting Windows and Android: they exploit memory safety vulnerabilities, which are interchangeable, powerful, and exist throughout the industry,” Apple wrote in its blog post

    Cybersecurity experts, including people who make hacking tools and exploits for iPhones, tell TechCrunch that this new security technology could make Apple’s newest iPhones some of the most secure devices on the planet. The result is likely to make life harder for the companies that make spyware and zero-day exploits for planting spyware on a target’s phone or extracting data from them. 

    “The iPhone 17 is probably now the most secure computing environment on the planet that is still connected to the internet,” a security researcher, who has worked on developing and selling zero-days and other cyber capabilities to the U.S. government for years, told TechCrunch.

    The researcher told TechCrunch that MIE will raise the cost and time to develop their exploits for the latest iPhones, and consequently up their prices for paying customers.

    “This is a huge deal,” said the researcher, who asked to remain anonymous to discuss sensitive matters. “It’s not hack proof. But it’s the closest thing we have to hack proof. None of this will ever be 100% perfect. But it raises the stakes the most.”

    Contact Us

    Do you develop spyware or zero-day exploits and are studying studying the potential effects of Apple’s MIE? We would love to learn how this affects you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.

    Jiska Classen, a professor and researcher who studies iOS at the Hasso Plattner Institute in Germany, agreed that MIE will raise the cost of developing surveillance technologies.

    Classen said this is because some of the bugs and exploits that spyware companies and researchers have that currently work will stop working once the new iPhones are out and MIE is implemented. 

    “I could also imagine that for a certain time window some mercenary spyware vendors don’t have working exploits for the iPhone 17,” said Classen. 

    “This will make their life arguably infinitely more difficult,” said Patrick Wardle, a researcher who runs a startup that makes cybersecurity products specifically for Apple devices. “Of course that is said with the caveat that it’s always a cat-and-mouse game.”

    Wardle said people who are worried about getting hacked with spyware should upgrade to the new iPhones. 

    The experts TechCrunch spoke to said MIE will reduce the efficacy of both remote hacks, such as those launched with spyware like NSO Group’s Pegasus and Paragon’s Graphite. It will also help to protect against physical device hacks, such as those performed with phone unlocking hardware like Cellebrite or Graykey. 

    Taking on the “majority of exploits”

    Most modern devices, including the majority of iPhones today, run software written in programming languages that are prone to memory-related bugs, often called memory overflow or corruption bugs. When triggered, a memory bug can cause the contents of memory from one app to spill into other areas of a user’s device where it shouldn’t go.

    Memory-related bugs can allow malicious hackers to access and control parts of a device’s memory that they shouldn’t be permitted to. The access can be used to plant malicious code that’s capable of gaining broader access to a person’s data stored in the phone’s memory, and exfiltrating it over the phone’s internet connection.

    MIE aims to defend against these kinds of broad memory attacks by vastly reducing the attack surface in which memory vulnerabilities can be exploited.

    According to Halvar Flake, an expert in offensive cybersecurity, memory corruptions “are the vast majority of exploits.” 

    MIE is built on a technology called Memory Tagging Extension (MTE), originally developed by chipmaker Arm. In its blog post, Apple said over the past five years it worked with Arm to expand and improve the memory safety features into a product called Enhanced Memory Tagging Extension (EMTE).  

    MIE is Apple’s implementation of this new security technology, which takes advantage of Apple having complete control of its technology stack, from software to hardware, unlike many of its phone-making competitors.

    Google offers MTE for some Android devices; the security-focused GrapheneOS, a custom version of Android, also offers MTE

    But other experts say Apple’s MIE goes a step further. Flake said the Pixel 8 and GrapheneOS are “almost comparable,” but the new iPhones will be “the most secure mainstream” devices.

    MIE works by allocating each piece of a newer iPhone’s memory with a secret tag, effectively its own unique password. This means only apps with that secret tag can access the physical memory in the future. If the secret doesn’t match, the security protections kick in and block the request, the app will crash, and the event is logged.

    That crash and log is particularly significant since it’s more likely for spyware and zero-days to trigger a crash, making it easier for Apple and security researchers investigating attacks to spot them. 

    “A wrong step would lead to a crash and a potentially recoverable artifact for a defender,” said Matthias Frielingsdorf, the vice president of research at iVerify, a company that makes an app to protect smartphones from spyware. “Attackers already had an incentive to avoid memory corruption.”

    Apple did not respond to a request for comment.

    MIE will be on by default system wide, which means it will protect apps like Safari and iMessage, which can be entry points for spyware. But third-party apps will have to implement MIE on their own to improve protections for their users. Apple released a version of EMTE for developers to do that. 

    In other words, MIE is a huge step in the right direction, but it will take some time to see its impact, depending on how many developers implement it and how many people buy new iPhones. 

    Some attackers will inevitably still find a way.

    “MIE is a good thing and it might even be a big deal. It could significantly raise the cost for attackers and even force some of them out of the market,” said Frielingsdorf. “But there are going to be plenty of bad actors that can still find success and sustain their business.”

    “As long as there are buyers there will be sellers,” said Frielingsdorf.

    [ad_2]

    Lorenzo Franceschi-Bicchierai, Zack Whittaker

    Source link