On the morning of August 10, Ahmed Mansoor, a 46-year-old human rights activist from the United Arab Emirates, received a strange text message from a number he did not recognize on his iPhone.
“New secrets about torture of Emiratis in state prisons,” read the tantalizing message, which came accompanied by a link.
Mansoor, who had already been the victim of government hackers using commercial spyware products from FinFisher and Hacking Team, was suspicious and didn’t click on the link. Instead, he sent the message to Bill Marczak, a researcher at Citizen Lab, a digital rights watchdog at the University of Toronto’s Munk School of Global Affairs.
As it turned out, the message wasn’t what it purported to be. The link didn’t lead to any secrets, but to a sophisticated piece of malware that exploited three different unknown vulnerabilities in Apple’s iOS operating system that would have allowed the attackers to get full control of Mansoor’s iPhone, according to new joint reports released on Thursday by Citizen Lab and mobile security company Lookout.
This is the first time that anyone has uncovered such an attack in the wild. Until this month, no one had seen an attempted spyware infection leveraging three unknown bugs, or zero-days, in the iPhone. The tools and technology needed for such an attack, which is essentially a remote jailbreak of the iPhone, can be worth as much as one million dollars. After the researchers alerted Apple, the company worked quickly to fix them in an update released on Thursday.
The question is, who was behind the attack and what did they use to pull it off?
It appears that the company that provided the spyware and the zero-day exploits to the hackers targeting Mansoor is a little-known Israeli surveillance vendor called NSO Group, which Lookout’s vice president of research Mike Murray labeled as “basically a cyber arms dealer.”
The researchers at Citizen Lab and Lookout were impressed by this new, never-before-seen type of malware.
“We realized that we were looking at something that no one had ever seen in the wild before. Literally a click on a link to jailbreak an iPhone in one step,” Murray told Motherboard. “One of the most sophisticated pieces of cyberespionage software we’ve ever seen.”
Since its founding in 2010, NSO has developed a reputation for providing sophisticated malware to governments that need to target cellphones in their investigations, although the use of its tools has never been documented before. The company claims that its products are completely stealthy, like a “ghost.” The company has been so guarded about its wares that it’s never had a website, and has rarely given interviews or any comments to the press. But some information has leaked out, including an investment for $120 million by a US-based venture capital firm in 2014 and a subsequent reported valuation of $1 billion.
NSO’s malware, which the company codenamed Pegasus, is designed to quietly infect an iPhone and be able to steal and intercept all data inside of it, as well as any communication going through it.
“It basically steals all the information on your phone, it intercepts every call, it intercepts every text message, it steals all the emails, the contacts, the FaceTime calls. It also basically backdoors every communications mechanism you have on the phone,” Murray explained. “It steals all the information in the Gmail app, all the Facebook messages, all the Facebook information, your Facebook contacts, everything from Skype, WhatsApp, Viber, WeChat, Telegram—you name it.”
Citizen Lab’s Marczak and John Scott-Railton, who caught the malware first, analyzed it with the help of Murray and his colleagues at Lookout. The researchers clicked on the link that Mansoor shared on their own guinea-pig iPhone, and infected it with Pegasus, which gave them the ability to see exactly what the malware was designed to do.
This attack on Mansoor, as well as another one Citizen Lab was able to trace back to a journalist in Mexico, shows that the well-known Hacking Team and FinFisher are not the only players in the growing business of private companies providing hacking services to governments. It also shows that those companies’ customers, which are often authoritarian governments with proven records of human rights abuses and targeting of dissidents and activists, aren’t afraid to use them, no matter the cost.
“This indicates the incredible power of the voices of journalists and activists who attract this kind of extremely expensive spyware,” Scott-Railton said.
Ultimately, this could be a sign of things to come.
“The people that we see being targeted by these texts today—dissidents, activists—these are kind of the people on the frontlines of what is to come for all of us tomorrow, these guys are sort of the canaries in the coal mine,” Marczak said. “The threats that they are facing today are threats that perhaps ordinary users will face tomorrow.”
A spokesperson for NSO declined to answer any specific questions about the report, saying in a prepared statement that “the company has no knowledge of and cannot confirm the specific cases mentioned in your inquiry.”
HOW NSO GOT CAUGHT
Earlier this year, in May, Citizen Lab revealed a new, sophisticated hacking group it dubbed Stealth Falcon. The researchers couldn’t confirm it, but they suspected Stealth Falcon had a link to the UAE government, and targeted dissidents inside and outside of the country.
As part of its research into Stealth Falcon, Citizen Lab was able to map large parts of the group’s infrastructure, including servers and domains that Stealth Falcon used to steal data and siphon it out of its victims in its hacking campaigns. But the researchers couldn’t find any actual samples of the malware the hackers used. That changed on August 10, when Mansoor sent Marczak the suspicious text message.
Once Marczak and Scott-Railton were able to look into it, they followed a convoluted online trail and realized the spyware communicated with a server, and an IP address, that they had fingerprinted in the past as being part of Stealth Falcon’s infrastructure. Then they found that a server registered to an NSO employee pointed to the same IP address.
Moreover, inside the actual malware, its developers left a revealing string of code: “PegasusProtocol,” an apparent reference to NSO’s spyware codename, Pegasus. The researchers were able to find yet more domains associated with NSO or its customers’ infrastructure, noting that “alarmingly” some of them appeared designed to impersonate humanitarian organizations like the Red Cross, and news media organizations.
For the first time, the researchers were able to finally have a real glimpse into the features of the company’s malware. Since its founding in 2010, NSO has gained an almost-legendary aura, with unconfirmed rumors about its powers, while remaining essentially unknown to the general public. Its executives have rarely spoken to the press, and the few articles written about the company are full of vague descriptions and unconfirmed rumors.
“We’re a complete ghost,” NSO co-founder Omri Lavie told Defense News, a military trade publication, in 2013.
A short profile in 2014, published in The Wall Street Journal, reported that NSO had peddled its product to the Mexican government, and got the interest of even the CIA. Its spyware, according to the article, was sold all over the world.
Now that its spyware has been exposed, and its zero-days have been burned, NSO perhaps can’t claim to be a ghost anymore, although the company could very well have other zero-days and tools up its sleeves. That’s why the researchers don’t expect their reports, and Apple’s patch, to hit the brakes on the activities of NSO for long.
“We’re not going to put NSO out of business by patching these vulnerabilities,” Murray said.
Moreover, the malware is programmed with settings that go all the way back to iOS 7, which indicates that NSO has likely been able to hack iPhone devices since the iPhone 5.
NSO’s spokesperson Zamir Dahbash said in a statement that the company’s “mission is to help make the world a safer place by providing authorized governments with technology that helps them combat terror and crime.”
“The company sells only to authorized governmental agencies, and fully complies with strict export control laws and regulations. Moreover, the company does NOT operate any of its systems; it is strictly a technology company,” the statement read. “The agreements signed with the company’s customers require that the company’s products only be used in a lawful manner. Specifically, the products may only be used for the prevention and investigation of crimes.”
The researchers at Citizen Lab and Lookout reached out to Apple as soon as they found out about the zero-days, which they dubbed Trident. It took about 10 days for Apple to develop and release a patch. The patch is now live as part of the iOS 9.3.5 update, which every iPhone user should download and install as soon as possible.
“We were made aware of this vulnerability and immediately fixed it with iOS 9.3.5,” an Apple spokesperson said in a statement, declining to provide more comments.
Dan Guido, the CEO of cybersecurity firm Trail Of Bits, which does a lot of work with Apple systems, said that these attacks, while rarely seen in the open, are to be expected. Ultimately, despite the three zero-days caught in the wild, Guido still believes the iPhone is a much safer choice than Android, for example.
“Apple has raised the cost of exploiting their devices higher than any other vendor out there. But this highlights the need for better compromise detection for iOS,” Guido said, adding that in any case, “iOS is still the single most secure consumer device available.”
“The problem is that it takes a paranoid mentality and friends at Citizen Lab to identify whether you have malware,” he added.
The researchers haven’t been able to find any other samples of Pegasus spyware yet. But while searching for similar links and domains to the ones associated with the attack on Mansoor and the infrastructure of a hacking group they dubbed Stealth Falcon, they were able to find a tweet that appears to target unknown victims in Kenya, as well as an attack on Mexican investigative journalist Rafael Cabrera.
Cabrera was targeted with NSO malware last year for the first time, and again as recently as May of this year. In the latest round of attacks, hackers tried to lure him to click on a series of messages offering government corruption revelations, warning of a charge of $500 on his phone bill, and even promising an adult video that would prove his wife cheated on him. He said he never clicked on any of the links the hackers sent him.
“It’s clear that they wanted me to click,” Cabrera told Motherboard. “You could even say they were desperate.”
Cabrera didn’t want to speculate as to who the hackers really were, saying it could be the government, or someone else. Mexico is among the suspected customers of NSO, but it’s unclear whether a police or intelligence agency there is actually using the company’s malware. Mexico was also the largest customer of Hacking Team in the world, and some of its agencies allegedly used the spyware to target journalists and dissidents, rather than criminals.
In the end, Cabrera and Mansoor did not get hacked, as they were savvy enough not to fall for the hackers’ tricks. In a way, they got lucky. By having been targeted before with government hacking attempts, they were more vigilant than usual.
But their stories, as Marczak said, might just be yet another warning of things to come. If governments want hacking tools and have deep pockets to pay for them, companies like Hacking Team and NSO will continue to provide them. In the past, Citizen Lab has documented several attacks against dissidents, journalists, and human rights workers by governments worldwide using spyware similar to the one NSO produces. And despite publicizing and warning about these attacks, the malware hunters at Citizen Lab keep finding new attacks, sometimes performed by the same governments, and even against the same targets.
“The incentives just aren’t there for these companies like NSO to keep these tools out of the hands of serial abusers like the UAE,” Marczak said.
This is also the first sign of the rise of a new superpower in the spyware industry. NSO has the potential to grow after the damaging—yet not deadly—hacks on FinFisher and Hacking Team, which are still the most well-known, and notorious, spy tech vendors today.
And all of these revelations would have remained in the shadows if Mansoor had clicked on that link he got on August 10.
Ransomware, the strain of malware which cryptographically locks a victim’s hard drive until they pay the author an electronic ransom, is super popular among cybercriminals right now. The strategy is so successful, in fact, that some ransomware-makers have apparently begun sabotaging each other’s ransomware to try and take out their competition.
Earlier this week, 3,500 keys for a ransomware known as “Chimera” leaked online, purportedly allowing anyone targeted by it to safely decrypt their ransomed files without having to pony up bitcoins. The decryption keys were apparently posted by the authors of a rival ransomware package called Petya and Mischa, who claimed they had hacked Chimera’s development system, pilfered the keys, and stolen parts of the code.
“Earlier this year we got access to big parts of their deveolpment [sic] system, and included parts of Chimera in our project,” the authors write in a post on Pastebin. “Additionally we now release about 3500 decryption keys from Chimera.”
Chimera is a particularly nasty strain of ransomware which not only locks a victim’s hard drive but threatens to leak their private files online if the ransom isn’t paid. It’s still not clear whether the supposedly-leaked keys will actually decrypt machines affected by the malware, however—the security firm MalwareBytes, which first noticed the leak, says that verifying all the keys will take some time.
In any case, Petya and Mischa’s authors seem to have timed the leak to promote their own ransomware, which is based on the stolen Chimera code and is now being offered as a service to any two-bit cybercriminal willing to shell out bitcoins for it.
The in-fighting seems to indicate another significant, albeit predictable shift in the criminal hacking economy. Previously, ransomware authors have expressed anger at a recent rash of fake ransomware, which display scary messages but don’t actually lock or unlock a victim’s hard drive when the ransom is paid; the thinking is that enough of this fake ransomware could cause people to stop believing they can get their files back when they’re hit with the real thing, endangering future profits.
One of the nation’s most powerful appeals courts ruled Wednesday that sharing passwords can be a violation of the Computer Fraud and Abuse Act, a catch-all “hacking” law that has been widely used to prosecute behavior that bears no resemblance to hacking.
In this particular instance, the conviction of David Nosal, a former employee of Korn/Ferry International research firm, was upheld by the Ninth Circuit Court of Appeals, who said that Nosal’s use of a former coworker’s password to access one of the firm’s databases was an “unauthorized” use of a computer system under the CFAA.
The decision is a nightmare scenario for civil liberties groups, who say that such a broad interpretation of the CFAA means that millions of Americans are unwittingly violating federal law by sharing accounts on things like Netflix, HBO, Spotify, and Facebook. Stephen Reinhardt, the dissenting judge in the case, noted that the decision “threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.”
In the majority opinion, Judge Margaret McKeown wrote that “Nosal and various amici spin hypotheticals about the dire consequences of criminalizing password sharing. But these warnings miss the mark in this case. This appeal is not about password sharing.” She then went on to describe a thoroughly run-of-the-mill password sharing scenario—her argument focuses on the idea that Nosal wasn’t authorized by the company to access the database anymore, so he got a password from a friend—that happens millions of times daily in the United States, leaving little doubt about the thrust of the case.
The argument McKeown made is that the employee who shared the password with Nosal “had no authority from Korn/Ferry to provide her password to former employees.”
At issue is language in the CFAA that makes it illegal to access a computer system “without authorization.” McKeown said that “without authorization” is “an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.” The question that legal scholars, groups such as the Electronic Frontier Foundation, and dissenting judge Stephen Reinhardt ask is an important one: Authorization from whom?
Reinhardt argues that Nosal’s use of the database was unauthorized by the firm, but was authorized by the former employee who shared it with him. For you and me, this case means that unless Netflix specifically authorizes you to share your password with your friend, you’re breaking federal law.
“In the everyday situation that should concern us all, a friend or colleague accessing an account with a shared password would most certainly believe—and with good reason—that his access had been ‘authorized’ by the account holder who shared his password with him,” Reinhardt wrote in a powerful dissent that was primarily concerned with “the government’s boundless interpretation of the CFAA.”
“The majority does not provide, nor do I see, a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners,” he wrote. “There simply is no limiting principle in the majority’s world of lawful and unlawful password sharing.”
Notably, Reinhardt appears to have a commanding knowledge of what constitutes “hacking,” something that comes up over and over again both in the media and in the courts. He said that the decision “loses sight of the anti-hacking purpose of the CFAA.”
“There is no doubt that a typical hacker accesses an account ‘without authorization’: the hacker gains access without permission—either from the system owner or a legitimate account holder,” he wrote. Using someone else’s password with their permission but not the system owner’s isn’t “hacking,” but that’s what the court is treating it as. Reinhardt noted that all 50 states have their own narrower computer trespassing statutes, and that the case would have been better suited for civil, not criminal, proceedings.
What does this mean for you? In the short term, unless Netflix or HBO seek to get federal prosecutors to go after many of their customers, probably nothing. So far, neither of those services has shown any inclination to do so, and both have made it easy to share your accounts with others. But it does set a scary precedent that should give anyone who shares passwords some pause.
The Ninth Circuit covers much of the West Coast, including Silicon Valley—many tech cases are brought there. The decision will be binding in that circuit, and will be looked at to guide decisions elsewhere in the country.
Cases like these do come up with some regularity. A decision is expected soon in a case called Facebook v Power Ventures, in which a company scraped information from Facebook with permission from its users, but not from Facebook. Once again, the question of “authorization” will come into play.
By Jason Koebler
Secret FBI rules allow agents to obtain journalists’ phone records with approval from two internal officials — far less oversight than under normal judicial procedures.
The classified rules, obtained by The Intercept and dating from 2013, govern the FBI’s use of National Security Letters, which allow the bureau to obtain information about journalists’ calls without going to a judge or informing the news organization being targeted. They have previously been released only in heavily redacted form.
Media advocates said the documents show that the FBI imposes few constraints on itself when it bypasses the requirement to go to court and obtain subpoenas or search warrants before accessing journalists’ information.
The rules stipulate that obtaining a journalist’s records with a National Security Letter (or NSL) requires the sign-off of the FBI’s general counsel and the executive assistant director of the bureau’s National Security Branch, in addition to the regular chain of approval. Generally speaking, there are a variety of FBI officials, including the agents in charge of field offices, who can sign off that an NSL is “relevant” to a national security investigation.
There is an extra step under the rules if the NSL targets a journalist in order “to identify confidential news media sources.” In that case, the general counsel and the executive assistant director must first consult with the assistant attorney general for the Justice Department’s National Security Division.
But if the NSL is trying to identify a leaker by targeting the records of the potential source, and not the journalist, the Justice Department doesn’t need to be involved.
The guidelines also specify that the extra oversight layers do not apply if the journalist is believed to be a spy or is part of a news organization “associated with a foreign intelligence service” or “otherwise acting on behalf of a foreign power.” Unless, again, the purpose is to identify a leak, in which case, the general counsel and executive assistant director must approve the request.
“These supposed rules are incredibly weak and almost nonexistent — as long as they have that second sign-off they’re basically good to go,” said Trevor Timm, executive director of the Freedom of the Press Foundation, which has sued the Justice Department for the release of these rules. “The FBI is entirely able to go after journalists and with only one extra hoop they have to jump through.”
A spokesperson for the FBI, Christopher Allen, declined to comment on the rules or say if they had been changed since 2013, except to say that they are “very clear” that “the FBI cannot predicate investigative activity solely on the exercise of First Amendment rights.”
The Obama administration has come under criticism for bringing a record number of leak prosecutions, and aggressively targeting journalists in the process. In 2013, after it came out that the Justice Department had secretly seized records from phone lines at the Associated Press and surveilled Fox News reporter James Rosen, then-Attorney General Eric Holder tightened the rules for when prosecutors could go after journalists. The new policies emphasized that reporters would not be prosecuted for “newsgathering activities,” and that the government would “seek evidence from or involving the news media” as a “last resort” and an “extraordinary measure.” The FBI could not label reporters as co-conspirators in order to try to identify their sources — as had happened with Rosen — and it became more difficult to get journalists’ phone records without notifying the news organization first.
Yet these changes did not apply to NSLs. Those are governed by a separate set of rules, laid out in a classified annex to the FBI’s operating manual, known as the Domestic Investigations and Operations Guide, or DIOG. The full version of that guide, including the classified annex, was last made public in redacted form in 2011.
The section of the annex on NSLs obtained by The Intercept dates from October 2013 and is marked “last updated October 2011.” It is classified as secret with an additional restriction against distribution to any non-U.S. citizens.
Emails from FBI lawyers in 2015, which were released earlier this year to the Freedom of the Press Foundation, reference an update to this portion of the DIOG, but it is not clear from the heavily redacted emails what changes were actually made.
In a January 2015 email to a number of FBI employee lists, James Baker, the general counsel of the FBI, attached the new attorney general’s policy and wrote that “with the increased focus on media issues,” the FBI and Justice Department would “continue to review the DIOG and other internal policy guides to determine if additional changes or requirements are necessary.”
“Please be mindful of these media issues,” he continued, and advised consulting with the general counsel’s office “prior to implementing any techniques targeting the media.” But the email also explicitly notes that the new guidelines do not apply to “national security tools.”
Allen, the FBI spokesperson, told The Intercept in an emailed statement that “the FBI periodically reviews and updates the DIOG as needed” and that “certainly the FBI’s DIOG remains consistent with all [Attorney General] Guidelines.”
Bruce Brown, executive director of the Reporters Committee for Freedom of the Press, said that the “use of NSLs as a way around the protections in the guidelines is a serious concern for news organizations.”
Last week, the Reporters Committee filed a brief in support of the Freedom of the Press Foundation’s lawsuit for the FBI’s NSL rules and other documents on behalf of 37 news organizations including The Intercept’s publisher, First Look Media. (First Look also provides funding to both the Reporters Committee and the Freedom of the Press Foundation, and several Intercept staffers serve on the foundation’s board.)
Seeing the rules in their un-censored form, Timm, of the Freedom of the Press Foundation, said that the FBI should not have kept them classified.
“Redacting the fact that they need a little extra sign-off from supervisors doesn’t come close to protecting state secrets,” he said.
The FBI issues thousands of NSLs each year, including nearly 13,000 in 2015. Over the years, a series of Inspector General reports found significant problems with their use, yet the FBI is currently pushing to expand the types of information it can demand with an NSL. The scope of NSLs has long been limited to basic subscriber information and toll billing information — which number called which, when, and for how long — as well as some financial and banking records. But the FBI had made a habit of asking companies to hand over more revealing data on internet usage, which could include email header information (though not the subject lines or content of emails) and browsing history. The 2013 NSL rules for the media only mention telephone toll records.
Another controversial aspect of NSLs is that they come with a gag order preventing companies from disclosing even the fact that they’ve received one. Court challenges and legislative changes have loosened that restriction a bit, allowing companies to disclose how many NSLs they receive, in broad ranges, and in a few cases, to describe the materials the FBI had demanded of them in more detail. Earlier this month, Yahoo became the first company to release three NSLs it had received in recent years.
It’s unclear how often the FBI has used NSLs to get journalists’ records. Barton Gellman, of the Washington Post, has said that he was told his phone records had been obtained via an NSL.
The FBI could also potentially demand journalists’ information through an application to the Foreign Intelligence Surveillance Court (or FISA court), which, like NSLs, would also not be covered by the Justice Department policy. The rules for that process are still obscure. The emails about revisions to the FBI guidelines reference a “FISA portion,” but most of the discussion is redacted.
For Brown, of the Reporters Committee, the disclosure of the rules “only confirms that we need information about the actual frequency and context of NSL practice relating to newsgathering and journalists’ records to assess the effectiveness of the new guidelines.”
By Cora Currier
U.S. Senate Majority Leader Mitch McConnell set up a vote late on Monday to expand the Federal Bureau of Investigation’s authority to use a secretive surveillance order without a warrant to include email metadata and some browsing history information.
The move, made via an amendment to a criminal justice appropriations bill, is an effort by Senate Republicans to respond to last week’s mass shooting in an Orlando nightclub after a series of measures to restrict guns offered by both parties failed on Monday.
“In the wake of the tragic massacre in Orlando, it is important our law enforcement have the tools they need to conduct counterterrorism investigations,” Senator John McCain, an Arizona Republican and sponsor of the amendment, said in a statement.
The bill is also supported by Republican Senators John Cornyn, Jeff Sessions and Richard Burr, who chairs the Senate Intelligence Committee.
Privacy advocates denounced the effort, saying it seeks to exploit a mass shooting in order to expand the government’s digital spying powers.
Senator Ron Wyden, an Oregon Democrat, criticized a similar effort last month as one that “takes a hatchet to important protections for Americans’ liberty.”
The amendment would broaden the FBI’s authority to use so-called National Security Letters to include electronic communications transaction records such as time stamps of emails and the emails’ senders and recipients.
The Obama administration for years has lobbied for a change to how NSLs can be used, after a 2008 legal memo from the Justice Department said the law limits them largely to phone billing records. FBI Director James Comey has said the change essentially corrects a typo and is a top legislative priority for his agency.
NSLs do not require a warrant and are almost always accompanied by a gag order preventing the service provider from sharing the request with a targeted user.
The letters have existed since the 1970s, though the scope and frequency of their use expanded greatly after the Sept. 11, 2001, attacks on the United States.
The amendment filed Monday would also make permanent a provision of the USA Patriot Act that allows the intelligence community to conduct surveillance on “lone wolf” suspects who do not have confirmed ties to a foreign terrorist group. That provision, which the Justice Department said last year had never been used, is currently set to expire in December 2019.
A vote is expected no later than Wednesday, McConnell’s office said.