Israel's NSO Group Exploits And Malware Again Being Used To Target Journalists In The Middle East

from the are-we-the-baddies-asked-no-one-at-NSO-ever dept

You'd think the government of a land surrounded by enemies would do more to regulate malware distribution by local companies. It's one thing to hold your enemies close. It's quite another to provide them with the tools to ensure your own downfall.

One would think malware purveyors like the Israel's NSO Group would post photos of countries like Saudi Arabia on its "DO NOT ACCEPT CHECKS FROM THESE GOVERNMENTS" wall at its HQ. But it doesn't care. It sells to whoever will buy, even if that means subjecting Israeli citizens to surveillance programs run by Israel's enemies.

This has been part of NSO's far from illustrious history for years. When not being sued by American companies for leveraging their messaging services to deliver malware, NSO Group has allowed a variety of authoritarian governments to spy on activists, journalists, and dissidents with its toolkit of exploits and scalable attacks.

The latest expose on NSO's unsavory tactics comes from Citizen Lab, which has been exposing the nastiness of malware purveyors for years. Citizen Lab says NSO is still allowing Israel's enemies to target critics, making it far more dangerous for them to engage in activities that expose heinous government actions. Unsurprisingly, it's longtime human rights violators making the most of whatever NSO Group will sell them.

In July and August 2020, government operatives used NSO Group’s Pegasus spyware to hack 36 personal phones belonging to journalists, producers, anchors, and executives at Al Jazeera. The personal phone of a journalist at London-based Al Araby TV was also hacked.

The phones were compromised using an exploit chain that we call KISMET, which appears to involve an invisible zero-click exploit in iMessage. In July 2020, KISMET was a zero-day against at least iOS 13.5.1 and could hack Apple’s then-latest iPhone 11.

Based on logs from compromised phones, we believe that NSO Group customers also successfully deployed KISMET or a related zero-click, zero-day exploit between October and December 2019.

The journalists were hacked by four Pegasus operators, including one operator MONARCHY that we attribute to Saudi Arabia, and one operator SNEAKY KESTREL that we attribute to the United Arab Emirates.

Al Jazeera is one of the only independent news outlets covering Middle East issues. That makes it a popular target for governments that would prefer their own narratives dominate news coverage. NSO's tools make it easier to undercut competing narratives by compromising independent reporting and intimidating journalists who won't act as stenographers for government talking heads.

Citizen Lab's investigation uncovered attacks on journalists' phones, resulting in exfiltration of data and communications. In addition, it saw evidence of capabilities that are present in NSO's malware, even if they aren't being exploited yet. These include taking control of mics on devices to surreptitiously record in-person conversations, as well as accessing audio of encrypted phone conversations. In addition, the malware has the ability to track users' locations and access their stored credentials.

These are powerful tools. And like all powerful tools, they shouldn't be allowed to fall into the wrong hands. But NSO Group not only allows them to fall into the wrong hands, it makes its own countrymen and allies targets by actively placing them in the wrong hands. Then it stands back and says it has no control over its customers' actions, even if it knows certain customers are definitely not going to use these powers for good.

Filed Under: exploits, journalists, malware, surveillance, zero day
Companies: al jazeera, nso group

Former NSO Employees Says The Company Impersonated Facebook To Deploy Malware

from the so-much-for-the-innocent-middleman-theory dept

As Facebook's lawsuit against Israeli malware purveyor, NSO Group, continues, more facts are coming to light that undercut the spyware vendor's claims that it's just a simple software developer that can't be blamed for the malicious acts of its customers.

NSO Group argued in court that the sovereign immunity that insulates the governments it sells to (including such abusive regimes as the United Arab Emirates and Saudi Arabia) similarly shields it from Facebook's desire to prevent it from using WhatsApp to deploy malware. Facebook has since pointed out NSO uses US servers that it owns or rents to deploy the malware it claims it has no involvement in deploying.

More information has come to light, thanks to a whistleblower of sorts who spoke to Joseph Cox of Motherboard. The statements made by a former NSO employee further implicate the company in the dirty doings of its customers (who have targeted journalists, activists, and lawyers).

Infamous Israeli surveillance firm NSO Group created a web domain that looked as if it belonged to Facebook's security team to entice targets to click on links that would install the company's powerful cell phone hacking technology, according to data analyzed by Motherboard.

"Pegasus" is the name of the malware deployed via WhatsApp -- the preferred tool of governments the company sells to. (It's branded as "Phantom" when NSO pitches to US law enforcement agencies.) Once successfully deployed, the malware grants government agencies almost complete access to phone data, communications, and functions. Messages can be intercepted, making encryption irrelevant and the phone's mic and camera can be surreptitiously accessed to record conversations and take pictures.

It's easier to get targets to activate the malware if it looks like it came from a legitimate source. That's where the impersonation comes in.

The IP address provided to Motherboard related to a 1-click installation of Pegasus, the former employee said. Motherboard reviewed multiple databases of so-called passive DNS records from cybersecurity services DomainTools and RiskIQ, which show what web domain an IP address related to at different points in time. Throughout 2015 and 2016, the IP address resolved to 10 domains. Some of these seem to have been designed to appear innocuous, such as a link a person could click on to unsubscribe themselves from emails or text messages. Others impersonated Facebook's security team and package tracking links from FedEx.

The IP address impersonating Facebook is no longer under NSO's control. Infamous IP protection firm MarkMonitor apparently took control of the domain in late 2016, handing control of it to Facebook to prevent further misuse.

Facebook is also suing domain registrars for allowing customers to purchase domains that appear to be associated with the social media service. This isn't an unusual move, but it does appear to indicate most purchasers of Facebook-adjacent domains are using them for malicious purposes. Until now, no one's linked any of these domains to a malware vendor. This is only going to further harm NSO's assertions that its involvement in malware deployment begins and ends at the point of sale.

Filed Under: impersonation, malware, spyware, surveillance
Companies: facebook, nso group, whatsapp

Documents Show NSO Group Is Pitching Its Malware To US Local Law Enforcement Agencies

from the get-in-bed-with-the-UAE,-locals dept

Infamous Israeli malware developer NSO Group is currently being sued by Facebook for using WhatsApp as its preferred attack vector. Malicious links and malware payloads are sent to targets, allowing government agencies -- including those in countries with horrendous human rights records -- to intercept communications and otherwise exploit compromised phones.

NSO has argued it can't be sued for the things done by its customers, all of which appear to be government agencies. The company says those actions are protected by sovereign immunity. NSO insists it only sells the malware. It does not assist its customers with target acquisition or malware deployment. Documents filed by Facebook say otherwise. NSO appears to deploy malware through servers it owns or rents in the United States, suggesting it is actually more involved in its customers' actions than it has sworn in court.

Like any business, NSO Group wants more customers. It's not content to sell exploits to questionable governments that have used its offerings to target journalists, lawyers, activists, and dissidents. It wants to do business in the United States, where there are thousands of potential law enforcement customers.

Some details of NSO's stateside push emerged a few years ago, when reports showed the DEA had met with NSO to discuss its offerings. Motherboard has obtained additional documents indicating NSO is courting local law enforcement as well.

NSO Group, the surveillance vendor best known for selling hacking technology to authoritarian governments, including Saudi Arabia, also tried to sell its products to local U.S. police, according to documents obtained by Motherboard.

[...]

"Turn your target's smartphone into an intelligence gold mine," a brochure for the hacking product, called Phantom, reads. The brochure was made by Westbridge Technologies, "the North American branch of NSO Group," it says. Motherboard obtained the document and related emails through a public records act request.

"Phantom" is just US branding for NSO's "Pegasus" -- the hacking tool sold to foreign governments that's at the center of Facebook's lawsuit. According to the marketing documents sent to the San Diego Police Department, Phantom turns targeted phones into a steady stream of intercepted communications. The software allows police to grab emails, text messages, contact lists, track the device's location, and surreptitiously activate the phone's camera and microphone. Once a phone is compromised, encryption is no longer a problem, as NSO's sales materials point out.

Pitching a tool this powerful to the San Diego PD had a predictable response:

After talking to the company in a phone call, SDPD Sergeant David Meyer told Westbridge in an email that the hacking system "sounds awesome."

The PD's statement says the department is always looking at products that could aid them in investigations. But as tempting as this one was, it was out of the PD's price range.

In his email, Sergeant Meyer added, "we simply do not have the kind of funds to move forward on such a large scale project."

That the NSO Group is seeking US law enforcement customers isn't a surprise. But the nation's police agencies should try to be selective about who they purchase from. NSO has sold malware to serial human rights abusers and one would hope US agencies would voluntarily choose not to buy from a company with such shady clientele. Unfortunately, this single sampling of law enforcement documents shows at least one cop shop showed interest in buying what NSO was selling, and was only held back by budgetary constraints.

Filed Under: hacking, law enforcement, police, spyware, us
Companies: nso group

Israeli Malware Merchant's Employee Used Powerful Spyware To Snoop On A Potential Love Interest

from the surprising-no-one dept

NSO Group is not having a great year. At least not on the PR front. The books may be balancing, but its indiscriminate distribution of malware/spyware to questionable governments has been raising eyebrows and blood pressure for years. Now, it's being sued by Facebook for using WhatsApp as its preferred delivery system for malware payloads.

These payloads target criminals and national security threats. But -- since NSO doesn't care who it sells to or what they do with its powerful software -- the payloads also target journalists, dissidents, activists, and attorneys. This malware can take over devices, feeding communications and phone contents to government agencies that want to keep an eye on their enemies -- even when their "enemies" are just critics and people who disagree with their policies.

But the malware can be used for other reasons, too. Any powerful surveillance tool ultimately ends up being misused. Just ask the NSA. And the FBI. And now, ask NSO, as Joseph Cox has for Motherboard.

An employee of controversial surveillance vendor NSO Group abused access to the company's powerful hacking technology to target a love interest, Motherboard has learned.

The previously unreported news is a serious abuse of NSO's products, which are typically used by law enforcement and intelligence agencies. The episode also highlights that potent surveillance technology such as NSO's can ultimately be abused by the humans who have access to it.

How adorable. Israel's biggest malware merchant thinks it's a cop shop. Even more adorably, the company more or less admits (1) this sort of thing is going to happen occasionally, and (2) there's nothing NSO Group can do about it.

"There's not [a] real way to protect against it. The technical people will always have access," a former NSO employee aware of the incident told Motherboard. A second former NSO employee confirmed the first source's account, another source familiar confirmed aspects of it, and a fourth source familiar with the company said an NSO employee abused the company's system.

This isn't just something NSO employees can do. It's also anything any of NSO's customers can do. Not every target of surveillance is a government-ordained target. Give enough people access and power, and abuse will happen. It's more surprising it's happening at NSO, which has always portrayed itself as a blood-on-the-hands-free purveyor of powerful tools. Once it sells them, it takes no responsibility for what's done with them.

And I agree with that point. NSO is not responsible for the acts of its customers. But it should choose better customers, considering how powerful its spyware is. As Cox explains, it's capable of taking over even fully up-to-date devices by manipulating a number of zero-day exploits. Targets never know their devices have been compromised. In some cases, no action needs to be taken on their end, so dodging suspicious links sent via text, chat, or email isn't even needed.

This obviously makes the software a temptation for its employees, who can use it to target whoever they want. The inevitability has occurred. And it has probably occurred more than the single instance detailed here.

As if this development wasn't unpleasant enough, the illicit targeting happened while the NSO employee was working with one of NSO's more unsavory customers, the United Arab Emirates. Not that the customer matters. It could have happened anywhere. But this one happened when the NSO was providing customer service for a country that engages in torture, operates secret prisons, criminalizes criticism of the government, and officially blesses mistreatment of anyone who isn't a Muslim male.

It's pretty tough for a company with minimal moral boundaries to expect its employees to respect the rules it has (well, let's assume NSO has forbidden illicit use of its tools) established to minimize abuse. When you're willing to sell spyware to monsters, you can't really expect employees to maintain their halos.

Filed Under: employee abuse, love interest, lovint, surveillance
Companies: nso group

Court Filings Show NSO Group Ran Malware Attacks Through Servers Located In California

from the not-immune-from-its-own-carelessness dept

Things are getting even more interesting in Facebook's lawsuit against Israeli malware merchant, NSO Group. Facebook was getting pretty tired of NSO using WhatsApp as an attack vector for malware delivery, which resulted in the company having to do a lot more upkeep to ensure users were protected when utilizing the app.

Unfortunately, Facebook wants a court to find that violating an app's terms of service also violates the CFAA -- something most of us really don't want, even if it would keep NSO and its customers from exploiting messaging services to target criminals, terrorists… and, for some reason, lots of journalists, dissidents, and activists.

NSO finally responded to Facebook's lawsuit by saying it could not be sued over the actions of its customers. Its customer base is mainly government agencies -- including some especially sketchy governments. NSO claims all it does is sell the stuff. What the end users do with it is between the end users and their surveillance targets. Since its customers are governments, sovereign immunity applies… which would dead-end this lawsuit (wrong defendant) and any future lawsuits against governments by Facebook (the sovereign immunity).

NSO's claims it can't be touched by this lawsuit are falling apart. Citizen Lab researcher John Scott-Railton pointed out on Twitter that Facebook's latest filings point to NSO operating its malware servers from inside the United States -- apparently doing far more than simply selling malware to government customers and letting them handle the deployment details.

Facebook's answer to NSO's attempt to dismiss the lawsuit concedes NSO's point: it is not its customers. But that's precisely why it can be sued. From Facebook's response [PDF]:

A flawed premise runs through the motion to dismiss (“MTD”). Defendants contend that they cannot be held responsible for designing and marketing spyware and then deploying it using WhatsApp’s U.S.-based servers, including in California, to hack into WhatsApp users’ devices. Instead, Defendants pin blame on unidentified foreign sovereigns. That argument fails at every turn: Defendants cannot cloak themselves in their putative clients’ immunity; they are accountable for suit in a California court; and the Complaint states valid claims for relief based on Defendants’ unauthorized access to and hijacking of WhatsApp’s servers.

[...]

The statute confers immunity only on foreign states—not private companies who develop and operate their own technology and then claim to act on a foreign state’s behalf.

The claim that NSO Group operates from California (making this venue appropriate for the lawsuit) isn't some distended stretch where malware briefly passed through WhatsApp servers in the US on its way to its targets. Declarations [PDF] by Facebook's expert witnesses show NSO is routing malware deliveries through California data centers. This is only a small part of the list of IP addresses linked to NSO deployments Facebook has uncovered.

Attached as Exhibit 1 is a true and accurate screenshot from IP2Location.com obtained on April 22, 2020, for IP address 104.223.76.220. Exhibit 1 shows that IP address 104.223.76.220 is currently located in Los Angeles, California, and is owned by QuadraNet Enterprises LLC.

According to historical IP address location information from Maxmind.com for IP address 104.223.76.220 obtained through the website archive.org, IP address 104.223.76.220 was located in Los Angeles, California, and owned by QuadraNet Enterprises LLC as of May 28, 2019. Attached as Exhibit 2 is a true and accurate screenshot of the Maxmind.com csv.zip file available for download at archive.org that contains historical IP location information. Attached as Exhibit 3 is a true and accurate screenshot of the unzipped Maxmind.com csv.zip file showing the date of the files as May 28, 2019. Attached as Exhibits 4a, 4b, and 4c are true and accurate screenshots of the netblock for IP address 104.223.76.220 showing the location and ownership of IP address 104.223.76.220 as of May 28, 2019.

This is the upshot of Facebook's investigation of NSO's WhatApp-based efforts:

NSO used QuadraNet’s California-based server more than 700 times during the attack to direct NSO’s malware to WhatsApp user devices in April and May 2019.

These filings appear to show something very different than what NSO Group has claimed. It is not a blind provider of malware to government agencies. This indicates NSO is purchasing and operating servers stateside that its customers use to deploy malware. And if it runs these servers, then it quite possibly knows who its customers are targeting. This is far more involved than its sworn statements have said. The plausible deniability it's trying to project just isn't that plausible.

Facebook's response points out the logical leap NSO is demanding from the court.

The Complaint alleges targeting of 1,400 separate devices, Compl. ¶ 42, and NSO does not specify who it was working for in each attack. Instead, NSO relies on a conclusory declaration from its CEO Shalev Hulio stating that “NSO markets and licenses its Pegasus technology exclusively to sovereign governments and authorized agencies,” and those sovereigns—not NSO—“operate [the] Pegasus technology.” Hulio Decl. ¶¶ 9, 14-15. But Hulio fails to identify any specific foreign sovereign for whom NSO worked—let alone cite a single contract or any evidence establishing NSO’s purportedly limited operational role.

NSO's options are all unappealing at the moment. It can't hope to settle since its customers aren't going to be willing to give up exploitation of an encrypted messaging app used by millions of people around the world. It also can't be looking forward to continued litigation since that's only going to mean more exposure of its actions and inner workings as the lawsuit drags on. But these are the risks you take when your favored attack vector is another company's service and your payload deliveries route themselves through rented/purchased servers located in the United States.

NSO turned itself into a villain by selling its products to governments wanting to target dissidents, journalists, activists, and attorneys. A little more judiciousness would have gone a long way. Running attacks through services owned by one of the most powerful tech companies in the world may have provided NSO's customers with a broad user base to attack, but it also ensured it would find itself in court facing a well-funded and well-equipped adversary.

Filed Under: cfaa, hacking, jurisdiction, spying, surveillance
Companies: facebook, nso group, whatsapp

Israel's High Court Blocks Country's Hastily-Erected Domestic Coronavirus Surveillance Program

from the all-shin-bets-are-off dept

When the coronavirus crisis hit, several countries saw an opportunity to engage in/expand domestic surveillance. Unsurprisingly, China and Hong Kong were some of the first to step up their snooping. But it was Israel that quickly deployed one of the more concerning virus-tracking programs: opening up a massive collection of cellphone data to its national security force, Shin Bet.

This was done without any legislative discussion or input from the millions of stakeholders whose cell data had just become a plaything for Shin Bet. To make matters worse, the backup plan involved Israel's premier malware merchant, NSO Group, which has offered its spy tools to governments to spy on journalists, attorneys, and activists.

Prime Minister Benjamin Netanyahu's unilateral declaration that telcos' data stores were open for government business may have been premature. While there's definitely value in tracking infected members of the population, a more voluntary program would have been the place to start.

The nation's High Court has at least temporarily blocked Shin Bet's use of cell location data.

[T]he ruling states that, “The choice to make use of the state’s preventative security agency to follow those who do not seek to do [the state] harm, without the subjects of the surveillance giving their permission, raises an extremely serious difficulty and a suitable alternative should be sought that fulfills the principles of privacy protection.”

The court says that if the government wants to do this, it needs to create legislation first -- something that will establish guidelines for use of the data collection, as well as provide an expiration date for this specific authority.

This isn't necessarily what the government wanted to hear. Haaretz reports a classified meeting between the country's Foreign Affairs office and the Defense subcommittee discussed concerns about the Shin Bet effort. But officials weren't concerned about the privacy issues the court raised in its decision. Instead, they were discussing a National Security Council report that said that if the government didn't do this, the other alternatives were pretty much useless.

Among other things, the report stated that the primary alternative would be monitoring by NSO group, an Israeli Surveillance company, to which Attorney General Avichai Mendelblit objected because it would undermine residents’ privacy. It was also argued that there is a huge number of people who use kosher phones that cannot download apps, and that this was an impediment.

Yes, you read that correctly. The government's National Security Council argued the NSO effort would undermine privacy. Somehow the same conclusion wasn't drawn about the country's national security agency using the same data.

In more helpful news, the High Court also ruled journalists' data off-limits. If journalists wish to be tracked as part of the temporarily-halted surveillance program, they will need to consent to the collection. Obviously, most journalists will opt out, given the risk this surveillance poses to their sources. Those seeking to opt out can obtain a restraining order from the court to block Shin Bet's access to their records.

All in all, it's a good thing someone's attempting to rein in government overreach in a time when a lot of government activity is going to go unquestioned. This still leaves unanswered questions about the virus-related surveillance -- namely how long it's going to last and how easy it will be to uncouple the government from this data when it's all over. Hopefully, the mandated legislation will answer the questions the Prime Minister apparently didn't ask before authorizing this new form of domestic surveillance.

Filed Under: contact tracing, covid-19, israel, mobile phone data, privacy, shin bet, surveillance
Companies: nso group

Controversial Spyware Vendor NSO Group Is Helping The Israeli Government Spy On Its Own Citizens

from the for-their-health,-of-course dept

Israel's leading malware purveyor is pitching in to help with the pandemic. NSO Group -- which has pitched its spy tools to a number of questionable governments -- is trying to help track the spread of the virus with its proprietary surveillance tool.

This would be the third effort by the country to keep tabs on the disease, starting with the Israeli government's authorization of the use of phone/location data to monitor infected individuals. There's also a more voluntary effort, created by the country's Ministry of Health, that allows users to "check in" by providing data about where they've been and whether or not they've tested positive for the disease.

But it's NSO's spyware that's the most worrying. Motherboard was able to observe the software in action and Lorenzo Franceschi-Bicchierai reports it's a pretty scary piece of spycraft.

The spyware company has adapted the user interface and analytical tool that they already had developed to be used alongside its powerful malware known as Pegasus, which can hack into mobile phones and extract data like photos, messages, and phone calls, from them. NSO is not collecting location data from phones. It only provides the software to governments, which then get the location data from telecom companies and ingest it within the software, according to the source.

At least NSO isn't injecting itself into users' phones, but that's about the only positive thing that can be said about it. The software -- code named Fleming -- takes this data and creates heat maps showing people's movements: where they go, how long they stay, and who they come in contact with. Sure, the data is anonymized, but that's a dodge. Anonymized data can be de-anonymized with very little effort. But with NSO's offering, de-anonymization is just another bullet point on the feature list.

With the goal of protecting people’s privacy, the tool tracks citizens by assigning them random IDs, which the government—when needed—can de-anonymize, the source explained.

With NSO on board, the Israeli government is looking towards a more China-esque management of the country's citizens. China has "citizen scores." Israelis will now be tagged with health scores.

On Monday, Israel's Defense Minister Naftali Bennett tweeted that the Israeli government is working on "world-leading" AI system that will give every citizen a grade between 1 and 10 to determine how likely they are to spread the coronavirus and if they need to be tested, but that it hasn’t gotten all the necessary approvals yet. On Tuesday, Israeli news outlet Calcalist reported that Bennet was referring to NSO’s solution.

If every citizen is getting a score, it would appear the government isn't going to have much use for anonymized data. Seemingly unable to see the downsides of inflicting mass domestic surveillance on Israel's residents, Bennett is fully embracing the involuntary sacrifice of citizens' privacy in exchange for unproven pandemic-fighting gains. The Defense Minister has made it clear he thinks other governments should follow Israel's dubious lead.

Of course, once this pervasive tracking is in place, it will stay there long after the virus is under control. There's no set expiration date for this worldwide health crisis. Once it does retreat into the background, the usual national security and law enforcement concerns will replace it and the access government agencies have taken for granted for months or years won't be relinquished without a fight. And there's a good chance the officials that decided it was necessary to place the country's citizens under surveillance won't see the need to roll things back to their pre-coronavirus level.

Filed Under: covid-19, disease tracking, israel, privacy, spyware, surveillance, tracking
Companies: nso group

Malware Marketer NSO Group Looks Like It's Blowing Off Facebook's Lawsuit

from the why-bother-being-accountable-in-any-minimal-fashion dept

In late October of last year, Facebook and WhatsApp sued Israeli surveillance tech provider NSO Group for using WhatsApp to deliver device-compromising malware. The lawsuit sought to use the CFAA to stop NSO from using WhatsApp as an attack vector.

The lawsuit is dangerous. It asks the court to read the CFAA to cover attacks targeting users' accounts, rather than attacks on the service provider itself. The CFAA is already problematic enough without this sort of expansion. WhatsApp users certainly appreciate the efforts the developers make to protect them from malware, but asking a court to reinterpret an easily-abused law just so Facebook can go after NSO isn't an acceptable solution.

NSO has been the target of non-stop criticism due to its willingness to sell malware and surveillance tech to countries with long histories of human rights violations. Its malware has also been observed targeting activists, dissidents, journalists, and critics of the governments that have deployed NSO malware.

Facebook's lawsuit is going nowhere fast. While it's not uncommon for there to be a delay between the filing of a complaint and the defendant's response, NSO hasn't filed anything -- not even a notice of appearance from its corporate counsel -- since the filing of the suit.

Facebook wants the court to take notice of this no-show. It's asking for the upcoming case management to be postponed indefinitely since it has heard nothing at all from NSO. But the administrative motion [PDF] is not just there to deal with a logistical problem. It's there to let the court know NSO isn't cooperating with the litigation.

After filing the Complaint, Plaintiffs promptly sought to serve Defendants under the Hague Convention, which was effected on December 17, 2019.Plaintiffs also contacted Defendants via email, physical mail, and hand service, but have not received any response. As of the date of this filing, no counsel has entered an appearance in this matter on Defendants’ behalf, nor have Defendants filed an answer to the Complaint. Thus, Plaintiffs cannot fulfill their obligations under the Court’s initial case management scheduling order (ECF No. 9), including the obligations to meet and confer regarding initial disclosures, early settlement, ADR process selection, and a discovery plan.

The NSO is certainly welcome to sit this one out. It's not like blowing off the WhatsApp lawsuit will do anything to its reputation that NSO hasn't already done to it by selling hacking tools to authoritarians. It's possible Facebook will receive a default judgment if NSO decides this is a waste of its time. Even if it did, what use would it be? NSO isn't going to stop marketing malware that can be deployed via messaging services and the governments it sells to aren't going to stop targeting WhatsApp users just because a court in California says it violates the CFAA.

This lawsuit is mostly for show. On the odd chance NSO decides to participate, discovery could expose some of its inner workings and the clients it sells this brand of malware to. NSO isn't going to risk that. It makes more sense to let Facebook flail away ineffectively with a civil suit that will have absolutely no effect on its business model.

Filed Under: cfaa, default judgment, lawsuits, spyware
Companies: facebook, nso group

European Law Enforcement Officials Upset Facebook Is Warning Users Their Devices May Have Been Hacked

from the screw-the-little-people,-we've-got-bad-guys-to-hack dept

Oh boy. Facebook has just added fuel to the anti-encryption fire. And by doing nothing more than something it should be doing: notifying users that their device may have been compromised by malware.

The Wall Street Journal article covering this standard notification is full of quotes from government officials who aren't happy a suspected terrorist was informed his phone had possibly been infected by targeted malware. [Non-paywalled version here.]

A team of European law-enforcement officials was hot on the trail of a potential terror plot in October, fearing an attack during Christmas season, when their keyhole into a suspect’s phone went dark.

WhatsApp, Facebook Inc. ’s popular messaging tool, had just notified about 1,400 users—among them the suspected terrorist—that their phones had been hacked by an “advanced cyber actor.” An elite surveillance team was using spyware from NSO Group, an Israeli company, to track the suspect, according to a law-enforcement official overseeing the investigation.

Facebook is no fan of NSO Group. In fact, very few people are fans of NSO Group, other than their customers, which have included UN-blacklisted countries and a number of governments that rank pretty high on the Most Human Rights Violated charts. Facebook sued NSO back in November, making very questionable allegations about CFAA violations. Facebook's servers were never targeted by NSO's malware. Only end users were, which makes it pretty difficult for Facebook to claim it has been personally (so to speak) injured by NSO's actions.

Back to the matter at hand, Facebook didn't just warn suspected terrorists about detected malware.

WhatsApp’s Oct. 29 message to users warned journalists, activists and government officials that their phones had been compromised, Facebook said. But it also had the unintended consequence of potentially jeopardizing multiple national-security investigations in Western Europe about which Facebook hadn’t been alerted—and about which government agencies can’t formally complain, given their secret nature.

Would these government officials rather have not been warned about threats? Were any of these government officials receiving warnings the same ones now complaining the warning allowed a terrorism suspect to vanish? Maybe so. The one quoted in the article seems very short-sighted.

On the day WhatsApp sent its alert, the official overseeing the terror investigation in Western Europe said, he was stuck in traffic on his way to work when a call came in from Israel. “Have you seen the news? We’ve got a problem,” he said he was told. WhatsApp was notifying suspects whom his team was tracking that their phones had been hacked. “No, that can’t be right. Why would they do that?” the official said he asked his contact, thinking it a joke.

"Why would they do that" indeed. Maybe to protect their users from cybercriminals and state-sponsored hackers. It's not about allowing suspected criminals to dodge law enforcement, even though it will undoubtedly have that effect. It's about keeping users and their communications protected -- users that include journalists, activists, and government officials.

This response indicates the investigators pursuing the suspected terrorist would rather hundreds of innocent people be harmed than someone suspected of terrorism go free. But it really doesn't matter what unnamed officials think about Facebook's "you may have been compromised" notifications or the harm these might do to ongoing investigations. Facebook's voluntary warnings will soon be mandatory in Europe. By the end of 2020, all service providers and telcos will be obligated to warn customers of security threats.

That fact -- and the apparent willingness to allow innocent people to be victimized by targeted attacks -- makes the article's closing statement all the more ridiculous.

Gilles de Kerchove, the European Union’s counterterrorism coordinator, says encryption shouldn’t allow criminals to be “less accountable online than in real life.”

I have no idea what that means. I know what the official thinks it's supposed to mean -- that "online" is bad because sometimes criminals get away -- but even that interpretation doesn't make sense. Criminals discover their phones have been tapped and stop using those lines. Criminals talk to each other in person to avoid creating records of conversations. Criminals get tips from other criminals they're under surveillance. This stuff just happens. Investigations don't always run smoothly.

A standard warning about possibly-compromised devices and services is just good business -- something that protects everyone who uses the service, not just the people governments think are OK to protect. These warnings are essential and they benefit everyone, not just the people governments want to lock up.

Filed Under: disclosure, europe, hacking, law enforcement, malware, terrorists
Companies: facebook, nso group, whatsapp

Facebook's Sues Israeli Malware Marketer With A Lawsuit That Aims To Make An Easily-Abused Law Even More Abusable

from the OK-BOOMER dept

Facebook is suing Israeli exploit developer NSO Group for utilizing WhatsApp to target 1,400 users with malware that allowed NSO's clients to circumvent the chat app's end-to-end encryption.

That NSO is being accused of helping bad people surveill good people is not news. NSO is not very selective when it comes to selling malware, putting its powerful tech in the hands of governments that seem just as likely to target NSO's home country as they are to target local dissidents, journalists, and activists. NSO's software and cavalier approach to sales have been exposed by multiple Citizen Lab investigations, which have outed NSO's sales to blacklisted countries.

Facebook's lawsuit [PDF] basically echoes the findings of Citizen Lab.

In a lawsuit filed in federal court in San Francisco, messaging service WhatsApp, which is owned by Facebook Inc (FB.O), accused NSO of facilitating government hacking sprees in 20 countries. Mexico, the United Arab Emirates and Bahrain were the only countries identified.

WhatsApp said in a statement that 100 civil society members had been targeted, and called it “an unmistakable pattern of abuse.”

Abusive it is, especially when you're trying to tout the benefits of end-to-end encryption, only to have a malware developer show you how easy it is to route around these protections. NSO's malware was spread using WhatsApp's video chat feature, which apparently allowed government agencies to eavesdrop on communications and possibly access device contents.

This isn't the only lawsuit NSO is facing.

NSO came under particularly harsh scrutiny over the allegation that its spyware played a role in the death of Washington Post journalist Jamal Khashoggi, who was murdered at the Saudi Consulate in Istanbul a little over a year ago.

Khashoggi’s friend Omar Abdulaziz is one of seven activists and journalists who have taken the spyware firm to court in Israel and Cyprus over allegations that their phones were compromised using NSO technology. Amnesty has also filed a lawsuit, demanding that the Israeli Ministry of Defense revoke NSO’s export license to “stop it profiting from state-sponsored repression.”

This matters enough to NSO for it to engage in a very limited charm offensive. It has promised to abide by UN guidelines on human rights abuses, which means it's going to have to trim a few countries off its client list. It also claims to have saved the lives of "tens of thousands" of people. It's a great claim to make, especially when no one really expects you to back up it up with evidence or data.

But the lawsuit Facebook is pursuing is questionable, if not a bit dangerous. Facebook likely doesn't have a way to block NSO clients from accessing WhatsApp. It has permanently deleted the accounts of every employee of NSO Group it could find for "violating" Facebook's terms of use. But it's helpless to root out accounts used by NSO's customers, since these aren't nearly going to be as obvious as those belonging to people who list NSO as their employer.

That explains the lawsuit and Facebook's desire to obtain a permanent injunction against NSO Group, blocking it from utilizing WhatsApp to spread malware. But the lawsuit is on pretty shaky legal ground. Worse, if Facebook somehow prevails, the much-abused CFAA will be rewritten in a way that's going to harm plenty of people who've never sold malware to known human rights abusers.

Here's Wired's Andy Greenberg (and defense attorney Tor Ekeland) explaining just one of the problematic aspects of Facebook's lawsuit.

To make that charge stick, WhatsApp will have to show that NSO obtained illegal access to WhatsApp's own systems. Given that NSO's targets were WhatsApp users rather than, say, WhatsApp's servers, they'll have to find an argument that they, as the plaintiff, were the victim. "The fundamental question is, what’s the unauthorized access?" says Ekeland. "You might be able to argue that NSO hacked WhatsApp and not just their users. Maybe they’re trying to make that argument. But they’re not being clear about it, and that lack of clarity is an attack vector for the defendant."

Facebook's on a clear path if it chooses to stick with the argument NSO violated its terms of service. Those terms specifically forbid reverse-engineering code or sending malware via the app. But even if it's limited to that, the obvious solution is for Facebook to ban NSO from using its services. That may be close to impossible to do since Facebook doesn't have access to its client list or their user accounts. Arguing past that point may cause problems, though.

While it may work out for Facebook to have the CFAA cover "uses of our stuff that we don't like," it's going to harm a lot of other people. Security researchers, regular researchers, and anyone else who might use Facebook's platform or apps in a way Facebook doesn't like could be prosecuted or sued under this definition. While it's plainly advantageous for Facebook to force all users to use its products only in a way it approves, the downside is a garden with higher walls that put users completely at the mercy of Facebook. Since terms of use can be rewritten on the fly and applied immediately, Facebook could go after "violators" who aren't even aware they've actually violated anything.

Adding to Facebook's hurdles is a recent Ninth Circuit Court of Appeals ruling (this lawsuit is filed in the Ninth Circuit) that says scraping a site for data -- even when forbidden by the terms of use -- isn't necessarily a violation of the CFAA. Making this tougher for Facebook is there's no evidence it ever gave NSO prior notice its abuse of WhatsApp was forbidden. The lack of notice makes it a bit more difficult for Facebook to claim NSO knowingly violated the terms by using WhatsApp to distribute malware. It will be tough to prove NSO clients had unauthorized access, especially since Facebook didn't get around to permabanning anyone until after it filed its lawsuit.

I'm no fan of NSO and its client list, but I'm no fan of Facebook's lawsuit, either. An opinion finding using internet services in a way their developers don't like is not the precedent we need -- not if we're going to keep pushing for a safer internet for everyone. It will allow dominant players to establish rules that benefit the platforms and stave off competition from third-party offerings that attempt to address shortcomings major platforms refuse to correct. It will also prevent researchers from making online services safer or better, which will be a net loss for all platform users, even if it prevents a handful of authoritarians from exploiting a single service to target the people they think need more surveilling.

There's a lot at stake here but Facebook can't see past its immediate (and somewhat convenient, given its recent rakings over Congressional coal) desire to appear to be the good guy for once.

Filed Under: cfaa, encryption, hacking, key logger, malware
Companies: facebook, nso group, whatsapp