Mexican Businessman Arrested For Using NSO Spyware To Target A Journalist

from the NSO's-long,-international-SEO-nightmare-continues dept

No news is the only good news for Israeli tech company NSO Group. The problem is it's impossible to generate no news when you can't go more than a few days without generating more bad news.

Since the leak of data showing its customers were targeting journalists, activists, religious leaders, and other government officials with powerful malware capable of intercepting cellphone communications, the headlines NSO has racked up range from bad to worse to nightmarish.

Multiple countries are now following up on investigations performed by entities like CitizenLab, performing investigations of their own to determine whether they've been breached by NSO's malware or if government customers have violated rights. The United States has effectively blacklisted the company, forbidding US government agencies from buying its products and US exploit developers from selling to NSO.

One country was host to a large percentage of the numbers on the leaked list of potential NSO Group malware targets: Mexico. 15,000 of the 50,000 phone numbers on the list were located in that country. Perhaps unsurprisingly, Mexico is home to the first arrest related to abuse of NSO spyware.

Mexican prosecutors said Monday they have arrested a businessman on charges he used the Pegasus spyware to spy on a journalist.

[...]

A federal official not authorized to be quoted by name said the suspect is Juan Carlos García Rivera, who has been linked to the company Proyectos y Diseños VME and Grupo KBH. He was detained on Nov. 1.

Mexico buys a lot of spyware from NSO. The AP report says the Mexican government spent $61 million on Pegasus licenses (NSO's most popular -- and most powerful -- phone exploit) from 2006 to 2018. That quote was given to the Associated Press in July. It has since been updated.

Last week, the government’s top anti-money laundering investigator said officials from the two previous administrations had spent about $300 million in government money to purchase spyware. But that figure may reflect all spyware and surveillance purchases, or may include yet-unidentified contracts.

Supposedly the Mexican government has kicked the spyware habit. Current president Andrés Manuel López Obrador was elected in 2018 and promised never to use exploits like these. It remains to be seen if that promise has been broken or will be broken in the future. According to the head of the government's Financial Intelligence Unit -- which monitors government financial transactions for evidence of corruption -- "no transactions" related to the purchase of spyware have been detected.

That's reassuring but not nearly as reassuring as a statement from a non-government entity would be, given the Mexican government's long, mostly unsuccessful, battle with internal corruption.

NSO has, of course, responded with another nonsensical non-denial of the facts at hand:

As stated in the past, NSO’s technologies are only sold to vetted and approved government entities, and cannot be operated by private companies or individuals. We regret to see that, over and over again, the company’s name is mentioned in the media in events that has nothing to do with NSO, directly or indirectly.

This certainly looks like the software was "operated" by a private individual. Maybe that first and pretty damn clear impression will change when more facts are in. Just because NSO forbids the use by private individuals doesn't mean private individuals with access to malware are somehow incapable of deploying it. And, just to be pedantic because NSO insists on pedantry, when issuing defensive statements, this report very definitely has something to do with NSO indirectly. Being angry about the endless stream of bad news doesn't make NSO right and everyone else wrong about it's at least tacit involvement with misuse of its products by its customers.

Filed Under: journalism, malware, mexico, spyware, surveillance
Companies: nso group

Ninth Circuit Tells NSO Group It Isn't A Government, Has No Immunity From WhatApp's Lawsuit

from the law-harder! dept

Long before its current run of Very Bad News, Israeli malware purveyor NSO Group was already controversial. Investigations had shown its exploits were being used to target journalists and activists and its customer list included governments known mostly for their human rights abuses.

Facebook and WhatsApp sued NSO in November 2019, alleging -- among other things -- that NSO had violated WhatsApp's terms of use by deploying malware via the chat service. The arguments made by Facebook/WhatsApp aren't the best and they could allow the CFAA to be abused even more by expanding the definition of "unauthorized access."

Then there's the question of standing, which NSO raised in one motion to dismiss. The alleged harms were to users of the service, not to the service itself. While suing on behalf of violated users is a nice gesture, it's pretty difficult to talk a court into granting your requests for injunctions or damages if you're not the target of the alleged abuse.

NSO also pointed out it didn't actually violate anyone's terms of service. Its customers did when they used WhatApp to deliver malware to targets. NSO said WhatsApp was welcome to sue any of its customers, but was unlikely to get anywhere with that either, given the immunity from lawsuits generally handed to foreign governments.

Then NSO made a ridiculous claim of its own: it said it was immune from lawsuits since it provided this malware to foreign governments. By extension, it argued, the same immunity protecting foreign sovereigns (i.e., its customers) should be extended to the private company that sold them phone exploits. That argument was rejected by the district court. And the Ninth Circuit Appeals Court has just affirmed [PDF] that rejection, which means NSO will have to continue to fight what is now one of several damaging fires.

The Appeals Court says no reasonable reading of the Foreign Sovereign Immunities Act (FSIA) supports NSO's argument in favor of it taking no responsibility for its actions or the actions of its customers.

Whether such entity can sidestep the FSIA hinges on whether the Act took the entire field of foreign sovereign immunity as applied to entities, or whether it took the field only as applied to foreign state entities, as NSO suggests. The answer lies in the question. The idea that foreign sovereign immunity could apply to non-state entities is contrary to the originating and foundational premise of this immunity doctrine.

[...]

Thus, we hold that an entity is entitled to foreign sovereign immunity, if at all, only under the FSIA. If an entity does not fall within the Act’s definition of “foreign state,” it cannot claim foreign sovereign immunity. Period.

NSO isn't a "foreign state." It is not operated by a foreign state. It simply sells products to foreign states, which legally makes it no different than the company that supplies toilet paper to the White House. Just because the product is used almost exclusively by governments, that fact does not make NSO a state actor or a foreign state proxy.

NSO does not contend that it meets the FSIA’s definition of “foreign state,” and, of course, it cannot. It is not itself a sovereign. 28 U.S.C. § 1603(a). It is not “an organ . . . or political subdivision” of a sovereign. Id. § 1603(b)(2). Nor is a foreign sovereign its majority owner. NSO is a private corporation that provides products and services to sovereigns—several of them. NSO claims that it should enjoy the immunity extended to sovereigns because it provides technology used for law-enforcement purposes and law enforcement is an inherently sovereign function. Whatever NSO’s government customers do with its technology and services does not render NSO an “agency or instrumentality of a foreign state,” as Congress has defined that term. Thus, NSO is not entitled to the protection of foreign sovereign immunity. And that is the end of our task.

This heads back to the district court -- the court where NSO first argued that the court had no jurisdiction to handle the lawsuit since it was pretty much just a foreign government d/b/a a private malware manufacturer. It will have to continue facing WhatsApp's lawsuit over its alleged terms of service violations. And the longer the suit runs, the greater the chance NSO might have to divulge some more details on its dirty work and its even dirtier customers.

Filed Under: 9th circuit, immunity, malware, spyware
Companies: facebook, nso group, whatsapp

Israeli Malware Merchants NSO Group, Candiru Added To Commerce Department Export Blacklist

from the unwelcome-to-the-party,-pals dept

A couple of Israeli spyware purveyors have finally gotten themselves disinvited from the good graces of the federal government of the United States. The Commerce Department's Bureau of Industry and Security has amended its export regulations to hand NSO Group and the more mysterious Candiru a "presumption of denial," meaning they'll have to prove they're trustworthy again before US entities will be able to do business with them.

The new rules also make it more difficult for NSO and Candiru to sell their products using middlemen who aren't affected by the regulations.

In addition, the ERC [End-User Review Committee] also determined that no license exceptions should be available for exports, reexports, or transfers (in-country) to the persons being added to the Entity List in this rule.

NSO and Candiru weren't the only ones affected by this amendment, but they're the most notable recipients of the export controls.

The ERC determined that NSO Group and Candiru be added to the Entity List based on § 744.11(b) of the EAR: Entities for which there is reasonable cause to believe, based on specific and articulated facts, that the entity has been involved, is involved, or poses a significant risk of being or becoming involved in activities that are contrary to the national security or foreign policy interests of the United States and those acting on behalf of such entities. Specifically, investigative information has shown that the Israeli companies NSO Group and Candiru developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.

Also added to the blacklist were two other malware purveyors located in countries the United States has a much frostier relationship with.

The ERC determined that Positive Technologies, located in Russia, and Computer Security Initiative Consultancy PTE. LTD., located in Singapore, be added to the Entity List based on their engagement in activities counter to U.S. national security. Specifically, these entities traffic in cyber exploits used to gain access to information systems, threatening the privacy and security of individuals and organizations worldwide.

US companies and agencies will now have to approach the Commerce Department and ask for permission to purchase exploits from these companies, with the presumption being that their requests will be denied. This effectively shutters a large and presumably profitable market for these companies. It also prevents US-based exploit developers from selling their discoveries to any of the affected companies. And it's just another reputational hit for NSO Group, which has been remarkably resilient, considering its now fighting a PR battle on multiple fronts while being dragged down by its long, sordid past.

That hasn't stopped it from complaining that this blacklisting is unfair. Here's the statement it gave to The Record after the publication of the export regulation amendment.

NSO Group is dismayed by the decision given that our technologies support US national security interests and policies by preventing terrorism and crime, and thus we will advocate for this decision to be reversed.

We look forward to presenting the full information regarding how we have the world’s most rigorous compliance and human rights programs that are based the American values we deeply share, which already resulted in multiple terminations of contacts with government agencies that misused our products.

That is hilarious. It will be fun seeing how NSO proves it has the "world's most rigorous compliance and human rights program" after it has been observed selling its products to countries with dismal human rights records. Combine that statement with its defense that it has no "visibility" into how its customers use its products and it's pretty clear the "rigorous compliance program" NSO claims to have is about 50% delayed reaction and 50% bullshit.

Filed Under: commerce department, entity list, export regulations, malware, spyware
Companies: candiru, nso group

New Investigation Shows A US Journalist Critical Of The Saudi Government Was Hit With NSO Spyware

from the truly-an-unsurprising-development dept

Malware merchant NSO Group's year of embarrassment continues. Leaked data published in July appeared to show NSO malware (namely its phone-hijacking malware Pegasus) had been used to target dissidents, journalists, religious leaders, and prominent politicians.

NSO reacted by first claiming the data showed nothing of the sort or at least was unrelated to its malware and its customers. Then it made contradictory claims, saying it terminated contracts when it discovered abuse of its products and that it had no visibility into its customers' actions. Puzzling.

Then things somehow got worse. Countries accused of using NSO Group malware to target critics and journalists decided to sue critics and journalists. Israel's government opened an investigation into the Israeli company. Another investigation found the government of Bahrain was engaging in exactly the kind of abuse NSO claimed it didn't allow. And, thanks to some pretty ugly divorce proceedings, it came to light that the Dubai's king had used the malware to spy on his ex-wife and her lawyer.

The debacle continues. An investigation by Citizen Lab -- which has uncovered previous misuse of NSO's software -- reveals an American journalist was targeted multiple times by NSO's hacking tools.

New York Times journalist Ben Hubbard was repeatedly targeted with NSO Group’s Pegasus spyware over a three-year period from June 2018 to June 2021. The targeting took place while he was reporting on Saudi Arabia, and writing a book about Saudi Crown Prince Mohammed bin Salman.

The investigators aren't sure who targeted Hubbard, but they do note that complaining to NSO about being targeted in violation of the company's guidelines has zero deterrent effect on future targeting.

The targeting resulted in Pegasus infections in July 2020 and June 2021. Notably, these infections occurred after Hubbard complained to NSO Group that he was targeted by the Saudi-linked KINGDOM Pegasus operator in June 2018.

While it would seem the most likely suspect is the Saudi government (or perhaps the prince himself, given what we now know about individual misuse of NSO spyware), Citizen Lab doesn't have enough information to definitively say who's behind the second round of targeting. And, given government/government officials' willingness to sue journalists over accusations of spying, Citizen Lab is wise to play it safe when it comes to attribution.

The in-depth report is worth reading, detailing how Citizen Lab arrived at these conclusions, as well as noting the similarities between these attacks (which utilized both malicious links and zero-click exploits) and ones observed targeting a Saudi activist earlier this year. And it shows NSO is still months away from being able to put this in the rearview mirror. A change of culture is needed at NSO and it needs to cancel all contracts with countries whose governments whose abuses of human rights and hacking tools have already been the subject of years of reporting.

Filed Under: ben hubbard, malware, pegasus, spyware, surveillance
Companies: citizen lab, nso

In Latest Black Eye For NSO Group, Dubai's King Found To Have Used NSO Spyware To Hack His Ex-Wife's Phone

from the slumming-it-as-a-service dept

NSO Group has endured some particularly bad press lately, what with leaked data pointing to its customers' targeting of journalists, political figures, religious leaders, and dissidents. That its powerful spyware would be abused by its customers was not surprising. Neither were the findings from the leaked data, which only confirmed what was already known.

Despite this, NSO continues to make contradictory claims. First, it says it has no control (or visibility) as to how its customers use its products -- customers that include some notorious abusers of human rights. Second, it says that it cuts off customers who abuse its products to target people who only annoy their governments, rather than directly threaten it with criminal or terrorist acts.

Well, it's either one or the other. And if NSO is waiting for secondhand reports about abusive deployments to act, it really shouldn't be in the intel business. If NSO wants to stay above the fray, it could start by being a lot more selective about who it sells to.

If you're not selective, your customers will not only pettily target people (critics, activists, journalists, dissidents) the government doesn't like but will move on to the extreme pettiness of targeting people certain government officials don't like.

This latest nadir for NSO Group comes courtesy of court proceedings, which illustrates the danger of putting powerful cellphone exploits in the hands of the wrong people.

Dubai's ruler Sheikh Mohammed bin Rashid al-Maktoum ordered the phones of his ex-wife and her lawyers to be hacked as part of a "sustained campaign of intimidation and threat" during the custody battle over their children, England's High Court has ruled.

Mohammed used the sophisticated "Pegasus" software, developed by Israeli firm NSO for states to counter national security risks, to hack the phones of Princess Haya bint al-Hussein, half-sister of Jordan's King Abdullah, and some of those closely connected to her, according to the rulings.

That's the sort of thing you can expect to happen when powerful hacking tools are given to people who have never proven they're capable of handling power responsibly. Adding to the irony is the fact that the King's ex was tipped off by the wife of Tony Blair, who used to work as an outside legal adviser for NSO Group.

Now that this has been exposed, NSO is finally ready to take action.

Once the hacking was uncovered, NSO cancelled its contract with the UAE, Haya's lawyers said. The Israeli firm said it could not immediately comment on the case, but said it took action if it received evidence of misuse of Pegasus.

Well, duh (to use a technical term). But if NSO is so supposedly "proactive" why even sell to the UAE at all? It's not as though it has a long, storied history of respecting rights, much less those possessed by women who also happen to have angered the king? While I understand it might be difficult to promise investors steadily-increasing returns if you choose not to sell to questionable entities, it seems like a long run of bad press and government investigations might have the same effect on the bottom line. Or maybe NSO's investors are just as unconcerned about its partnerships with abusive governments as it is. Whatever the case is, it's led NSO to where it is now: a company best known for giving oppressive governments even more oppression options.

Filed Under: dubai, hacking, malware, pegasus, princess haya bint al-hussein, sheikh mohammed bin rashid al-maktoum, spyware
Companies: nso group

American Malware Purveyor That Did Nothing To Limit Misuse Now Horrified To Find Gov't Of India Misused Its Products

from the who-could-possibly-have-seen-this-inevitable-outcome dept

Another malware purveyor is shocked, SHOCKED to discover its products have been used to do Very Bad Things. Thomas Brewster has more details for Forbes. Here's the setup:

Earlier this year, researchers at Russian cybersecurity firm Kaspersky witnessed a cyberespionage campaign targeting Microsoft Windows PCs at government and telecom entities in China and Pakistan. They began in June 2020 and continued through to April 2021. What piqued the researchers’ interest was the hacking software used by the digital spies, whom Kaspersky had dubbed Bitter APT, a pseudonym for an unspecified government agency. Aspects of the code looked like some the Moscow antivirus provider had previously seen and attributed to a company it gave the cryptonym “Moses.”

More digging by Kaspersky and others discovered who was actually behind these deployments. And the source wasn't some state-supported hackers or a malware purveyor with a malleable set of morals. No, the exploits -- which were deployed to indiscriminately target people in Pakistan and China -- were sold (in a way) to the government of India by an American firm, Exodus Intelligence.

Operating out of Austin, Texas, Exodus doesn't craft many exploits of its own, but rather provides access to information about known exploits, including where to obtain them, and how they can be utilized and leveraged.

Exodus, when asked by Five Eyes countries (an alliance of intelligence-sharing countries that includes the U.S., U.K., Canada, Australia, and New Zealand) or their allies, will provide both information on a zero-day vulnerability and the software required to exploit it. But its main product is akin to a Facebook news feed of software vulnerabilities, sans exploits, for up to $250,000 a year. It’s marketed primarily as a tool for defenders, but customers can do what they want with the information on those Exodus zero days—ones that typically cover the most popular operating systems, from Windows to Google’s Android and Apple’s iOS.

The government of India chose to leverage this knowledge to indiscriminately assault China and Pakistan entities in hopes of hitting targets of interest. That wasn't what Exodus Intelligence's info feed was designed to do. It's only what it ended up being used for. And now the CEO of Exodus is acting like a parent disappointed a child has exceeded the boundaries he never bothered to set.

That feed is what India bought and likely weaponized, says 37-year-old Exodus CEO and cofounder Logan Brown. He tells Forbes that, after an investigation, he believes India handpicked one of the Windows vulnerabilities from the feed—allowing deep access to Microsoft’s operating system—and Indian government personnel or a contractor adapted it for malicious means. India was subsequently cut off from buying new zero-day research from his company in April, says Brown, and it has worked with Microsoft to patch the vulnerabilities. The Indian use of his company’s research was beyond the pale, though Exodus doesn’t limit what customers do with its findings, Brown says, adding, “You can use it offensively if you want, but not if you’re going to be . . . shotgun blasting Pakistan and China. I don't want any part of that.”

While it's great the CEO doesn't want any part of that, not placing limits on end users is always going to result in things like this. And while it's unlikely writing up a new ToS is going to deter customers from "shotgun blasting" people with the weaponry you've provided, it at least allows you to terminate contracts and access without having to engage in a bunch of costly litigation or fruitless negotiations.

And, if you're going to be in the business of selling exploits (or indirect access to exploits), you need to be way more proactive on the security front.

Brown is also now exploring whether or not its code has been leaked or abused by others. Beyond the two zero days already abused, according to Kaspersky, “at least six vulnerabilities” made by Moses have made it out “into the wild” in the last two years.

Whoops. That doesn't look good. But, in all fairness, even the NSA and CIA have seen their tech tools and exploits leaked, resulting in the infliction of misery worldwide by people a shade more malicious than the entities belatedly bemoaning the unplanned distribution of their digital secrets.

Speaking of belated, here's some regret from the cofounder of Exodus Intelligence, Aaron Portnoy.

[T]oday, the 36-year-old self-taught hacker, who dropped out of Northwestern to carve his own career in cybersecurity, worries that he never knew who had access to his code or how they used it. He now regrets relinquishing control over his zero days to salespeople. “It's almost like I was being taken advantage of . . . It felt very much like I was a tool that was being used for a bigger purpose that I really had no insight into,” says Portnoy, now plying his trade at Randori, a Massachusetts-based cybersecurity firm.

Sure, but not so concerning Portnoy didn't leap from Exodus to defense contract Raytheon, and from there to startup Boldend, which partnered with Raytheon to (and I'm directly quoting here) "accelerate cyber operations with greater force."

While it's great that Exodus has revoked the Indian government's access to its exploit feed, the larger problem remains. American companies are aiding and abetting mass surveillance, targeting of dissidents and activists, and other human rights abuses by not being more selective of who they sell to or placing limits on how their products are used. This puts them in the same shady neighborhood as overseas malware merchants like NSO Group and Hacking Team. Sooner or later, it's going to put them on the wrong end of UN sanctions or DOJ investigations. Until then, it appears it will be risky business as usual, making the United States home to plenty of proxy human rights violators.

Filed Under: china, cybersecurity, india, malware, pakistan, security, zero days
Companies: exodus intelligence

Apple Patches Up Devices In Response To The Exposure Of Yet Another NSO Group Exploit

from the soon-they-will-make-a-board-with-a-nail-so-big-it-will-destroy-them-all dept

Israeli digital arms merchant NSO Group continues to sell its malware to a wide variety of governments. The governments it sells to, which includes a bunch of notorious human rights abusers, continue to use these exploits to target dissidents, activists, journalists, religious leaders, and political opponents. And the manufacturers of the devices exploited by governments to harm people these governments don't like (NSO says "criminals and terrorists," long-term customers say "eh, whoever") continue to patch things up so these exploits no longer work.

The circle of life continues. No sooner had longtime critic/investigator of NSO Group's exploits and activities -- Citizen Lab -- reported the Bahrain government was using "zero click" exploits to intercept communications and take control of targeted devices then a patch has arrived. Apple, whose devices were compromised using an exploit Citizen Lab has dubbed FORCEDENTRY, has responded to the somewhat surprising and altogether disturbing news that NSO has developed yet another exploit that requires no target interaction at all to deploy.

Apple released a patch Monday against two security vulnerabilities, one of which the Israeli surveillance company NSO Group has exploited, according to researchers.

The updated iOS software patches against a zero-click exploit that uses iMessage to launch malicious code, which in turn allows NSO Group clients to infiltrate targets — including the phone of a Saudi activist in March, researchers at Citizen Lab said.

The backdoor being closed involves a pretty clever trick of the trade. Since links require clicks and images don't, the exploit utilizes a tainted gif to crash Apple's image rendering library, which is then used to launch a second exploit that gives NSO customers control of these devices, allowing them to browse internal storage and eavesdrop on communications.

It's not the first time NSO has developed a zero-click exploit that affects iOS devices. It's just the latest exposed by Citizen Lab's incredible investigation efforts. Thanks to Citizen Lab, more Apple device users around the world are better protected against malicious hackers… working for a company that sells exploits to government agencies. And whatever can be nominally exploited for good (the terrorists and criminals NSO continues to claim its customers target, despite an ever-growing mountain of evidence that says otherwise) can be exploited by governments and malicious hackers who don't even have sketchy "national security" justifications to raise in the defense of their actions.

The arms race continues. It appears marketers of exploits will continue to do what they've always done: maintain over-the-air superiority for as long as possible. And while it may seem this is just part of the counterterrorism game, NSO Group's tacit approval of the targeting of dissidents, journalists, and others who have angered local governments (but have never committed any terrorist or criminal acts) shows it's not willing to stop profiting from the misery of people being hunted and harmed by repressive regimes.

Filed Under: ios, iphone, malware, patches, surveillance
Companies: apple, nso group

Malwarebytes Conclusion Shows Section 230's Best Feature: Killing Dumb Cases Before They Waste Everyone's Time And Money

from the 230's-procedural-benefits dept

A few years ago, Professor Eric Goldman wrote an important paper, explaining how Section 230 is better than the 1st Amendment. The key part of the argument is that if you treat Section 230 as a rule of civil procedure that kicks out frivolous and wasteful cases quickly, you realize how important it is.

Last month, a federal district court in California dismissed Enigma Software's high profile lawsuit against Malwarebytes. You may have heard about this case. We've been covering it for years, and it even got some (dubious) attention at the Supreme Court, regarding Section 230. Enigma didn't like that Malwarebytes (and others) found Enigma's "SpyHunter" software to be sketchy itself and started suing. Malwarebytes initially won on Section 230 grounds, pointing out that its opinions on what is and what is not spyware is a moderation choice -- in this case protected by Section 230's rarely used (c)(2)'s immunity for content that the provider deems "otherwise objectionable."

Unfortunately, the 9th Circuit reversed that ruling with a very weird opinion that seemed to contradict its own previous precedent. In that ruling, the 9th Circuit carved a new hole in (c)(2) arguing that you could lose 230 protections if there was an argument that the decision to block content (or call something spyware) was done "for anticompetitive reasons." From the ruling:

We hold that the phrase “otherwise objectionable” does not include software that the provider finds objectionable for anticompetitive reasons.

This ruling was appealed to the Supreme Court who declined to hear the case, though allowing Justice Clarence Thomas to spew some unfettered unbriefed nonsense about Section 230.

Either way, that sent the case all the way back to the district court... where it was dismissed anyway because calling something spyware is protected opinion.

Like in Asurvio LP, Enigma has not pleaded that Malwarebytes’ alleged labels are verifiably false rather than just subjective opinions. Enigma’s allegations that users view statements categorizing Enigma’s programs and domains as “malicious,” “threats,” and PUPs as statements of fact rather than subjective opinions are not supported by the facts presented. The allegations ignore that users of Malwarebytes are aware of why it opines that a given software program may be a PUP based on Malwarebytes’ disclosed criteria and can choose to quarantine or un-quarantine the detected program.

In other words, after all this nonsense and back and forth over Section 230, years later, Malwarebytes still wins the case because the 1st Amendment protects its opinions.

This is similar to another famous 9th Circuit ruling on 230 from a while back: the Roommates.com case. In that case, the court ruled that Section 230 did not protect Roommates.com for content it places in a pulldown menu (that users used to select roommate preferences), but in the end (many years later) Roommates.com still won the case because the 1st Amendment protected it.

Both of these cases demonstrate two very important things: first, most of what people complain about regarding Section 230 is actually protected by the 1st Amendment, so even if we got rid of Section 230, the 1st Amendment would still enable websites to moderate how they see fit. But, much more importantly, both of those cases demonstrate the procedural benefits of Section 230, in that they enable these kinds of cases to be dismissed quickly and relatively inexpensively, rather than having to go through a years long process. In short, Section 230's civil procedure benefits are that they get frivolous cases tossed out of court much more quickly, and at less expense. And that's important, since so many of these cases are, in some form or another, SLAPP suits, designed to pressure companies not to moderate certain content.

Filed Under: 1st amendment, content moderation, free speech, malware, moderation, opinion, section 230, spam
Companies: enigma software, malwarebytes

Investigation Finds NSO Malware Being Used By The Bahrain Government To Target Activists And Dissidents

from the truly-unsurprising-development dept

More bad news for Israeli malware purveyor NSO Group. Despite its contradictory and simultaneous claims that it does not allow its customers to abuse its products and that it has no way of monitoring use of its products, more evidence continues to surface that shows the company's customers are deploying NSO's malware to target journalists, activists, prominent politicians, and religious leaders.

Citizen Lab -- which has uncovered plenty of abusive use of NSO malware previously -- has released another report showing an abusive government abusing NSO spyware to spy on activists opposed to the country's current leadership. The investigation also confirms something NSO has repeatedly denied: that the list of numbers leaked to journalists and investigators is actually a list of potential targets of NSO's customers. That list included plenty of journalists, activists, politicians, and religious leaders.

Perhaps the most worrying thing about this report is the use of an exploit that bypasses security measures activists would logically adopt: refusing to click on links sent by unknown senders.

We identified nine Bahraini activists whose iPhones were successfully hacked with NSO Group’s Pegasus spyware between June 2020 and February 2021. Some of the activists were hacked using two zero-click iMessage exploits: the 2020 KISMET exploit and a 2021 exploit that we call FORCEDENTRY.

The hacked activists included three members of Waad (a secular Bahraini political society), three members of the Bahrain Center for Human Rights, two exiled Bahraini dissidents, and one member of Al Wefaq (a Shiite Bahraini political society).

And here's at least partial confirmation that the leaked list of potential targets has something to do with NSO Group and its customers:

We shared a list of the targeted phone numbers we identified with Forbidden Stories. They confirmed that numbers associated with five of the hacked devices were contained on the Pegasus Project’s list of potential targets of NSO Group’s customers, data that Forbidden Stories and Amnesty International describe as dating from 2016 up to several years ago.

If NSO Group is serious about preventing abuse of its products, the first step it could take is refusing to sell exploits to abusive governments. As Citizen Lab points out, Bahrain's government has a long history of human rights abuses. While things improved slightly and briefly around the turn of the century, everything reverted back to the abusive mean a decade later, when reforms were rolled back and the government went back to imprisoning and torturing dissidents, critics, and anti-government activists.

And you can't find people to jail and torture without domestic spying, which the Bahraini government enthusiastically engages in. That apparently includes spying on activists and dissidents who have left the country. The report says two Bahrain citizens who now live in London were hit with NSO malware. But this may have been a proxy hack on behalf of the Bahrain government. Citizen Lab notes it has only seen the Bahrain government deploy malware in its own country or in neighboring Qatar. So, these hacks may have been performed on its behalf by a friendly government with its own set of NSO malware.

In conclusion, NSO Group is complicit in the surveillance, imprisonment, torture, and silencing of activists around the world. The company claims it is selective about who it sells to and that it takes action when there are reports of abuse, but neither of these statements can possibly be true.

While NSO Group regularly attempts to discredit reports of abuse, their customer list includes many notorious misusers of surveillance technology. The sale of Pegasus to Bahrain is particularly egregious, considering that there is significant, longstanding, and documented evidence of Bahrain’s serial misuse of surveillance products including Trovicor, FinFisher, Cellebrite, and, now, NSO Group.

Once again, if NSO's statements about preventing abuse are going to be taken seriously, the company needs to dump customers with proven track records of human rights abuses. That's the bare minimum it can do to prevent its exploits from being used to target people governments just don't like. If these tools have been developed to fight dangerous crime and terrorism, the worst thing to do is place them in the hands of governments whose actions are criminal and often indistinguishable from terrorism.

Filed Under: activists, bahrain, dissidents, malware, pegasus, spyware, surveillance
Companies: citizen lab, nso group

Israeli Government Finally Decides To Start Looking Into NSO Group And Its Customers

from the laconic-ideal dept

The NSO Group's latest scandal is the gift that keeps on giving. The malware purveyor has always been controversial, thanks to its decision to sell powerful cellphone exploits to known human rights violators. That these exploits have been used to place world leaders, journalists, activists, and religious leaders under surveillance is just the expected result of choosing to do business with extremely shady governments.

A list of 50,000 phone numbers portrayed as potential targets for NSO's Pegasus malware is the latest black eye for the Israeli company. The list contains numbers linked to all of the sorts of individuals listed above -- not exactly the criminals and "Bin Ladens" of the world, as NSO claims its software is used to surveil.

These revelations have led to a lot of obfuscation and backpedaling by NSO, which simultaneously claims its customers do not abuse its products while also claiming it has no insight into how its customers choose to deploy the Pegasus malware. So, when NSO says it takes action when customers use its product to target people who aren't suspected criminals or terrorists, it's pretty much just making stuff up because it really doesn't know the malware is being used or who it's being deployed against.

This has prompted reactions all over the world. In France (where activists are being sued for claiming governments have deployed this spyware), French President Emmanuel Macron recently acquired a new phone after discovering his old one had potentially been targeted by a foreign government using NSO's spyware. This prompted a call from the French government to the Israeli government demanding some answers about NSO Group, its customers, and its targets.

It also prompted an investigation into the deployment of the Pegasus malware in France. And this shows you just how quickly a government can wrap up an investigation when it's sure it will be pointing its finger at other governments or their constituents: it only took nine days to get some actionable results.

France’s cybersecurity agency has confirmed the mobile phones of two French journalists from the investigative news outlet Mediapart were hacked with the Pegasus spyware, the first instance of such surveillance being detected by a government agency.

The hacking of the phones of Lénaïg Bredoux and Edwy Plenel, the two journalists from Mediapart, was earlier detected by Amnesty International’s security lab as part of the reporting by an international consortium of journalists on the targeting of 50,000 phone numbers around the world by clients of the Isreali firm NSO Group, which developed Pegasus.

Meanwhile, the Israeli government has opened its own... something... of NSO Group. But this inquiry is moving much more cautiously with local agencies showing much less urgency.

The Record reports NSO Group was "raided" by Israeli government agencies, including the Ministry of Defense. But The Record's own reporting shows this was much more casual than its headline suggests.

Israeli news outlet Calcalist, which also reported on the raids earlier today, cited an anonymous source who said the raids were more of a formal meeting than an in-depth audit of NSO’s documents and computer systems.

A tweet by the Ministry of Defense also appears to confirm this wasn't really a raid.

Representatives from a number of bodies came to NSO today to examine the publications and allegations raised in this case.

NSO says it "welcomes" the investigation and is cooperating with the Israeli government. As for the Ministry of Defense, it won't even go so far as to call it an "investigation."

Israel’s Defense Ministry has been mum about its plans to investigate the firm and remained laconic about the matter on Wednesday, refusing to elaborate on the nature of the visit, if a formal investigation had been launched, who the officials were and what specific allegations they were checking.

NSO must be feeling some pressure. While it's obligated to follow local export license laws when selling its products to foreign governments, it pretty much takes violating a UN embargo to run afoul of Israeli law, allowing NSO Group to sell its products to a number of countries that aren't exactly on good terms with the company's homeland. Nevertheless, for the first time ever, NSO Group is actually taking the sort of action it claims has always been standard operating procedure when its customers are suspected of abusing its products.

Israeli spyware company NSO Group has temporarily blocked several government clients around the world from using its technology as the company investigates their possible misuse, a company employee told NPR on Thursday.

The suspensions are in response to an investigation by the Pegasus Project, a consortium of media outlets that reported the company's Pegasus spyware was linked to hacks and potential surveillance of telephones of people including journalists, human rights activists and heads of state.

This seems to indicate that the list of numbers is actually related to NSO Group and potential targets of its customer base. If the list has nothing to do with NSO or its customers -- as NSO has claimed -- it likely wouldn't feel compelled to cut off customers and/or curtail their use of Pegasus malware. While this isn't an explicit admission of culpability by NSO, the implication is that the company sold its products to governments it knew would abuse them to surveil people they didn't like, rather than just criminals and terrorists.

Filed Under: israel, malware, pegasus, spyware, surveillance
Companies: nso group