Israeli Malware Merchant's Employee Used Powerful Spyware To Snoop On A Potential Love Interest

from the surprising-no-one dept

NSO Group is not having a great year. At least not on the PR front. The books may be balancing, but its indiscriminate distribution of malware/spyware to questionable governments has been raising eyebrows and blood pressure for years. Now, it's being sued by Facebook for using WhatsApp as its preferred delivery system for malware payloads.

These payloads target criminals and national security threats. But -- since NSO doesn't care who it sells to or what they do with its powerful software -- the payloads also target journalists, dissidents, activists, and attorneys. This malware can take over devices, feeding communications and phone contents to government agencies that want to keep an eye on their enemies -- even when their "enemies" are just critics and people who disagree with their policies.

But the malware can be used for other reasons, too. Any powerful surveillance tool ultimately ends up being misused. Just ask the NSA. And the FBI. And now, ask NSO, as Joseph Cox has for Motherboard.

An employee of controversial surveillance vendor NSO Group abused access to the company's powerful hacking technology to target a love interest, Motherboard has learned.

The previously unreported news is a serious abuse of NSO's products, which are typically used by law enforcement and intelligence agencies. The episode also highlights that potent surveillance technology such as NSO's can ultimately be abused by the humans who have access to it.

How adorable. Israel's biggest malware merchant thinks it's a cop shop. Even more adorably, the company more or less admits (1) this sort of thing is going to happen occasionally, and (2) there's nothing NSO Group can do about it.

"There's not [a] real way to protect against it. The technical people will always have access," a former NSO employee aware of the incident told Motherboard. A second former NSO employee confirmed the first source's account, another source familiar confirmed aspects of it, and a fourth source familiar with the company said an NSO employee abused the company's system.

This isn't just something NSO employees can do. It's also anything any of NSO's customers can do. Not every target of surveillance is a government-ordained target. Give enough people access and power, and abuse will happen. It's more surprising it's happening at NSO, which has always portrayed itself as a blood-on-the-hands-free purveyor of powerful tools. Once it sells them, it takes no responsibility for what's done with them.

And I agree with that point. NSO is not responsible for the acts of its customers. But it should choose better customers, considering how powerful its spyware is. As Cox explains, it's capable of taking over even fully up-to-date devices by manipulating a number of zero-day exploits. Targets never know their devices have been compromised. In some cases, no action needs to be taken on their end, so dodging suspicious links sent via text, chat, or email isn't even needed.

This obviously makes the software a temptation for its employees, who can use it to target whoever they want. The inevitability has occurred. And it has probably occurred more than the single instance detailed here.

As if this development wasn't unpleasant enough, the illicit targeting happened while the NSO employee was working with one of NSO's more unsavory customers, the United Arab Emirates. Not that the customer matters. It could have happened anywhere. But this one happened when the NSO was providing customer service for a country that engages in torture, operates secret prisons, criminalizes criticism of the government, and officially blesses mistreatment of anyone who isn't a Muslim male.

It's pretty tough for a company with minimal moral boundaries to expect its employees to respect the rules it has (well, let's assume NSO has forbidden illicit use of its tools) established to minimize abuse. When you're willing to sell spyware to monsters, you can't really expect employees to maintain their halos.

Filed Under: employee abuse, love interest, lovint, surveillance
Companies: nso group

Brooklyn Prosecutor Forged Judges' Signatures On Wiretap Warrants To Eavesdrop On A 'Love Interest'

from the rules-are-for-other-people dept

The reason there are so many controls and layers of oversight over wiretap warrants is because the potential for abuse is huge. The FBI abused its wiretap authority for years, which resulted in new restrictions for federal wiretap warrants. The DEA has found a way to route around these, but at the expense of its investigations.

At the state level, the vetting doesn't appear to be as thorough. An insider who knew the weaknesses in the system abused wiretap warrants to perform some very personal surveillance.

A high-ranking prosecutor in the Brooklyn district attorney’s office was arrested this week on charges that she used an illegal wiretap to spy on a police detective and one of her colleagues in what a law-enforcement official described as a love triangle gone wrong.

The prosecutor, Tara Lenich, was taken into custody on Monday and fired after investigators in the district attorney’s office learned over Thanksgiving weekend that she had conducted the illicit surveillance because of “a personal entanglement between her and the detective,” according to the law enforcement official, who spoke on the condition of anonymity because of the delicate nature of the case.

Give the wrong person enough power and they're sure to abuse it. Lenich forged judges' signatures repeatedly to extend her very personal wiretap warrant every 30 days. This allowed her to illegally eavesdrop on conversations for nearly a year. She ducked questions about her wiretap by claiming she was working on a sensititive investigation in conjunction with the NYPD Internal Affairs department.

As defense lawyer Wilson A. LaFaurie points out, a system heavily-reliant on signatures raises some questions about the trustworthiness of that system.

“The public should have a tangible fear of this,” Mr. LaFaurie said. If prosecutors were willing to forge a judge’s signature, he said, they could also potentially manipulate evidence for other cases by forging the signatures of witnesses, crime victims or police detectives.

At least in the cases of the judges whose signatures were forged, those can be verified by asking the judges themselves. In some of the hypothetical cases LaFaurie refers to, there may be no one to ask.

The most disheartening part of this mini-debacle is the responses from the district attorney's office. The spokesman for the office says an internal review of protocols and guidelines is underway, but says nothing about digging through Lenich's cases for other possible misconduct. The best protocols and procedures may already be in place, but that's not going to stop someone determined to abuse their power. And there's no way to confirm they haven't abused this power in the past if you're not willing to examine their body of work.

Lenich's lawyer's statement is even worse, although it can be partially forgiven as he's not acting as an agent of the state.

Gary Farrell, Ms. Lenich’s lawyer, said he did not believe there was “any merit to the claims that these charges somehow impugn wiretaps for other cases.”

Actually, it does impugn wiretaps for other cases, especially in cases overseen by his client. Her lawyer says there's nothing to see here, which is fine in terms of advocating for a client. But the DA's office seems to hold the same opinion, which is much more worrisome. Whenever abuse is uncovered, the usual response is to treat it like a unicorn, rather than possibly a leading indicator of malfeasance yet to be uncovered.

Then there's this:

Mr. Farrell said Ms. Lenich was well known and well liked in Brooklyn legal circles and had a reputation for fairness and professionalism.

Well, not so much now. All it takes is one severe, felonious abuse of the system to undo all of that goodwill and cause collateral damage to the reputation of the office she served.

Filed Under: brooklyn, lovint, surveillance, tara lenich, wiretaps

Details Reveal NSA Track Record Of Flagrant Abuse, Failed Audits And Minimal Accountability

from the self-reported? dept

For months, the NSA and its defenders insisted that for all of the details that Ed Snowden's leaks revealed, at least there weren't any signs of intentional abuses. Even President Obama insisted that the lack of intentional abuses proved that the systems were working. And, then, of course, it came out that there actually have been a series of intentional abuses (which were apparently just revealed to the Senate Intelligence Committee, which is supposed to be in charge of oversight, right before the public found out about it). We were told of approximately one willful violation per year, with many being classified as "LOVINT" for someone spying on a "love interest."

Senator Grassley asked the Inspector General of the NSA to reveal the details of those abuses, and the Inspector General has done so, revealing the details, circumstances, investigations and punishments regarding the twelve known intentional violations (without revealing names). I say "known" intentional violations because reading through these, it quickly becomes clear that there are likely many, many more intentional violations, but it's just that the NSA doesn't know about them. For all the claims of the NSA's audit abilities, it appears that many of these intentional violations were caught via self-reporting or other suspicions, rather than an audit. And, many of them were caught quite a while after the violation happened. Let's go through the revealed abuses:

In 2011, before an upcoming reinvestigation polygraph, the subject reported that in 2004, "out of curiosity," he performed a SIGINT query of his home telephone number and the telephone number of his girlfriend, a foreign national. The SIGINT system prevented the query on the home number because it was made on a US person. The subject viewed the metadata returned by the query on his girlfriend's telephone.

Note: this only came about because the guy admitted to it before undergoing a polygraph. But, also important, this came out seven years later. Yes, the system stopped the query on his home phone number, but apparently that didn't raise any alarm bells at all to look at his other queries done around the same time. If this only came out because the guy admitted it, how many NSA analysts have done the same and just never admitted it?

Oh, and while the investigation found that the person broke the law, the DOJ declined to prosecute (protect your own!), and the guy retired in 2012 without any disciplinary action.

In 2005, during a pre-retirement reinvestigation polygraph and interview, the subject reported that, in 2003, he tasked SIGINT collection of the telephone number of his foreign-national girlfriend without an authorized purpose for approximately one month to determine whether she was "involved with any [local] government officials or other activities that might get [him] in trouble."

Once again, this wasn't discovered via an audit, but rather the person admitting it years later. Not only that, but he was able to view a month's worth of data. It also appears that this person wasn't punished, and the NSA doesn't even have a record of whether or not the issue was referred to the DOJ.

In 2004, upon her return from a foreign site, the subject reported to NSA Security that, in 2004, she tasked a foreign telephone number she had discovered in her husband's cellular telephone because she suspected that her husband had been unfaithful. The tasking resulted in voice collection of her husband.

Once again, this is self-reported (though, at least it happened in the same year!). Also, it's important to note that this does not appear to be metadata, but voice collection. Remember how the NSA's defenders keep talking about not collecting contents of phone calls? Yes, well that's "under this program." The NSA has many programs. Sometimes they can collect the content of phone calls for important things like checking to see if your husband is spying on you. Also: no punishment because the woman resigned.

In 2003, the appropriate OIG was notified that an employee had possibly violated USSID 18. A female foreign national employed by the U.S. government, with whom the subject was having sexual relations, told another government employee that she suspected that the subject was listening to her telephone calls. The other employee reported the incident.

The investigation determined that, from approximately 1998 to 2003, the employee tasked nine telephone numbers of female foreign nationals, without a valid foreign intelligence purpose, and listened to collected phone conversations while assigned to foreign locations. The subject conducted call chaining on one of the numbers and tasked the resultant numbers. He also incidentally collected the communications of a U.S. person on two occasions.

Once again, this wasn't any audit that caught it. It was the woman, who was savvy enough to suspect her lover was spying on her, telling someone which resulted in the investigation. And, then it was discovered that this had gone on for five years without being caught, and it wasn't just over this one woman. Oh, and, again he was listening in on actual phone calls. Not just "metadata." At least in this case, he was "suspended without pay," but he then resigned before any other discipline could be handed out.

The employee's agency discovered that an employee had misused the SIGINT collection system between 2001 and 2003 by targeting three female foreign nationals.

Not much detail here, but again, it went on for years before someone noticed, and it doesn't sound like a regular audit found it, though I guess it's possible. Yet again, the guy just resigned with no punishment.

As the result of a polygraph examination, it was discovered that an employee had accessed the collection of communications on two foreign nationals.

It's not clear when this happened and how long it took to discover it, because they don't say. But, again, it wasn't an audit that discovered the problem, but a polygraph -- and polygraphs are notoriously ineffective, and can be beaten. Does anyone actually believe that every NSA analyst who's taken a polygraph test was forced to admit the times they abused the system? At least this guy was very slightly punished: 10 days suspension without pay, and a recommendation for a promotion was withdrawn (and a "one-year letter of reprimand" was appended to his file).

In 2011, the NSA OIG was notified that, in 2011, the subject had tasked the telephone number of her foreign-national boyfriend and other foreign nationals and that she reviewed the resultant collection. The subject reported this activity during an investigation into another matter.

The subject asserted that it was her practice to enter foreign national phone numbers she obtained in social settings into the SIGINT system to ensure that she was not talking to "shady characters" and to help mission.

Oh right. Forget the "reasonable and articulable suspicions" standard. Apparently this analyst thought it was the "shady character" standard that she was being held to. And, yes, once again, this was self-reported. Furthermore, just the fact that she seemed to think that this was a perfectly reasonable use of the system highlights how all the claims from the NSA and its defenders that its analysts are so well-trained to not abuse the system is a load of bunk. And, once again, the woman resigned before any punishment.

In 2005, the NSA OIG was notified that, on the subject's first day of access to the SIGINT collection system, he queried six e-mail addresses belonging to a former girlfriend, a U.S. person, without authorization. A site review of SIGINT audit discovered the queries four days after they had occurred.

The subject testified that he wanted to practice on the system and had decided to use this former girlfriend's e-mail addresses. He also testified that he received no information as a result of his queries and had not read any U.S. person's e-mail.

Hey, look, finally on case number eight we have one that was caught by an audit. It turns out that there actually are some audits somewhere, even if they missed all those other cases. Still, I do love this story. On the guy's first day of access he went immediately to search his girlfriend's emails. Also, this raises some other questions, since while it's known that the NSA has built a database of phone records, there's been a lot less discussion on email records, so it makes you wonder which database he was querying. This guy also got a bit of punishment: reduction in grade, 45 days restriction, 45 days of extra duty (he was in the military obviously) and half pay for two months. It was also recommended that he not be given a security clearance (now there's an idea...).

In 2006, the Office of Oversight and Compliance within NSA's Signals Intelligence Directorate informed NSA OIG that, between 2005 and 2006, the subject had without authorization queried in two SIGINT systems the telephone numbers of two foreign nationals, one of whom was his girlfriend. On one occasion, the subject performed a text query of his own name in a SIGINT system.

The OIG investigation found that the subject queried his girlfriend's telephone number on many occasions and her name on two. He testified that he received only one "hit" from the queries on the girlfriend. Another number he queried, that of a foreign national language instructor, returned "insignificant information."

The subject claimed that he queried his name to see if anyone was discussing his travel and the telephone numbers to ensure that there were no security problems.

I really do love the excuses these guys come up with. Either way, we've got yet another case of this practice going on for a while before being discovered, and it not being discovered via any audit.

In 2008, the NSA OIG was notified that a SIGINT audit had discovered a possible violation of USSID 18. A investigation revealed that, while reviewing the communications of a valid intelligence target, the subject determined that the intelligence target had a relative in the U.S. The subject queried the SIGINT system for the e-mail address of the intelligence target in 2008 and used other search terms to obtain information about the target's relative.

Hey, once again the audit finally shows up. The guy got a "written reprimand."

In 2009, the NSA OIG was notified that, in 2009, a military member assigned to a military tactical intelligence unit queried the communications of his wife, who was also a military member stationed in a foreign location. The misuse was discovered by a review of SIGINT audit logs. The investigation by his military unit substantiated the misuse.

Hurray for another one caught by an audit. This guy received similar punishment as the other military member above (reduction in rank, 45 extra days of duty, half pay for two months) and had the issue referred to the DOJ, though it doesn't sound like the DOJ did anything about it.

i> In 2009, a military unit at a foreign location notified the NSA OIG that, in 2009, a military member had queried a country's telephone numbers to aid in learning that country's language. The misuse was discovered by a review of SIGINT audit logs.

And there we are. One more victory for the audit, but what an abuse, huh? Apparently purchasing a copy of Rosetta Stone was too pricey, so why not just sift through an entire country's phone system to get some "real folks" to help him learn the language.

Either way, the pattern is clear. While audits did catch a few extreme cases, many of the other intentional misuses of SIGINT were only discovered (often years later) thanks to the person themselves admitting it. I don't see how anyone can read those and not realize that it's likely that there are many, many, many more similar abuses, that were just never self-reported, meaning people got away with them. I don't see how the NSA and its defenders can possibly argue that these are a full accounting of all of the intentional abuses.

Filed Under: audits, lovint, nsa, nsa surveillance