Schneier on Security

ResearcherZero • December 20, 2021 11:17 PM

@Ted

“the prosecutor is being targeted in retaliation for her attempted investigation by the same government she works for”

It’s a popular pass time in many places. A truly wonderful experience, being targeted. I certainly enjoyed it, and on occasion, still continue to many years later.

ResearcherZero • December 22, 2021 7:41 PM

@Ted, Clive @ALL

It’s not likely though that anyone would knowingly abuse their power using these tools though is it? If they were to abuse their power I assume it would be purely by accident, and what’s the worse that could happen?

For example:

“It is alarming that, instead of accepting the Committee’s recommendations and allowing time for scrutiny of subsequent amendments, the Morrison Government rushed these laws through Parliament in less than 24 hours.”
https://www.hrlc.org.au/news/2021/8/25/insufficient-safeguards-in-new-surveillance-law

When presented with such warrant from the Administrative Appeals Tribunal, Australian companies, system administrators etc. must comply, and actively help the police to modify, add, copy, or delete the data of a person under investigation.
https://ia.acs.org.au/content/ia/article/2021/help-government-hack-or-face-10-years–jail.html

The three types of content moderation methods assessed in the report involve different technical approaches, but they share one crucial thing in common: they put the security of billions of people and nations worldwide at risk.
https://www.globalencryption.org/2020/11/breaking-encryption-myths/

“With similar policies being introduced in other countries, we could potentially see these economic consequences extending globally in addition to compromised security and privacy of billions of people worldwide. It is vital governments take a step back and implement a rigorous assessment of the potential impact of these policies before they’re enacted so that we can avoid potential economic harm.”
https://www.internetsociety.org/news/press-releases/2021/new-study-finds-australias-tola-law-poses-long-term-risks-to-australian-economy/

“Australia lacks a robust human rights framework that would provide adequate protection against the abuse of the powers contained in this Bill.”
https://static1.squarespace.com/static/580025f66b8f5b2dabbe4291/t/60349b7a9f95cf2bdc3f4c8c/1614060411448/Sub+15+-+Human+Rights+Law+Centre.pdf

The definitions also capture a range of offences that are wholly unrelated to the purpose of the Bill stated in the Explanatory Memorandum; in such circumstances, the use of these warrants is unlikely to be proportionate.

he breadth of these definitions means that the Warrants can be used to target relatively minor criminal activities, such as theft, as well as the activities of individuals acting in the public interest, such as whistleblowers.

In theory, at least, the police could put something like child exploitation images onto your computer. While something like this is not the intention of the bill, there are also no significant safeguards against it.
https://tutanota.com/blog/posts/australia-surveillance-bill/

For example, under the current definitions a warrant can be deployed where:

• a person posts content on social media that is deemed menacing, harassing or offensive

• a person dishonestly takes, conceals or tampers with post;

• a person dishonestly obtains cheaper internet;

• a person marries two other people;

• a person alters a registered trade mark without permission;

• a person owns a whale or dolphin that has been unlawfully imported;

• a person organises a protest activity involving breaking into a farm;

• a whistleblower communicates information obtained under a surveillance warrant in a way that prejudices an investigation;

• a whistleblower discloses information relating to the “assistance and access” regime in the Telecommunications Act;

• a lawyer or journalist assists a government whistleblower to uncover wrongdoing, in a manner deemed to constitute “incitement”.

The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 gives the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) three new powers for dealing with online crime:

Data disruption warrant: "disrupt data" by modifying, copying, adding, or deleting it.

Account takeover warrant: take control of an online account (e.g. social media) for the purposes of gathering information for an investigation.


ResearcherZero • December 22, 2021 10:02 PM

@Ted

from Black Hat security conference

Mobile Espionage in the Wild: Pegasus and Nation-State Level Attacks (45 minutes)
https://www.youtube.com/watch?v=Y6e_ctKqSqM

a shorter presentation on Amnesty’s forensic analysis from The Print news outlet:

Zero Clicks, suspicious links — here’s how Amnesty’s forensic analysis of phones caught Pegasus
https://www.youtube.com/watch?v=hg4jV-j80ZU

ResearcherZero • December 22, 2021 11:26 PM

@Ted

This article references the capability of Pegasus and the knowledge and skill set needed to build it.

“For example, when Google reverse-engineered the hack used against American diplomats in Uganda, it found an elegant, tiny piece of code that adapted software from 1990s Xerox machines to fit a so-called Turing machine—essentially a complete computer—into a single GIF file.”

“Pretty incredible, and at the same time, pretty terrifying,” said Google’s engineers. “Wow. Just wow,” tweeted Yaniv Erlich, an Israeli professor of computer science at Columbia University.

“You can count on one hand the number of teams in the world that could create something like that,” said John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, which found the malware and brought it to Apple’s attention.
https://arstechnica.com/information-technology/2021/12/the-secret-uganda-deal-that-has-brought-nso-to-the-brink-of-collapse/

ResearcherZero • December 23, 2021 1:52 AM

from ‘Apple v. NSO Group: How will it affect security researchers?’

“A security researcher who is accused of ‘breaking the terms and conditions’ of a service within the same country as the software provider would have one less legal layer to protect themselves,”

The legal implications for researchers will come down to how the Computer Fraud and Abuse Act (CFAA), which Cohn described as a “ridiculously bad law, even when it was written,” is interpreted.

“I think it is absolutely possible, and important, that the CFAA be interpreted in a way that really aims at the folks who are supplying this technology to repressive governments knowing that it’s going to be misused, and not to the very people who brought us this news about the Pegasus papers, Citizen Lab and other security researchers,” Cohn said. “So it takes a little careful parsing to make sure that you get this right, but it’s doable.”

…However, the CFAA in relation to this lawsuit presents several questions for Cohn, including: Who gets to do that authorizing? It is a central piece, she said, not only because users are on other peoples’ computers constantly, but the software is also owned by other companies. In this instance, will authorization be up to the user, or to Apple?

If it continues to be the user who can hack their own devices or give permission to someone else to do so, then Cohn said there will be a wide lane for security researchers, which is good.

“If Apple becomes the person who gets to decide what they do on your device, that would be a misreading of the complaint. This isn’t what Apple has said, but this is where some of the confusion lies in this very big statute,” Cohn said.

…The case’s potential side effects on security researchers, according to Pfefferkorn, demonstrate that the CFAA, like the Digital Millennium Copyright Act (DMCA) statute at issue in another Apple lawsuit, both need to be amended by Congress in order to protect good-faith security research.

In 2019, Apple sued Corellium, a vendor that provides mobile penetration testing and security research. Apple alleged that Corellium “infringed Apple’s copyrights in iOS and circumvented its security measures in violation of the federal Digital Millennium Copyright Act (DMCA).” Corellium denied the allegations, and Apple dropped the lawsuit this year.

There is some suspicion, Pfefferkorn said, that part of Apple’s motivation behind the NSO lawsuit may be to relitigate its claims against Corellium, this time against a less sympathetic defendant.

…Sony sued an individual, George Hotz, for hacking into his own PlayStation3 and accused him of “jailbreaking” the device.

“It relied on the CFAA and the DMCA, and Sony ultimately prevailed on a temporary injunction on the DMCA claim,” Tuma said in an email to SearchSecurity. “Since that time the CFAA has come a long way and I think is much stronger today, in this case, than it was back in 2011, especially considering how integrated the Apple devices and iOS are with Apple’s network’s servers, which makes the case much stronger for an ‘unauthorized access’ to Apple’s devices.”

If this application of the CFAA is done correctly in Apple v. NSO, Cohn said it can be good.

“That’s not something we say all the time,” she said. “I hope other companies will follow suit.”

… “It’s not something I think we can prevent entirely, but we can make this business model illicit and that’s what we need to do,”

ResearcherZero • December 23, 2021 4:32 AM

@ALL

“The suggestion that Polish services used operational methods for political ends is unjustified,” said Stanislaw Zaryn, spokesman for the ministry in charge of the secret services.

Roman Giertych, a lawyer involved in several cases against the ruling Law and Justice (PiS) party, told Gazeta Wyborcza that Poland was using the spyware “to fight the democratic opposition”.

“Using this type of programme to fight the opposition completely eliminates the sense of democratic elections,” he said, explaining that the spyware was used ahead of the 2019 elections.

Ewa Wrzosek, a prosecutor and opposition figure, also said the spyware had been used against her. She had been alerted by Apple, she added.

Citizen Lab, a cyber-security watchdog based in Canada, confirmed it had looked into the use of Pegasus against Giertych and Wrzosek.

“We conducted these investigations and provided confirmation to the two named individuals that they were repeatedly infected with Pegasus spyware,” John Scott Railton, a senior researcher at Citizen Lab, told AFP.

https://www.securityweek.com/poland-rejects-accusations-political-spyware-use

The Polish channel TVN in 2019 reported that the country’s anti-corruption agency had spent 7.6 million euros ($8.6 million) on phone spyware.

Zaryn said Tuesday the activities of “operational control” were carried out in accordance with the law only after obtaining the consent of the Prosecutor General and a court order.

A Polish state security spokesman, Stanislaw Zaryn, would neither confirm nor deny whether the government ordered the hacks or is an NSO customer.

Zaryn did not comment on whether the two matters might be related. He said Poland conducts surveillance only after obtaining court orders.

An NSO spokesperson said Monday that the company is a “software provider, the company does not operate the technology nor is the company privy to who the targets are and to the data collected by the customers.” Citizen Lab and Amnesty International researchers say, however, that NSO appears to maintain the infection infrastructure.

The company spokesperson also called the allegations of Polish misuse of Pegasus unclear: “Once a democratic country lawfully, following due process, uses tools to investigate a person suspected in committing a crime, this would not be considered a misuse of such tools by any means.”

https://www.securityweek.com/ap-exclusive-polish-opposition-duo-hacked-nso-spyware

–

@Clive Robinson

I removed a keylogger from my brothers phone, and rather than thank me, he wanted to know how I knew it was there. He then claimed I hacked him in the process of scanning his phone and removing the malware from his phone and PC.

My brother removed any security policies and software that imposed difficulty on his need to insecurely broadcast and serve files from his home network. He was happy to receive free service and equipment from me, but not a fan of remote administration, even though he requested license keys from me, rather than pay for his own software.
The benefit of paying for the software is that you get to administer the users. My brother should have read the documentation, considered that although generous – I am not a charity specializing in free computer repairs, and that I don’t get hardware and software for free.

ResearcherZero • December 30, 2021 8:59 PM

@vas pup

It’s been well prepared for too. We started finding backdoors placed into exchanges and other critical infrastructure at least in 2010, and then seeing testing of capabilities after that. Small scale power outages, things of that nature. Fun for the entire family.

ResearcherZero • January 30, 2022 7:17 PM

bump

Amnesty International Security Lab
https://media.ccc.de/v/rc3-2021-cbase-410-catching-nso-groups-p