Facebook and NSO Group: An Odd Couple or Squabbling Neighbors?
July 28, 2021
Late in 2019, The Adware Guru published “Facebook Sues NSO Group Spyware Maker Due to Exploitation of WhatsApp Vulnerability.” That write up stated:
The cause of [Facebook’s] lawsuit was WhatsApp’s zero-day vulnerability, which Facebook claims was sold to the NSO Group, and then the company helped use the problem to attack human rights defenders, journalists, political dissidents, diplomats, and governmental officials. According to court documents, more than 1,400 people in Bahrain, the United Arab Emirates, and Mexico suffered a total of 11 days from attacks. Facebook has already sent WhatsApp special messages to everyone affected.
In April 2020, Technadu published “The NSO Group Is Accusing Facebook of Having Tried to License Their Spyware.” That write up stated:
The ‘NSO Group’ is now turning the tables, claiming that they rejected Facebook’s proposal to license Pegasus because they only did it for governments and not private companies. In addition to that, they describe Facebook’s accusations as baseless and even accuse the social media company of failing to prepare the legal paperwork properly, which resulted in legislative procedure problems. NSO says Facebook didn’t have powerful methods to spy on iOS devices in the same way that they did with Android, and they felt like Pegasus could solve this problem for them. Facebook, on the other side, completely dismissed these statements by saying that these allegations had the sole purpose of distracting the court from the real facts.
Technadu added:
even if Facebook wasn’t trying to add Pegasus in Onavo for iOS, they are giving the NSO Group something to hold on to and make allegations that are at least seemingly realistic. At the very least, this development will complicate the legal process by much now.
Jump to the present. The Guardian’s story “Officials Who Are US Allies Among Targets of NSO Malware, Says WhatsApp Chief” reported on July 24, 2021:
Cathcart said that he saw parallels between the attack against WhatsApp users in 2019 – which is now the subject of a lawsuit brought by WhatsApp against NSO – and reports about a massive data leak that are at the centre of the Pegasus project… When WhatsApp says it believes its users were “targeted”, it means the company has evidence that an NSO server attempted to install malware on a user’s device.
The Guardian story includes this statement from the PR savvy NSO Group:
An NSO spokesperson said: “We are doing our best to help creating a safer world. Does Mr Cathcart have other alternatives that enable law enforcement and intelligence agencies to legally detect and prevent malicious acts of pedophiles, terrorists and criminals using end-to-end encryption platforms? If so, we would be happy to hear.”
Are Facebook’s statements credible? Is NSO Group’s version believable? Are these two behaving like the characters in Neil Simon’s “Odd Couple” or like the characters in the 1981 film “Neighbors”? Does each firm have something the other needs?
Stephen E Arnold, July 28, 2021
NSO Group: Investigative Reporters Are Investigating
July 27, 2021
What happens when one puts a family of beavers (the furry animals once prized for hats) in what remains of the Chrysler Building in Midtown? Well, those beavers will try to build a dam. What do investigative reporters do from more than a dozen newspapers enthralled by the NSO Group intelware story? The answer, gentle reader, is investigate.
What’s been made public in the last few days?
There were a handful of data nuggets I found mildly interesting; for example:
- The very wonderful UK Daily Mail reported that NSO Group “spent millions of dollars on Washington lobbyists, consultants, and lawyers, as it tried to sell its Pegasus spyware to the US government.” One name disclosed in the article was Tom Ridge, the first secretary of homeland security. The estimable Daily Mail notes that the Washington Post knew this factoid too. The Daily Mail added that NSO Group retained “The Who’s Who of government figures [which] runs through at least three administrations.” The money flowed from OSY Technologies and Francisco Partners, which once owned NSO Group.
- Mashable published “QAnon Believers Don’t Know How to Handle Michael Flynn’s Ties to Spyware Firm Behind Pegasus.” In addition to the QAnon trigger word, the Mashable story noted, “Edward Snowden is calling it [Pegasus] the story of the year.” Mashable reported: “Many QAnon followers still don’t exactly know what to make of the news. Some seemed to accept the idea that this ‘doesn’t look good’ for Flynn.”
- Axios (via Yahoo News) reported that Francisco Partners “…The firm finally exited NSO in early 2019, selling it back to the [NSO Group] company’s founders and London-based private equity firm Novalpina, which pledged “a new model for public transparency. Since then, NSO has become the pulsing heart of a dispute between the partners of Novalpina. And, in an ironic twist, it involves leaked WhatsApp messages and a lawsuit against one of the newspapers that later became part of the Pegasus consortium.”
My hunch is that the investigative reporters will continue just like the hypothetical beavers. Beavers were skinned by intrepid traders. Will the investigative reporters find themselves in a similar business process? Flipping stones with the NSO Group logo stenciled on them may reveal some surprises.
Stephen E Arnold, July 27, 2021
DarkCyber for July 27, 2021: NSO Group Again, Making AWS Bots, How Bad Actors Scale, and Tethered Drones
July 27, 2021
The 15th DarkCyber for 2021 addresses some of the NSO Group’s market position. With more than a dozen news organizations digging into who does what with the Pegasus intelware system, the Israeli company has become the face of what some have called the spyware industry. In this program, Stephen E Arnold, author of the Dark Web Notebook, explains how bad actors scale their cyber crime operations. One thousand engineers is an estimate which is at odds with how these cyber groups and units operate. What’s the technique? Tune in to learn why Silicon Valley provided the road map for global cyber attacks. If you are curious, you can build your own software robot to perform interesting actions using the Amazon AWS system as a launch pad. The final story explains that innovation in policing can arrive from the distant past. An 18th century idea may be the next big thing in law enforcement’s use of drones. DarkCyber is produced by Stephen E Arnold, who publishes Beyond Search. You can access the blog at www.arnoldit.com/wordpress and view the DarkCyber video at this link.
Kenny Toth, July 27, 2021
The NSO Group Story: Inspiring, Incriminating, or Obfuscating?
July 23, 2021
The Washington Post or Wapo to some in the DC orbit is an influential newspaper. The outfit has a connection to the world’s richest man. That billionaire’s idea for an online bookstore spawned a massive online service. One of the customers using that service was allegedly given some good news. The idea was that this particular customer could go elsewhere for online services. This factoid does not appear in “Somebody Has to Do the Dirty Work: NSO Founders Defend the Spyware They Built.” I mention this omission because the ties within the intelware and policeware industry are many and often quite important.
The write up explains:
This week, The Washington Post and a consortium of 16 other media partners reported that the company’s military-grade spyware was used in attempted and successful hacks of 37 smartphones belonging to journalists, business executives, and two women close to the murdered Saudi journalist Jamal Khashoggi.
This week refers to the period from July 19 to July 22, 2021, when information about the use of once-classified technology became readily available. What’s happened is that a single intelware and policeware company, the commercial-government connections in Israel, and the threads which tie many of the Herzliya-based intelware and policeware companies to American firms are now subjects of interest to lots of investigative journalists. I want to point out that the best investigative journalists fit the profile of intelligence operatives and first-class detectives working in government institutions. A few journalists have this type of work experience as well.
This means that a poster child for intelware and policeware is going to be a focal point for a news cycle or two. That’s the good news. The bad—actually really bad, bad news—is that the collateral information could be untangled. Then what will the investigative journalists find?
The Wapo article cited above adds some interesting detail; for example, “it was not appropriate to have any direct knowledge of the internal national security matters of foreign countries. They also thought they weren’t equipped to make political decisions about whom to sell to.”
And this factoid: One of the founders “was on a volunteer search-and-rescue mission in Haiti, pulling bodies out of the rubble of a collapsed university.”
Plus, one founder runs on “little sleep, Diet Coke and takeout sushi.”
There is a suggestion about managing the cyber security industry. How about this idea:
The situation would be better …if the cybersecurity industry were regulated by a global body. More importantly, he said, the Israeli government has a role to play: Countries that violate their agreements should be banned from being recipients of any of Israel’s cyber technology.
One can hypothesize about the questions my DarkCyber research team might raise about this statement, but I won’t speculate.
This article strikes me as a “make nice” write up. That’s good for NSO Group. However, I am not sure the 80 journalists and 17 news organizations are going to leave the NSO Group with stories about hard working entrepreneurs who created a successful company. Some questions I think this group of intrepid “real news” professionals could explore include:
- What’s the story behind NSO Group selling itself to Francisco Partners and then buying itself back?
- Who have become the primary stakeholders in the NSO Group since Eddy Shalev made an investment in the company?
- What government contracts has the NSO Group landed in the last two years?
- What vendors resell or provide hosting services to the NSO Group?
- What partnerships exist between NSO Group and other companies?
- What conferences does NSO Group attend? What are the presentations NSO Group professionals deliver?
- What interactions exist among NSO Group and other intelware and policeware companies in Herzliya?
- What companies are now employing former NSO Group professionals?
- Who are the principal technical contractors NSO Group compensates to assist with technology development?
- What university professionals are associated with NSO Group?
- Who has nominated NSO Group for intelware and policeware awards?
There are other questions the 80 journalists and 17 news organizations can address. Digging might yield more useful information than “how quickly the pace of tech and the advent of smartphones had enabled criminals to outrun law enforcement” or that the founders “didn’t have the background of the typical Israeli entrepreneur.”
Isn’t there more to this story? Weren’t the founders in the Israeli Army? Is that important? Perhaps the 80 journalists and 17 news organizations can answer this question, a question I think is quite important to pulling the knots from this puzzle.
Stephen E Arnold, July 23, 2021
NSO Group: The Rip in the Fabric of Intelware
July 22, 2021
A contentious relationship with the “real news” organizations can be risky. I have worked at a major newspaper and a major publisher. The tenacity of some of my former colleagues is comparable to the grit one associates with an Army Ranger or Navy SEAL, just with a slightly more sensitive wrapper. Journalists favored semi-with-it clothes, not bushy beards. The editorial team was more comfortable with laptops than an FN SCAR.
Communications associated with NSO Group — the headline magnet among the dozens of Israel-based specialized software companies (a very close-in group, by the way) — may have torn the fabric shrouding the relationship among former colleagues in the military, government agencies, their customers, and their targets.
Who’s to blame? The media? Maybe. I don’t have a dog in this particular season’s fights. The action promises to be interesting and potentially devastating to some comfortable business models. NSO Group is just one of many firms working to capture the money associated with cyber intelligence and cyber security. The spat between the likes of journalists at the Guardian and the Washington Post and NSO Group appears to be diffusing like spilled ink on a camouflage jacket.
I noted “Pegasus Spyware Seller: Blame Our Customers Not Us for Hacking.” The main point seems to be that NSO Group allegedly suggests that those entities licensing the NSO Group specialized software are responsible for their use of the software. The write up reports:
But a company spokesman told BBC News: “Firstly, we don’t have servers in Cyprus.
“And secondly, we don’t have any data of our customers in our possession.
“And more than that, the customers are not related to each other, as each customer is separate.
“So there should not be a list like this at all anywhere.”
And the number of potential targets did not reflect the way Pegasus worked.
“It’s an insane number,” the spokesman said.
“Our customers have an average of 100 targets a year.
“Since the beginning of the company, we didn’t have 50,000 targets total.”
For me, the question becomes, “What controls exist within the Pegasus system to manage the usage of the surveillance system?” If there are controls, why are these not monitored by an appropriate entity; for example, an oversight agency within Israel? If there are no controls, has Pegasus become an “on premises” install set up so that a licensee has a locked down, airtight version of the NSO Group tools?
The second item I noticed was “NSO Says ‘Enough Is Enough,’ Will No Longer Talk to the Press About Damning Reports.” At first glance, I assumed that an inquiry was made by the online news service and the call was not returned. That happens to me several times a day. I am an advocate of my version of cancel culture. I just never call the entity again and move on. I am too old to fiddle with the egos of a younger person who believes that a divine entity has given that individual special privileges. Nope, delete.
But not NSO Group. According to the write up:
“Enough is enough!” a company spokesperson wrote in a statement emailed to news organizations. “In light of the recent planned and well-orchestrated media campaign led by Forbidden Stories and pushed by special interest groups, and due to the complete disregard of the facts, NSO is announcing it will no longer be responding to media inquiries on this matter and it will not play along with the vicious and slanderous campaign.” NSO has not responded to Motherboard’s repeated requests for comment and for an interview.
Okay, the enough is enough message is allegedly in “writing.” That’s better than a fake message disseminated via TikTok. However, the “real journalists” are likely to become more persistent. Despite a lack of familiarity with the specialized software sector, a large number of history majors and liberal arts grads can do what “real” intelligence analysts do. Believe me, there’s quite a bit of open source information about the cozy relationship within and among Israel’s specialized software sector, the interaction of these firms with certain government entities, and public messages parked in unlikely open source Web sites to keep the “real” journalists learning, writing, and probing.
In my opinion, allowing specialized software services to become public; that is, to actually talk about the capabilities of surveillance and intercept systems, was a very, very bad idea. But money is money and sales are sales. Incentive schemes for the owners of specialized software companies guarantee that I can spend eight hours a day watching free webinars that explain the ins and outs of specialized software systems. I won’t, but some of the now ignited flames of “real” journalism will. They will learn almost exactly what is presented in classified settings. Why? Capabilities, when explained in public and secret forums, use almost the same slide decks, the same words, and the same case examples, which vary only in the level of detail presented. This is how marketing works in my opinion.
Observations:
1. A PR disaster is, it appears, becoming a significant political issue. This may pose some interesting challenges within the Israel centric specialized software sector. NSO Group’s system ran on cloud services like Amazon’s until AWS allegedly pushed Pegasus out of the Bezos stable.
2. A breaker of the specialized software business model of selling to governments and companies. The cost of developing, enhancing, and operating most specialized software systems keeps companies on the knife edge of solvency. The push into commercial use of the tools by companies or consumerizing the reports means government contracts will become more important if the non-governmental work is cut off. Does the world need several dozen Dark Web indexing outfits and smart time line and entity tools? Nope.
3. A boost to bad actors. The reporting in the last week or so has provided a detailed road map to bad actors in some countries about [a] What can be done, [b] How systems like Pegasus operate, [c] the inherent lack of security in systems and devices charmingly labeled “insecure by design” by a certain big software company, and [d] specific pointers to the existence of zero day opportunities in blast door protected devices. That’s a hoot at ??????? ???? “Console”.
Net net: The NSO Group “matter” is a very significant milestone in the journey of specialized software companies. The reports from the front lines will be fascinating. I anticipate excitement in Belgium, France, Germany, Israel, the United Kingdom, and a number of other countries. Maybe a specialized software Covid Delta?
Stephen E Arnold, July 22, 2021
Palantir SPACtacular Pipeline Filler
June 14, 2021
I read “Palantir Gets Aggressive in SPAC Investments, Backing Digital Health, Aviation and Robot Companies.” The article explains that in a short period of time — about 12 weeks — the intelware company has “forged agreements to invest in at least six special purpose acquisition companies.”
Why?
The answer may be in this statement from the article:
Beyond the financial returns, Palantir is looking for innovative companies in big markets that can make use of its data tools.
Who says?
The write up answers this question too:
“We’re seeing an opportunity to back really good management teams with big visions,” said Kevin Kawasaki, Palantir’s head of business development. The company can partner and “allow them to have our data operating systems platform that we’ve put 15 years and billions of R&D dollars into,” he said.
It appears that Palantir is investing and then its “investment” is used to license its software.
If I am correct, this is an interesting way to generate revenues and obtain customer engagement. Assuming I am on the right track, my questions are:
- With the buzz generated by the initial public offering, have leads been converting into signed agreements at an improved rate?
- Is the Palantir system encountering the type of headwinds that other search and content processing companies have encountered; that is, long and complex set up, tuning, and customization process for impatient clients?
- Is the market for intelware facing competition from lower cost providers from other countries and US start ups which “appify” large, workstation-like systems?
I, of course, don’t have answers to these questions. Worth watching how this SPACtacular pipeline filler delivers the sustainable revenue.
Stephen E Arnold, June 14, 2021
Recorded Future: Poking Googzilla?
May 26, 2021
Google and In-Q-Tel were among the first to embrace the start up Recorded Future. Over the years, Recorded Future beavered away in specialist markets. There were some important successes; for example, helpful insights about the Paris Terrorist bombing. But Recorded Future was not a headline grabber. Predictive analytics is not the sort of thing that inflames the real journalists at many “real news” publications. The Googley part of Recorded Future faded over time, and it seems to me that most of the analysts forgot it was around in the first place. Then came the sale of Recorded Future to Insight Partners for about $800 million. From start up to exit in 12 years and another home run for the founders. Now the work begins. The company has to generate more revenue, which has been a challenge for similar companies.
Recorded Future does do search, but it does not do online advertising as a revenue generator. The company has a broad array of services, and it is finding that established competitors like IBM i2, Palantir Technologies, and Verint are also chasing available projects for specialized software. To add a twist to the story, start ups like Trendalyze (an outfit focused on real time analytics) and DataWalk (a better Palantir in my opinion) are snagging work in some rarified niches.
What’s the non-Googley Recorded Future doing?
After reading “Thousands of Chrome Extensions Are Tampering with Security Headers,” I think the Insight owned outfit is poking a stick into the zoological park in which Googzilla hunts. My hunch is that Google continues taking off-the-radar actions to ensure that its revenues flow and glow. (No, that’s not on any Google T shirt I possess.) The new Recorded Future is revealing a Google method, and I think some in the Googleplex will not be happy.
The write up does not get into Google’s business strategy. But someone will read the Recorded Future post and do a bit of digging.
Several thoughts:
- Has Recorded Future broken an unwritten rule regarding the explanation of Google’s more interesting methods?
- Will the Google respond in a way that tweaks the nose of the Recorded Future team?
- Will Recorded Future escalate its revelations about the GOOG to get clicks, generate traffic, and possibly make sales?
I have no answers. I think the write up is interesting and probably long overdue. I think this is an important shift which has taken place with a new owner overseeing the once Googley predictive analytics company. Insight probably used the Recorded Future methods to predict the probabilities for upsides and downsides of this type of article. There are margins of error, however.
Stephen E Arnold, May 26, 2021
Specialized Technology: Why Processing Talk Can Be Helpful to Anyone
May 7, 2021
Some specialized services companies have provided cheat sheets for audio and video intercepts. I heard that this technology was under wraps and available only to those with certain privileges. Not any longer.
An outfit at Wordcab.com can perform what once was an intelligence function for anyone with Internet access, content, and a way to pay. Navigate to Wordcab.com and sign up. The company says:
Automagically summarize all your internal meetings. Wordcab creates detailed, natural-language summaries of all your meetings and sales calls. So you can focus on people, not paper.
Thumbtypers will thrill with the use of the word “automagically.” The service can ingest a Zoom recording and generate a summary. The outputs can be tweaked, but keep in mind, this is smart software, not Maxwell Perkins reincarnated as your blue pencil toting digital servant. There’s an API so the service can be connected to whizzy distributed services and, if you have a copy of Palantir Gotham-type software, you can do some creative analysis.
The idea is that the smart software can make an iPhone toting bro or bro-ette more efficient.
The key point is that what once was a secret capability is now available to anyone with an Internet connection. And to those who don’t think there is useful information in TikTok-type services: maybe think again?
Stephen E Arnold, May 7, 2021
Signal and Cellebrite: Raising Difficult Questions
April 22, 2021
Signal published a summary of its exploration of the Cellebrite software. Founded in Israel and now owned by the Japanese company Sun Corporation, Cellebrite is a frequent exhibitor, speaker, and training sponsor at law enforcement and intelligence conferences. There are units and subsidiaries of the company, which are not germane to this short blog post. The company’s main business is to provide specialized services to make sense of data on mobile devices. Yes, there are other use cases for the company’s technology, but phones are a magnet at the present time.
“Exploiting Vulnerabilities in Cellebrite UFED and Physical Analyzer from an App’s Perspective” makes clear that Cellebrite’s software is probably neither better nor worse than SolarWinds, Microsoft Exchange Server, or other vendors’ software. Software has bugs, and once those bugs are discovered and put into circulation via a friendly post on a Dark Web paste site or a comment in a tweet, it’s party time for some people.
Signal’s trope is that the Cellebrite “package” fell off a truck. I am not sure how many of those in my National Cyber Crime 2021 lectures will find that explanation credible, but some people are skeptics. Signal says:
[Cellebrite’s] products have often been linked to the persecution of imprisoned journalists and activists around the world, but less has been written about what their software actually does or how it works. Let’s take a closer look. In particular, their software is often associated with bypassing security, so let’s take some time to examine the security of their own software.
The write up then points out vulnerabilities. The information may be very useful to bad actors who want to configure their mobile devices to defeat the Cellebrite system and method. As readers of this blog may recall, I am not a big fan of disclosures about specialized software for certain government entities. Others — like the Signal analysts — have a different viewpoint. I am not going to get involved in a discussion of this issue.
What I want to point out is that the Signal write up, if accurate, is another example of a specialized services vendor doing the MBA thing of over promising, overselling, and over marketing a cyber security solution.
In the context of the cyber security threat intelligence services which failed to notice the not-so-trivial SolarWinds, Microsoft Exchange Server, and Pulse Secure cyber missteps — the Signal essay is important.
Let me express my concern in questions:
What if the cyber security products and services are not able to provide security? What if the indexes of the Dark Web are not up to date and complete, so queries return misleading results? What if the auto-generated alerts are based on flawed methods?
The cyber vendors and their customers are likely to respond, “Our products are more than 95 percent effective.” That may be accurate in some controlled situations. But at the present time, the breaches and the Signal analysis may form the outlines of a cyber environment in which expensive cyber tools are little more than plastic hammers and saws. Expensive plastic tools which break when subjected to real-world work.
Stephen E Arnold, April 22, 2021
Palantir and Anduril: Best Buds for Sure
March 12, 2021
I read “Anduril Industries Joins Palantir Technologies’ TITAN Industry Team.” In the good old days I would have been zipping from conference to conference outputting my ideas. Now I sit in rural Kentucky and fire blog posts into the datasphere.
This post calls attention to an explicit tie up between two Peter Thiel-associated entities: Palantir Technologies and Anduril. The latter is an interesting company with some nifty smart technology, including a drone which has the cheerful name “Anvil.”
For details about the new US Army project and the relationship between these two companies, the blog post was online as of March 8, 2021. (Some information may be removed, and I can’t do much about what other outfits do.)
Information about Anduril is available at their Web site. Palantir is everywhere and famous in the intelware business and among some legal eagles. No, I don’t have a Lord of the Rings fetish, but some forever young folks do.
Stephen E Arnold, March 12, 2021