DarkCyber for July 27, 2021: NSO Group Again, Making AWS Bots, How Bad Actors Scale, and Tethered Drones

July 27, 2021

The 15th DarkCyber for 2021 addresses some of the NSO Group’s market position. With more than a dozen news organizations digging into who does what with the Pegasus intelware system, the Israeli company has become the face of what some have called the spyware industry. In this program, Stephen E Arnold, author of the Dark Web Notebook, explains how bad actors scale their cyber crime operations. One thousand engineers is an estimate which is at odds with how these cyber groups and units operate. What’s the technique? Tune in to learn why Silicon Valley provided the road map for global cyber attacks. If you are curious, you can build your own software robot to perform interesting actions using the Amazon AWS system as a launch pad. The final story explains that innovation in policing can arrive from the distant past. An 18th century idea may be the next big thing in law enforcement’s use of drones. DarkCyber is produced by Stephen E Arnold, who publishes Beyond Search. You can access the blog at www.arnoldit.com/wordpress and view the DarkCyber video at this link.

Kenny Toth, July 27, 2021

NSO Group: The Rip in the Fabric of Intelware

July 22, 2021

A contentious relationship with the “real news” organizations can be risky. I have worked at a major newspaper and a major publisher. The tenacity of some of my former colleagues is comparable to the grit one associates with an Army Ranger or Navy Seal, just with a slightly more sensitive wrapper. Journalists favored semi-with-it clothes, not bushy beards. The editorial team was more comfortable with laptops than an F SCAR.

Communications associated with NSO Group — the headline magnet among the dozens of Israel-based specialized software companies (a very close-in group, by the way) — may have torn the fabric shrouding the relationship among former colleagues in the military, government agencies, their customers, and their targets.

Who’s to blame? The media? Maybe. I don’t have a dog in this particular season’s fights. The action promises to be interesting and potentially devastating to some comfortable business models. NSO Group is just one of many firms working to capture the money associated with cyber intelligence and cyber security. The spat between the likes of journalists at the Guardian and the Washington Post and NSO Group appears to be diffusing like spilled ink on a camouflage jacket.

I noted “Pegasus Spyware Seller: Blame Our Customers Not Us for Hacking.” The main point seems to be that NSO Group allegedly suggests that those entities licensing the NSO Group specialized software are responsible for their use of the software. The write up reports:

But a company spokesman told BBC News: “Firstly, we don’t have servers in Cyprus.

“And secondly, we don’t have any data of our customers in our possession.

“And more than that, the customers are not related to each other, as each customer is separate.

“So there should not be a list like this at all anywhere.”

And the number of potential targets did not reflect the way Pegasus worked.

“It’s an insane number,” the spokesman said.

“Our customers have an average of 100 targets a year.

“Since the beginning of the company, we didn’t have 50,000 targets total.”

For me, the question becomes, “What controls exist within the Pegasus system to manage the usage of the surveillance system?” If there are controls, why are these not monitored by an appropriate entity; for example, an oversight agency within Israel? If there are no controls, has Pegasus become an “on premises” install set up so that a licensee has a locked down, air tight version of the NSO Group tools?

The second item I noticed was “NSO Says ‘Enough Is Enough,’ Will No Longer Talk to the Press About Damning Reports.” At first glance, I assumed that an inquiry was made by the online news service and the call was not returned. That happens to me several times a day. I am an advocate of my version of cancel culture. I just never call the entity again and move on. I am too old to fiddle with the egos of a younger person who believes that a divine entity has given that individual special privileges. Nope, delete.

But not NSO Group. According to the write up:

“Enough is enough!” a company spokesperson wrote in a statement emailed to news organizations. “In light of the recent planned and well-orchestrated media campaign led by Forbidden Stories and pushed by special interest groups, and due to the complete disregard of the facts, NSO is announcing it will no longer be responding to media inquiries on this matter and it will not play along with the vicious and slanderous campaign.” NSO has not responded to Motherboard’s repeated requests for comment and for an interview.

Okay, the enough is enough message is allegedly in “writing.” That’s better than a fake message disseminated via TikTok. However, the “real journalists” are likely to become more persistent. Despite a lack of familiarity with the specialized software sector, a large number of history majors and liberal arts grads can do what “real” intelligence analysts do. Believe me, there’s quite a bit of open source information about the cozy relationship within and among Israel’s specialized software sector, the interaction of these firms with certain government entities, and public messages parked in unlikely open source Web sites to keep the “real” journalists learning, writing, and probing.

In my opinion, allowing specialized software services to become public; that is, to actually talk about the capabilities of surveillance and intercept systems, was a very, very bad idea. But money is money and sales are sales. Incentive schemes for the owners of specialized software companies guarantee that I can spend eight hours a day watching free webinars that explain the ins and outs of specialized software systems. I won’t, but some of the now ignited flames of “real” journalism will. They will learn almost exactly what is presented in classified settings. Why? Capabilities when explained in public and secret forums use almost the same slide decks, the same words, and the same case examples, which vary only in the level of detail presented. This is how marketing works, in my opinion.

Observations:

1. A PR disaster is, it appears, becoming a significant political issue. This may pose some interesting challenges within the Israel centric specialized software sector. NSO Group’s system ran on cloud services like Amazon’s until AWS allegedly pushed Pegasus out of the Bezos stable.

2. A breaker of the specialized software business model of selling to governments and companies. The cost of developing, enhancing, and operating most specialized software systems keeps companies on the knife edge of solvency. The push into commercial use of the tools by companies or consumerizing the reports means government contracts will become more important if the non-governmental work is cut off. Does the world need several dozen Dark Web indexing outfits and smart time line and entity tools? Nope.

3. A boost to bad actors. The reporting in the last week or so has provided a detailed road map to bad actors in some countries about [a] What can be done, [b] How systems like Pegasus operate, [c] the inherent lack of security in systems and devices charmingly labeled “insecure by design” by a certain big software company, and [d] specific pointers to the existence of zero day opportunities in blast door protected devices. That’s a hoot at ??????? ???? “Console”.

Net net: The NSO Group “matter” is a very significant milestone in the journey of specialized software companies. The reports from the front lines will be fascinating. I anticipate excitement in Belgium, France, Germany, Israel, the United Kingdom, and a number of other countries. Maybe a specialized software Covid Delta?

Stephen E Arnold, July 22, 2021

Smart Devices and Law Enforcement: Yes, the Future

June 28, 2021

I read “Security Robots Expand across U.S., with Few Tangible Results.” The write up highlights Yet Another Security Sales Play or YASSP. The write up states:

Officer Aden Ocampo-Gomez, a spokesman for the Las Vegas Metropolitan Police Department, said that while the complex is no longer in the agency’s top 10 list for most frequent 911 calls in the northeastern part of the Las Vegas Valley, he doesn’t think all the credit should go to Westy. “I cannot say it was due to the robot,” he said.

No surprise. Crime is a result of many factors; some of which make many, many people uncomfortable. A parent loses a job and steals money from an old timer with a cane. A hormone filled young person frustrated with a person staring decides to beat up the clueless person looking for a taxi. A street person needs a snort of Cisco. Many examples, and I have not wandered into the thicket of gangs, vendettas, psychological weirdness, or “hey, it seemed like fun.”

The write up does bump up a reality for vendors of police-related technology. Here’s an interesting passage:

But the finances behind the police robot business is a difficult one. Last year, Knightscope lost more money than ever, with a $19.3 million net loss, nearly double from 2019. While some clients are buying more robots, the company’s overall number of clients fell to 23, from 30, in the past four years. Plus, the number of robots leased has plateaued at 52 from the end of 2018 through the end of last year. The pandemic certainly didn’t help things. Just two months ago, Knightscope told investors that there was “substantial doubt regarding our ability to continue” given the company’s “accumulated deficit,” or debt, of over $69 million as of the end of 2020. Its operating expenses jumped by more than 50 percent, including a small increase on research, and a doubling of the company’s marketing budget. Knightscope itself recently told investors that absent additional fundraising efforts, it will “not be solvent after the third quarter of 2022.”

Earlier this month I gave a talk to a group on the East Coast affiliated with a cyber crime outfit. One question popped up on the Zoom chat:

What’s law enforcement look like in five years?

As I have pointed out many times, if I could predict the future, I would be rolling in Kentucky Derby winnings. I said something to the effect, “More technology.”

That’s what CNBC is missing in its write up about the robot outfit Knightscope: Enforcement agencies worldwide are trying to figure out how to attract individuals who will enforce laws. Australia has explored hiring rehabbed criminals for special roles. Several years ago, I had dinner with one of these individuals, and I came away thinking, “This is a perfect type for undercover work.”

The major TV outlets in my area of the Rust Belt routinely run interviews with government officials who point out that there are employment opportunities in law enforcement.

The problem is that finding employees is not easy. Once a person is an employee, often that individual wants to work on a schedule appropriate to the person, not the organization. If asked to do extra work, the employee can quit or not show up. This issue exists at fast food outfits, manufacturing plants, and government agencies.

What the write up ignores is that robots will work. Using semi smart devices is the future. Turn ‘em on; devices mostly work.

One can’t say that for human counterparts.

Net net: Without enough humans who will actually work, smart devices are definitely the future. I stand by my observation to the cyber crime seminar attendees. What do you want patrolling your subdivision: a smart device or a 22-year-old fascinated with thumbtyping who wants a three day work week and doesn’t want to get involved?

Think about it. Knightsbridge, if I can do anything to boost your company, let me know.

Stephen E Arnold, June 28, 2021

Signal and Cellebrite: Raising Difficult Questions

April 22, 2021

Signal published a summary of its exploration of the Cellebrite software. Founded in Israel and now owned by the Japanese company Sun Corporation, Cellebrite is a frequent exhibitor, speaker, and training sponsor at law enforcement and intelligence conferences. There are units and subsidiaries of the company, which are not germane to this short blog post. The company’s main business is to provide specialized services to make sense of data on mobile devices. Yes, there are other use cases for the company’s technology, but phones are a magnet at the present time.

“Exploiting Vulnerabilities in Cellebrite UFED and Physical Analyzer from an App’s Perspective” makes clear that Cellebrite’s software is probably neither better nor worse than the SolarWinds, Microsoft Exchange Server, or other vendors’ software. Software has bugs, and once those bugs are discovered and put into circulation via a friendly post on a Dark Web paste site or a comment in a tweet, it’s party time for some people.

Signal’s trope is that the Cellebrite “package” fell off a truck. I am not sure how many of those in my National Cyber Crime 2021 lectures will find that explanation credible, but some people are skeptics. Signal says:

[Cellebrite’s] products have often been linked to the persecution of imprisoned journalists and activists around the world, but less has been written about what their software actually does or how it works. Let’s take a closer look. In particular, their software is often associated with bypassing security, so let’s take some time to examine the security of their own software.

The write up then points out vulnerabilities. The information may be very useful to bad actors who want to configure their mobile devices to defeat the Cellebrite system and method. As readers of this blog may recall, I am not a big fan of disclosures about specialized software for certain government entities. Others — like the Signal analysts — have a different viewpoint. I am not going to get involved in a discussion of this issue.

What I want to point out is that the Signal write up, if accurate, is another example of a specialized services vendor doing the MBA thing of over promising, overselling, and over marketing a cyber security solution.

In the context of the cyber security threat intelligence services which failed to notice the not-so-trivial SolarWinds, Microsoft Exchange Server, and Pulse Secure cyber missteps — the Signal essay is important.

Let me express my concern in questions:

What if the cyber security products and services are not able to provide security? What if the indexes of the Dark Web are not up to date and complete, so queries return misleading results? What if the auto-generated alerts are based on flawed methods?

The cyber vendors and their customers are likely to respond, “Our products are more than 95 percent effective.” That may be accurate in some controlled situations. But at the present time, the breaches and the Signal analysis may form the outlines of a cyber environment in which expensive cyber tools are little more than plastic hammers and saws. Expensive plastic tools which break when subjected to real world work.

Stephen E Arnold, April 22, 2021

McKinsey: MBAs Are a Fascinating Group to Observe

February 5, 2021

Watching blue chip consulting firms is more enjoyable than visiting a zoo. Here’s a good example of the entertainment value of individuals who strive to apply logic to business. Logic is definitely good, right?

“AP Source: McKinsey to Pay $573M for Role in Opioid Crisis” explains that the McKinsey wizards somehow became involved in the “opioid crisis.” Crisis is self explanatory because most people have been ensnared in the Covid Rona thing. But opioid is difficult to appreciate. Think of addiction, crime, prostitution, trashed families, abandoned children, etc. You get the idea.

How could a blue chip consulting firm become involved in crimes which do not appear in the McKinsey collateral, on its Web site, or in its presentations to potential and current clients?

The write up says in the manner of “real” news outfits:

The global business consulting firm McKinsey & Company has agreed to a $573 million settlement over its role in advising companies on how to “supercharge” opioid sales amid an overdose crisis…

I interpret this to mean that the MBAs used their expertise to incentivize those in the legal pharma chain to move product. “Moving product” is a phrase used by narcotics dealers and MBAs alike, I believe.

The “real” news item reports:

McKinsey provided documents used in legal proceedings regarding OxyContin maker Purdue Pharma, including some that describe its efforts to help the company try to “supercharge” opioid sales in 2013, as reaction to the overdose crisis was taking a toll on prescribing. Documents made public in Purdue proceedings last year include emails among McKinsey.

A wonderful engagement until it wasn’t. Blue chip consulting firms like to write checks to those who generate billable hours. My understanding is that writing checks for unbillable work irritates partners who expect bonuses and adulation for their business acumen.

An allegation of “supercharging” addictive products and producing the secondary effects itemized by me in paragraph two of this post is a bit of a negative. Even worse, the desired secondary effect, like a zippy new Porsche conjured up on the Porsche Car Configurator, a position in a new investment fund, or a nice house and land in New Zealand, does not arrive.

No word on jail time, but there’s a new administration now. The prostitution, child abandonment, and crime issues may become more consequential now.

Will this become a Harvard case? Who am I kidding? McKinsey is numero uno. Do los narcotraficantes operate with McKinsey’s acumen, logic, and efficiency? Good question.

Stephen E Arnold, February 5, 2021

What Is Next for Amazon Netradyne?

February 4, 2021

I noted the “real” news outfit CNBC story “Amazon Is Using AI-Equipped Cameras in Delivery Vans and Some Drivers Are Concerned about Privacy.” The use case is monitoring drivers. I have heard that some drivers work like beavers. Other comments suggest that some drivers play fast and loose with their time. These are lazy beavers. Other drivers misplace packages. These are crafty beavers. Another group drives like the route through the subdivision is a race. These are thrill-loving beavers. The Netradyne Driveri gizmo provides a partial solution with benefits; for example, imagery. My thought is that the Netradyne gizmo can hook into the Amazon AWS mother ship for a range of interesting features and functions. Maybe the data would be of use to those engaged in Amazon’s public sector work; for example, policeware services and solutions?

The story states:

Amazon is using an AI-powered camera made by Netradyne, a San Diego-based start-up that was founded in 2015 by two former senior Qualcomm employees. The camera, called Driveri, has four lenses that capture the road, the driver, and both sides of the vehicle.

I want to step away from the Netradyne and ask a few questions to which I don’t have answers at this time:

  1. Will Amazon learn from the Netradyne deployment what product enhancements to include in the “son of Netradyne”?
  2. What if a vehicle is equipped with multiple Netradyne type devices and shares these data with Amazon’s public sector partners and customers?
  3. What if Amazon’s drone routing surveillance technology is adapted to function with Amazon delivery mechanisms; that is, robot carts, lockers at the local store, trunk centric delivery, Ring doorbells, etc.?

The drivers are the subjects of a Silicon Valley style A-B test. My hunch is that there will be further smart camera developments either by AWS itself, AWS and a partner, or a few startups taking advantage of AWS technology to provide a platform for an application of the Netradyne learnings.

Who competes with Amazon AWS in this sector? Google, Microsoft, got any ideas? Sure, you do.

Stephen E Arnold, February 4, 2021

Law Enforcement Content Acquisition Revealed

January 22, 2021

Everything you do with a computer, smartphone, wearable, smart speaker, or tablet is recorded. In order to catch bad actors, law enforcement issues warrants to technology companies often asking for users who searched for specific keywords or visited certain Web sites in a specific time frame. Wired explains how private user information is still collected despite big tech promising to protect their users in the article, “How Your Digital Trails Wind Up In The Police’s Hands.”

Big tech companies continue to host apps and sell technology that provides user data to law enforcement. Apple attempted to combat the unauthorized use of user information by requiring all developers to have a “nutritional label” on their apps. The label will disclose privacy policies. It is not, however, a blanket solution.

Big tech companies pledge their dedication to ending law enforcement’s use of unlawful surveillance, but their actions are hypocritical. Amazon is committed to racial equity, but it saw an uptick in police requests for user information. Google promises the same equity commitment with Google Doodles and donations, but it provides police with geofence warrants.

Law makers and political activists cite that these actions violate people’s civil rights and the Fourth Amendment. While there are people who are rallying to protect the average user, the bigger problem rests with users’ lack of knowledge. How many users are aware of the breadcrumbs they are leaving around the Internet? How many users actually read privacy policies or terms of service agreements? Very few!

“The solution isn’t simply for people to stop buying IoT devices or for tech companies to stop sharing data with the government. But “equity” demands that users be aware of the digital bread crumbs they leave behind as they use electronic devices and how state agents capitalize on both obscure systems of data collection and our own ignorance.”

Perhaps organizations should concentrate on educating the public or require big tech companies to have more transparent privacy policies in shorter, readable English? With thumb typing and illiteracy prevalent in the US, ignorance pays data dividends.

Whitney Grace, January 22, 2020

MIT: In the News Again

January 18, 2021

I have used “high school science club management methods” to describe some of the decisions at Silicon Valley-type outfits. I have also mentioned that the esteemed Massachusetts Institute of Technology found itself in a bit of a management dither with regards to the infamous Jeffrey Epstein. If you are not familiar with the MIT Epstein adventure, check out “Jeffrey Epstein’s Money Bought a Coverup at the MIT Media Lab.” High school science club management in action.

I read a story dated January 14, 2021, with the fetching title “MIT Professor Charged with Hiding Work for China.” Yep, someone hired a person, failed to provide appropriate oversight, and created a side gig. I learned:

While working for MIT, Chen entered into undisclosed contracts and held appointments with Chinese entities, including acting as an “overseas expert” for the Chinese government at the request of the People’s Republic of China Consulate Office in New York, authorities said. Many of those roles were “expressly intended to further the PRC’s scientific and technological goals,” authorities said in court documents. Chen did not disclose his connections to China, as is required on federal grant applications, authorities said. He and his research group collected about $29 million in foreign dollars, including millions from a Chinese government funded university, while getting $19 million in grants from U.S. federal agencies for his work at MIT since 2013, authorities said.

MIT is allegedly an institution with many bright people. Maybe that is part of the challenge. The high school science club mentality has ingrained itself into the unsophisticated techniques used to track donations and smart professors.

Harvard has a business school. Does it offer a discount for MIT administrative professionals?

Stephen E Arnold, January 18, 2021

How Will MindGeek Get Paid? Umm, Encrypted and Anonymous Digital Currencies Maybe

December 11, 2020

I have followed the strong MasterCard and Visa response to revelations about MindGeek’s less-than-pristine content offerings. The Gray Lady wrote about MindGeek and then other “real” news sites picked up the story. A good example is “Visa, MasterCard Dump Pornhub Over Abuse Video Claims.” The write ups appear to have sidestepped one question which seems obvious to me:

How will MindGeek collect money?

There are some online ad outfits which have been able to place ads on Dark Web sites and on some other sites offering specialized content, not very different from MindGeek’s glittering content array. Amped up advertising seems one play.

But what about MindGeek’s paying customers?

Perhaps MindGeek, nestled in the Euro-centric confines of Montréal, will come up with the idea to use a digital currency. Invoices can be disseminated in secret messaging systems like those favored by the Russian based Edward Snowden. The payments can flow via encrypted digital currencies. Now many transactions can be tracked by government authorities in a number of countries. Nevertheless, making this type of shift is likely to increase the burden on investigators.

Just as killing off Backpage created additional work for some law enforcement professionals, the MasterCard and Visa termination may have a similar effect. Yes, the backlog can be resolved. But that is likely to add friction to some enforcement activities. A failure by regulatory agencies to get a handle on payment systems (encrypted and unencrypted) is now evident to some.

Stephen E Arnold, December 11, 2020

DHS Turns to Commercial Cellphone Data Vendors for Tracking Intelligence

November 18, 2020

Color us completely unsurprised. BuzzFeed News reports, “DHS Authorities Are Buying Moment-By-Moment Geolocation Cellphone Data to Track People.” In what privacy advocates are calling a “surveillance partnership” between government and corporations, the Department of Homeland Security is buying cellphone data in order to track immigrants at the southern border. This is likely to go way beyond the enforcement of immigration laws—once precedent is set, agencies across the law enforcement spectrum are apt to follow suit.

Citing a memo that came into their possession, reporters Hamed Aleaziz and Caroline Haskins reveal DHS lead attorney Chad Mizelle believes ICE officials are free to access locations and cellphone data activity without the need to obtain a warrant and without violating the Fourth Amendment (protection against unreasonable search and seizure). His reasoning? The fact that such data is commercially available, originally meant for advertising purposes, means no warrant is required. Consider that loophole as you ponder how much personal information most citizens’ cell phones hold, from our daily movement patterns to appointments with doctors and other professionals, to our communications. Aleaziz and Haskins write:

“When DHS buys geolocation data, investigators only know that phones and devices visited certain places — meaning, they don’t automatically know the identities of people who visited those locations. Investigators have to match a person’s visited locations with, say, property records and other data sets in order to determine who a person is. But this also means that, technically, moment-by-moment location tracking could happen to anyone, not just people under investigation by DHS. In particular, lawyers, activists, nonprofit workers, and other essential workers could get swept up into investigations that start with geolocation data. DHS officials said they do not comment on alleged leaked documents. The agency is aware of potential legal vulnerabilities under the Fourth Amendment. Mizelle states in his memo that there are ways for CBP and ICE to ‘minimize the risk’ of possible constitutional violations, pointing out that they could limit their searches to defined periods, require supervisors to sign off on lengthy searches, only use the data when more ‘traditional’ techniques fail, and limit the tracking of one device to when there is ‘individualized suspicion’ or relevance to a ‘law enforcement investigation.’”

Earlier this year, The Wall Street Journal reported that DHS was purchasing this data for ICE and CBP. Federal records show both agencies have bought licenses and software from the mobile device data vendor Venntel. The House Committee on Oversight and Reform is now investigating the company for selling data to government agencies.

Interesting dynamics.

Cynthia Murrell, November 18, 2020
