NSO Group: Talking and Not Talking Is Quite a Trick

July 30, 2021

I read “A Tech Firm Has Blocked Some Governments from Using Its Spyware over Misuse Claims.” First, let’s consider the headline. If the headline is factual, the message I get is that NSO Group operates one or more servers through which Pegasus traffic flows. Thus, the Pegasus system includes one or more servers which have log files, uptime monitoring, and administrative tools which permit operations like filtering, updating, and the like. Thus, a systems administrator with authorized access to one or a fleet of NSO Group servers supporting Pegasus can do what some system administrators do: Check out what’s shakin’ with the distributed system. Is the headline accurate? I sure don’t know, but the implication of the headline (assuming it is not a Google SEO ploy to snag traffic) is that NSO Group is in a position to know — perhaps in real time via a nifty AWS-type dashboard — who is doing what, when, where, for how long, and other helpful details about which a curious observer finds interesting, noteworthy, or suitable for assessing an upcharge. Money is important in zippy modern online systems in my experience.

My goodness. That headline was inspirational.

What about the write up itself from the real news outfit National Public Radio or NPR, once home to Bob Edwards, who was from Louisville, not far from the shack next to a mine run off pond outside my door. Ah, Louisville, mine drainage, and a person who finds this passage suggestive:

“There is an investigation into some clients. Some of those clients have been temporarily suspended,” said the source in the company, who spoke to NPR on condition of anonymity because company policy states that NSO “will no longer be responding to media inquiries on this matter and it will not play along with the vicious and slanderous campaign.”

So the company won’t talk to the media, but does talk to the media, specifically NPR. What do I think about that? Gee, I just don’t know. Perhaps I don’t understand the logic of NSO Group. But I don’t grasp what “unlimited” means when a US wireless provider assures customers that they have unlimited bandwidth. I am just stupid.

Next, I noted:

NSO says it has 60 customers in 40 countries, all of them intelligence agencies, law enforcement bodies and militaries. It says in recent years, before the media reports, it blocked its software from five governmental agencies, including two in the past year, after finding evidence of misuse. The Washington Post reported the clients suspended include Saudi Arabia, Dubai in the United Arab Emirates and some public agencies in Mexico. The company says it only sells its spyware to countries for the purpose of fighting terrorism and crime, but the recent reports claim NSO dealt with countries known to engage in surveillance of their citizens and that dozens of smartphones were found to be infected with its spyware.

Okay, if the headline is on the beam, then NSO Group, maybe some unnamed Israeli government agencies like the unit issuing export licenses for NSO Group-type software, and possibly some “trusted” third parties are going to prowl through the data about the usage of Pegasus by entities. Some of these agencies may be quite secretive. Imagine the meetings going on in which those in these secret agencies. What will the top dogs in these secret outfits about the risks of having NSO Group’s data sifted, filtered, and processed by Fancy Dan analytics’ systems tell their bosses? Yeah, that will test the efficacy of advanced degrees, political acumen, and possible fear.

And what’s NSO Group’s position. The information does not come from an NSO Group professional who does not talk to the media but sort of does. Here’s the word from the NSO Group’s lawyer:

Shmuel Sunray, who serves as general counsel to NSO Group, said the intense scrutiny facing the company was unfair considering its own vetting efforts.

“What we are doing is, what I think today is, the best standard that can be done,” Sunray told NPR. “We’re on the one hand, I think, the world leaders in our human rights compliance, and the other hand we’re the poster child of human rights abuse.”

I like this. We have the notion of NSO Group doing what it can do to the “best standard.” How many times has this situation faced an outfit in the intelware game, based in Herliya, and under the scrutiny of an Israeli agency which says yes or no to an export license for a Pegasus type system. Is this a new situation? Might be. If true, what NSO Group does will define the trajectory of intelware going forward, won’t it?

Next, I like the “world leaders” and “Human rights compliance.” This line creates opportunities for some what I would call Comedy Central comments. I will refrain and just ask you to consider the phrase in the context of the core functions and instrumentality of intelware. (If you want to talk in detail, write benkent2020 at yahoo dot com and one of my team will get back to you with terms and fees. If not, I am retired, so I don’t care.)

Exciting stuff and the NSO Group ice cream melt is getting stickier by the day. And in Herzliya, the temperature is 29 C. “C” is the grade I would assign to this  allegedly accurate statement from the article that NSO Group does not talk to the media. Get that story straight is my advice.

And, gentle NPR news professional, why not ask the lawyer about log file retention and access to data in Pegasus by an NSO system administrator?

Stephen E Arnold, July 30, 2021

Exploit Checklist for Bad Actors

July 28, 2021

I found this post my MIT Research (oops, sorry, I meant MITRE Research. The information in “2021 CWE Top 25 Most Dangerous Software Weaknesses” is fascinating. It provides hot links to details in a public facing encyclopedia called Common Weakness Enumeration. The link is to additional information about the Out-of-Bounds Write” weak point. The Top 25 is a helpful reference for good actors as well as bad actors. The MITRE team provides this preface to the list:

The 2021 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses (CWE Top 25) is a demonstrative list of the most common and impactful issues experienced over the previous two calendar years. These weaknesses are dangerous because they are often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working. The CWE Top 25 is a valuable community resource that can help developers, testers, and users — as well as project managers, security researchers, and educators — provide insight into the most severe and current security weaknesses. To create the 2021 list, the CWE Team leveraged Common Vulnerabilities and Exposures (CVE®) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each CVE record. A formula was applied to the data to score each weakness based on prevalence and severity.

Popular weaknesses, the equivalent of a 1960s AM radio station’s “Fast Mover Tunes” are:

  • CWE-276 (Incorrect Default Permissions): from #41 to #19
  • CWE-306 (Missing Authentication for Critical Function): from #24 to #11
  • CWE-502 (Deserialization of Untrusted Data): from #21 to #13
  • CWE-862 (Missing Authorization): from #25 to #18
  • CWE-77 (Improper Neutralization of Special Elements used in a Command (‘Command Injection’)): from #31 to #25

New entries are:

  • CWE-276 (Incorrect Default Permissions): from #41 to #19
  • CWE-918 (Server-Side Request Forgery (SSRF)): from #27 to #24
  • CWE-77 (Improper Neutralization of Special Elements used in a Command (‘Command Injection’)): from #31 to #25

A few minutes spent with this list can be instructive. The write up includes a list of weaknesses which one might want to know about.

Net net: Who will find this list more inspirational: Marketing oriented cyber threat vendors or bad actors working under the protection of nation states hostile to US interests?

Stephen E Arnold, July 28, 2021

DarkCyber for July 27, 2021: NSO Group Again, Making AWS Bots, How Bad Actors Scale, and Tethered Drones

July 27, 2021

The 15th DarkCyber for 2021 addresses some of the NSO Group’s market position. With more than a dozen news organizations digging into who does what with the Pegasus intelware system, the Israeli company has become the face of what some have called the spyware industry. In this program, Stephen E Arnold, author of the Dark Web Notebook, explains how bad actors scale their cyber crime operations. One thousand engineers is an estimate which is at odds with how these cyber groups and units operate. What’s the technique? Tune in to learn why Silicon Valley provided the road map for global cyber attacks. If you are curious, you can build your own software robot to perform interesting actions using the Amazon AWS system as a launch pad. The final story explains that innovation in policing can arrive from the distant pass. An 18th century idea may be the next big thing in law enforcement’s use of drones. DarkCyber is produced by Stephen E Arnold, who publishes Beyond Search. You can access the blog at www.arnoldit.com/wordpress and view the DarkCyber video at this link.

Kenny Toth, July 27, 2021

NSO Group: The Rip in the Fabric of Intelware

July 22, 2021

A contentious relationship with the “real news” organizations can be risky. I have worked at a major newspaper and a major publisher. The tenacity of some of my former colleagues is comparable to the grit one associates with an Army Ranger or Navy Seal, just with a slightly more sensitive wrapper. Journalists favored semi with it clothes, not bushy beards. The editorial team was more comfortable with laptops than an F SCAR.

Communications associated with NSO Group — the headline magnet among the dozens of Israel-based specialized software companies (an very close in group by the way)— may have torn the fabric shrouding the relationship among former colleagues in the military, government agencies, their customers, and their targets.

Whose to blame? The media? Maybe. I don’t have a dog in this particular season’s of fights. The action promises to be interesting and potentially devastating to some comfortable business models. NSO Group is just one of many firms working to capture the money associated with cyber intelligence and cyber security. The spat between the likes of journalists at the Guardian and the Washington Post and NSO Group appears to be diffusing like spilled ink on a camouflage jacket.

I noted “Pegasus Spyware Seller: Blame Our Customers Not Us for Hacking.” The main point seems to be that NSO Group allegedly suggests that those entities licensing the NSO Group specialized software are responsible for their use of the software. The write up reports:

But a company spokesman told BBC News: “Firstly, we don’t have servers in Cyprus.

“And secondly, we don’t have any data of our customers in our possession.

“And more than that, the customers are not related to each other, as each customer is separate.

“So there should not be a list like this at all anywhere.”

And the number of potential targets did not reflect the way Pegasus worked.

“It’s an insane number,” the spokesman said.

“Our customers have an average of 100 targets a year.

“Since the beginning of the company, we didn’t have 50,000 targets total.”

For me, the question becomes, “What controls exist within the Pegasus system to manage the usage of the surveillance system?” If there are controls, why are these not monitored by an appropriate entity; for example, an oversight agency within Israel? If there are no controls, has Pegasus become an “on premises” install set up so that a licensee has a locked down, air tight version of the NSO Group tools?

The second item I noticed was “NSO Says ‘Enough Is Enough,’ Will No Longer Talk to the Press About Damning Reports.” At first glance, I assumed that an inquiry was made by the online news service and the call was not returned. That happens to me several times a day. I am an advocate of my version of cancel culture. I just never call the entity again and move on. I am too old to fiddle with the egos of a younger person who believes that a divine entity has given that individual special privileges. Nope, delete.

But not NSO Group. According to the write up:

“Enough is enough!” a company spokesperson wrote in a statement emailed to news organizations. “In light of the recent planned and well-orchestrated media campaign lead by Forbidden Stories and pushed by special interest groups, and due to the complete disregard of the facts, NSO is announcing it will no longer be responding to media inquiries on this matter and it will not play along with the vicious and slanderous campaign.” NSO has not responded to Motherboard’s repeated requests for comment and for an interview.

Okay, the enough is enough message is allegedly in “writing.” That’s better than a fake message disseminated via TikTok. However, the “real journalists” are likely to become more persistent. Despite a lack of familiarity with the specialized software sector, a large number of history majors and liberal arts grads can do what “real” intelligence analysts do. Believe me, there’s quite a bit of open source information about the cozy relationship within and among Israel’s specialized software sector, the interaction of these firms with certain government entities, and public messages parked in unlikely open source Web sites to keep the “real” journalists learning, writing, and probing.

In my opinion, allowing specialized software services to become public; that is, actually talk about the capabilities of surveillance and intercept systems was a very, very bad idea. But money is money and sales are sales. Incentive schemes for the owners of specialized software companies guarantee than I can spend eight hours a day watching free webinars that explain the ins and outs of specialized software systems. I won’t but some of the now ignited flames of “real” journalism will. They will learn almost exactly what is presented in classified settings. Why? Capabilities when explained in public and secret forums use almost the same slide decks, the same words, and the same case examples which vary in level of detail presented. This is how marketing works in my opinion.

Observations:

1. A PR disaster is, it appears, becoming a significant political issue. This may pose some interesting challenges within the Israel centric specialized software sector. NSO Group’s system ran on cloud services like Amazon’s until AWS allegedly pushed Pegasus out of the Bezos stable.

2. A breaker of the specialized software business model of selling to governments and companies. The cost of developing, enhancing, and operating most specialized software systems keeps companies on the knife edge of solvency. The push into commercial use of the tools by companies or consumerizing the reports means government contracts will become more important if the non-governmental work is cut off. Does the world need several dozen Dark Web indexing outfits and smart time line and entity tools? Nope.

3. A boost to bad actors. The reporting in the last week or so has provided a detailed road map to bad actors in some countries about [a] What can be done, [b] How systems like Pegasus operate, [c] the inherent lack of security in systems and devices charmingly labeled “insecure by design” by a certain big software company, and [d] specific pointers to the existence of zero day opportunities in blast door protected devices. That’s a hoot at ??????? ???? “Console”.

Net net: The NSO Group “matter” is a very significant milestone in the journey of specialized software companies. The reports from the front lines will be fascinating. I anticipate excitement in Belgium, France, Germany, Israel, the United Kingdom, and a number of other countries. Maybe a specialized software Covid Delta?

Stephen E Arnold, July 22, 2021

DarkCyber for July 13, 2021, Now Available

July 13, 2021

DarkCyber is a twice-a-month video news program about the Dark Web, lesser known Internet services, and cyber crime. You can view the program at this link or use the viewer on the Beyond Search splash page. The DarkCyber for July 13, 2021, discusses the new US GAO report on facial recognition. Plus a 2019 report, with numerous FR vendors and accuracy tests, provides data not in the 2021 report. Also, in this program are stories about: [a] what cohort (age group) is most susceptible to online scams, [b] Amazon eCommerce vulnerabilities, and [c] a report about the US Navy’s autonomous mid-air refueling drone. DarkCyber is produced by Stephen E Arnold.

Kenny Toth, July 13, 2021

Tor Compromised?

July 9, 2021

I read “Tor Encryption Can Allegedly Be Accessed by the NSA, Says Security Expert.” I was stunned. I thought that the layers of encryption, the triple hop through relays, and the hope that everything worked as planned was bulletproof. And who funded Tor in the first place? What’s the status of the not-for-profit foundation today? Why were some European entities excited about cross correlating date and time stamps, IP addresses, and other bits of metadata? I don’t have answers to these questions, nor does the write up.

The article presents this information:

A security expert by the name of Robert Graham, however, has outlined his reasons for actually believing that the NSA might not even need tricks and paltry exploits in order for them to gain access to Tor, according to a blog post on Erratasec. Why? The security expert notes that this is because they might already have the keys to the kingdom. If they don’t, then they might be able to, according to arsTechnica.

Let me see if I can follow the source of this interesting assertion. TechTimes (the outfit publishing the “Tor Encryption Can” story cited above) quotes a security expert. There was a source called Erratasec. Then there was a story on ars Technica.

Now I think that Tor software and the onion method have security upsides and downsides. I also know that what humans create, other humans can figure out. I think the point of the write up is that anyone who uses Tor should embrace the current version.

Can NSA or any other intelligence entity figure out who is doing what, when, and why? My view is that deobfuscation methods are advancing. The fact that bad actors are shifting from old-school Dark Web sites to other channels speaks volumes. Bad actors have been shifting to messaging services which feature end-to-end encryption (E2EE) and do not require a particularly hard-to-complete registration process. But this shift from the “old” Dark Web to the “new” Dark Web began several years ago.  Bad actors have been aware that other secure communications options were Job One for years. My thought is that this story in interesting, just not focused on what is actually further consumerizing criminal behavior. The action has shifted, and the US may not be the leader in making sense of the new types of communications traffic.

Stephen E Arnold, July 9, 2021

DarkCyber for June 29, 2021, Now Available: Operation Trojan Shield Provides an Important Lesson

June 29, 2021

DarkCyber 13 discusses the Operation Trojan Shield sting. You can view the video at this link. The focus is on three facets of the interesting international takedowns not receiving much attention. The wrap up of the program is a lesson which should be applied to other interesting mobile device applications. If you are wondering how useful access to app data and its metadata are, you may find this 11 minute video thought provoking. DarkCyber is a production of Stephen E Arnold, a semi-retired consultant who dodges thumbtypers, marketers, and jargon lovers. Remember: No ads and no sponsors. (No, we don’t understand either but he pays our modest team like clockwork.)

Kenny Toth, June 29, 2021

Smart Devices and Law Enforcement: Yes, the Future

June 28, 2021

I read “Security Robots Expand across U.S., with Few Tangible Results.” The write up highlights Yet Another Security Sales Play or YASSP. The write up states:

Officer Aden Ocampo-Gomez, a spokesman for the Las Vegas Metropolitan Police Department, said that while the complex is no longer in the agency’s top 10 list for most frequent 911 calls in the northeastern part of the Las Vegas Valley, he doesn’t think all the credit should go to Westy. “I cannot say it was due to the robot,” he said.

No surprise. Crime is a result of many factors; some of which make many, many people uncomfortable. A parent loses a job and steals money from an old timer with a cane. A hormone filled young person frustrated with a person staring decides to beat up the clueless person looking for a taxi. A street person needs a snort of Cisco. Many examples, and I have not wandered into the thicket of gangs, vendettas, psychological weirdness, or “hey, it seemed like fun.”

The write up does bump up a reality for vendors of police-related technology. Here’s an interesting passage:

But the finances behind the police robot business is a difficult one. Last year, Knightscope lost more money than ever, with a $19.3 million net loss, nearly double from 2019. While some clients are buying more robots, the company’s overall number of clients fell to 23, from 30, in the past four years. Plus, the number of robots leased has plateaued at 52 from the end of 2018 through the end of last year. The pandemic certainly didn’t help things. Just two months ago, Knightscope told investors that there was “substantial doubt regarding our ability to continue” given the company’s “accumulated deficit,” or debt, of over $69 million as of the end of 2020. Its operating expenses jumped by more than 50 percent, including a small increase on research, and a doubling of the company’s marketing budget. Knightscope itself recently told investors that absent additional fundraising efforts, it will “not be solvent after the third quarter of 2022.”

Earlier this month I gave a talk to a group on the East Coast affiliated with a cyber crime outfit. One question popped up on the Zoom chat:

What’s law enforcement look like in five years?

As I have pointed out many times, if I could predict the future, I would be rolling in Kentucky Derby winnings. I said something to the effect, “More technology.”

That’s what CNBC is missing in its write up about the robot outfit Knightscope: Enforcement agencies worldwide are trying to figure out how to attract individuals who will enforce laws. Australia has explored hiring rehabbed criminals for special roles. Several years ago, I had dinner with one of these individuals, and I came away thinking, “This is a perfect type for undercover work.”

The major TV outlets in my area of the Rust Belt routinely run interviews with government officials who point out that there are employment opportunities in law enforcement.

The problem is that finding employees is not easy. Once a person is an employee, often that individual wants to work on a schedule appropriate to the person, not the organization. If asked to do extra work, the employee can quit or not show up. This issue exists at fast food outfits, manufacturing plants, and government agencies.

What the write up ignores is that robots will work. Using semi smart devices is the future. Turn ‘em on; devices mostly work.

One can’t say that for human counterparts.

Net net: Without enough humans who will actually work, smart devices are definitely the future. I stand by my observation to the cyber crime seminar attendees. What do you want patrolling your subdivision: A smart device or a 22 year old fascinated with thumbtyping who wants a three day work week and doesn’t want to get involved.

Think about it. Knightsbridge, if I can do anything to boost your company, let me know.

Stephen E Arnold, June 28, 2021

DarkCyber for June 15, 2021, Now Available

June 15, 2021

DarkCyber is a video news program issued every two weeks. The June 15, 2021, show includes five stories:

  • Pentest tools you can download and use today for free
  • A free report that explains Britain’s cyber weaknesses
  • Additional information about the E2EE revolution
  • Another tip for finding flexible developers and programmers who will do exactly what you want done
  • The FireScout, a drone with a 100 mile range and the ability to drop sonobuoys and other devices, perform surveillance, and remain aloft for up to 10 hours.

The DarkCyber video news program contains information presented in Stephen E Arnold’s lectures to law enforcement and intelligence professionals. His most recent lecture was the New Dark Web. He presented his most recent research findings to a group of more than 100 cyber fraud investigators working in Connecticut for a variety of LE and related organizations. The

The June 15, 2021, DarkCyber video program is available from Mr. Arnold’s blog splash page and can be viewed on YouTube. One important note: The video program does not contain advertisements or sponsored content. We know that’s unusual today, but the DarkCyber team prefers to operate without an invisible hand on the controls or an invisible foot on the team’s neck.

Kenny Toth, June 15, 2021

DarkCyber for June 1, 2021, Now Available

June 1, 2021

DarkCyber is a video news program about the Dark Web, cyber crime, and lesser known Internet services. This edition’s story line up includes a bad actor promoting on the regular Internet, a look at Europol’s business process analysis for industrialized cyber crime, a University of Washington research project for a do-it-yourself IMSI sniffer, two free reports about phishing, the go-to method for compromising users’ computer security, and a look at the Gaza, a new drone designed to strike at those who would wrongfully act toward certain groups. DarkCyber is produced by Stephen E Arnold with assistance from the DarkCyber research team. The programs appear twice each month. The videos are available on YouTube. You can view the video via the player on the Beyond Search blog or at https://youtu.be/f1ym19l2Y0I. No ads, no vendor supported posts, nothing but Mr. Arnold commenting on important news stories. How is this possible? No one who thumb typers knows.

Kenny Toth, June 1, 2021

Next Page »

  • Archives

  • Recent Posts

  • Meta