Citizen Lab experts say latest hacking highlights security, regulation vulnerabilities

Bill Marczak and John Scott-Railton made headlines around the world this week when they disclosed serious iPhone security flaws after an attempted attack on the phone of the prominent human rights activist Ahmed Mansoor through a link in a text message. Scott-Railton and Marczak are senior researchers at the Citizen Lab at the 91�Թ�'s Munk School of Global Affairs. With the help of mobile security firm Lookout, they traced the link back to a company called NSO Group that sells access to these vulnerabilities to their clients.

Read about the report here

Read the full report here

91�Թ� News writer Romi Levine spoke with Scott-Railton and with his Citizen Lab colleague Sarah McKune about the incident and about the murky territory that surrounds regulating companies like the NSO group.

John Scott-Railton

Lookout’s vice president, research called the NSO group at the centre of the Citizen Lab report a “cyber arms dealer” – what does he mean by that?

This is an interesting way to describe it. We’re in a geopolitical situation – there’s a market desire from countries that don’t have the ability to build the capability domestically to do digital surveillance. They go looking to the private market. There are a series of companies that are looking to sell them those capabilities. These are companies that are selling kinds of tools governments want for espionage and law enforcement.

Some accuse these companies of being mercenaries. It raises the question of proliferation – how do you decide whether or not to sell to a country? Part of our work at Citizen Lab is based around shedding light on that marketplace and to show clear evidence into whether or not there are abuses.

Are companies like the NSO group doing something illegal?

Some people believe that the way to solve the problem of proliferation is for governments to have export control regulations that require that any sale of this kind of technology is required to get a license and go through a process of evaluation.

The challenge seems to be, even though many of these frameworks exist, it’s still the case these companies are selling spyware technology to countries with notorious histories of serial misuse of this kind of spyware.

It raises the obvious question: If that’s not enough to stop a sale, what would stop a sale?

Ahmed Mansoor has now been targeted three times with this kind of technology from three different companies. If this isn’t evidence of serial misuse, I don’t know what is.

“Zero-day exploits” would have allowed NSO group to jailbreak Mansoor’s phone. What are they?

Zero day vulnerability is something that the vendor – in this case Apple – has spent zero days working to close. It basically means this is a hole or a bug in a product or software that can be exploited to run malicious code. This is very powerful knowledge because it gets you around the kind of security that you would expect to be built into products.
There’s a market for this kind of knowledge because it represents information about where these secret unlocked doors are that could potentially be very valuable.
There’s also a market for intrusion tools that could be used on top of that.

So vulnerability is like a secret door, the exploit is a set of instructions that get you in the door and the malware is what you put inside once you gain access.

Should the average person see Mansoor’s hacking as a threat to their own privacy?

The attacks we work on at Citizen Lab tend to be targeted at high-value individuals. It is not necessarily something everyone should be instantly afraid of.
But we at Citizen Lab think activists, dissidents and journalists are canaries in the coal mine – this targeting shows us a glimpse of a future where if this kind of market is not in some way addressed, this kind of vulnerability will be more and more part of the daily conversation.

When you target dissidents and journalists you’re not just targeting individuals, you’re targeting the democratic process and the people who help contribute to a fairer and more just and honest society – both because of the direct violence it does to civil societies and because of what it shows us about the future and the risks that will come.

Follow Scott-Railton’s digital security advice

How can someone recognize this kind of threat?

The sophistication of this threat is that it’s hard to recognize. Our advice to the general population is treat links and attachments especially from people you don’t know with great care. With the kinds of threats we see, like in the case of Mansoor, we see the critical importance of companies like Apple quickly responding to security threats we report to them.

Sarah McKune

How are companies like the NSO group regulated?

The regulatory area that’s been explored so far is that of export control. It’s the first step because export controls include a framework devoted to compliance and there can be penalties if you violate the applicable export control violations.

There's a multilateral export control group called the Wassenaar Arrangement – it includes over 40 countries including Canada, the United States and Russia, but it does not include Israel (where the NSO Group is based). But Israel incorporates the regulations that are agreed upon in the Waassenaar framework.

Export controls are a very arcane and language-specific beast. The arrangement lists different items that are subject to control implemented on the national levels. Individual nations implement those controls.

One of the controls that was added in December of 2013 related specifically to intrusion software. What NSO Group offers does seem to meet the criteria to be considered one of the items. That’s the crux of the issue – how these controls are implemented.

(If a product falls under the criteria, it’s) not an outright ban, you need to submit a license application and the authorities will grant or deny it.

We just don’t have visibility into the process with respect to NSO Group. It’s possible they may have submitted a request to a licensing application. It’s also possible a request has been granted.
The UAE has significant problems with respect to human rights including a track record of surveillance so it seems that if the authorities did engage in this review of the license application, those human rights concerns were not determined on the decision to grant the application if it was indeed granted .

So there’s no form of regulation one country can enforce on another country?

That demonstrates the limitation of export controls. They aren’t enough to address the human rights concerns associated with these technologies.

We have to start thinking beyond export controls to what other avenues are available.

What other ways are there to address these regulatory issues?

It involves a number of different facets.

We can look at the applicable laws relevant to this type of activity – there are some criminal laws that could apply to this type of context.

We can also look at consumer protection – this is certainly an issue of fraud perpetrated against individual users. Websites and other components of these types of spyware kits often attempt to mislead users as to what it is they’re trying to access and download.

There are legal and policy options on the table – legislatiures need to tackle this issue.

It is very complex but I do think this case demonstrates how vulnerable these types of technologies render users at large. It’s not just about one specific target. It’s about undermining technologies that affect us all.

Citizen Lab researchers uncover extensive Twitter cyber espionage campaign

lavende4 — Mon, 30 May 2016 14:52:57 +0000

Citizen Lab researchers uncover extensive Twitter cyber espionage campaign

lavende4 Mon, 05/30/2016 - 10:52

Cutline

Tag cloud of bait content topics used by Stealth Falcon shows a strong emphasis on political topics and narratives critical of the United Arab Emirate government

Topic

Global Lens

Munk School of Global Affairs & Public Policy

Citizen Lab

Global

Cyber-Espionage

A new report from the 91�Թ�’s Citizen Lab reveals a sophisticated international cyber-espionage campaign targeting journalists and activists whose work concerns the United Arab Emirates. The campaign used elaborate ruses, including fake organizations and journalists, to engage targets online, then entice them to open malicious files and links containing malware capable of monitoring their activities.

The campaign, which the researchers named Stealth Falcon, was first uncovered when a fictitious organization named “The Right to Fight” contacted Rori Donaghy, a UK-based journalist and founder of the Emirates Center for Human Rights. Building from this discovery, the Citizen Lab team, led by Bill Marczak, uncovered an elaborate web of fake social media handles and organizations.

“We’ve been diligently tracing Stealth Falcon for the past six months. But these guys have very good operational security. For every fake persona we have thus far identified, dozens may await discovery,” Marczak said.

Stealth Falcon’s techniques rely heavily on ruses, which they seem to have constructed with the help of a good picture of their targets’ behaviors and interests. One particularly concerning approach was the use of fake journalists to entice targets to open malicious documents.

“Stealth Falcon shows us that masquerading as a journalist is a recurrent technique, but that it can have chilling effect on trust in civil society,” added Marczak's colleague John Scott Railton.

The targets include a range of activists and public figures whose work covers issues of Human Rights and advocacy in the United Arab Emirates. Several of the individuals targeted by Stealth Falcon’s ruse were later convicted or jailed by the UAE. The researchers analyzed more than 400 pieces of ‘bait’ content, of which 73 percent concerned the United Arab Emirates.

“Governments and the private sector are increasingly exporting attack tools and know-how in the name of cybersecurity," Marczak said.

The report, called Keep Calm and (Don't) Enable Macros, stops short of conclusively attributing Stealth Falcon a particular sponsor, but highlights circumstantial evidence that could point towards UAE government involvement.

The research shows how the Internet, a key tool for organizing and activism, is also a powerful vehicle in the hands of malicious attackers, said Ron Deibert, Citizen Lab director. “Autocratic regimes like the United Arab Emirates are now routinely finding ways to subvert the tools of social media to accomplish their sinister aims. Careful research of the sort undertaken here can help journalists, activists, and others be on guard for these new threats.”

The Citizen Lab, based at the Munk School of Global Affairs, has an established track record of uncovering cyber espionage campaigns and other kinds of targeted digital attacks against human rights organizations. For more about the Citizen Lab, see https://citizenlab.org/.

Cyber-Espionage

Citizen Lab experts say latest hacking highlights security, regulation vulnerabilities

Read about the report here

Read the full report here

John Scott-Railton

Follow Scott-Railton’s digital security advice

Sarah McKune

Citizen Lab researchers uncover extensive Twitter cyber espionage campaign

Read the Citizen Lab report, Keep Calm and (Don’t) Enable Macros, here