<h2>Banning Surveillance-Based Advertising</h2>
<a href="https://www.schneier.com/blog/archives/2021/06/banning-surveillance-based-advertising.html"><strong>[2021.06.24]</strong></a> The Norwegian Consumer Council just published a fantastic new report: “<a href="https://www.forbrukerradet.no/wp-content/uploads/2021/06/20210622-final-report-time-to-ban-surveillance-based-advertising.pdf">Time to Ban Surveillance-Based Advertising.</a>” From the Introduction:
<blockquote>The challenges caused and entrenched by surveillance-based advertising include, but are not limited to:
<ul><li>privacy and data protection infringements</li>
<li>opaque business models</li>
<li>manipulation and discrimination at scale</li>
<li>fraud and other criminal activity</li>
<li>serious security risks</li></ul>
In the following chapters, we describe various aspects of these challenges and point out how today’s dominant model of online advertising is a threat to consumers, democratic societies, the media, and even to advertisers themselves. These issues are significant and serious enough that we believe that it is time to ban these detrimental practices.
A ban on surveillance-based practices should be complemented by stronger enforcement of existing legislation, including the General Data Protection Regulation, competition regulation, and the Unfair Commercial Practices Directive. However, enforcement currently consumes significant time and resources, and usually happens after the damage has already been done. Banning surveillance-based advertising in general will force structural changes to the advertising industry and alleviate a number of significant harms to consumers and to society at large.
A ban on surveillance-based advertising does not mean that one can no longer finance digital content using advertising. To illustrate this, we describe some possible ways forward for advertising-funded digital content, and point to alternative advertising technologies that may contribute to a safer and healthier digital economy for both consumers and businesses.</blockquote>
<a href="https://www.forbrukerradet.no/side/new-report-details-threats-to-consumers-from-surveillance-based-advertising/">Press release</a>. Press <a href="https://techcrunch.com/2021/06/23/international-coalition-joins-the-call-to-ban-surveillance-advertising/?tpcc=ECTW2020">coverage</a>.
I signed their <a href="https://fil.forbrukerradet.no/wp-content/uploads/2021/06/2021-06-22-letter-to-policymakers-surveillance-based-advertising-draft.pdf">open letter</a>.
<h2>AI-Piloted Fighter Jets</h2>
<a href="https://www.schneier.com/blog/archives/2021/06/ai-piloted-fighter-jets.html"><strong>[2021.06.25]</strong></a> <a href="https://cset.georgetown.edu/newsletter/june-24-2021/">News</a> from Georgetown’s Center for Security and Emerging Technology:
<blockquote><b>China Claims Its AI Can Beat Human Pilots in Battle:</b> Chinese state media reported that an AI system <a href="https://www.businessinsider.com/china-pits-fighter-pilots-against-ai-aircraft-in-simulated-dogfights-2021-6">had successfully defeated human pilots during simulated dogfights</a>. According to <a href="https://www.globaltimes.cn/page/202106/1226131.shtml">the Global Times report</a>, the system had shot down several PLA pilots during a handful of virtual exercises in recent years. Observers outside China noted that while reports coming out of state-controlled media outlets should be taken with a grain of salt, <a href="https://www.thedrive.com/the-war-zone/41152/chinese-pilots-are-also-dueling-with-ai-opponents-in-simulated-dogfights-and-losing-report">the capabilities described in the report are not outside the realm of possibility</a>. Last year, for example, an AI agent defeated a U.S. Air Force F-16 pilot five times out of five as part of DARPA’s AlphaDogfight Trial (<a href="https://cset.georgetown.edu/newsletter/ai-wins-darpa-dogfight-tiktok-sale-is-jeopardized-and-palantir-files-to-go-public/">which we covered at the time</a>). While the Global Times report indicated plans to incorporate AI into future fighter planes, it is not clear how far away the system is from real-world testing. At the moment, the system appears to be used only for training human pilots. DARPA, for its part, <a href="https://www.thedrive.com/the-war-zone/39899/darpa-now-has-ai-controlled-f-16s-working-as-a-team-in-virtual-dogfights">is aiming to test dogfights</a> with AI-piloted subscale jets later this year and with full-scale jets in 2023 and 2024.
<ul><li><b>More:</b> <a href="https://www.brookings.edu/research/ai-weapons-in-chinas-military-innovation/">“AI weapons” in China’s military innovation</a> | <a href="https://www.wired.com/story/ai-enable-swarm-warfare-fighter-jets/">AI Could Enable ‘Swarm Warfare’ for Tomorrow’s Fighter Jets</a></li></ul></blockquote>
<h2>NFC Flaws in POS Devices and ATMs</h2>
<a href="https://www.schneier.com/blog/archives/2021/06/nfc-flaws-in-pos-devices-and-atms.html"><strong>[2021.06.28]</strong></a> It’s a <a href="https://www.wired.com/story/atm-hack-nfc-bugs-point-of-sale/">series of vulnerabilities</a>:
<blockquote>Josep Rodriguez, a researcher and consultant at security firm IOActive, has spent the last year digging up and reporting vulnerabilities in the so-called near-field communications reader chips used in millions of ATMs and point-of-sale systems worldwide. NFC systems are what let you wave a credit card over a reader — rather than swipe or insert it — to make a payment or extract money from a cash machine. You can find them on countless retail store and restaurant counters, vending machines, taxis, and parking meters around the globe.
Now Rodriguez has built an Android app that allows his smartphone to mimic those credit card radio communications and exploit flaws in the NFC systems’ firmware. With a wave of his phone, he can exploit a variety of bugs to crash point-of-sale devices, hack them to collect and transmit credit card data, invisibly change the value of transactions, and even lock the devices while displaying a ransomware message. Rodriguez says he can even force at least one brand of ATMs to dispense cash — though that <a href="https://www.wired.com/story/jackpotting-atm-hacks/">“jackpotting” hack</a> only works in combination with additional bugs he says he’s found in the ATMs’ software. He declined to specify or disclose those flaws publicly due to nondisclosure agreements with the ATM vendors.</blockquote>
<h2>Risks of Evidentiary Software</h2>
<a href="https://www.schneier.com/blog/archives/2021/06/risks-of-evidentiary-software.html"><strong>[2021.06.29]</strong></a> Over at Lawfare, Susan Landau has an <a href="https://www.lawfareblog.com/dangers-posed-evidentiary-softwareand-what-do-about-it">excellent essay</a> on the risks posed by software used to collect evidence (a Breathalyzer is probably the most obvious example).
Bugs and vulnerabilities can lead to inaccurate evidence, but the proprietary nature of software makes it hard for defendants to examine it.
<blockquote>The software engineers proposed a three-part test. First, the court should have access to the “Known Error Log,” which should be part of any professionally developed software project. Next the court should consider whether the evidence being presented could be materially affected by a software error. Ladkin and his co-authors noted that a chain of emails back and forth are unlikely to have such an error, but the <a href="https://www.zdziarski.com/blog/?p=3717">time</a> that a software tool logs when an application was used could easily be incorrect. Finally, the reliability experts recommended seeing whether the code adheres to an industry standard used in a non-computerized version of the task (e.g., bookkeepers always record every transaction, and thus so should bookkeeping software).
Inanimate objects have long served as evidence in courts of law: the door handle with a fingerprint, the glove found at a murder scene, the Breathalyzer result that shows a blood alcohol level three times the legal limit. But the last of those examples is substantively different from the other two. Data from a Breathalyzer is not the physical entity itself, but rather a software calculation of the level of alcohol in the breath of a potentially drunk driver. As long as the breath sample has been preserved, one can always go back and retest it on a different device.
What happens if the software makes an error and there is no sample to check or if the software itself produces the evidence? At the time of our writing the article on the use of software as evidence, there was no overriding requirement that law enforcement provide a defendant with the code so that they might examine it themselves.
Given the high rate of bugs in complex software systems, my colleagues and I concluded that when computer programs produce the evidence, courts cannot assume that the evidentiary software is reliable. Instead the prosecution must make the code available for an “adversarial audit” by the defendant’s experts. And to avoid problems in which the government doesn’t have the code, government procurement contracts must include delivery of source code — code that is more-or-less readable by people — for every version of the code or device. </blockquote>
<h2>Insurance and Ransomware</h2>
<a href="https://www.schneier.com/blog/archives/2021/07/insurance-and-ransomware.html"><strong>[2021.07.01]</strong></a> As ransomware becomes more common, I’m seeing more discussions about the ethics of paying the ransom. Here’s one more contribution to that issue: a <a href="https://static.rusi.org/247-op-cyber-insurance-v2.pdf">research paper</a> arguing that the insurance industry is hurting more than it’s helping.
<blockquote>However, the most pressing challenge currently facing the industry is ransomware. Although it is a societal problem, cyber insurers have received considerable criticism for facilitating ransom payments to cybercriminals. These add fuel to the fire by incentivising cybercriminals’ engagement in ransomware operations and enabling existing operators to invest in and expand their capabilities. Growing losses from ransomware attacks have also emphasised that the current reality is not sustainable for insurers either.
To overcome these challenges and champion the positive effects of cyber insurance, this paper calls for a series of interventions from government and industry. Some in the industry favour allowing the market to mature on its own, but it will not be possible to rely on changing market forces alone. To date, the UK government has taken a light-touch approach to the cyber insurance industry. With the market undergoing changes amid growing losses, more coordinated action by government and regulators is necessary to help the industry reach its full potential.
The interventions recommended here are still relatively light, and reflect the fact that cyber insurance is only a potential incentive for managing societal cyber risk. They include: developing guidance for minimum security standards for underwriting; expanding data collection and data sharing; mandating cyber insurance for government suppliers; and creating a new collaborative approach between insurers and intelligence and law enforcement agencies around ransomware.
Finally, although a well-functioning cyber insurance industry could improve cyber security practices on a societal scale, it is not a silver bullet for the cyber security challenge. It is important to remember that the primary purpose of cyber insurance is not to improve cyber security, but to transfer residual risk. As such, it should be one of many tools that governments and businesses can draw on to manage cyber risk more effectively. </blockquote>
Basically, the insurance industry incents companies to do the cheapest mitigation possible. Often, that’s paying the ransom.
News <a href="https://www.zdnet.com/article/ransomware-has-become-an-existential-threat-that-means-cyber-insurance-is-about-to-change/">article</a>.
<h2>More Russian Hacking</h2>
<a href="https://www.schneier.com/blog/archives/2021/07/more-russian-hacking.html"><strong>[2021.07.02]</strong></a> Two reports this week. The first is from Microsoft, which <a href="https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/">wrote</a>:
<blockquote>As part of our investigation into this ongoing activity, we also detected information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our customers. The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign.</blockquote>
The second is from the NSA, CISA, FBI, and the UK’s NCSC, which <a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF">wrote</a> that the GRU is continuing to conduct brute-force password guessing attacks around the world, and is in some cases successful. From the <a href="https://www.nsa.gov/news-features/press-room/Article/2677750/nsa-partners-release-cybersecurity-advisory-on-brute-force-global-cyber-campaign/">NSA press release</a>:
<blockquote>Once valid credentials were discovered, the GTsSS combined them with various publicly known vulnerabilities to gain further access into victim networks. This, along with various techniques also detailed in the advisory, allowed the actors to evade defenses and collect and exfiltrate various information in the networks, including mailboxes.</blockquote>
News <a href="https://www.wired.com/story/fancy-bear-russia-brute-force-hacking/">article</a>.
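The advisory describes brute-force password guessing that sometimes succeeds. The detection side of that is simple enough to show in code: group failed logins by source, look for dense bursts, distinguish one account being hammered from many accounts being sprayed, and flag the case that matters most, a burst followed by a success. The following Python is an added example written for this digest; it is not from the advisory, from the NSA or from Schneier. The log line format and the sample lines are constructed for illustration, and real sources (Windows 4625 events, sshd logs, IdP sign-in logs) would need their own parser in place of LINE_RE.

```python
"""Spot brute-force and password-spray bursts in an authentication log.

Added example for this newsletter digest; not from the NSA/CISA/FBI/NCSC
advisory. The log format and the sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<ISO-8601 UTC timestamp> <source IP> <username> <SUCCESS|FAIL>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<user>\S+) (?P<result>SUCCESS|FAIL)$"
)

# Constructed sample: one source spraying six accounts and then succeeding,
# one ordinary user mistyping once, and one source hammering a single account.
SAMPLE_LOG = """\
2021-07-01T08:00:01Z 203.0.113.7 alice FAIL
2021-07-01T08:00:02Z 203.0.113.7 bob FAIL
2021-07-01T08:00:03Z 203.0.113.7 carol FAIL
2021-07-01T08:00:04Z 203.0.113.7 dave FAIL
2021-07-01T08:00:05Z 203.0.113.7 erin FAIL
2021-07-01T08:00:06Z 203.0.113.7 frank FAIL
2021-07-01T08:00:40Z 203.0.113.7 frank SUCCESS
2021-07-01T08:05:00Z 198.51.100.2 alice FAIL
2021-07-01T08:05:30Z 198.51.100.2 alice SUCCESS
2021-07-01T09:00:00Z 192.0.2.9 bob FAIL
2021-07-01T09:00:01Z 192.0.2.9 bob FAIL
2021-07-01T09:00:02Z 192.0.2.9 bob FAIL
2021-07-01T09:00:03Z 192.0.2.9 bob FAIL
2021-07-01T09:00:04Z 192.0.2.9 bob FAIL
2021-07-01T09:00:05Z 192.0.2.9 bob FAIL
"""


def parse_events(text):
    """Turn log text into event dicts with a datetime under "ts"."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the constructed format; ignore the line
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def detect(events, window=timedelta(minutes=5), fail_threshold=5, spray_users=5):
    """One finding per source IP whose densest window of failures reaches
    fail_threshold. Many distinct usernames in that window means a password
    spray; one or few means classic brute force. success_after marks the case
    the advisory describes: a guessing burst that actually worked."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        # Sliding window over the time-sorted failures; keep the densest burst.
        best, start = [], 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = fails[start:end + 1]
        if len(best) < fail_threshold:
            continue
        users = {e["user"] for e in best}
        last_fail = best[-1]["ts"]
        success_after = any(
            e["result"] == "SUCCESS" and last_fail <= e["ts"] <= last_fail + window
            for e in evs
        )
        findings.append({
            "src": src,
            "kind": "password_spray" if len(users) >= spray_users else "brute_force",
            "failures": len(best),
            "distinct_users": len(users),
            "success_after": success_after,
        })
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_LOG)):
        print(finding)
```

On the constructed sample this yields two findings: a password spray from 203.0.113.7 that ends in a successful login, and a single-account brute force from 192.0.2.9 that does not. The lone failure from 198.51.100.2 never reaches the threshold. The thresholds are deliberately parameters; the right values depend on the lockout policy and the normal failure rate of the environment being monitored.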
<h2>Stealing Xbox Codes</h2>
<a href="https://www.schneier.com/blog/archives/2021/07/stealing-xbox-codes.html"><strong>[2021.07.05]</strong></a> Detailed <a href="https://www.bloomberg.com/features/2021-microsoft-xbox-gift-card-fraud/">story</a> of Volodymyr Kvashuk, a Microsoft insider who noticed a bug in the company’s internal systems that allowed him to create unlimited Xbox gift cards, and stole $10.1 million before he was caught.
<h2>Vulnerability in the Kaspersky Password Manager</h2>
<a href="https://www.schneier.com/blog/archives/2021/07/vulnerability-in-the-kaspersky-password-manager.html"><strong>[2021.07.06]</strong></a> A vulnerability (just patched) in the random number generator used in the Kaspersky Password Manager resulted in <a href="https://donjon.ledger.com/kaspersky-password-manager/">easily guessable</a> passwords:
<blockquote>The password generator included in Kaspersky Password Manager had several problems. The most critical one is that it used a PRNG not suited for cryptographic purposes. Its single source of entropy was the current time. All the passwords it created could be bruteforced in seconds. This article explains how to securely generate passwords, why Kaspersky Password Manager failed, and how to exploit this flaw. It also provides a proof of concept to test if your version is vulnerable.
The product has been updated and its newest versions aren’t affected by this issue.</blockquote>
Stupid programming mistake, or intentional backdoor? We don’t know.
More generally: generating random numbers is hard. I recommend my own algorithm: <a href="https://www.schneier.com/academic/fortuna/">Fortuna</a>. I also recommend my own password manager: <a href="https://www.schneier.com/academic/passsafe/">Password Safe</a>.
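The quoted write-up names the core defect: a generator whose only entropy is the current time. The Python below is an added example, not Kaspersky's code and not the Ledger Donjon proof of concept; it contrasts a clock-seeded non-cryptographic PRNG with the operating system's CSPRNG (via the secrets module) and puts a number on the difference. A 20-character password over a 94-symbol alphabet looks like about 131 bits of entropy, but if its creation time is known to the hour, the weak generator can only have produced 3600 distinct passwords, under 12 bits.

```python
"""A clock-seeded PRNG versus a CSPRNG as a password source.

Added example; this is not Kaspersky Password Manager's code and not the
Ledger Donjon proof of concept. weak_generate() stands in for any generator
whose only entropy is the current time and exists only to show the failure.
"""
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def weak_generate(length, seed_seconds):
    """Illustrative weak generator: Mersenne Twister seeded with a timestamp.
    The same second always yields the same password."""
    rng = random.Random(seed_seconds)  # random.Random is not a CSPRNG
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def secure_generate(length):
    """Draw each symbol from the OS CSPRNG through the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def weak_candidate_count(length, first_second, window_seconds):
    """Distinct passwords the weak generator can emit when the creation time
    is known to lie within a window of window_seconds."""
    return len({weak_generate(length, s)
                for s in range(first_second, first_second + window_seconds)})


def effective_bits(candidates):
    """log2 of the number of candidates a guesser must try."""
    return math.log2(candidates)


def nominal_bits(length, alphabet=ALPHABET):
    """Entropy the password appears to have: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))


def compare(length=20, window_seconds=3600):
    """Apparent versus real strength when the creation time is known to the hour."""
    return {
        "nominal_bits": nominal_bits(length),
        "weak_effective_bits": effective_bits(
            weak_candidate_count(length, 0, window_seconds)),
    }


if __name__ == "__main__":
    print(compare())
    print("secure sample:", secure_generate(20))
```

The point of the comparison is that password length and alphabet size are irrelevant when the seed space is small; the real entropy is the log of the number of seeds the generator could have used, which is why any password generator must draw from a CSPRNG rather than from the clock.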
EDITED TO ADD: <a href="https://threadreaderapp.com/thread/1412411435842519049.html">Commentary</a> from Matthew Green.
<h2>Details of the REvil Ransomware Attack</h2>
<a href="https://www.schneier.com/blog/archives/2021/07/details-of-the-revil-ransomware-attack.html"><strong>[2021.07.08]</strong></a> ArsTechnica has a <a href="https://arstechnica.com/gadgets/2021/07/up-to-1500-businesses-infected-in-one-of-the-worst-ransomware-attacks-ever/">good story</a> on the REvil ransomware attack of last weekend, with technical details:
<blockquote>This weekend’s attack was carried out with almost surgical precision. According to Cybereason, the REvil affiliates first gained access to targeted environments and then used the zero-day in the Kaseya Agent Monitor to gain administrative control over the target’s network. After writing a base-64-encoded payload to a file named agent.crt the dropper executed it.
The ransomware dropper Agent.exe is signed with a Windows-trusted certificate that uses the registrant name “PB03 TRANSPORT LTD.” By digitally signing their malware, attackers are able to suppress many security warnings that would otherwise appear when it’s being installed. Cybereason said that the certificate appears to have been used exclusively by REvil malware that was deployed during this attack.
To add stealth, the attackers used a technique called <a href="https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf">DLL Side-Loading</a>, which places a spoofed malicious DLL file in a Windows’ WinSxS directory so that the operating system loads the spoof instead of the legitimate file. In the case here, Agent.exe drops an outdated version that is vulnerable to DLL Side-Loading of “msmpeng.exe,” which is the file for the Windows Defender executable.
Once executed, the malware changes the firewall settings to allow local Windows systems to be discovered. Then, it starts to encrypt the files on the system….</blockquote>
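Every step in the quoted chain leaves something a defender can look for: a payload staged to a file named agent.crt, a binary signed under “PB03 TRANSPORT LTD,” and a copy of the Defender engine msmpeng.exe launched by the dropper from a location where the real one never lives. The Python below is an added example, not from Ars Technica, Cybereason or any vendor, that encodes those three observations as rules over endpoint telemetry. The event schema, the sample events, the staging paths and the list of directories where a genuine Defender binary is expected are all constructed or assumed for this example; only the file names and the signer string come from the quoted report.

```python
"""Flag the REvil/Kaseya indicators quoted above in endpoint telemetry.

Added example, not from Ars Technica, Cybereason or any vendor. The event
schema, the sample events and EXPECTED_DEFENDER_DIRS are constructed or
assumed; agent.crt, Agent.exe, msmpeng.exe and the signer name are the
details quoted in the report.
"""
from pathlib import PureWindowsPath

# Assumption for this example: where a legitimate msmpeng.exe normally lives.
EXPECTED_DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)
ABUSED_SIGNER = "PB03 TRANSPORT LTD"  # signer quoted in the report


def _name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def _under(path, roots):
    """True if the path lies beneath one of the given directory roots."""
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(root) for root in roots)


def evaluate(event):
    """Return (rule, detail) hits for one telemetry event."""
    hits = []
    if event.get("type") == "file_write":
        if _name(event["path"]) == "agent.crt":
            hits.append(("staged_payload_file",
                         f"{event['process']} wrote {event['path']}"))
    elif event.get("type") == "process_start":
        image, parent = event["image"], event.get("parent", "")
        if event.get("signer", "").upper() == ABUSED_SIGNER:
            hits.append(("abused_signing_cert", f"{image} signed by {ABUSED_SIGNER}"))
        if _name(image) == "msmpeng.exe":
            # The dropper launching the Defender engine is the side-loading tell.
            if _name(parent) == "agent.exe":
                hits.append(("defender_binary_spawned_by_dropper", f"{parent} -> {image}"))
            # A Defender engine outside its install tree has been planted.
            if not _under(image, EXPECTED_DEFENDER_DIRS):
                hits.append(("defender_binary_outside_install_dir", image))
    return hits


def scan(events):
    """Run every rule over every event; returns (host, rule, detail) tuples."""
    return [(e["host"], rule, detail) for e in events for rule, detail in evaluate(e)]


# Constructed telemetry: ws01 is a healthy host, ws02 shows the quoted chain.
# Paths under C:\staging and the version directory are placeholders.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process_start",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MsMpEng.exe",
     "parent": r"C:\Windows\System32\services.exe", "signer": "Microsoft Windows"},
    {"host": "ws02", "type": "file_write",
     "process": r"C:\staging\agent.exe", "path": r"C:\staging\agent.crt"},
    {"host": "ws02", "type": "process_start",
     "image": r"C:\staging\agent.exe", "parent": r"C:\staging\rmm_agent_placeholder.exe",
     "signer": "PB03 TRANSPORT LTD"},
    {"host": "ws02", "type": "process_start",
     "image": r"C:\Windows\MsMpEng.exe", "parent": r"C:\staging\agent.exe",
     "signer": "Microsoft Windows"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

On the sample, the healthy host produces nothing and the compromised one produces four hits, one per rule. The last two rules are the durable ones: a certificate name or a staging file name changes with the next campaign, but a security product's own binary being spawned by an unrelated process from an unexpected directory is the shape of DLL side-loading generally.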
REvil is demanding $70 million for a universal decryptor that will recover the data from the 1,500 affected Kaseya customers.
<a href="https://www.wired.com/story/revil-ransomware-supply-chain-technique/">More</a> <a href="https://www.nytimes.com/2021/07/06/technology/kaseya-cyberattack-ransomware-revil.html">news</a>.
Note that this is yet another supply-chain attack. Instead of infecting those 1,500 networks directly, REvil infected a single managed service provider. And it leveraged a zero-day vulnerability in that provider.
EDITED TO ADD (7/13): Employees warned Kaseya’s management for years about critical security flaws, but they <a href="https://gizmodo.com/kaseyas-staff-sounded-the-alarm-about-security-flaws-fo-1847270346/amp">were ignored</a>.
<h2>Analysis of the FBI’s Anom Phone</h2>
<a href="https://www.schneier.com/blog/archives/2021/07/analysis-of-the-fbis-anom-phone.html"><strong>[2021.07.12]</strong></a> Motherboard got its hands on one of those Anom phones that were really <a href="https://www.schneier.com/blog/archives/2021/06/fbi-afp-run-encrypted-phone.html">FBI honeypots</a>.
The <a href="https://www.vice.com/en/article/n7b4gg/anom-phone-arcaneos-fbi-backdoor">details</a> are interesting.
<h2>Iranian State-Sponsored Hacking Attempts</h2>
<a href="https://www.schneier.com/blog/archives/2021/07/iranian-state-sponsored-hacking-attempts.html"><strong>[2021.07.13]</strong></a> Interesting <a href="https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453">attack</a>:
<blockquote>Masquerading as UK scholars with the University of London’s School of Oriental and African Studies (SOAS), the threat actor TA453 has been covertly approaching individuals since at least January 2021 to solicit sensitive information. The threat actor, an APT who we assess with high confidence supports Islamic Revolutionary Guard Corps (IRGC) intelligence collection efforts, established backstopping for their credential phishing infrastructure by compromising a legitimate site of a highly regarded academic institution to deliver personalized credential harvesting pages disguised as registration links. Identified targets included experts in Middle Eastern affairs from think tanks, senior professors from well-known academic institutions, and journalists specializing in Middle Eastern coverage.
These connection attempts were detailed and extensive, often including lengthy conversations prior to presenting the next stage in the attack chain. Once the conversation was established, TA453 delivered a “registration link” to a legitimate but compromised website belonging to the University of London’s SOAS radio. The compromised site was configured to capture a variety of credentials. Of note, TA453 also targeted the personal email accounts of at least one of their targets. In subsequent phishing emails, TA453 shifted their tactics and began delivering the registration link earlier in their engagement with the target without requiring extensive conversation. This operation, dubbed SpoofedScholars, represents one of the more sophisticated TA453 campaigns identified by Proofpoint.</blockquote>
The report details the tactics.
News <a href="https://www.vice.com/en/article/dyvwvw/professor-says-being-impersonated-by-iranian-hackers-was-stressful-but-good-for-networking">article</a>.
<h2>China Taking Control of Zero-Day Exploits</h2>
<a href="https://www.schneier.com/blog/archives/2021/07/china-taking-control-of-zero-day-exploits.html"><strong>[2021.07.14]</strong></a> China is <a href="https://www.washingtonpost.com/business/china-tightens-control-over-cybersecurity-in-data-crackdown/2021/07/13/0b3bd7fe-e3da-11eb-88c5-4fd6382c47cb_story.html">making sure</a> that all newly discovered zero-day exploits are disclosed to the government.
<blockquote>Under the new rules, anyone in China who finds a vulnerability must tell the government, which will decide what repairs to make. No information can be given to “overseas organizations or individuals” other than the product’s manufacturer.
No one may “collect, sell or publish information on network product security vulnerabilities,” say the rules issued by the Cyberspace Administration of China and the police and industry ministries.</blockquote>
This just blocks the cyber-arms trade. It doesn’t prevent researchers from telling the products’ companies, even if they are outside of China.
<h2>Upcoming Speaking Engagements</h2>
<a href="https://www.schneier.com/blog/archives/2021/07/upcoming-speaking-engagements-10.html"><strong>[2021.07.14]</strong></a> This is a current list of where and when I am scheduled to speak:
<ul><li>I’m speaking at <a href="https://www.townscript.com/e/ieee-ssit-norbert-wiener-in-the-21st-century-023322">Norbert Wiener in the 21st Century</a>, a virtual conference hosted by The IEEE Society on Social Implications of Technology (SSIT), July 23-25, 2021.</li>
<li>I’m speaking at <a href="https://defcon.org/html/defcon-29/dc-29-index.html">DEFCON 29</a>, August 5-8, 2021.</li>
<li>I’m speaking (via Internet) at <a href="https://theshift.fi/persons/bruce-schneier/">SHIFT Business Festival</a> in Finland, August 25-26, 2021.</li>
<li>I’ll be speaking at an <a href="https://www.informa.com/">Informa</a> event on September 14, 2021. Details to come.</li>
<li>I’m keynoting <a href="https://www.ciisec.org/live">CIISec Live</a>—an all-online event—September 15-16, 2021.</li>
<li>I’m speaking at the <a href="https://www.cailaw.org/Institute-for-Law-and-Technology/Events/2021/cybersecurity.html">Cybersecurity and Data Privacy Law Conference</a> in Plano, Texas, USA, September 22-23, 2021.</li></ul>
The list is maintained on <a href="https://www.schneier.com/events/">this page</a>.
<h2>Colorado Passes Consumer Privacy Law</h2>
<a href="https://www.schneier.com/blog/archives/2021/07/colorado-passes-consumer-privacy-law.html"><strong>[2021.07.15]</strong></a> First California. Then Virginia. Now <a href="https://leg.colorado.gov/bills/sb21-190">Colorado</a>.
<a href="https://www.adlawaccess.com/2021/07/articles/privacy-law-update-colorado-privacy-bill-becomes-law-how-does-it-stack-up-against-california-and-virginia/">Here’s</a> a good comparison of the three states’ laws.
<h2>REvil is Off-Line</h2>
<a href="https://www.schneier.com/blog/archives/2021/07/revil-is-off-line.html"><strong>[2021.07.16]</strong></a> This is an <a href="https://www.nytimes.com/2021/07/13/us/politics/russia-hacking-ransomware-revil.html">interesting development</a>:
<blockquote>Just days after President Biden demanded that President Vladimir V. Putin of Russia shut down ransomware groups attacking American targets, the most aggressive of the groups suddenly went off-line early Tuesday.
Gone was the publicly available “happy blog” the group maintained, listing some of its victims and the group’s earnings from its digital extortion schemes. Internet security groups said the custom-made sites — think of them as virtual conference rooms — where victims negotiated with REvil over how much ransom they would pay to get their data unlocked also disappeared. So did the infrastructure for making payments.</blockquote>
Okay. So either the US took them down, Russia took them down, or they took themselves down.
<h2>Candiru: Another Cyberweapons Arms Manufacturer</h2>
<a href="https://www.schneier.com/blog/archives/2021/07/candiru-another-cyberweapons-arms-manufacturer.html"><strong>[2021.07.19]</strong></a> Citizen Lab has identified yet another Israeli company that sells spyware to governments around the world: Candiru.
From <a href="https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/">the report</a>:
<ul><li>Candiru is a secretive Israel-based company that sells spyware exclusively to governments. Reportedly, their spyware can infect and monitor iPhones, Androids, Macs, PCs, and cloud accounts.</li>
<li>Using Internet scanning we identified more than 750 websites linked to Candiru’s spyware infrastructure. We found many domains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement, as well as media companies, and other civil-society themed entities.</li>
<li>We identified a politically active victim in Western Europe and recovered a copy of Candiru’s Windows spyware.</li>
<li>Working with Microsoft Threat Intelligence Center (MSTIC) we analyzed the spyware, resulting in the discovery of <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31979">CVE-2021-31979</a> and <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33771">CVE-2021-33771</a> by Microsoft, two privilege escalation vulnerabilities exploited by Candiru. Microsoft patched both vulnerabilities on July 13th, 2021.</li>
<li>As part of their investigation, Microsoft <a href="https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/">observed</a> at least 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia, and Singapore. Victims include human rights defenders, dissidents, journalists, activists, and politicians.</li>
<li>We provide a brief technical overview of the Candiru spyware’s persistence mechanism and some details about the spyware’s functionality.</li>
<li>Candiru has made efforts to obscure its ownership structure, staffing, and investment partners. Nevertheless, we have been able to shed some light on those areas in this report.</li></ul>
We’re not going to be able to secure the Internet until we deal with the companies that engage in the international cyber-arms trade.
<h2>NSO Group Hacked</h2>
<a href="https://www.schneier.com/blog/archives/2021/07/nso-group-hacked.html"><strong>[2021.07.20]</strong></a> NSO Group, the Israeli cyberweapons arms manufacturer behind the Pegasus spyware — used by authoritarian regimes around the world to spy on dissidents, journalists, human rights workers, and others — was hacked. Or, at least, an enormous trove of documents was leaked to journalists.
There’s a lot to read out there. Amnesty International has a <a href="https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/">report</a>. Citizen Lab conducted an <a href="https://citizenlab.ca/2021/07/amnesty-peer-review/">independent analysis</a>. The <i>Guardian</i> has <a href="https://www.theguardian.com/news/series/pegasus-project">extensive coverage</a>. <a href="https://www.nytimes.com/2021/07/18/world/middleeast/israel-nso-pegasus-spyware.html">More</a> <a href="https://www.washingtonpost.com/investigations/interactive/2021/nso-spyware-pegasus-cellphones/?itid=lk_inline_manual_10">coverage</a>.
Most interesting is a list of over 50,000 phone numbers that were being spied on by NSO Group’s software. Why does NSO Group have that list? The obvious answer is that NSO Group provides spyware-as-a-service, and centralizes operations somehow. Nicholas Weaver <a href="https://citizenlab.ca/2021/07/amnesty-peer-review/">postulates</a> that “part of the reason that NSO keeps a master list of targeting…is they hand it off to Israeli intelligence.”
This isn’t the first time NSO Group has been in the news. Citizen Lab has been <a href="https://citizenlab.ca/tag/nso-group/">researching and reporting</a> on its actions since 2016. It’s been <a href="https://citizenlab.ca/2018/10/the-nso-connection-to-jamal-khashoggi/">linked</a> to the Saudi murder of Jamal Khashoggi. It is <a href="https://citizenlab.ca/2017/02/bittersweet-nso-mexico-spyware/">extensively used</a> by Mexico to spy on — among others — supporters of that country’s soda tax.
NSO Group seems to be a completely deplorable company, so it’s hard to have any sympathy for it. As I <a href="https://www.schneier.com/blog/archives/2015/07/more_on_hacking_1.html">previously wrote</a> about another hack of another cyberweapons arms manufacturer: “It’s one thing to have dissatisfied customers. It’s another to have dissatisfied customers with death squads.” I’d like to say that I don’t know how the company will survive this, but — sadly — I think it will.
Finally: here’s a <a href="https://techcrunch.com/2021/07/19/toolkit-nso-pegasus-iphone-android/">tool</a> that you can use to test if your iPhone or Android is infected with Pegasus. (Note: it’s not easy to use.)
<h2>Nasty Windows Printer Driver Vulnerability</h2>
<a href="https://www.schneier.com/blog/archives/2021/07/nasty-printer-driver-vulnerability.html"><strong>[2021.07.22]</strong></a> From <a href="https://labs.sentinelone.com/cve-2021-3438-16-years-in-hiding-millions-of-printers-worldwide-vulnerable/">SentinelLabs</a>, a <a href="https://threatpost.com/hp-printer-driver-bug-windows/167944/">critical vulnerability</a> in HP printer drivers:
<blockquote>Researchers have released technical details on a high-severity privilege-escalation flaw in HP printer drivers (also used by Samsung and Xerox), which impacts hundreds of millions of Windows machines.
If exploited, cyberattackers could bypass security products; install programs; view, change, encrypt or delete data; or create new accounts with more extensive user rights.
The bug (CVE-2021-3438) has lurked in systems for 16 years, researchers at SentinelOne said, but was only uncovered this year. It carries an 8.8 out of 10 rating on the CVSS scale, making it high-severity.</blockquote>
Look for your printer <a href="https://support.hp.com/us-en/drivers/printers">here</a>, and download the patch if there is one.
<h2>Commercial Location Data Used to Out Priest</h2>
<a href="https://www.schneier.com/blog/archives/2021/07/commercial-location-data-used-to-out-priest.html"><strong>[2021.07.23]</strong></a> A Catholic priest was outed through commercially available surveillance data. Vice has a <a href="https://www.vice.com/en/article/pkbxp8/grindr-location-data-priest-weaponization-app">good analysis</a>:
<blockquote>The news starkly demonstrates not only the inherent power of location data, but how the chance to wield that power has trickled down from corporations and intelligence agencies to essentially any sort of disgruntled, unscrupulous, or dangerous individual. A growing market of data brokers that collect and sell data from countless apps has made it so that anyone with a bit of cash and effort can figure out which phone in a so-called anonymized dataset belongs to a target, and abuse that information.</blockquote>
There is a <a href="https://www.vice.com/en/article/epnmvz/industry-unmasks-at-scale-maid-to-pii">whole industry</a> devoted to re-identifying anonymized data. This was something that Snowden showed that the NSA could do. Now it’s available to everyone.