Entries Tagged "Saudi Arabia"


UAE Hack and Leak Operations

Interesting paper on recent hack-and-leak operations attributed to the UAE:

Abstract: Four hack-and-leak operations in U.S. politics between 2016 and 2019, publicly attributed to the United Arab Emirates (UAE), Qatar, and Saudi Arabia, should be seen as the “simulation of scandal”—deliberate attempts to direct moral judgement against their target. Although “hacking” tools enable easy access to secret information, they are a double-edged sword, as their discovery means the scandal becomes about the hack itself, not about the hacked information. There are wider consequences for cyber competition in situations of constraint where both sides are strategic partners, as in the case of the United States and its allies in the Persian Gulf.

Posted on August 13, 2020 at 9:28 AM

Technical Report of the Bezos Phone Hack

Motherboard obtained and published the technical report on the hack of Jeff Bezos’s phone, which is being attributed to Saudi Arabia, specifically to Crown Prince Mohammed bin Salman.

…investigators set up a secure lab to examine the phone and its artifacts and spent two days poring over the device but were unable to find any malware on it. Instead, they only found a suspicious video file sent to Bezos on May 1, 2018 that “appears to be an Arabic language promotional film about telecommunications.”

That file shows an image of the Saudi Arabian flag and Swedish flags and arrived with an encrypted downloader. Because the downloader was encrypted this delayed or further prevented “study of the code delivered along with the video.”

Investigators determined the video or downloader were suspicious only because Bezos’ phone subsequently began transmitting large amounts of data. “[W]ithin hours of the encrypted downloader being received, a massive and unauthorized exfiltration of data from Bezos’ phone began, continuing and escalating for months thereafter,” the report states.

“The amount of data being transmitted out of Bezos’ phone changed dramatically after receiving the WhatsApp video file and never returned to baseline. Following execution of the encrypted downloader sent from MBS’ account, egress on the device immediately jumped by approximately 29,000 percent,” it notes. “Forensic artifacts show that in the six (6) months prior to receiving the WhatsApp video, Bezos’ phone had an average of 430KB of egress per day, fairly typical of an iPhone. Within hours of the WhatsApp video, egress jumped to 126MB. The phone maintained an unusually high average of 101MB of egress data per day for months thereafter, including many massive and highly atypical spikes of egress data.”

The Motherboard article also quotes forensic experts on the report:

A mobile forensic expert told Motherboard that the investigation as depicted in the report is significantly incomplete and would only have provided the investigators with about 50 percent of what they needed, especially if this is a nation-state attack. She says the iTunes backup and other extractions they did would get them only messages, photo files, contacts and other files that the user is interested in saving from their applications, but not the core files.

“They would need to use a tool like Graykey or Cellebrite Premium or do a jailbreak to get a look at the full file system. That’s where that state-sponsored malware is going to be found. Good state-sponsored malware should never show up in a backup,” said Sarah Edwards, an author and teacher of mobile forensics for the SANS Institute.

“The full file system is getting into the device and getting every single file on there—the whole operating system, the application data, the databases that will not be backed up. So really the in-depth analysis should be done on that full file system, for this level of investigation anyway. I would have insisted on that right from the start.”

The investigators do note on the last page of their report that they need to jailbreak Bezos’s phone to examine the root file system. Edwards said this would indeed get them everything they would need to search for persistent spyware like the kind created and sold by the NSO Group. But the report doesn’t indicate if that did get done.

Posted on January 24, 2020 at 8:34 AM

Cargo Security

The New York Times writes:

Despite the increased scrutiny of people and luggage on passenger planes since 9/11, there are far fewer safeguards for packages and bundles, particularly when loaded on cargo-only planes.

Well, of course. We’ve always known this. We’ve not worried about terrorism on cargo planes because it isn’t very terrorizing. Packages aren’t people. If a passenger plane blows up, it affects a couple of hundred people. If a cargo plane blows up, it just affects the crew.

Cargo that is loaded on to passenger planes should be subjected to the same level of security as passenger luggage. Cargo that is loaded onto cargo planes should be treated no differently from cargo loaded into ships, trains, trucks, and the trunks of cars.

Of course: now that the media is talking about cargo security, we have to “do something.” (Something must be done. This is something. Therefore, we must do it.) But if we’re so scared that we have to devote resources to this kind of terrorist threat, we’ve well and truly lost.

EDITED TO ADD (10/30): The plot—it’s still unclear how serious it was—wasn’t uncovered by any security screening, but by intelligence gathering:

Intelligence officials were onto the suspected plot for days, officials said. The packages in England and Dubai were discovered after Saudi Arabian intelligence picked up information related to Yemen and passed it on to the U.S., two officials said.

This is how you fight through terrorism: not by defending against specific threats, but through intelligence, investigation, and emergency response.

Posted on October 30, 2010 at 9:41 AM

Ass Bomber

Nobody tell the TSA, but last month someone tried to assassinate a Saudi prince by exploding a bomb stuffed in his rectum. He pretended to be a repentant militant, when in fact he was a Trojan horse:

The resulting explosion ripped al-Asiri to shreds but only lightly injured the shocked prince—the target of al-Asiri’s unsuccessful assassination attempt.

Other news articles are here, and here are two blog posts.

For years, I have made the joke about Richard Reid: “Just be glad that he wasn’t the underwear bomber.” Now, sadly, we have an example of one.

Lewis Page, an “improvised-device disposal operator tasked in support of the UK mainland police from 2001-2004,” pointed out that this isn’t much of a threat for three reasons: 1) you can’t stuff a lot of explosives into a body cavity, 2) detonation is, um, problematic, and 3) the human body can stifle an explosion pretty effectively (think of someone throwing himself on a grenade to save his friends).

But who ever accused the TSA of being rational?

Posted on September 28, 2009 at 6:19 AM

Fourth Undersea Cable Failure in Middle East

The first two affected India, Pakistan, Egypt, Qatar, Saudi Arabia, the United Arab Emirates, Kuwait, and Bahrain. The third one is between the UAE and Oman. The fourth one connected Qatar and the UAE. This one may not have been cut, but taken offline due to power issues.

The first three have been blamed on ships’ anchors, but there is some dispute about that. And that’s two in the Mediterranean and two in the Persian Gulf.

There have been no official reports of malice to me, but it’s an awfully big coincidence. The fact that Iran has lost Internet connectivity only makes this weirder.

EDITED TO ADD (2/5): The International Herald Tribune has more. And a comment below questions whether Iran being offline has anything to do with this.

EDITED TO ADD (2/5): A fifth cut? What the hell is going on out there?

EDITED TO ADD (2/5): More commentary from Steve Bellovin.

EDITED TO ADD (2/5): Just to be clear: Iran is not offline. That was an untrue rumor; it was never true.

Posted on February 5, 2008 at 8:28 PM

Sidebar photo of Bruce Schneier by Joe MacInnis.