More stories

  • NSO Group's Pegasus spyware used against journalists, political activists worldwide

    An investigation into leaked data allegedly connected to NSO Group has resulted in claims that its software is being used to target journalists, activists, and government figures. 

    As reported by The Guardian, an investigation into a data leak apparently connected to the Israeli spyware vendor implies that “authoritarian” governments are using NSO Group’s Pegasus software to compromise mobile devices belonging to human rights activists, political dissidents, lawyers, journalists, and politicians.

    Pegasus is a spyware tool with remote access capabilities that is able to extract handset information, harvest conversations taking place over apps including WhatsApp and Facebook, monitor email clients and browser activity, record calls, and spy on victims through their microphone and camera.

    Based in Israel, NSO Group markets its products as intended for governments to detect and “prevent a wide range of local and global threats,” as well as a way to tackle criminal and terrorist activity. However, a probe launched by non-profit Forbidden Stories, Amnesty International, and a number of media outlets alleges that the software is being abused to monitor innocents.

    According to the publication, a leaked list of phone numbers accessed by Forbidden Stories and Amnesty International revealed over 50,000 numbers believed to have been “of interest” to NSO Group clients and “selected for targeting” since 2016. While the presence of a phone number on the list does not mean that a handset has been compromised, the consortium’s investigation — dubbed the Pegasus project — says that infection was confirmed “in dozens of cases.”

    The project says: “NSO Group contends that its Pegasus software is meant only to help legitimate law enforcement bodies go after criminals and terrorists, and that any other use would violate its policies and user agreements. The Pegasus Project did find numbers belonging to suspected criminal figures on the leaked list. However, of over 1,000 numbers whose owners were identified, at least 188 were journalists. Many others were human rights activists, diplomats, politicians, and government officials. At least 10 heads of state were on the list.”

    In response, the Israeli firm slammed the project’s claims as full of “wrong assumptions and uncorroborated theories” and has denied any wrongdoing. “Their sources have supplied them with information which has no factual basis, as evident by the lack of supporting documentation for many of their claims,” the NSO Group says. “In fact, these allegations are so outrageous and far from reality that NSO is considering a defamation lawsuit.”

    According to the company, the data used to back up the Pegasus project’s claims is likely based on “accessible and overt basic information” gleaned from services such as HLR Lookups and is not related to “the customers’ targets of Pegasus or any other NSO products.” “Such services are openly available to anyone, anywhere, and anytime, and are commonly used by governmental agencies for numerous purposes, as well as by private companies worldwide,” NSO Group says. “The claims that the data was leaked from our servers is a complete lie and ridiculous since such data never existed on any of our servers.” The company repeated that its technologies are only sold to vetted governments, law enforcement, and intelligence agencies.

    In 2019, Facebook filed a lawsuit against the software vendor, alleging that the company was responsible for the sale and deployment of a zero-day vulnerability in WhatsApp to target over 1,400 devices owned by government employees, political dissidents, journalists, activists, and more. Tech giants including Microsoft, Google, and Cisco later filed an amicus brief in support of the court case. Last year, the US Federal Bureau of Investigation (FBI) launched an investigation into the NSO Group amid suspicions that US citizens and organizations may have been targeted for cyberespionage.

  • Windows 10 security: Here's how researchers managed to fool Windows Hello

    Security researchers have shown how they were able to bypass Windows 10’s Windows Hello biometric authentication with just a single infrared frame of the target. Researchers at security firm CyberArk have detailed the Windows Hello authentication bypass and how an attacker could exploit it.

    The attack is quite elaborate and would require planning, including being able to acquire an infrared (IR) image of the target’s face and building a custom USB device, such as a USB web camera, that will work with Windows Hello. The attack exploits how Windows 10 treats these USB devices and would require the attacker to have gained physical access to the target PC.

    But with those pieces in place, an attacker could gain access to sensitive information on the target’s Windows 10 PC – and potentially information stored in Microsoft 365 cloud services. “With only one valid IR frame of the target, the adversary can bypass the facial recognition mechanism of Windows Hello, resulting in a complete authentication bypass and potential access to all the victim’s sensitive assets,” CyberArk researcher Omer Tsarfati explained in a blog post. The attacker could capture an IR frame of the target or convert a regular RGB frame into an IR frame.

    The apparent weakness lies in how Windows Hello processes “public” data, such as the image of the person’s face, from a USB device, so long as the device meets the Windows Hello requirement that the camera has both IR and RGB sensors. The researchers discovered that only the IR camera frames are processed during authentication, so an attacker just needs a valid IR frame to bypass Windows Hello authentication. The RGB frames can contain anything: during tests, Tsarfati used an RGB frame of SpongeBob and the bypass still worked.

    Tsarfati argued it would be fairly simple to get an IR frame of the target, for example by walking by the person with an IR camera or placing one where the target will likely walk through, such as an elevator. The image could even be snapped at a distance with higher-end infrared sensors. Tsarfati noted that Microsoft addressed the vulnerability last week and has tagged it as CVE-2021-34466.

    Microsoft said that the attacker would need physical access and that it is a complex attack to pull off. Microsoft noted it is an important patch to apply, but its description suggests it’s nothing an admin should lose sleep over. “A successful attack depends on conditions beyond the attacker’s control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected,” Microsoft noted. “For example, a successful attack may require an attacker to: gather knowledge about the environment in which the vulnerable target/component exists; prepare the target environment to improve exploit reliability; or inject themselves into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g., a man in the middle attack).”

  • Facebook fights Biden claim that social media is 'killing people' through anti-vax, COVID-19 misinformation spread

    Facebook has addressed comments made by US President Biden over social media and the spread of fake COVID-19 information, saying it is time to move past “finger pointing.”

    Since the start of the pandemic, social media platforms including Twitter and Facebook have become melting pots of coronavirus-related misinformation, hoaxes, and conspiracy theories, some of which may have increased vaccine hesitancy in some groups. Facebook, Twitter, Google, and other tech giants have been fighting the spread.

    On Friday, Biden was asked by a reporter what his message would be to social media platforms, like Facebook, in light of COVID-19 misinformation and anti-vaccination content. In a blunt fashion, Biden said, “they’re killing people.” “I mean, they’re really — look — the only pandemic we have is among the unvaccinated,” Biden said. “And they’re killing people.” On July 17, Facebook published a blog post responding to these accusations, penned by Guy Rosen, Facebook VP of Integrity.

    “At a time when COVID-19 cases are rising in America, the Biden administration has chosen to blame a handful of American social media companies,” Rosen said. “While social media plays an important role in society, it is clear that we need a whole of society approach to end this pandemic. And facts — not allegations — should help inform that effort.”

    According to reports, vaccine hesitancy remains high in some US states at a time when the Delta variant is thought to be behind a spike in cases in areas including Florida. However, Facebook says that hesitancy in its US user base continues to decline, and 85% of Facebook users in the country either have had or want a COVID-19 vaccine.

    “President Biden’s goal was for 70% of Americans to be vaccinated by July 4,” the company says. “Facebook is not the reason this goal was missed. In fact, increased vaccine acceptance has been seen on and off Facebook, with many leaders throughout the US working to make that happen.”

    The social media giant has published a set of rules for content relating to COVID-19 and vaccines. For example, the company prohibits posts designed for the “active and deliberate spread of communicable diseases,” meet-ups encouraging participants who have COVID-19 or organized in order to disrupt vaccination programs, and content that denies the existence or severity of the disease. Facebook says that since the start of the pandemic, over 18 million “instances” of COVID-19 misinformation have been removed, and over 167 million pieces of content have been labeled by fact-checkers as fake or potentially misleading.

    “The Biden Administration is calling for a whole of society approach to this challenge,” Rosen added. “We agree. As a company, we have devoted unprecedented resources to the fight against the pandemic, pointing people to reliable information and helping them find and schedule vaccinations. And we will continue to do so.”

  • Swedish man sentenced for gold-backed cryptocurrency scam

    A Swedish man has been sentenced to 15 years behind bars for operating a cryptocurrency scam that claimed to pay investors based on the price of gold reserves.  

    Roger Nils-Jonas Karlsson pleaded guilty to securities fraud, wire fraud, and money laundering in March this year after being prosecuted in the United States following his arrest in Thailand in 2019. He was later extradited.

    The 47-year-old was charged with operating Eastern Metal Securities (EMS), a company that claimed to operate an investment service based on cryptocurrency. Investors who participated in EMS from 2012 to 2019 were offered plans in which shares, purchased for under $100, would eventually realize a return equivalent to 1.15 kilograms of gold. In 2019, 1.15kg in gold was worth over $45,000. Today, its value would be over $58,000.

    In order to join the scheme, investors were asked to purchase shares through cryptocurrencies including Bitcoin (BTC) and Ethereum (ETH). Furthermore, traders were told that in the ‘unlikely’ event that the shares would not reach their promised value, participants would have 97% of their initial investment returned. Karlsson made sure EMS operated for as long as possible by frequently rebranding, issuing updates, and providing asset statements.

    He also falsely claimed that paying out a vast sum all at once would have a negative impact on global financial systems, and said the company was working with the US Securities and Exchange Commission (SEC) to explain away payment delays. However, as is often the case when extreme returns on investments are offered, the promise was too good to be true. Investors saw no returns, and instead, Karlsson — who also used online aliases including Steve Heyden, Euclid Deodoris, and Joshua Millard — siphoned the cryptocurrency and used the cash to purchase homes and a resort in Thailand. US prosecutors estimate that investors were swindled out of over $16 million.

    “Karlsson admitted he had no way to pay off the investors,” the US Department of Justice (DoJ) said. “Karlsson’s fraud targeted financially insecure investors, causing severe financial hardship for many of them.”

    Alongside the 15-year sentence, Karlsson has been ordered to forfeit the resort in Thailand, other properties, and accounts, and has received a monetary judgment of $16,263,820. Prosecutors also hope to secure restitution for past EMS investors, and an order is expected in court within 90 days.

  • Ericsson takes a thumping in Mainland China for second quarter

    To look at the headline numbers, Ericsson’s second quarter was steady on the revenue front and saw decent earnings growth. For the quarter ended June 30, the Swedish telco equipment manufacturer reported revenue dropped 1% to just under SEK55 billion, earnings before interest and tax (EBIT) jumped 51% to SEK5.8 billion, and net income increased by the same percentage to SEK3.9 billion. The worry for the company is its numbers from China, which saw sales plummet from SEK4.1 billion last year to SEK1.5 billion.

    Ericsson said its networks segment was steady with revenue at SEK40 billion and EBIT growing 65% to SEK8.6 billion. The impact from China on the segment was SEK2 billion. For digital services, despite being down 8% to SEK7.9 billion in revenue, the company said that number was adjusted for “comparable units and currency”, and it was another stable result. China was responsible for the loss of SEK0.5 billion. In EBIT terms, the segment dropped from last year’s second quarter SEK0.7 billion loss to a loss of SEK1.6 billion. “There is a high risk regarding future market share in [core networking] in Mainland China and the company has made a write-down of -SEK0.3 billion for pre-commercial product investments for the Chinese market,” it said. Managed services saw an 8% drop in sales compared to last year to SEK5.1 billion, while EBIT increased 58% to SEK0.4 billion.

    For the emerging business segment, sales jumped 29% to SEK2.1 billion, while the EBIT loss stretched from SEK1 billion in the hole to SEK1.7 billion. “EBIT was negatively impacted by -SEK0.8 billion in the quarter, as a result of the Nokia settlement related to the 2019 resolution with the US authorities,” Ericsson said, referring to the 2019 imposition of $1 billion in fines from the US. The company said increases in its sales and margin for the emerging business segment were due to its Cradlepoint acquisition.

    In May, Ericsson warned it might be collateral damage from strained relations between Stockholm and Beijing after Sweden banned Chinese 5G equipment. “The geopolitical situation can have consequences on the entire industry, with an increased likelihood of further industry split, separation of global value chains, and separation of global standards for mobile telecommunications,” it said at the time.

    Meanwhile in the Pacific, Telstra confirmed reporting from Nine newspapers in Australia that it was in discussions over potentially picking up Digicel Pacific. “Telstra was initially approached by the Australian government to provide technical advice in relation to Digicel Pacific which is a commercially attractive asset and critical to telecommunications in the region. If Telstra were to proceed with a transaction it would be with financial and strategic risk management support from the government,” the telco said on Monday. “In addition to a significant government funding and support package any investment would also have to be within certain financial parameters with Telstra’s equity investment being the minor portion of the overall transaction.

    “Digicel Pacific enjoys a strong market position in the South Pacific region generating EBITDA of $235 million in calendar 2020 with a strong margin, as well as extensive network coverage.”

    It was reported Canberra was turning to Telstra to keep the assets out of Chinese hands. Digicel Pacific has networks in Papua New Guinea, Fiji, Nauru, Samoa, Tonga, and Vanuatu. In 2018, Canberra decided to use around AU$200 million of its foreign aid budget to lock Huawei out of building a subsea cable to the Solomon Islands and Papua New Guinea. Instead of Huawei, Vocus eventually picked up an AU$137 million contract to build the cable.

  • Private Internet Access deal: Get two years on up to 10 devices for just $70

    The internet has become such a dangerous place these days that experts are now suggesting users install VPNs on all of their devices, particularly on the machines they are using to work from home. The problem is, not all VPNs are created equal, so you really need to choose a platform that offers you the ultimate in protection without requiring you to make some very inconvenient trade-offs. Fortunately, Private Internet Access VPN fits that criteria perfectly and a two-year subscription is currently on sale for only $69.99, plus you get a $15 store credit.

    Basically, there are three main benefits to using a VPN. First and foremost is security, because a VPN can protect your most sensitive data from cybercriminals. The second is privacy protection: it’s no one’s business what you do online. The third benefit of using a VPN is being allowed to unlock content that may not be available in your geographical region.

    Private Internet Access VPN has you covered for all of those. It has an advanced firewall to block undesirable connections and keeps your data secure with strong encryption. The VPN will also protect your identity and ensure your privacy by masking your IP address, as well as your location. Plus, the MACE feature blocks trackers, ads, and malware. Geographically blocked or censored websites, services and apps will be a thing of the past, too, since Private Internet Access VPN has more than 30,000 servers in over 75 countries.

    Additionally, the platform gets bonus points for two things that are uncommon among VPNs. While other services are notorious for slowing down your internet connection, Private Internet Access VPN offers blazing fast speeds. You also get to use it on up to 10 devices at a time with unlimited bandwidth. It’s no wonder that Private Internet Access VPN is rated 4.5 of 5 stars on Google Play, an even better 4.7 out of 5 stars on the App Store, and that CNET chose it as one of the Best VPN Services of 2021.

    Don’t pass up this chance to web surf worry-free for 2 years with this fast, secure, and user-friendly platform. Get a two-year subscription to Private Internet Access VPN today while it’s on sale and includes a $15 store credit for just $69.99.


  • Stop Google tracking your location

    keeps is your location data. Doing a Google search or using Google Maps gives the company your location to pinpoint accuracy. Why does Google want this? To serve you more relevant ads and search results and so on, but for some people, that’s an unacceptable privacy tradeoff.

    Here’s how to stop handing over your location data to Google.

    1. Fire up your browser, and go to Google.com.
    2. Click on your profile pic and sign into your account.
    3. Click on your profile pic followed by Manage your Google Account.
    4. From Privacy & Personalization, select Manage your data & personalization.
    5. Go to Activity controls and select Manage your activity controls.
    6. Go to Web & App Activity and switch the toggle to off.
    7. On the screen that follows (a screen explaining the downsides to turning this feature off), click Pause.

    Phew! That was a long trip!

    But what about all the location data Google has collected? That’s still stored, but if you want to delete it, here’s how (we have to retrace some of our steps!):

    1. Fire up your browser, and go to Google.com.
    2. Click on your profile pic followed by Manage your Google Account.
    3. From Privacy & Personalization, select Manage your data & personalization.
    4. Go to Activity controls and select Location History.
    5. Select Manage activity to go to your Google Timeline.
    6. Click on the settings icon to the left of a button marked Map, and from the pop-up select Delete all Location History.
    7. Confirm that you do indeed want to delete location data, and click Delete Location History.

  • Kaseya victim struggling with decryption after REvil goes dark

    Many victims of the Kaseya ransomware attack are still in the process of recovering, but one victim is facing a particularly difficult issue. Mike Hamilton, former CISO of Seattle and now CISO of ransomware remediation firm Critical Insight, told ZDNet that a customer, who asked not to be named, was one of the few Kaseya victims to pay a ransom to the REvil ransomware group.

    Hamilton explained that the company paid the ransom and received the decryption keys from REvil but has found that they aren’t working. REvil typically offers a help desk function that aids victims with getting back their data. But REvil made news this week when all of its websites went dark, causing widespread speculation about why it potentially closed shop. Now that REvil has shuttered its operation, the company has been left with few options to address the issue, Hamilton said.

    “Some of our customers got off really easily. If you had that agent installed on unimportant computers, you just rebuilt them and got back to life. But we got a distress call a few days ago from a company that got hit hard because they had a company that was managing a lot of their servers with the Kaseya VSA. They got a lot of their servers hit and had a lot of information on them and so they brought in their insurance company and decided to pay the ransom,” Hamilton said. “They got their decryption key and when they started to use it, they found that in some places it worked and in other places it didn’t. These ransomware gangs have customer support but all of a sudden they went dark. They’re completely gone and so there is no help and these folks are just stuck. They’re going to end up losing a lot of data and they’re going to end up spending a lot of money to completely rebuild their network from scratch.”

    ZDNet contacted multiple cybersecurity experts and companies to see whether other Kaseya victims were facing similar issues. But almost all of those contacted said most victims did not pay ransoms and that they have not seen any other company going through an issue similar to this. Hamilton said that due to the size of the attack — estimates say about 1,500 organizations were affected — there had to be others who paid the ransom but are now struggling to decrypt their files without the help of REvil’s support systems.

    Recorded Future ransomware expert Allan Liska theorized that REvil was not expecting all of these single-machine infections and was ill-prepared to handle decryptions for each one. Following the attack, there was significant discussion online about whether one decryption key would work for all of the Kaseya victims. Experts said it was absolutely possible for REvil to have created separate decryption keys for each victim, but the ransomware group eventually came forward to offer Kaseya a universal decryptor for a $70 million ransom. “My guess is [REvil] has shit decryptor key management so they may not know which key to give out to each individual victim. They may have been handing out the wrong keys to the few $45,000 victims who paid,” Liska said.

    Hitesh Sheth, CEO at Vectra, said his team has seen descriptions of sophisticated customer support channels run by ransomware bandits but noted that REvil’s disappearance is more evidence that these groups are “out to make money, not nurse their victims back to strength.”

    Hamilton said the situation facing the company unable to get its decryptor working “is the result of a well-intended federal policy that caused a lot of collateral damage.” While both US authorities and Russian officials have denied any involvement in REvil’s disappearance, Hamilton said he believes the gang went dark because of how the conversation about ransomware has changed in the US over the last few months. While he does think it’s a possibility that the people behind REvil stopped of their own volition, he said it was more likely that Russian government officials put pressure on REvil due to the increased pressure coming from the Biden administration.

    “This particular predicament that a lot of companies find themselves in right now is the result of being collateral damage for our federal policy changes. Who knows? This could have been an intentional act on the way out the door. ‘We’re going to do this huge thing and then we’re going to disappear as a final poke in the eye.’ But I’m still going to say that this is the result of our change in policy and how that is affecting Vladimir Putin’s conversation with his intelligence people,” Hamilton said. “It just happened to be timed in such a way that it left a bunch of people high and dry right after this shotgun blast went out. Other companies that are in this particular predicament right now are probably just going to lose data, and they’re going to have to rebuild from scratch, and this may drive some companies out of business.”