Cyber-Espionage / en Citizen Lab experts say latest hacking highlights security, regulation vulnerabilities /news/citizen-lab-experts-iphone <span class="field field--name-title field--type-string field--label-hidden">Citizen Lab experts say latest hacking highlights security, regulation vulnerabilities </span> <div class="field field--name-field-featured-picture field--type-image field--label-hidden field__item"> <img loading="eager" srcset="/sites/default/files/styles/news_banner_370/public/GettyImages-586900280.jpg?h=afdc3185&amp;itok=UFGy3vmS 370w, /sites/default/files/styles/news_banner_740/public/GettyImages-586900280.jpg?h=afdc3185&amp;itok=Nm3wOVWy 740w, /sites/default/files/styles/news_banner_1110/public/GettyImages-586900280.jpg?h=afdc3185&amp;itok=azr2J8uz 1110w" sizes="(min-width:1200px) 1110px, (max-width: 1199px) 80vw, (max-width: 767px) 90vw, (max-width: 575px) 95vw" width="740" height="494" src="/sites/default/files/styles/news_banner_370/public/GettyImages-586900280.jpg?h=afdc3185&amp;itok=UFGy3vmS" alt="iPhone"> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>Romi Levine</span></span> <span class="field field--name-created field--type-created field--label-hidden"><time datetime="2016-08-26T13:10:57-04:00" title="Friday, August 26, 2016 - 13:10" class="datetime">Fri, 08/26/2016 - 13:10</time> </span> <div class="clearfix text-formatted field field--name-field-cutline-long field--type-text-long field--label-above"> <div class="field__label">Cutline</div> <div class="field__item"> (Photo by Jaap Arriens/NurPhoto via Getty Images)</div> </div> <div class="field field--name-field-author-reporters field--type-entity-reference field--label-hidden field__items"> <div class="field__item"><a href="/news/authors-reporters/romi-levine" hreflang="en">Romi Levine</a></div> </div> <div class="field field--name-field-author-legacy field--type-string field--label-above"> <div class="field__label">Author legacy</div> <div class="field__item">Romi Levine</div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Topic</div> <div class="field__item"><a href="/news/topics/global-lens" hreflang="en">Global Lens</a></div> </div> <div class="field field--name-field-story-tags field--type-entity-reference field--label-hidden field__items"> <div class="field__item"><a href="/news/tags/citizen-lab" hreflang="en">Citizen Lab</a></div> <div class="field__item"><a href="/news/tags/security" hreflang="en">Security</a></div> <div class="field__item"><a href="/news/tags/munk-school-global-affairs-public-policy" hreflang="en">Munk School of Global Affairs &amp; Public Policy</a></div> <div class="field__item"><a href="/news/tags/cyber-espionage" hreflang="en">Cyber-Espionage</a></div> <div class="field__item"><a href="/news/tags/global" hreflang="en">Global</a></div> </div> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><strong>Bill Marczak</strong> and <strong>John Scott-Railton</strong> made headlines around the world this week when they disclosed&nbsp;serious iPhone security flaws after an attempted attack on the phone of the prominent human rights activist Ahmed Mansoor through a link in a text message. Scott-Railton and Marczak are senior researchers at the Citizen Lab at the University of Toronto's Munk School of Global Affairs.&nbsp;With the help of mobile security firm Lookout, they&nbsp;traced the link back to a company called NSO Group that sells access to these vulnerabilities to their clients.&nbsp;</p> <h4><a href="/news/researchers-uncover-iphone-espionage">Read about the report here&nbsp;</a></h4> <h4><a href="https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/">Read the full report here&nbsp;</a></h4> <p><em>U of T News</em> writer<strong> Romi Levine</strong> spoke with Scott-Railton and with his Citizen Lab colleague<span style="line-height: 20.8px;">&nbsp;</span><strong style="line-height: 20.8px;">Sarah McKune </strong>about the incident and about&nbsp;<span style="line-height: 20.8px;">&nbsp;the murky territory that surrounds regulating companies like the NSO group.</span></p> <hr> <h2><strong>John Scott-Railton</strong></h2> <p><img alt class="media-image attr__typeof__foaf:Image img__fid__1790 img__view_mode__media_large attr__format__media_large" src="/sites/default/files/styles/large/public/railton.jpg?itok=4SsdfN76" style="width: 254px; height: 271px; float: left; margin-left: 6px; margin-right: 6px;" typeof="foaf:Image"><strong>Lookout’s vice president, research called the NSO group at the centre of the Citizen Lab report a “cyber arms dealer” – what does he mean by that?&nbsp;</strong></p> <p>This is an interesting way to describe it. We’re in a geopolitical situation – there’s a market desire from countries that don’t have the ability to build the capability domestically to do digital surveillance. They go looking to the private market. There are a series of companies that are looking to sell them those capabilities. These are companies that are selling kinds of tools governments want for espionage and law enforcement.&nbsp;</p> <p>Some accuse these companies of being mercenaries. It raises the question of proliferation – how do you decide whether or not to sell to a country?&nbsp;Part of our work at Citizen Lab is based around shedding light on that marketplace and to show clear evidence into whether or not there are abuses. &nbsp;</p> <p><strong>Are companies like the NSO group doing something illegal?&nbsp;</strong></p> <p>Some people believe that the way to solve the problem of proliferation is for governments to have export control regulations that require that any sale of this kind of technology is required to get a license and go through a process of evaluation.&nbsp;</p> <p>The challenge seems to be, even though many of these frameworks exist, it’s still the case these companies are selling spyware technology to countries with notorious histories of serial misuse of this kind of spyware.&nbsp;</p> <p>It raises the obvious question: If that’s not enough to stop a sale, what would stop a sale?</p> <p>Ahmed Mansoor has now been targeted three times with this kind of technology from three different companies. If this isn’t evidence of serial misuse, I don’t know what is.&nbsp;</p> <p><strong>“Zero-day exploits” would have allowed NSO group to jailbreak Mansoor’s phone. What are they?</strong></p> <p>Zero day vulnerability is something that the vendor – in this case Apple – has spent zero days working to close. It basically means this is a hole or a bug in a product or software that can be exploited to run malicious code. This is very powerful knowledge because it gets you around the kind of security that you would expect to be built into products.<br> There’s a market for this kind of knowledge because it represents information about where these secret unlocked doors are that could potentially be very valuable.&nbsp;<br> There’s also a market for intrusion tools that could be used on top of that.</p> <p>So vulnerability is like a secret door, the exploit is a set of instructions that get you in the door and the malware is what you put inside once you gain access.&nbsp;</p> <p><strong>Should the average person see Mansoor’s hacking as a threat to their own privacy?</strong></p> <p>The attacks we work on at Citizen Lab tend to be targeted at high-value individuals. It is not necessarily something everyone should be instantly afraid of.&nbsp;<br> But we at Citizen Lab think activists, dissidents and journalists are canaries in the coal mine – this targeting shows us a glimpse of a future where if this kind of market is not in some way addressed, this kind of vulnerability will be more and more part of the daily conversation. &nbsp;</p> <p>When you target dissidents and journalists you’re not just targeting individuals, you’re targeting the democratic process and the people who help contribute to a fairer and more just and honest society – both because of the direct violence it does to civil societies and because of what it shows us about the future and the risks that will come.&nbsp;<a href="https://www.johnscottrailton.com/jsrs-digital-security-low-hanging-fruit/"><span style="line-height: 20.8px;"></span></a></p> <h4><a href="https://www.johnscottrailton.com/jsrs-digital-security-low-hanging-fruit/"><span style="line-height: 20.8px;">Follow Scott-Railton’s digital security advice</span></a></h4> <p><strong>How can someone&nbsp;recognize this kind of threat?&nbsp;</strong></p> <p>The sophistication of this threat is that it’s hard to recognize. Our advice to the general population is treat links and attachments especially from people you don’t know with great care. With the kinds of threats we see, like in the case of Mansoor, we see the critical importance of companies like Apple quickly responding to security threats we report to them.&nbsp;</p> <h2>&nbsp;</h2> <hr> <h2><strong>Sarah McKune</strong></h2> <p><strong>How are companies like the NSO group regulated?</strong></p> <p>The regulatory area that’s been explored so far is that of export control. It’s the first step because export controls include a framework devoted to compliance and there can be penalties if you violate the applicable export control violations.</p> <p>There's a multilateral export control group called the&nbsp;<a href="http://www.wassenaar.org/">Wassenaar Arrangement</a>&nbsp;– it includes over 40 countries including Canada, the&nbsp;United States and Russia, but it does not include Israel (where the NSO Group is based). But Israel incorporates the regulations that are agreed upon in the Waassenaar framework.</p> <p>Export controls are a very arcane and language-specific beast. The arrangement lists different items that are subject to control implemented on the national levels. Individual nations implement those controls.</p> <p>One of the controls that was added in December of 2013 related specifically to intrusion software. What NSO Group offers does seem to meet the criteria to be considered one of the items.&nbsp;That’s the crux of the issue – how these controls are implemented. &nbsp;</p> <p>(If a product falls under the criteria, it’s) not an outright ban, you need to submit a license application and the authorities will grant or deny it.&nbsp;</p> <p>We just don’t have visibility into the process with respect to NSO Group. It’s possible they may have submitted a request to a licensing application. It’s also possible a request has been granted.<br> The UAE has significant problems with respect to human rights including a track record of surveillance so it seems that if the authorities did engage in this review of the license application, those human rights concerns were not determined on the decision to grant the application if it was indeed granted .</p> <p><strong>So there’s no form of regulation one country can enforce on another country?</strong></p> <p>That demonstrates the limitation of export controls. They aren’t enough to address the human rights concerns associated with these technologies.&nbsp;</p> <p>We have to start thinking beyond export controls to what other avenues are available.&nbsp;</p> <p><strong>What other ways are there to address these regulatory issues?&nbsp;</strong></p> <p>It involves a number of different facets.&nbsp;</p> <p>We can look at the applicable laws relevant to this type of activity – there are some criminal laws that could apply to this type of context.&nbsp;</p> <p>We can also look at consumer protection – this is certainly an issue of fraud perpetrated against individual users. Websites and other components of these types of spyware kits often attempt to mislead users as to what it is they’re trying to access and download.</p> <p>There are legal and policy options on the table – legislatiures need to tackle this issue.&nbsp;</p> <p>It is very complex but I do think this&nbsp;case demonstrates how vulnerable these types of technologies render users at large. It’s not just about one specific target. It’s about undermining technologies that affect us all.&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> </div> <div class="field field--name-field-news-home-page-banner field--type-boolean field--label-above"> <div class="field__label">News home page banner</div> <div class="field__item">Off</div> </div> Fri, 26 Aug 2016 17:10:57 +0000 Romi Levine 100273 at Citizen Lab researchers uncover extensive Twitter cyber espionage campaign /news/citizen-lab-researchers-uncover-extensive-twitter-cyber-espionage-campaign <span class="field field--name-title field--type-string field--label-hidden">Citizen Lab researchers uncover extensive Twitter cyber espionage campaign</span> <div class="field field--name-field-featured-picture field--type-image field--label-hidden field__item"> <img loading="eager" srcset="/sites/default/files/styles/news_banner_370/public/image10-1.png?h=afdc3185&amp;itok=TKsGpYLN 370w, /sites/default/files/styles/news_banner_740/public/image10-1.png?h=afdc3185&amp;itok=LeIJcBCq 740w, /sites/default/files/styles/news_banner_1110/public/image10-1.png?h=afdc3185&amp;itok=xClFcsxn 1110w" sizes="(min-width:1200px) 1110px, (max-width: 1199px) 80vw, (max-width: 767px) 90vw, (max-width: 575px) 95vw" width="740" height="494" src="/sites/default/files/styles/news_banner_370/public/image10-1.png?h=afdc3185&amp;itok=TKsGpYLN" alt="Tag cloud of bait content topics used by Stealth Falcon shows a strong emphasis on political topics and narratives critical of the United Arab Emirate government"> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>lavende4</span></span> <span class="field field--name-created field--type-created field--label-hidden"><time datetime="2016-05-30T10:52:57-04:00" title="Monday, May 30, 2016 - 10:52" class="datetime">Mon, 05/30/2016 - 10:52</time> </span> <div class="clearfix text-formatted field field--name-field-cutline-long field--type-text-long field--label-above"> <div class="field__label">Cutline</div> <div class="field__item">Tag cloud of bait content topics used by Stealth Falcon shows a strong emphasis on political topics and narratives critical of the United Arab Emirate government</div> </div> <div class="field field--name-field-topic field--type-entity-reference field--label-above"> <div class="field__label">Topic</div> <div class="field__item"><a href="/news/topics/global-lens" hreflang="en">Global Lens</a></div> </div> <div class="field field--name-field-story-tags field--type-entity-reference field--label-hidden field__items"> <div class="field__item"><a href="/news/tags/munk-school-global-affairs-public-policy" hreflang="en">Munk School of Global Affairs &amp; Public Policy</a></div> <div class="field__item"><a href="/news/tags/citizen-lab" hreflang="en">Citizen Lab</a></div> <div class="field__item"><a href="/news/tags/global" hreflang="en">Global</a></div> <div class="field__item"><a href="/news/tags/cyber-espionage" hreflang="en">Cyber-Espionage</a></div> </div> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>A new <a href="https://citizenlab.org/2016/05/stealth-falcon/">report</a>&nbsp;from the University of Toronto’s Citizen Lab reveals a sophisticated international cyber-espionage campaign targeting journalists and activists whose work concerns the United Arab Emirates.&nbsp;The campaign used elaborate ruses, including fake organizations and journalists, to engage targets online, then entice them to open malicious files and links containing malware capable of monitoring their activities.</p> <p>The campaign, which the researchers named Stealth Falcon, was first uncovered when a fictitious organization named “The Right to Fight” contacted Rori Donaghy, a UK-based journalist and founder of the Emirates Center for Human Rights.&nbsp;Building from this discovery, the Citizen Lab team, led by&nbsp;<strong>Bill Marczak</strong>, uncovered an elaborate web of fake social media handles and organizations.</p> <p>“We’ve been diligently tracing Stealth Falcon for the past six months.&nbsp;But these guys have very good operational security.&nbsp; For every fake persona we have thus far identified, dozens may await discovery,” Marczak said.</p> <p>Stealth Falcon’s techniques rely heavily on ruses, which they seem to have constructed with the help of a good picture of their targets’ behaviors and interests. One particularly concerning approach was the use of fake journalists to entice targets to open malicious documents.</p> <p>“Stealth Falcon shows us that masquerading as a journalist is a recurrent technique, but that it can have chilling effect on trust in civil society,” added Marczak's colleague&nbsp;<strong>John Scott Railton</strong>.</p> <p>The targets include a range of activists and public figures whose work covers issues of Human Rights and advocacy in the United Arab Emirates. Several of the individuals targeted by Stealth Falcon’s ruse were later convicted or jailed by the UAE. The researchers analyzed more than&nbsp;400 pieces of ‘bait’ content, of which&nbsp;73 percent&nbsp;concerned the United Arab Emirates.</p> <p>“Governments and the private sector are increasingly exporting attack tools and know-how in the name of cybersecurity," Marczak said.&nbsp;</p> <p>The report, called Keep Calm and (Don't) Enable Macros, stops short of conclusively attributing Stealth Falcon a particular sponsor, but highlights circumstantial evidence that could point towards UAE government involvement.</p> <p>The research shows how the Internet, a key tool for organizing and activism, is also a powerful vehicle in the hands of malicious attackers, said&nbsp;<strong>Ron Deibert</strong>, Citizen Lab director.&nbsp;“Autocratic regimes like the United Arab Emirates are now routinely finding ways to subvert the tools of social media to accomplish their sinister aims. Careful research of the sort undertaken here can help journalists, activists, and others be on guard for these new threats.”</p> <p>The Citizen Lab, based at the Munk School of Global Affairs, has an established track record of uncovering cyber espionage campaigns and other kinds of targeted digital attacks against human rights organizations. For more about the Citizen Lab, see <a href="https://citizenlab.org/">https://citizenlab.org/</a>.&nbsp;</p> <h3><a href="https://citizenlab.org/2016/05/stealth-falcon/">Read the Citizen Lab report, Keep Calm and (Don’t) Enable Macros, here</a>&nbsp;</h3> </div> <div class="field field--name-field-news-home-page-banner field--type-boolean field--label-above"> <div class="field__label">News home page banner</div> <div class="field__item">Off</div> </div> Mon, 30 May 2016 14:52:57 +0000 lavende4 14175 at