Were Some Party Goers at 10 Downing Street Targeted by NSO Group Technology?

April 26, 2022

The New Scientist (yes, the New Scientist for goodness sakes) published “UK Prime Minister’s Office Smartphones Targeted by Pegasus Spyware.” (You may have to pay to view this write up, gentle reader.) The main point of the write up, it seems to me, is:

Researchers claim to have uncovered cyber attacks using Pegasus software against 10 Downing Street and the Foreign and Commonwealth Office.

Is this the government office about which Euronews said that UK prime minister Boris Johnson was fined over Downing Street lockdown partiers? It sure looks like it to me.

The New Scientist story recycles the Citizen Lab reports about someone using NSO Group technology to snoop on individuals in the British government. I don’t know if the research is on the money. I described the University of Toronto’s interest in NSO Group as a Munk-ey on the poster child company.

Several observations:

  • I am concerned that the recycling of information about NSO Group technology may have unintended consequences; for example, if I were a college computer science professor, I could envision asking students to check out the Pegasus software on GitHub and come up with similar functionality. But I am not a college prof, yet there may be a professor in Estonia who comes up with a similar idea.
  • The idea that a scientific research publication is focusing attention on an Israeli firm whose software was used by a government illustrates how information leakage can slosh around. Is this a click decision or a political decision or an ethical decision? I have no idea, but someone made a decision to recycle the Munk story.
  • Companies pay big money to get their “brand” in front of eyeballs. NSO Group is clearly the brand champion in the intelware sector. Winner? Well, maybe.

Net net: This NSO Group buzz shows no sign of decreasing. That’s not good.

Stephen E Arnold, April 26, 2022

UAE Earns a Spot on Global Gray List

April 26, 2022

Forget Darkmatter. This is a gray matter.

Where is the best place to stash ill-gotten gains? The Cayman Islands and Switzerland come to mind, and we have to admit the US is also in the running. But there is another big contender—the United Arab Emirates. The StarTribune reports, “Anti-Money-Laundering Body Puts UAE on Global ‘Gray’ List.” Writer Jon Gambrell tells us:

“A global body focused on fighting money laundering has placed the United Arab Emirates on its so-called ‘gray list’ over concerns that the global trade hub isn’t doing enough to stop criminals and militants from hiding wealth there. The decision late Friday night by the Paris-based Financial Action Task Force [FATF] puts the UAE, home to Dubai and oil-rich Abu Dhabi, on a list of 23 countries including fellow Mideast nations Jordan, Syria and Yemen.”

Will the official censure grievously wound business in the country? Not by a long shot, though it might slightly tarnish its image and even affect interest rates. The FATF admits the UAE has made significant progress in fighting the problem but insists more must be done. Admittedly, the task was monumental from the start. We learn:

“The UAE long has been known as a place where bags of cash, diamonds, gold and other valuables can be moved into and through. In recent years, the State Department had described ‘bulk cash smuggling’ as ‘a significant problem’ in the Emirates. A 2018 report by the Washington-based Center for Advanced Defense Studies, relying on leaked Dubai property data, found that war profiteers, terror financiers and drug traffickers sanctioned by the U.S. had used the city-state’s boom-and-bust real estate market as a safe haven for their money.”

Is the government motivated to change its country’s ways? Yes, according to a statement from the Emirates’ Executive Office of Anti-Money Laundering and Countering the Financing of Terrorism. That ponderously named body promises to continue its efforts to thwart and punish the bad actors. The country’s senior diplomat also chimed in on Twitter, pledging ever stronger cooperation with global partners to address the issue.

Cynthia Murrell, April 26, 2022

Covid Info, Misinfo, Disinfo, and Reformed Info: The US Government Now Cares

April 25, 2022

In a long overdue move, reports Engadget, “US Surgeon General Orders Tech Companies to Reveal Sources of COVID-19 Misinformation.” In keeping with his declaration last year that health misinformation is an urgent threat, Surgeon General Vivek Murthy has appealed to tech companies to voluntarily reveal the sources and scale of misinformation that has crossed their platforms related to the disease itself and vaccinations. Writer S. Dent cites reporting from The Washington Post as he tells us:

“Murthy’s request pertains to social networks, search engines, crowd sourced platforms, e-commerce and instant messaging companies. To start with, he wants data and analysis on typical vaccine misinformation already identified by the Centers for Disease Control and Prevention. That includes falsities like ‘the ingredients in COVID-19 vaccines are dangerous’ and ‘COVID-19 vaccines contain microchips.’ The administration seeks to learn how many users have been exposed to such misinformation, and which demographic groups may have been disproportionally affected. On top of that, it’s looking for data about the major sources of COVID-19 misinformation, including individuals or businesses that sell unapproved COVID-19 products or services. Tech companies have until May 2nd to comply, though they won’t be penalized if they don’t.”

We recognize a strongly worded advisory is the limit of the Surgeon General’s regulatory power, but will these companies cough up the requested information voluntarily? Certain platforms make big bucks from circulating false information. They have shown time and again profits are more important than their reputations, so a public shaming is likely to be ineffective. Still, we suppose Murthy had to try. The advisory is part of the administration’s “COVID National Preparedness Plan.” (Preparedness? Hasn’t that ship sailed?)

Cynthia Murrell, April 25, 2022

TransUnion: Squeezing Juice from a 20-Year Regulatory Drought

April 21, 2022

I believe everything I read on the Internet. Some things I believe a whole lot, even though the information may be shaded. Navigate to “Feds sue TransUnion, Calling It Unwilling or Incapable of Operating Lawfully.” I noted this passage:

TransUnion tricked people into recurring payments after previously being fined for the activity, the consumer watchdog agency said…

The company’s position echoes the emissions from some high-technology firms:

TransUnion dismissed the claims as “meritless,” saying the allegations “in no way reflect the consumer-first approach we take to managing of our businesses.”

Let’s not regulate or let the financial information sector self regulate. Both are great ideas.

Now let’s think about a government which can manage a large firm operating within its borders. The allegation is that the estimable TransUnion ignored guidelines, suggestions, and rules. Why? Maybe too expensive or just annoying bureaucratic clap trap?

Several observations:

  1. What other firms have adopted the TransUnion approach to treating their customers in a fair and ethical way?
  2. Does the US government see the irony of a commercial enterprise doing what it wants and then having the government sue the company so that it modifies its behavior?
  3. Will TransUnion modify its executive incentive program and make obeying the guidelines, suggestions, and rules of a federal agency important?

I can answer all three questions. My answer: Nope.

Stephen E Arnold, April 21, 2022

Is This a Wake Up Call for Cyber Crime Experts?

April 20, 2022

Do you want to be an in-demand cyber expert? You can. You can learn what you need by watching, downloading, or paying for online courses. Then go for the real money: Consulting, training, and explaining to law enforcement, intelligence, and security professionals. Easy, right.

Just be selective about your customers.

“U.S. Hacker Sentenced to Five Years Following Crypto Lessons in North Korea” reports an actual factual situation involving “expert knowledge.” The write up states:

… crypto currency expert and hacker Virgil Griffith was sentenced to five years in prison this Tuesday for aiding North Korea in avoiding U.S. sanctions. The sentence comes in wake of his participation in a crypto currency-focused conference held in North Korea’s capital city, Pyongyang in April 2019, which the U.S. citizen attended even after being denied a travel permit for the purpose. Griffith pled guilty to conspiracy last year, which accelerated his sentencing.

The original article provides additional information. I just want to focus on the risks of not keeping information confidential and out of certain channels. The issues related to incidents associated with FinFisher, Hacking Team, NSO Group, and other companies have not had much impact on specialized software and services never intended for a nation state at odds with the US or not created for commercial use.

The cyber crime training sector is booming. But certain information can blow up in one’s face. One can recover after five years of rest I suppose. But where was the fabric of clear decision making? In a Pyongyang relaxation spa? Perhaps with McKinsey & Company in Paris, a fave destination for some North Koreans?

Stephen E Arnold, April 20, 2022

TikTok: A Murky, Poorly Lit Space

April 15, 2022

TikTok, according to its champions, is in the words of Ernie (Endurance) Hemingway:

You do not understand. This is a clean and pleasant café. It is well lighted. (Quote from “A Clean, Well-Lighted Place”)

No, I understand. If the information in “TikTok under US Government Investigation on Child Sexual Abuse Material” is on the money, the Department of Justice and the US Department of Homeland Security, TikTok may not be a “clean and pleasant café.”

The paywalled story says that TikTok is a digital watering hole for bad actors who have an unusually keen interest in young people. The write up points out that TikTok is sort of trying to deal with its content stream. However, there is the matter of a connection with China and that country’s interest in metadata. Then there is the money which just keeps flowing and growing. (Facebook and Google are now breathing TikTok’s diesel exhaust. Those sleek EV-loving companies are forced to stop and recharge as the TikTok tractor trailer barrels down the information highway.)

For those Sillycon Valley types who see TikTok as benign, check out some of TikTok’s offers to young people. Give wlw a whirl. Oh, and the three letters work like a champ on YouTube. Alternatively ask some young people. Yeah, that’s a super idea, isn’t it. Now about unclean, poorly illuminated digital spaces.

Stephen E Arnold, April 15, 2022

Google Hits Microsoft in the Nose: Alleges Security Issues

April 15, 2022

The Google wants to be the new Microsoft. Google wanted to be the big dog in social media. How did that turn out? Google wanted to diversify its revenue streams so that online advertising was not the main money gusher. How did that work out? Now there is a new dust up, and it will be more fun than watching the antics of coaches of Final Four teams. Go, Coach K!

The real news outfit NBC published “Attacking Rival, Google Says Microsoft’s Hold on Government Security Is a Problem.” The article presents as actual factual information:

Jeanette Manfra, director of risk and compliance for Google’s cloud services and a former top U.S. cybersecurity official, said Thursday that the government’s reliance on Microsoft — one of Google’s top business rivals — is an ongoing security threat. Manfra also said in a blog post published Thursday that a survey commissioned by Google found that a majority of federal employees believe that the government’s reliance on Microsoft products is a cybersecurity vulnerability.

There you go. A monoculture is vulnerable to parasites and other predations. So what’s the fix? Replace the existing monoculture with another one.

That’s a Googley point of view from Google’s cloud services unit.

And there are data to back up this assertion, at least data that NBC finds actual factual; for instance:

Last year, researchers discovered 21 “zero-days” — an industry term for a critical vulnerability that a company doesn’t have a ready solution for — actively in use against Microsoft products, compared to 16 against Google and 12 against Apple.

I don’t want to be a person who dismisses the value of my Google mouse pad, but I would offer:

  • How are the anti ad fraud mechanisms working?
  • What’s the issue with YouTube creators’ allegations of algorithmic oddity?
  • What’s the issue with malware in approved Google Play apps?
  • Are the incidents reported by Firewall Times resolved?

Microsoft has been reasonably successful in selling to the US government. How would the US military operate without PowerPoint slide decks?

From my point of view, Google’s aggressive security questions could be directed at itself? Does Google do the know thyself thing? Not when it comes to money is my answer. My view is that none of the Big Tech outfits are significantly different from one another.

Stephen E Arnold, April 15, 2022

Is Tim Apple Worried: How Can Regulators Ignore What Apple Wants?

April 13, 2022

I know Apple and Tim are important. Fresh from a right to repair campaign and the cute move to make upgrades to the new and improved Mac Mini Studio, Tim Apple faces a poor report card. Tim Apple has failed Apple’s employee-acolyte examination. “Apple’s Tim Cook Warns of Unintended Consequences in App Store Antitrust Legislation” reports:

Apple CEO Tim Cook blasted regulatory proposals by Congress and in the European Union on Tuesday, arguing that legislation aimed at cracking open the company’s app store will hurt user security and privacy.

Are we talking Apple stalker gizmos? (This is my synonym for the Apple AirTag. Please, see “Apple AirTags Allegedly Being Used by Stalkers: Viral Twitter Thread.”)

Nope. The idea that elected officials want to permit sideloading.

Let me translate: If an iPhone user wants to load an application without going through Apple’s online store, bad things will happen. Remember the good, old days of buying software in a box and installing it. That’s sideloading in my book.

Are we talking Apple compliance with rules in China and Russia (pre-Ukraine, of course)?

The write up continues:

Former top national security officials have sided with Apple, saying that requiring iPhones to accept apps that may lack sufficient security protections could ultimately endanger the country.

Are we talking Apple’s often decidedly un-snappy response to legitimate government requests? Nope. We are talking national security and the unnamed terrible things waiting to roar down the on ramp of the information highway to deliver (my goodness!) unintended consequences.

Several observations:

  1. Tense much, Mr. Apple?
  2. Are we talking about AirTags?
  3. Concerned about losing a revenue stream?
  4. Worried about regulation after decades of riding horses hard in the digital Wild West?

I would prefer more action related to the personnel issues which are smoking on the burning brush at the spaceship.

Stephen E Arnold, April 13, 2022

DOD Cloud Program JWCC Pushed Back Until December

April 13, 2022

Turns out it takes longer to evaluate the options in the cloud than the DOD thought. Nextgov reveals, “Pentagon’s Effort to Supply Departmentwide Cloud Capabilities is Delayed, Again.” Reporters Lauren C. Williams and Brandi Vincent write:

“The Defense Department is delaying the award for its latest multibillion-dollar program to provide enterprise-wide commercial cloud services to the end of the year—which means certain solutions likely won’t be deployed until at least mid-2023. Amazon Web Services, Google, Microsoft and Oracle were named by the Pentagon as contenders for the potentially massive $9 billion Joint Warfighting Cloud Capability contract in November and invited to submit proposals. But DOD Chief Information Officer John Sherman said ‘conducting the due diligence with four vendors’ is taking more time than previously anticipated and that is contributing to the shift from the original award scheduled for April 2022.”

At stake are four separate contracts worth up to $9 billion in total. Each will have a three-year base period with two one-year options. The Joint Warfighting Cloud Capability (JWCC) will replace the Joint Enterprise Defense Infrastructure (JEDI), which became bogged down by protest and litigation. The DOD’s Deputy CIO for Information Enterprise Danielle Metz tells us what has changed:

“What sets JWCC apart from the other current cloud service offerings that we have is that this is going to be a direct partnership with a cloud service provider. So, it’s going to enable us to be able to have commercial parity and to hold into account the cloud service providers from a cybersecurity perspective. We’ll be able to glean a lot and work closely with the cloud service providers, which will set the stage for our future acquisition activities.”

The article tells us this direction marks a purposeful shift for the DOD—focusing on multiple vendors and interoperability should speed up the entire contracting, acquisition, and funding process so personnel will get the capabilities they need faster. Sounds great in theory, but as this recent delay shows, that cloud stuff can be more complicated than it looks.

A bureaucracy bureaucratizes.

Cynthia Murrell, April 13, 2022

NSO Group Knock On: More Attention Directed at Voyager Labs?

April 12, 2022

Not many people know about Voyager Labs, its different businesses, or its work for some government entities. From my point of view, that’s how intelware and policeware vendors should conduct themselves. Since the NSO Group’s missteps have fired up everyone from big newspaper journalists to college professors, the once low profile world of specialized software and services has come to center stage. Unfortunately most of the firms providing these once secret specialized functions are, unlike Tallulah Bankhead, ill prepared for the rigors of questions about chain smoking and a sporty life style. Israeli companies in the specialized software and services business are definitely not equipped for criticism, exposure, questioning by non military types. A degree in journalism or law is interesting, but it is the camaraderie of a military unit which is important. To be fair, this “certain blindness” can be fatal. Will NSO Group be able to survive? I don’t know. What I do know is that anyone in the intelware or policeware game has to be darned careful. The steely gaze, the hardened demeanor, and the “we know more than you do” does not play well with an intrepid reporter investigating the cozy world of secretive conferences, briefings at government hoe downs, or probing into private companies which amass user data from third-party sources for reselling to government agencies hither and yon.

Change happened.

I read “On the Internet, No One Knows You’re a Cop.” The author of the article is Albert Fox-Cahn, the founder and director of STOP. Guess what the acronym means? Give up. The answer is: The Surveillance Technology Oversight Project.

Where does this outfit hang its baseball cap with a faded New York Yankees’ emblem? Give up. The New York University Urban Justice Center. Mr. Fox-Cahn is a legal type, and he has some helpers; for example, fledgling legal eagles. (A baby legal eagle is technically eaglets or is it eaglettes. I profess ignorance.) This is not a Lone Ranger operation, and I have a hunch that others at NYU can be enjoined to pitch in for the STOP endeavor. If there is one thing college types have it is an almost endless supply of students who want “experience.” Then there is the thrill of the hunt. Eagles, as you know, have been known to snatch a retired humanoid’s poodle for sustenance. Do legal eagles enjoy the thrill of the kill, or are they following some protein’s chemical make up?

The write up states:

Increasingly, internet surveillance is operating under our consent, as police harness new software platforms to deploy networks of fake accounts, tricking the public into giving up what few privacy protections the law affords. The police can see far beyond what we know is public on these platforms, peeking behind the curtains at what we mean to show and say only to those closest to us. But none of us know these requests come from police, none of us truly consent to this new, invasive form of state surveillance, but this “consent” is enough for the law, enough for the courts, and enough to have our private conversations used against us in a court of law.

Yeah, but use of public data is legal. Never mind, I hear an inner voice speaking for the STOP professionals.

The article then trots through the issues sitting on top of a stack of reports about actions that trouble STOP; to wit, use of fake social media accounts. The idea is to gin up a fake name and operate as a sock puppet. I want to point out that this method is often helpful in certain types of investigations. I won’t list the types.

The write up then describes Voyager Labs’ specialized software and services this way:

Voyager Labs claims to perceive people’s motives and identify those “most engaged in their hearts” about their ideologies. As part of their marketing materials, they touted retrospective analysis they claimed could have predicted criminal activity before it took place based on social media monitoring.

Voyager Labs’ information was disclosed after the Los Angeles government responded to a Brennan Center Freedom of Information Act request. If you are not familiar with these documents, you can locate them at this link which I verified on April 9, 2022. Note that there are 10,000 pages of LA info, so plan on spending some time to locate the information of interest. If you want more information about Voyager Labs, navigate to the company’s Web site.

Net net: Which is the next intelware or policeware company to be analyzed by real news outfits and college professors? I don’t know, but the revelations do not make me happy. The knock on from the NSO Group’s missteps is not diminishing. It appears that there will be more revelations. From my point of view, these analyses provide bad actors with a road map of potholes. The bad actors become more informed, and government entities find their law enforcement and investigative efforts are dulled.

Stephen E Arnold, April 12, 2022
