NSO’s Pegasus Spyware No Longer Works in the UK, US

At this point, this is only a rumor, but maybe with high confidence. The Israeli spyware company NSO Group continues to get into trouble as they sell their software, pretty much, to anyone who will pay the price.

Earlier this month a UK court ruled against NSO that it was likely that a Dubai princess and her lawyers had their phones hacked by the NSO software, probably at the request of her ex-husband.

Amazingly, at virtually the same time, according to an unnamed source, NSO stopped the software from working on phone numbers from all of the Five Eyes countries (UK, US, Canada, Australia and New Zealand).

For how long is unclear.

NSO is facing a lot of lawsuits right now, so they may be trying to deflect some heat. Since they are not publicly saying what they are doing or for how long, I would not count on the good behavior lasting. Too much money to ignore.

What likely happened is that some parts of the international intelligence community “suggested” they cool it for a while; otherwise, they might be forced to take some actions like they did in Iran with Stuxnet. If you remember, Stuxnet generated a complete meltdown of Iran’s nuclear program. It is highly likely that the NSA or GCHQ could do the same thing to NSO if they wanted to. Not saying that is what happened, but…

The NY Post reported that the Princess paid $6.4 million to keep an affair with her bodyguard secret. When this fact came out the Princess, daughter of King Hussein of Jordan, left Dubai with her two young children from her marriage to the Sheikh. It is likely that all of this ugliness is what caused the Sheikh to decide to hack her and her attorney’s phones.

The Sheikh was a bit unhappy with her sudden departure and tried to get the UK High Court to return the children. I guess in the UAE, all is fair in love, war and child custody. He even tried to kidnap the kids using a helicopter.

All of this is kind of above my pay grade, but it does seem to poke some holes in NSO’s claims that they are good guys and their software is only used to catch bad guys, which is what their public story is.

How long NSO will continue to lose revenue opportunities is not clear.

What this “outing” of NSO means, however, is that fears that the Pegasus software was used to spy on diplomats, politicians, reporters and activists are likely true.

Credit: The Guardian

Coming Clean After A Hack

A hacker claims to have breached the Argentinian government’s network and stolen ID card details for every person in the country. The data is now being sold on the underground.

The agency that holds the data, RENAPER or Registro Nacional de las Personas, is translated as the National Registry of Persons.

The agency is tasked with creating national ID cards for citizens and the data behind the ID cards is used by most other agencies to validate a citizen’s request for services.

But here is where things get messy.

The hacker posted ID card photos and personal details for 44 celebrities on Twitter – including that of the President.

The hacker also published an ad on a well-known hacking board offering to look up the details of ANY Argentinian.

Three days later the government concocted a story that says they discovered a VPN account was used to query the RENAPER database for 19 photos at the exact same time as they were published on Twitter.

Sounds convenient to me. But if the hacker posted 44 names and the VPN user queried 19 names – where did the rest of the data come from? And, at the exact moment? Shouldn’t there be some delay between stealing the data and using it? At least a little delay. They went out of their way to say at the EXACT moment.

When the media contacted the hacker after the government published their likely made up story, the hacker offered to look up the national ID number of any citizen of the reporter’s choosing.

The hacker says that he will continue to sell the data to interested buyers and that he is probably going to publish the data of 1 to 2 million citizens (out of 45 million) in a couple of days.

The hacker didn’t deny that the VPN leak was real. It is a possible point of data extraction.

I can’t guarantee that the government is lying and the hacker is telling the truth, but sure seems that way.

If the hacker has all of the data needed to make fake ID cards for every citizen, that is kind of a problem for the government.

It is also a problem for citizens if their card is used to commit a crime.

BUT, it is also an interesting defense – it wasn’t me, it could have been anyone since the data is for sale on the underground web.

The government may be trying to figure out what to do. Reissuing – SECURELY – 45 million ID cards quickly is going to be a challenge. What do they do in the meantime? Are they still trying to figure out whether the data was stolen?

This is a challenge for everyone who gets hacked – government or otherwise.

I think you have to tell the truth. The truth will come out in the end and if you are caught fibbing, you look worse than if you just fessed up in the first place.

For Argentina – a big mess. For everyone else – an opportunity to figure out your data breach crisis communications strategy. Credit: The Record

Security News for the Week Ending October 15, 2021

Microsoft Investigating Multiple Windows 11 Issues

While some of the issues are not fatal, others like a memory leak in File Manager that can only be recovered from by rebooting are more of a problem. I recommend waiting for a month or two in order for other users to detect more bugs. Credit: Bleeping Computer

Feds Arrest Nuke Navy Engineer for Selling Nuke Secrets to Foreign Power

A Navy nuclear engineer stole restricted data for a Virginia class nuclear submarine and tried to sell it to a foreign power. For whatever reason, the person that he contacted in the unnamed country shared his letter with the FBI. They strung him along for a while as he made several dead drops of data and they paid him cryptocurrency until they arrested him last week. He was able to smuggle the documents out past security, which just shows how hard it is to actually secure against a determined adversary. Credit: The Register

An Unintended Consequence of Covid Vaccine Passports

The UK is one place where vaccine passports are required. The app that runs on people’s phones is managed by the National Health Service or NHS. The app has a barcode that security at the airport can use to check a passenger’s vaccine status. No proof of vaccine or negative Covid test and you can’t get on that plane. Which is great until the app’s backend database crashes like it did today. For about 4 hours. Heathrow came to a standstill. One journalist reported that she was offered a later flight for a 250 Pound fee. Oh, yeah, and she would need to take and pay for a rapid Covid test for another 119 Pounds. She opted not to fly. Another passenger tried using his paper vaccine card, but security would not accept it. The app has an offline mode or you could screenshot the barcode, but those only work if the app is running. Unintended consequences. Credit: BBC

Treasury Links $5 Billion in Bitcoin to Ransomware

The U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) has done some trolling on the Bitcoin blockchain. Anyone who thinks that bitcoin is anonymous does not understand how that works. They identified Bitcoin wallet addresses after analyzing suspicious activity reports (SARs) that banks send in. This has nothing to do with actually recovering any money. If they put those wallets on the banned list then the hackers will create new wallets (which they should be doing anyway to make things harder to track). It is probably a good thing for them to do because a lot of crooks are stupid and those are the ones that they might catch out of this. Credit: Bleeping Computer

Fallout From the Epik Hack

Epik, as I reported earlier, is a domain registrar that is kind of a last resort for people who can’t get another registrar to manage their domain – along with many vanilla domains. Epik supports a number of conspiracy theory and alt-right domains because they say that they are neutral in the battle. As a result of being hacked, a lot of data which people would like to remain private became public. As a result of that, people are being fired and businesses are losing customers. One person, whose information was disclosed, continued the conspiracy theory tactic and said that the data was easily falsifiable (who did this – Epik or the hackers – and why?), that he was the possible victim of extortion and that the newspaper that reported the information was “fake news”. Possible, but that is likely not going to help some people who get outed. Credit: The Washington Post

Businesses Losing Customers due to Connected Products Security Concerns

59% of cybersecurity executives at large and medium organizations say that they have LOST business due to product security concerns for connected and embedded devices.


45% say that customers want detailed information about what is in their devices, but only 11% of companies have high confidence that they can do that, even if they want to.

Only 27% of people interviewed said that their organizations conduct software composition analysis (what is in it) and only 30% say that they can easily generate a software bill of materials (as required by the new executive order).

So what does it take to develop secure products? More resources (62%), more expertise (60%), industry standards (46%). Only 21% said that they have a security supply chain policy.


On top of this, only half of the respondents said their organization checks the security of their products before they ship them.

The good news is that 74% of the organizations either have a Chief Product Security Officer or plan to hire one. In the next two years.

And, last but not least, only 10% have full confidence that they know all the vendors in the supply chain for each of their devices.

Ready to buy one of them secure connected devices now?

Credit: Help Net Security

What if You Get Locked Out of Your Cloud Account?

Konstantin Gizdov has an interesting story to tell. He got locked out of his Microsoft Azure account. He doesn’t think it was hacked, it was a Microsoft software bug.

More importantly, his attempts to recover the account were incredibly frustrating. The frustration was, in part, caused by the fact that Microsoft didn’t think it was their problem.

The problem started when he got an email that his account had been renamed. All of his attempts to get Microsoft support to unlock the account were totally unsuccessful and the data in the account was important to him.

Part of his problem was that, as an IT person, he had secured his account very effectively and removed most of the back doors that would have let him back in.

He followed all of Microsoft’s procedures for recovering his account, but, for whatever reason, none of them worked. Microsoft said there are no bugs (really? What alternate reality do they live in?)

He did have an emergency account recovery code which should have worked, except that, he said, there was a 30-day waiting period before he could use it.

But he lucked out. His story got a fair amount of coverage and Microsoft’s Identity VP saw it. He apologized on Twitter, both for the bug and for how Microsoft’s customer support handled it.

But this is a good lesson for everyone.

Even Microsoft says that you should use an out-of-network backup. We have at least 4 generations of backups, including at least one that is locked up in a bank vault. You really can’t have too many backups.

As companies and individuals move more stuff to the cloud, this is becoming a potentially large issue.

While the world won’t stop turning if you lose all of your music or photos stored in the cloud, I suspect a lot of people will not be happy. Support on the consumer side is even worse than what this guy experienced.

On the business side, getting locked out of your business records or customer records could, potentially, put you out of business. And get you sued on top of it.

And cyber insurance companies are starting to get into the act telling businesses that they won’t get coverage if they don’t have the right air-gapped backups.

This would be a good time to review what you have, both for your business and personally, and make sure that you are okay with whatever losses you might have if something bad were to happen.

Credit: The Register and Security Week

Attorney Client Privilege in Cyber Land

Historically, attorney-client privilege was used to protect conversations between attorneys and their client as they were preparing their defense.

While that is still the case, there is a lot of information that companies that were breached might not want to get out to the folks suing them. If it is not done right, it is highly unlikely that the information will be protected.

Some examples of doing it wrong:

After a data breach occurred, Capital One retained a law firm that later entered into an agreement with Mandiant for various cyber-related services (including incident remediation), which required that Mandiant provide deliverables to the firm, rather than to Capital One. Plaintiffs sought release of the report created by Mandiant (regarding the factors leading to the breach), arguing that it was prepared for business and regulatory purposes and therefore was not privileged, while Capital One argued that the report was privileged because it was prepared in anticipation of litigation. Capital One lost and they had to turn over the report.

Plaintiffs filed a motion to compel Dominion Dental Services to produce a report created by Mandiant, a cybersecurity firm. Dominion claimed that the report was created to inform legal counsel and create a litigation strategy, and thus was privileged and protected by the attorney work-product doctrine. The court stated that Dominion had not met its burden of demonstrating that the materials were protected work-product and held that the materials were not privileged because (1) Mandiant had a relationship with Dominion prior to the breach, which anticipated services in the event of a breach occurring; and (2) Dominion used the materials for non-litigation purposes.

There are more of these. The wall for attorney-client privilege is filled with holes.

This means that you need to prepare for how you are going to respond in case of a breach.

BEFORE the breach.

Some things to figure out:

  • Failure to distinguish the parameters of retaining an outside consultant for the creation of a breach report can increase the risk of this report not being covered within the work-product doctrine. THIS MEANS THAT YOU NEED TO COMPARTMENTALIZE WHAT YOU ARE DOING. Likely one project/vendor for incident cleanup and a different one for legal prep.
  • Retainers for vendors used in preparing a breach report should be categorized as a legal expense. BREACHED COMPANIES WHO HAD ENGAGED MANDIANT BEFORE THE BREACH AND CLASSIFIED THE EXPENSE AS AN IT EXPENSE HAVE A HARD TIME CHANGING THEIR MIND LATER. BUT CLASSIFYING IT AS A LEGAL EXPENSE DURING NORMAL TIMES AND HAVING THEM REPORT TO “IT” IS ALSO A PROBLEM.
  • Only share the data breach report for legal purposes, and share the report with as few individuals in the organization as possible. SEE COMPARTMENTALIZE ABOVE. IF YOUR LAW FIRM DOES NOT UNDERSTAND THIS, THEY ARE THE WRONG LAW FIRM TO HANDLE THE TASK.
  • Proceed with caution when using a data breach report outside of litigation purposes.

Now is the time to figure things out. Before you need to use it. Credit: ADCG
