Tag Archives: NSO

Security News for the Week Ending November 26, 2021

Tesla Locks Owners Out of Cars – By Accident

Hundreds of Tesla owners got locked out of their cars when a server that powers the Tesla app crashed due to load. Apparently those owners forgot there is such a thing as a car key. The outage lasted about 5 hours and Elon Musk later tweeted that they would work to avoid this in the future. This doesn’t happen often; just a reminder that no tech is perfect. Credit: The Guardian

The Zelle Fraud Scam – Don’t Fall Victim

The Zelle fraud scam starts with a fake text message asking whether you made a Zelle payment in the amount of $X. If you respond to the text with anything at all, you get a call from the scammer pretending to be your bank. The scammer asks for your online banking USER NAME (not your password), then triggers a password reset on your account and asks you for the PIN your bank sends to complete that reset. With the reset done, the scammer empties your bank account. For more details, see Brian Krebs’ account of the attack.

Microsoft Says Attackers Don’t Bother to Brute Force Long Passwords

A Microsoft engineer analyzed over 25 million password attempts against a honeypot of SSH servers and found that 77% of the brute-force attempts used passwords of 7 characters or fewer and only 6% used passwords of more than 10 characters. Only 7% of the attempts used a special character. That gives users some parameters for constructing passwords that fall outside what attackers actually try. Credit: The Record
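The same tally the Microsoft engineer ran can be reproduced on your own honeypot or failed-login records. This is an added example, not code from the article or from Microsoft; the log lines are constructed sample data in an assumed "timestamp src_ip user:password" layout, and the bucket boundaries (7, 10, special characters) are the ones the article cites.

```python
# Added example: bucket SSH brute-force attempts by password length and
# character class, as in the honeypot study the article describes.
# SAMPLE_ATTEMPTS is constructed data in an assumed "timestamp ip user:password" format.
from collections import Counter
import string

SAMPLE_ATTEMPTS = """\
2021-11-20T01:02:03Z 203.0.113.7 root:123456
2021-11-20T01:02:04Z 203.0.113.7 root:password
2021-11-20T01:02:05Z 203.0.113.7 admin:admin
2021-11-20T01:02:06Z 203.0.113.7 root:12345
2021-11-20T01:02:07Z 198.51.100.9 root:P@ssw0rd
2021-11-20T01:02:08Z 198.51.100.9 ubuntu:ubuntu2020
2021-11-20T01:02:09Z 198.51.100.9 root:qwertyuiop123
2021-11-20T01:02:10Z 192.0.2.44 pi:raspberry
2021-11-20T01:02:11Z 192.0.2.44 root:toor
2021-11-20T01:02:12Z 192.0.2.44 root:Tr0ub4dor&3
"""

SPECIALS = set(string.punctuation)

def parse_attempts(text):
    """Yield (user, password) per log line; the password may itself contain ':'."""
    for line in text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) != 3 or ":" not in parts[2]:
            continue  # skip malformed lines rather than crash the report
        user, password = parts[2].split(":", 1)
        yield user, password

def summarize(text):
    """Percentages for the article's three buckets plus a length histogram."""
    passwords = [pw for _, pw in parse_attempts(text)]
    total = len(passwords)
    if total == 0:
        return {"total": 0}
    pct = lambda n: round(100 * n / total, 1)
    return {
        "total": total,
        "pct_short": pct(sum(len(p) <= 7 for p in passwords)),      # 7 chars or fewer
        "pct_long": pct(sum(len(p) > 10 for p in passwords)),       # more than 10 chars
        "pct_special": pct(sum(any(c in SPECIALS for c in p) for p in passwords)),
        "lengths": dict(sorted(Counter(len(p) for p in passwords).items())),
    }

def outside_attacked_space(password):
    """True when a password is longer than 10 chars AND has a special character,
    i.e. it sits in the region the honeypot data shows attackers rarely try."""
    return len(password) > 10 and any(c in SPECIALS for c in password)

if __name__ == "__main__":
    print(summarize(SAMPLE_ATTEMPTS))
```

Point it at a Cowrie or sshd auth log after adjusting the field split in parse_attempts.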

US Sanctions 28 Quantum Computing Companies in China, Russia, Pakistan and Japan

The US continues to work on protecting its technology from foreign bad actors. The Commerce Department added 28 companies in multiple countries to its Entity List as a risk to the US. These sanctions prohibit US companies from dealing with those organizations. Given that quantum computing is a strategic technology for everyone, we do not want to be accidentally helping the bad guys. For a list of these companies, check out this article.

Israel Bans Sales of Hacking Tools to 65 Countries

In the wake of all of the negative press that Israeli hacking tools company NSO Group is getting, including being banned in the US, Israel reduced the list of countries that companies like NSO can sell to from 102 to just 37 countries. See the list here.

India to Ban Almost All Private Cryptocurrencies

India is about to ban almost all private cryptocurrencies. A new bill would create a framework for an official digital currency, to be issued by the Reserve Bank of India. Bitcoin and Ethereum would be included in the ban. Effectively, if this bill becomes law, non-fiat cryptocurrency would cease to exist in one of the world’s most populous countries. Credit: Euronews

How to Defend Against NSO Spyware

Or at least try!

The NSO Group is the Israeli company that sells spyware to governments, and, the evidence suggests, to all sorts of unsavory characters as well, although they deny that.

Evidence also says that they target journalists, activists, business executives and lawyers around the world.

But they come from the Wernher von Braun school of rocketry: once the rockets go up, who cares where they come down. They say that how their customers use the software is not their business.

While iPhones are usually good at stopping malware, in this case they are about as secure as a screen door against NSO’s Pegasus software.

While there is no such thing as perfect security, that doesn’t mean you should just give up and let the hackers in. The Pegasus software gives the attacker, which may be a government, unlimited access to a target’s mobile device. It allows the attacker to:

  • Remotely and covertly collect information, including:
    – location
    – relationships
    – phone calls
    – plans
    – activities
  • Monitor voice and VoIP phone calls in real time
  • Siphon contacts, passwords, files and encrypted content from the phone
  • Monitor the room around the phone by turning on the microphone
  • Monitor the phone’s location
  • Monitor connections through apps like WhatsApp, Facebook, Signal and others

All that being said, it is just an old-fashioned remote access trojan.

So, what can you do to even the odds?

  1. Avoid click bait – text messages or WhatsApp messages that try to get you to click on a link (and thereby install the malware). The messages may appear to come from your bank, for example.
  2. Separate sensitive work from non-sensitive work on different devices. I know that is a pain, but so is getting hacked.
  3. Use out-of-band verification if you get a link that you are not expecting.

That is just one form of attack. Another is to intercept unencrypted web traffic and redirect it to malicious sites. To help thwart this:

  1. Always type the HTTPS:// in front of the URL
  2. Bookmark known sites and only go there from the bookmarks
  3. Use a VPN

Unfortunately, there are also zero-click exploits, ones you don’t have to interact with at all to get infected. A recent iMessage attack worked like that: simply being sent a malformed iMessage was enough to infect the phone. To reduce the odds of this working:

  1. UNINSTALL **ALL** apps that are not absolutely essential
  2. Regularly audit your apps to make sure none are installed that you don’t need
  3. Regularly install all patches to the OS and apps – but only do that when you are on a trusted network
  4. Use a tamper bag to stop the phone from communicating with its handler when you are not using it

Obviously, the simplest attack is physical access. To help thwart this:

  1. Keep your phone under your control at all times
  2. Do not believe the myth that hotel room safes are secure. They are not.
  3. Put your device in a tamper-evident bag if you need to leave it somewhere. At least that way you will know if someone attempted to get into it.
  4. Use burner phones and change them like underwear

I know that all of this is a pain in the rear. You have to decide what your level of paranoia is.

Remember: Security or convenience, pick one.

Credit: The Intercept

Security News for the Week Ending May 1, 2020

China, Korea, Vietnam Escalate Hacking During Covid-19 Outbreak

The Trump administration is calling out China for hacking US hospitals and research facilities that are looking for cures and vaccines for Covid-19. That should not be much of a surprise, since China has always opted for stealing solutions over figuring them out itself. At least at this point, the U.S. is not doing anything about this theft. Credit: CNN

At the same time, Vietnam is hacking at China’s Ministry of Emergency Management and the Wuhan government, probably trying to do the same thing and also to steal information about its neighbor’s lies about its death toll. Credit: Reuters

Finally, South Korea’s Dark Hotel government hacking group is hacking at China, using 5 zero-day vulnerabilities in a single attack. Five is a massive arsenal to spend on one attack, since zero-days are hard to find (or at least we think they are; since they are unknown until they get used or announced, we don’t really know). Reports are that the group has compromised 200+ VPN servers in an effort to infiltrate the Chinese government and other Chinese institutions. Credit: Cyberscoop

Bottom line, it is business as usual, with everyone hacking everyone they can.

Israel Thwarts Major Coordinated Cyber-Attack on its Water Infrastructure

Israel says it has received reports of coordinated attacks on its wastewater, pumping and sewage infrastructure.

The response was to tell companies to take their systems off the Internet as much as possible, change passwords and update software. All good things to do, but disconnecting from the Internet likely leaves companies unable to operate, since most plants run “lights out” – with no onsite staff.

The attacks took place on Friday and Saturday – during the Jewish Sabbath, when the fewest people would be around to detect and respond. Credit: The Algemeiner

Surveillance Company Employee Used Company’s Tool to Hack Love Interest

An employee of hacking tool vendor NSO Group, who was working on site at a customer location, broke into the office of the customer and aimed the software at a “love interest”.

While vendors like to claim that they are righteous and above reproach, the reality is that they have little control over what their employees do. Even the NSA seems to have trouble, given the reports of its analysts sharing salacious images they come across.

In fact, the so-called “insider threat” problem is a really difficult one to solve. In this case, the employee set off an alarm when he broke into the office where the authorized computer was located, and was caught and fired. Most do not get caught. Credit: Vice

Over 1,000 Public Companies List Ransomware as Risk

In case you had any doubt about the risk that ransomware represents, over 1,000 publicly traded companies list ransomware as a risk to future earnings in their 10-K, 10-Q and other SEC filings. Companies only have to list items that could be material to earnings, so it is usually a relatively short list. Four months into 2020, 700 companies have already put ransomware on that short list. Credit: ZDNet

Nearly 3 in 5 Americans Don’t Trust Apple-Google Covid Tracking Tech

The authorities want to track the contacts of anyone who tests positive for Covid-19. The way they want to do this is by getting everyone to install an app on their smartphone. But 1 in 6 (16%) Americans don’t even have a smartphone. In the high-risk group, those over 65, only 50% have smartphones, and for those over 75 it is even fewer.

Resistance is higher among Republicans and among those who think they are at lower risk. Only 17% of all smartphone owners said they would definitely use it.

The main reason for resistance is that people don’t trust Apple, Google and others to keep their data private. Even if the tech companies wanted to keep it private, the government could demand that they hand it over. Credit: Washington Post