Analysis | The Cybersecurity 202: Bezos hack reveals dangerous escalation in use of commercial hacking tools, experts warn

By Joseph Marks

11-14 minutes - Source: The Washington Post

---

Saudi Crown Prince Mohammed bin Salman and Amazon founder and chief executive Jeff Bezos in Riyadh. (Bandar al-Jaloud/AFP/Getty Images)

THE KEY
An alleged Saudi hacking campaign that compromised the cellphone of Amazon founder and Washington Post owner Jeff Bezos is a chilling example of how even the world's richest person can be hacked with tools that were likely bought off the shelf. 
It marks a significant escalation in the way nations use commercial hacking tools -- and is fueling calls from officials and experts to ban the international sale of spyware. 
“This should be a wake-up call for the international community,” Agnes Callamard, a U.N. investigator who urged such a moratorium in light of the Bezos hack, told me. “We need to take action before we are completely unable to control this technology.”
The breach underscores how the spread of commercial spyware is allowing a new generation of nations to engage in the sort of high-stakes hacking and espionage that was once the exclusive domain of a handful of countries including the United States, Russia and China. 
“It’s become a free-for-all, and anyone can acquire [these tools] now,” former FBI agent and cybersecurity expert Clint Watts told me.

You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.

Not a regular subscriber?

Callamard and another U.N. expert, David Kaye, called on the U.S. government and other authorities yesterday to further investigate the hack, which they said appears to have been part of “an effort to influence, if not silence, The Washington Post's reporting on Saudi Arabia.”
The hacking occurred several months before the murder of Washington Post contributing columnist Jamal Khashoggi, who was critical of the Saudi regime and whose killing the CIA linked to the Saudi government in a December 2018 congressional briefing. The malware appears to have arrived in a WhatsApp message from the personal account of Saudi Crown Prince Mohammed bin Salman, investigators found.
The hack also appears to have been the source for leaked texts between Bezos and his girlfriend, Laura Sanchez, that appeared in the National Enquirer, according to a forensic investigation commissioned by Bezos which was published yesterday by Motherboard.
Saudi Arabia’s foreign minister, Prince Faisal bin Farhan Al Saud, disputed the U.N. report, saying “the idea that the crown prince would hack Jeff Bezos’s phone is absolutely silly,” as my colleague Marc Fisher reported.
Researchers have fretted for years about the way Saudi Arabia and other authoritarian regimes use commercial hacking and surveillance tools to spy on journalists and activists. Facebook even sued a major spyware vendor, Israel's NSO Group, in October for allegedly helping governments hack at least 100 journalists, political activists and human rights defenders across 20 countries using a technical flaw in its WhatsApp messaging service. Cost appears to be no object: Saudi Arabia paid NSO Group $55 million for use of its spyware in 2017, the New York Times has reported citing Israeli news reports on government authorizations for the sale.
But this marks the first known instance of it being used to target a figure as prominent as Bezos. 
The hack also raises troubling questions about the role the U.S. government should play in a hack against a private citizen that nevertheless has major implications for the First Amendment, Watts told me.
Watts compared it to North Korean’s 2014 hack against Sony Pictures Entertainment, which U.S. officials said was sparked by leader Kim Jong Un’s ire at the gross-out buddy comedy “The Interview.” In the wake of the hack, Sony pulled the movie from theaters, leading to criticism it was caving to an adversary that wanted to curtail free speech. The Obama administration imposed new sanctions on North Korea following the hack, pledging to defend U.S. businesses and citizens and respond to foreign attempts to undermine U.S. values.
 “This is one of those gray zones we have not thought through,” Watts said. “There’s no war game in the U.S. military here when a foreign government hacks an important U.S. business and media leader and dumps his information to the National Enquirer. What’s our responsibility in that case? What’s our counter response?”
Investigators hired by Bezos did not find traces of the malware itself but said its effects were similar to sophisticated hacking tools that are commercially available to intelligence and law enforcement agencies. They noted specific similarities to NSO tools, but the company vehemently denied it was the source of the tools in a statement on its website.
Investigators believe the malware was so sophisticated, in fact, that it did not require Bezos to click on the malicious video the crown prince sent him before it started extracting data.
“I think we’re just at the beginning of seeing these tools used in this way, and it’s very frightening,” Kaye told me.
The fact that a figure as prominent as Bezos was compromised also underscores how vulnerable most people without his resources are to spyware, Kaye said. “How does a regular person who doesn’t have their own personal security outfit...protect themselves?" he said. "It’s a pretty grim situation."

PINGED, PATCHED, PWNED

Apple CEO Tim Cook and President Trump tour an Apple manufacturing plant Nov. 20 in Austin. (Evan Vucci/AP)

PINGED: President Trump doubled down on his calls for Apple to assist the Justice Department with cracking into two encrypted iPhones that belonged to the gunman who killed three people at a Florida naval base last month. 
“I think we should … start finding some of the bad people out there that we can do with Apple. I think it’s very important,” Trump said in an interview with CNBC’s Joe Kernen yesterday morning.
Trump’s comments echoed a tweet he posted last week slamming the tech giant for not complying with the FBI’s requests to help it crack into the iPhones.
Privacy advocates have come to Apple’s defense, warning that government efforts to undermine encryption could hurt national security by making it easier for hackers to compromise encrypted communications. That includes the security of U.S. elections.
“It is vital that our nation’s election systems have the strongest possible shield against malicious hackers, especially given the resources that hostile foreign powers could deploy to undermine confidence in our democracy,” a coalition of groups led by the nonprofit watchdog Project on Government Oversight wrote in a letter to Attorney General William P. Barr.

A customer holds an iPhone. (Chris Ratcliffe/Bloomberg News)

PATCHED: As federal officials push for encryption back doors, local law enforcement agencies have increasingly turned to a cottage industry of powerful phone-cracking technology to break into encrypted devices they gather as evidence. At least 11 states have spent millions of dollars to break into the technology, an investigation by Michael Hayes at Medium's OneZero found. 
The office of Manhattan District Attorney Cyrus R. Vance Jr., for instance, who has long called for an encryption back door, spent at least $200,000 on phone-cracking tools from Israeli company Cellebrite. 
The number of law enforcement agencies using the technology is probably greater than Hayes was able to confirm because a number of agencies did not respond to his public records requests or claimed they were exempt, he noted. 

The Huawei logo is seen at the IFA consumer electronics fair last year in Berlin. (Hannibal Hanschke/AP)

PWNED: U.S. officials have continued to warn Western allies that they will stop sharing intelligence with them if they do not sufficiently secure their next-generation 5G telecom networks against Chinese hacking. Robert L. Strayer, the State Department's top cybersecurity official, urged French officials to take “strong security measures” against security risks posed by the Chinese telecom Huawei in a meeting yesterday, the Associated Press reports. 
Strayer did not push for a full ban on Huawei but accused the company of being a potential tool for Chinese spying. Data theft by China “happens on a regular basis,” Strayer said. Huawei has steadfastly denied aiding Chinese espionage. 
The European Union has declined to recommend that members ban Huawei from their 5G buildouts. So far, Poland is the only European Union nation to do so.

PUBLIC KEY

— Defending Digital Campaigns, a nonprofit organization that offers free and reduced-price cybersecurity tools to federal election campaigns, announced this morning it's offering services from 11 new companies including Microsoft and the security-key company Yubico. Other new services come from the web security company Cloudflare and the app security firm Kryptowire among others. 
DDC began offering cybersecurity help to campaigns in May after winning a Federal Elections Commission ruling that it could do so without violating campaign finance laws. Other companies working with DDC include the anti-phishing firm Area 1 Security and the encrypted messaging platform Wickr.
— More cybersecurity news from the public sector:

About 1.2 million registered voters in King County will have the option to cast ballots on their smartphones or computers in a local election.
The Wall Street Journal

Democratic campaigns were warned late last year that cybercriminals were seeking to steal their funds by posing online as staff and election vendors, CNN has learned.
CNN

The demands by Trump and his attorney general are raising expectations of a new push for legislation or a precedent-setting court ruling to compel Silicon Valley to give in on encryption.

The U.S. is preparing for a longer and broader campaign to banish Huawei Technologies from next-generation 5G cellular networks around the world, as Washington faces resistance on the front line of its lobbying campaign.
https://www.facebook.com/stuwoo

PRIVATE KEY

— Leading Internet Service Providers and global cybersecurity organizations including Deutsche Telekom, Korea Telecom and the Global Cyber Alliance signed on today to a new set of security principles released by the World Economic Forum Center for Cybersecurity. The principles include protecting customers from cyberattacks "by default" and working with manufacturers to raise the minimum level of cybersecurity for the products. 
— More cybersecurity news from the private sector:

Google engineers said a tool Apple Inc. developed to help users avoid web tracking is fundamentally flawed and creates more problems than it solves.
Bloomberg

Almost 250 million records of Microsoft customer service and support reports, including locations and email addresses, were briefly exposed online in late December before the vulnerability was patched, a report published Wednesday found.
The Hill

U.S. insurers are ramping up cyber-insurance rates by as much as 25% and trying ...

THE NEW WILD WEST

— Cybersecurity news from abroad:

Huawei Chief Financial Officer Meng Wanzhou returned to a Vancouver courtroom on Wednesday where Canadian prosecutors defended a U.S. extradition request, saying Meng’s alleged bank fraud is the heart of the case that has strained relations between Ottawa and Beijing.
Reuters

Market Insider | Biggest Moves Premarket: Stocks making the biggest moves premarket: Comcast, Travelers, American Air, GE & more

Peter Schacknow

3-4 minutes - Source: CNBC

---

Check out the companies making headlines before the bell:

Comcast (CMCSA) – The NBCUniversal and CNBC parent reported quarterly earnings of 79 cents per share, 3 cents a share above estimates. Revenue came in above forecasts as well. The company said its cable division saw record quarterly net additions for customer relationships. Comcast also announced a 10% dividend increase.
Procter & Gamble (PG) – The consumer products giant beat estimates by 5 cents a share, with quarterly profit of $1.42 per share. The company also raised its full-year earnings outlook. Sales missed estimates for the first time in five quarters, however, hurt by a stronger dollar.
Travelers (TRV) – Travelers beat estimates by 3 cents a share, with quarterly earnings of $3.32 per share. Revenue came in just above estimates. The insurance company saw net written premiums increase in all three business segments for the 12th consecutive quarter.
American Airlines (AAL) – The airline beat forecasts by a penny a share, with adjusted quarterly earnings of $1.15 per share. Revenue was essentially in line with estimates. The airline said about 10,000 flights were canceled during the quarter due to the Boeing (BA) 737 Max grounding.
General Electric (GE) – Morgan Stanley upgraded GE to “overweight” from “equal-weight” and raised the price target to $14 per share. Morgan Stanley noted the risks from the power and long-term care businesses, and from pension issues, are declining. It also called GE’s aviation business “best-in-class.”
VF Corp. (VFC) – The parent of North Face and other apparel brands reported adjusted quarterly profit of $1.23 per share, 2 cents a share above estimates. Revenue came in below Wall Street forecasts, however, and VF lowered its full-year guidance amid weak demand for its Timberland brand.
Southwest Airlines (LUV) – The airline reported quarterly profit of $1.16 per share, excluding an item of 18 cents per share from profit-sharing plan contributions related to compensation from Boeing. That compared to a consensus estimate of $1.09 per share. CEO Gary Kelly said more 737 Max-related schedule adjustments are likely to come. Revenue came in slightly above forecasts.
Amazon.com (AMZN) – Amazon asked a court to pause Microsoft’s (MSFT) work on the Pentagon’s “JEDI” contract, which Amazon maintains was unfairly awarded to Microsoft.
PG&E (PCG) – PG&E struck a deal with creditors led by Elliott Management and Pimco that will allow the utility to proceed with its reorganization plan. The creditors group had been pushing for a rival plan, but will now support PG&E’s proposal.
Texas Instruments (TXN) – Texas Instruments reported quarterly profit of $1.11 per share, beating estimates by 9 cents a share. The chipmaker’s revenue was also above Wall Street forecasts. The company forecast better-than-expected current-quarter revenue as demand for microchips stabilizes.
Ford Motor (F) – Ford will see a $2.2 billion pre-tax loss for the fourth quarter due to higher contributions to its employee pension plans.
Kinder Morgan (KMI) – Kinder Morgan reported quarterly earnings of 26 cents per share, missing estimates by a penny a share. The pipeline operator’s revenue also fell short of Wall Street forecasts, as prices for natural gas and crude oil fell.

When the Tech Backlash Turns Dangerous: Fake Calls for a SWAT Team

By Sheera Frenkel

8-10 minutes - Source: NYT

---

Online forums carry personal details of potential targets like industry leaders and their families. The police are struggling to find a solution.

Credit...Sarah Mazzetti

• Jan. 23, 2020

SAN FRANCISCO — Over the first week of November, the police in San Francisco and New York responded to a series of telephone calls claiming that hostages were being held in the homes of Adam Mosseri, a senior Facebook executive.
The calls appeared to be coming from inside the homes. Officers arrived in force and barricaded the streets outside. Twice. But after tense, hourslong standoffs, they realized the calls were hoaxes. There were no hostages, and no one in the homes had called the police.
Mr. Mosseri was one of a number of tech executives who have been targeted recently in so-called swatting incidents. Swatting is online lingo used to describe when people call the police with false reports of a violent crime of some sort inside a home, hoping to persuade them to send a well-armed SWAT team.
These incidents have become more common in communities rich with tech companies and their billionaire executives, like the Bay Area and Seattle, according to six police departments contacted by The New York Times.

Exact numbers are unclear, the police say, because there is no central repository of information for these sorts of attacks. But as online discourse has become more combative and more personal, some in the industry aren’t surprised that tech executives — the people who decide what is posted on and who is barred from social media — have become regular targets.

Swattings have spiked at Facebook in particular, according to local police departments and security officials at the company, which in recent years has cracked down on false accounts, threatening language and other types of content that violates its rules. They spoke on the condition of anonymity because of the sensitivity surrounding the attacks.
Mr. Mosseri declined to comment, and a Facebook spokesman, Anthony Harrison, said in a statement that “because these things deal with security matters and our employees, we are unable to comment.”
“Like any other type of crime, when the cost is zero and the deterrent is very low, you’ve created a perfect opportunity for people to pour time and resources into that crime,” said Brian Krebs, a swatting victim who writes a widely read blog, Krebs on Security.

The attacks have been aided by forums that have sprung up both on the public internet and on the camouflaged sites of the so-called dark web. These forums name thousands of people, from high-ranking executives to their extended families, who could be targets, providing cellphone numbers, home addresses and other information. Some even discuss techniques that can be used — like cheap, online technology that can spoof a phone number and make the police believe a 911 call is coming from a target’s home.
In the eight months since one online forum was started, nearly 3,000 people have joined.
“Who should we do next?” read one message on the forum last month. The responses included gun emojis — the symbol, in swatting forums, for an attack in which the police were successfully called to the target’s home. Many of the responses were laced with profanity, as well as suggestions for ex-girlfriends who should be swatted.
One forum names at least two dozen Facebook employees as potential targets. They range from executives to product engineers. Some forum participants said that they had been barred from Facebook or Instagram, and that Facebook employees were fair game because they “think they are god.”
On another forum, new names of potential swatting victims are added daily. With each new entry, there is — at a minimum — a home address. Some entries contain more details, including the best time of day to catch the person at home or information about the children’s school.
“Lol, sick,” read many of the replies.
Swatting started in the combative world of online gaming. It was a way to terrorize someone more famous, get even with a rival or retaliate against someone with different political views.
Provoking a heavily armed police response presents obvious risks. Last year, a 26-year-old California man was sentenced to 20 years in federal prison for calling in dozens of fake emergency calls, including one that led to the fatal police shooting of a Kansas resident, Andrew Finch.

Because few people carrying out swattings are ever caught, the police and tech companies can only guess at their motivations. They have seen, however, a correlation between removals of large numbers of accounts for threatening behavior or hate speech and what they believe to be retaliatory attacks against the executives responsible.

While more police departments are recognizing the threat, some have already found practical solutions. In Seattle, people who believe they are at risk of being swatted can include their information and that of their families on a police registry. When an emergency call about a potential threat comes in, the police check to make sure the home isn’t in the registry. If it is, they call the home first to see if they can reach someone inside, and check with neighbors to see if there are any corroborating reports of shots fired or other disturbances.
“The registry is a voluntary thing we created, and it is a small but effective step for people who know they are at risk of being targeted,” said Carmen Best, the police chief of Seattle. “Swatting is not a new thing. It’s been around for a long time, and it weaponizes our 911 system. It’s a lot more than a hoax or a prank.”
In addition to the registry, the Police Department has trained 911 operators to pick up cues to potential swatting in calls, Chief Best said. It has also begun educating officers on the importance of responding to questionable calls with a limited amount of force.
Seattle’s approach is unusual. None of the other police departments contacted by The Times had a similar registry, or had even heard of the idea, despite the recent swattings against tech executives in their jurisdictions.

Because swattings are largely organized online, the people behind them can live anywhere in the world. And despite numerous attempts to create federal legislation banning the practice, there is no specific statute that allows swatting to be investigated and prosecuted as a federal crime.

Facebook, Google and Twitter did not respond to requests for comment on measures they have taken to protect their employees from swatting. In recent months, all three companies have held discussions with employees who they believe are at risk.
They have asked those employees to take added precautions, such as not publicly giving their whereabouts or listing information about their family. The tech companies have also privately let the local police know when certain high-profile executives are at risk, according to police departments in the Silicon Valley area.
The home of Facebook’s chief executive, Mark Zuckerberg, was permanently flagged as high risk, said one Facebook security expert, who asked not to be named because of the sensitivity of the topic.
Facebook, Google and Twitter informally share information about potential swattings, giving warnings to one another if they spot a threat on their platforms, the expert said.
In an attack on another Facebook executive last year, police officers encircled the man’s home in Palo Alto, Calif., after being told that he was at risk of harming himself and his family. The incident was resolved without anyone getting hurt.
Facebook had flagged the executive as a likely target for swatting, and had taken precautions to protect him and his family. The police still sent a SWAT team.
“Anyone can be at risk of being swatted, but people who work in tech are at a particular risk,” Chief Best said. “We have to get a foothold on this, before more people get hurt.”

China coronavirus: The confirmed cases and where they are

Weizhen Tan, Joanna Tan

3-4 minutes - Source: CNBC

---

A new strain of virus that was first reported in China has killed 17 people and infected nearly 600 others.
Sometimes referred to as the Wuhan virus, it has been temporarily named the “2019-nCoV” and belongs to a family of viruses known as coronaviruses, which can be transmitted from person to person.
The deadly pneumonia-like disease was first identified on December 31, 2019, in the Chinese city of Wuhan in Hubei Province. It has since spread beyond Wuhan to major cities such as Beijing, Shanghai, Macau, and Hong Kong. Abroad, Thailand has confirmed cases, and the United States, Taiwan, South Korea, and Japan have each reported one case.
China’s capital city Beijing canceled major public events including two well-known Lunar New Year temple fairs, the state-run Beijing News said on Thursday, as authorities try to curb the spread of a deadly coronavirus outbreak.
Separately, the country’s railway operator, China State Railway Group, said passengers would be able to receive full refunds on tickets nationwide starting on Friday.
On Thursday, China put on lockdown the two cities at the epicenter of a new coronavirus outbreak. Most transport in Wuhan, a city of 11 million people, was suspended on Thursday morning and people were told not to leave. Hours later, state media in neighboring Huanggang, a city of some 6 million people, said it was imposing a similar lockdown.
Wuhan’s city government said it would shut down all urban transport networks and suspend outgoing flights from 10 a.m. (0200 GMT). Domestic media said some airlines were operating after the deadline, however.
State media broadcast images of one of Wuhan’s transport hubs, the Hankou rail station, nearly deserted, with gates blocked or barred. The government is urging citizens not to leave the city.
State media reported highway toll booths around Wuhan were closing down, which would effectively cut off road exits. Guards were patrolling major highways, one resident told Reuters.
Similar measures will take effect starting Friday in the nearby city of Ezhou. Theaters, internet cafes and other entertainment centers were also ordered closed, further increasing the economic costs of the response to the outbreak.
“The lockdown of 11 million people is unprecedented in public health history, so it is certainly not a recommendation the WHO has made,” Gauden Galea, the World Health Organization’s representative in Beijing, told Reuters.
The World Health Organization is debating on whether it should classify the outbreak a global health emergency.
Here’s a snapshot of the number of known cases and where they are, as well as confirmed deaths.

Mainland China: 571
Hong Kong: 2
Macau: 1
Taiwan: 1
South Korea: 1
Japan: 1
Thailand: 4
United States: 1
* Chinese cities or provinces with reported cases include Wuhan (Hubei), Beijing, Shanghai, Zhejiang, Guangdong, Hebei, Liaoning, Jiangsu, Fujian

—Reuters and The Associated Press contributed to this report.

UN calls for investigation into alleged Saudi crown prince involvement in Bezos phone hack

Natasha Turak

5-6 minutes - Source: CNBC

---

Amazon CEO Jeff Bezos announces Blue Moon, a lunar landing vehicle for the Moon, during a Blue Origin event in Washington, DC, May 9, 2019.
Saul Loeb | AFP | Getty Images

DUBAI, United Arab Emirates — UN experts have called for an immediate investigation into the “possible involvement” of Saudi Crown Prince Mohammed bin Salman in the hacking of Amazon CEO Jeff Bezos’ iPhone in 2018.

“The information we have received suggests the possible involvement of the Crown Prince in surveillance of Mr. Bezos, in an effort to influence, if not silence, The Washington Post’s reporting on Saudi Arabia,” UN special rapporteurs said in a statement Wednesday.
“The alleged hacking of Mr. Bezos’s phone, and those of others, demands immediate investigation by U.S. and other relevant authorities, including investigation of the continuous, multi-year, direct and personal involvement of the Crown Prince in efforts to target perceived opponents.”

The statement from UN’s human rights body centers on forensic investigations into the claim by Bezos — one of the world’s wealthiest men and owner of the Washington Post — that the Saudi government orchestrated a cyberattack against him to extract large amounts of data from his phone, including nude photos sent to his mistress.
The UN special rapporteurs, who are appointed by the world body but operate independently, made the statement after reviewing the 2019 forensic analysis carried out by Washington-based business advisory firm FTI Consulting on behalf of the American billionaire. Their statements follow earlier investigations into the killing and dismemberment of Washington Post journalist Jamal Khashoggi.
FTI consulting could not detail the specific spyware used in the attack, but said its experts had “medium to high confidence” that Bezos’ iPhone was hacked by malware coming from a Whatsapp account used by the Saudi crown prince.
“Based upon the results of a full forensic examination of the logical file system of Bezos’s phone, including network analysis, and an in-depth investigation conducted over several months, FTI reports with medium to high confidence that Bezos’s IPhone X was compromised via malware sent from a WhatsApp account used by Saudi Crown Prince Mohammed bin Salman,” the report said, according to an excerpt published by the Financial Times.

Riyadh has consistently rejected the accusations, and the Saudi embassy in Washington on Wednesday called the allegations “absurd.”

Bezos, through his security consultant Gavin de Becker, has flatly accused the Saudi government of wanting to do him harm. De Becker in March of 2019 alleged that the Saudis had “access to Bezos’s phone, and gained private information” and that the government was “intent on harming Jeff Bezos since . . . the Post began its relentless coverage” of the brutal murder in October 2018 of Khashoggi, a Saudi journalist critical of the kingdom’s monarchy. Khashoggi was a contributing writer for the Post with U.S. residency.
Riyadh said the killing was the result of a “rogue operation” that did not involve the crown prince, contradicting the CIA’s reported conclusion from late 2018 that implicated Bin Salman as being involved.

The hack: how experts believe it happened

According to the 2019 forensic analysis by FTI Consulting, Bezos’ phone was likely “infiltrated on 1 May 2018 via an MP4 video file sent from a WhatsApp account utilized personally by Mohammed bin Salman,” the UN statement read.
Bezos and the crown prince had exchanged numbers the month prior. Within hours of the video being sent from the crown prince’s account, “massive and (for Bezos’ phone) unprecedented exfiltration of data from the phone began” — the volume of data being transited to another location suddenly shot up by nearly 30,000% to 126 MB.
“Data spiking then continued undetected over some months and at rates as much as 106,032,045% (4.6 GB) higher than the pre-video data egress baseline for Mr. Bezos’ phone of 430KB,” the statement said.
The analysis pointed to a spyware product previously identified in other cases of Saudi surveillance, saying the intrusion was “likely undertaken” by a product like the Pegasus-3 malware created by Israeli-based NSO Group. Pegasus has been widely reported as having been purchased by Saudi officials, Saud al Qahtani, prince Mohammed’s former advisor who was implicated in the Khashoggi murder but ultimately not charged by the Saudi authorities.
“This would be consistent with other information,” the UN special rapporteurs wrote. “For instance, the use of WhatsApp as a platform to enable installation of Pegasus onto devices has been well-documented and is the subject of a lawsuit by Facebook/WhatsApp against NSO Group.”
NSO responded in a statement posted to its website Wednesday, saying “NSO is shocked and appalled by the story that has been published with respect to alleged hacking of the phone of Mr. Jeff Bezos,” and calling for a “full investigation” if the story is true.
“Just as we stated when these stories first surfaced months ago, we can say unequivocally that our technology was not used in this instance,” the company said.

Analysis | The Cybersecurity 202: Glenn Greenwald says Brazil charges are part of a global trend to criminalize journalism

By Joseph Marks

13-17 minutos - Source: The Washington Post

---

Journalist Glenn Greenwald. (Evaristo Sa/AFP/Getty Images)

THE KEY
American journalist Glenn Greenwald says the Brazilian government's charges against him are the latest strike in a global campaign by governments across the world to use anti-hacking laws to punish and silence journalists. 
“Governments [are] figuring out how they can criminalize journalism based on large-scale digital leaks,” Greenwald told me.  
Greenwald, who won a Pulitzer Prize for reporting on leaked documents from former National Security Agency contractor Edward Snowden in 2014, says the charges are baseless. “Even in democracies —let alone in the authoritarian world — there’s a real struggle to make the law fit criminalizing leaks of this sort,” he said.  
Greenwald, who lives in Rio de Janeiro, is facing charges stemming from his reporting on leaked cellphone messages that raised doubts about a corruption investigation that aided the rise of Brazil's far-right President Jair Bolsonaro. Greenwald is accused of being part of a "criminal organization" that allegedly hacked into public officials' cellphones last year to copy messages that were published on his news site, the Intercept Brazil, as my colleagues Miriam Berger and Paul Farhi report.
Greenwald compared the Brazilian charges against him to the Trump administration’s controversial decision to prosecute WikiLeaks founder Julian Assange last year under the main U.S. anti-hacking law, the 1986 Computer Fraud and Abuse Act. 
“I’ve been particularly concerned given the Bolsonaro government’s subservience to and admiration for the Trump government that they’d look to the precedent the Trump government used to indict Julian Assange,” he told me, “trying to concoct a dubious or tenuous theory that he went beyond passing information to participating in the crime itself.”

You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.

Not a regular subscriber?

The charges come as officials in the United States and elsewhere have faced years of criticism for not updating decades-old hacking laws, which critics say are overly broad and can be used to criminalize innocuous work by anyone who deals with computer networks or large digital files including security researchers and journalists. 
Brazilian prosecutors allege Greenwald crossed a line by encouraging his anonymous sources to delete their copies of stolen messages to evade detection. That explanation drew quick criticism from press freedom advocates in the United States and Brazil who said it criminalized reporters advising their sources on how to work securely. Greenwald told me he’d scrupulously followed Brazilian law and called the charges “an obvious attempt to attack a free press.”
In the Assange case, meanwhile, U.S. prosecutors say he violated the law by offering to help then-military intelligence analyst Chelsea Manning decipher a password so she could get greater access to a military database and pass more secrets to WikiLeaks. Cybersecurity experts at the time criticized the Trump administration for stretching the 34-year-old CFAA law to fit a situation its authors never could have envisioned.
Press freedom advocates were less eager than Greenwald to draw a comparison between the charges against him and Assange. Gabe Rottman, technology and press freedom director at the Reporters Committee for Freedom of the Press, said that Assange's offer to help a source crack a password could be deemed illegal under a reasonable reading of the CFAA, while Greenwald's alleged advice to sources on security does not violate ethical or legal principles. Rottman, who’s written extensively about the Assange charges, says he takes this view even though he considers the CFAA so out of pace with modern technology that it can be applied in an unconstitutional manner in many cases.
Greenwald acknowledged there may be important distinctions between his actions and Assange’s, but he described the two cases as on the same “slippery slope.” Greenwald also warned they could lead to reporters being prosecuted for common journalistic practices such as urging sources to contact them using encrypted apps or accepting document leaks through online tools that anonymize the sender. 
“There’s a general aversion to defending Assange by press freedom groups because they don’t see Assange as a journalist and they do see me as one,” he said. “But there’s no question the [Assange] indictment encourages governments to criminalize a person in the role of a journalist.”
Greenwald added in a statement that he hasn’t been detained and plans to keep publishing.
Though Greenwald has ruffled some feathers in Washington with his reporting on leaked information, he is getting strong support from many lawmakers. 
Rep. Ro Khanna (D-Calif.) said the charges will have a “chilling effect” on journalism and said he’s crafting legislation to protect journalists from prosecution.

Prosecuting reporters for doing their work will have chilling effect on journalism across the world.
I'm crafting legislation to protect journalists from being prosecuted over their published work. https://t.co/vh9cS3eLi0

— Rep. Ro Khanna (@RepRoKhanna) January 21, 2020

Rep. Don Beyer (D-Va.) called the charges “a step backwards that hurts Brazil.”

I've been criticized, I think unfairly, by Greenwald – but public officials deserve scrutiny and criticism. That's what happens under a free press, which is vital in a democratic society. The alternative is far worse.
Persecuting critics is a step backwards that hurts Brazil. https://t.co/r9aRqU2ty3

— Rep. Don Beyer (@RepDonBeyer) January 21, 2020

“No journalist should face prosecution for reporting critical facts about the government or politicians,” Sen. Ron Wyden (D-Ore.) said in an emailed statement reported by the Intercept.
Advocacy groups also came to Greenwald’s defense.  
The American Civil Liberties Union called the charges an “outrageous assault on the freedom of the press.”

Our government must immediately condemn this outrageous assault on the freedom of the press, and recognize that its attacks on press freedoms at home have consequences for American journalists doing their jobs abroad, like Glenn Greenwald. https://t.co/fHycUBq3Dq

— ACLU (@ACLU) January 21, 2020

The Electronic Frontier Foundation called them “a threat to democracy” that “discourages journalists from using technology to best serve the public.”

"@EFF is dismayed to learn of the decision by Brazilian prosecutors to charge journalist Glenn Greenwald under the country’s computer crime law... It is a threat to democracy...and it discourages journalists from using technology to best serve the public." https://t.co/SOT2MUSPVF

— Freedom of the Press (@FreedomofPress) January 21, 2020

Even some former intelligence community officials jumped in. Here’s former NSA attorney Susan Hennessey, a senior fellow at the Brookings Institution who runs the Lawfare blog:

Glenn Greenwald has called me a "deceitful" mouthpiece of the national security state and I assure you I've rarely had a nice thing to say about him. But this is an outrageous assault on press freedom that should alarm every American. https://t.co/7LUKHAtPud

— Susan Hennessey (@Susan_Hennessey) January 21, 2020

PINGED, PATCHED, PWNED

House impeachment managers and President Trump’s defenders agreed early this morning on ground rules for his historic Senate impeachment trial. That trial’s sure to delve into conspiracy theories the president embraced that cast doubt on Russia’s hacking and disinformation campaign against the 2016 election and hacking threats facing 2020. Here’s other big cybersecurity news to start your day.

Jeff Bezos, founder and chief executive officer of Amazon. (Anindito Mukherjee/Bloomberg News)

PINGED: The crown prince of Saudi Arabia, Mohammed bin Salman, may have personally helped to hack the phone of Amazon CEO Jeff Bezos in 2018, a United Nations report to be released Wednesday will find, my colleagues Marc Fisher and Steven Zeitchik report. 
The report details a forensic investigation that found Bezos’s cellphone was hacked in 2018 after he got a WhatsApp message containing a malicious file that came from an account purportedly belonging to MBS, as the crown prince is known. The Guardian was first to report the findings, which appear to confirm suspicions raised by Bezos’s private investigators that Saudis were involved in leaking intimate text messages between Bezos and his girlfriend to American Media Inc., which owns the National Enquirer tabloid, in early 2019.
The hack occurred just five months before the killing of Washington Post contributing columnist Jamal Khashoggi, a veteran Saudi journalist who was highly critical of the royal court.
“Bezos, who owns The Washington Post, has alleged through his security consultant, Gavin de Becker, that the Saudi government had ‘access to Bezos’s phone, and gained private information,’" my colleagues reported. De Becker wrote in the Daily Beast that the Saudis were “intent on harming Jeff Bezos since . . . the Post began its relentless coverage” of Khashoggi's murder.
The revelation could put pressure on the White House, which has maintained friendly ties with the Saudi royal family despite concerns about its human rights record. Bezos's spokesman Jay Carney declined to comment.

Former secretary of state Hillary Clinton speaks at a panel for the Hulu documentary “Hillary.” (Mario Anzuoni/Reuters)

PATCHED: Hillary Clinton had some potent advice for this year’s candidates in a Hollywood Reporter interview yesterday: “If your emails haven’t been stolen yet, they will be.” 
Clinton’s campaign was upended in 2016 after Russian hackers stole troves of emails from her chairman, John Podesta, and dribbled them out to cause as much damage as possible. 
“You’ve got to deal with the theft of your personal information, particularly your emails,” she said in the interview connected with an upcoming documentary about her campaign. “Then you've got to worry about the propaganda, the fake news, the made-up stories. Now you have the additional worry of the deepfakes, and people putting words in your mouth.”
Clinton also warned that Russia is already trying to manipulate the 2020 contest, referring to a suspected Russian hack into computers at Ukrainian gas company Burisma that may have been aimed at digging up dirt on former vice president Joseph Biden, a 2020 candidate, and his son Hunter.
Clinton said she has given the warning about emails personally to most of the 2020 Democratic contenders, including Sens. Amy Klobuchar (Minn.) and Elizabeth Warren (Mass.)
PWNED: Apple reversed plans to allow iPhone users to encrypt backups of their data on iCloud two years ago after the FBI complained that it would hamper investigations, people familiar with the matter tell Joseph Menn at Reuters. The decision demonstrates Apple’s willingness to help U.S. law enforcement despite its public refusal to build police backdoors into its encryption system.
The people he talked to offered varying reasons for why Apple dropped the plan.
“They decided they weren’t going to poke the bear anymore,” one person said, referring to Apple’s court battle with the FBI in 2016 over access to an iPhone used by one of the suspects in a mass shooting in San Bernardino, Calif. Another said Apple’s legal team killed the plan, though the FBI’s criticism was never explicitly cited as the cause.
Apple most recently gave the FBI the iCloud backups of two phones belonging to a gunman behind a shooting at a Florida military base last month but refused to help the bureau hack into messages on the phones themselves.
An Apple spokesman declined to comment. The FBI did not respond to Reuters’s requests for comment.

PUBLIC KEY

— The software industry group BSA launched a “Global Data Alliance” today to lobby governments around the world to promote policies that safeguard companies’ ability to transfer data across borders without legal constraints.
Founding members include Microsoft, American Express, AT&T, Cisco, Mastercard, Panasonic, United Airlines, Verizon and Visa.
— More cybersecurity news from the public sector:

Rep. Jim Banks (R-Ind.) introduced a bill Tuesday aimed at barring the United States from sharing intelligence with any countries that permit Huawei to operate their 5G networks.
The Hill

It took the Federal Bureau of Investigation about two months to unlock the Apple iPhone 11 that was seized from Lev Parnas, the indicted associate of Rudy Giuliani.
Bloomberg

Respondents describe barriers ranging from a lack of resources to intelligence agencies’ classification decisions.
Nextgov

The Trump administration fears Chinese universities are exploiting ties to U.S. businesses and universities to promote Beijing’s economic and military goals. Chinese intelligence services are seeking specific pieces of technology that fill gaps in research.
The Wall Street Journal

PRIVATE KEY

— Cybersecurity news from the private sector:

The Trump administration wants Apple to create a backdoor into the iPhone. District Attorney Cy Vance Jr. has spent millions trying to find other ways in.
Fast Company

THE NEW WILD WEST

— Cybersecurity news from abroad:

New Delhi is inching closer to recommending regulations that would require social media companies and instant messaging app providers operating in the nation to help law enforcement agencies identify users who have posted content — or sent messages — it deems questionable.
TechCrunch

ZERO DAYBOOK

— Today:

• The Senate Commerce Committee will host a hearing on “The 5G Workforce and Obstacles to Broadband Deployment” at 10 a.m.

— Coming up:

• New America’s Open Technology Institute will host an event titled “Privacy’s Best Friend: How Encryption Protects Consumers, Companies, and Governments Worldwide” on Feb. 4 at 12 p.m.
• RSA Conference 2020 is scheduled for Feb. 24-28 in San Francisco.