Jan 23, 2020

Analysis | The Cybersecurity 202: Bezos hack reveals dangerous escalation in use of commercial hacking tools, experts warn

By Joseph Marks




Saudi Crown Prince Mohammed bin Salman and Amazon founder and chief executive Jeff Bezos in Riyadh. (Bandar al-Jaloud/AFP/Getty Images)
THE KEY
An alleged Saudi hacking campaign that compromised the cellphone of Amazon founder and Washington Post owner Jeff Bezos is a chilling example of how even the world's richest person can be hacked with tools that were likely bought off the shelf. 
It marks a significant escalation in the way nations use commercial hacking tools -- and is fueling calls from officials and experts to ban the international sale of spyware. 
“This should be a wake-up call for the international community,” Agnes Callamard, a U.N. investigator who urged such a moratorium in light of the Bezos hack, told me. “We need to take action before we are completely unable to control this technology.”
The breach underscores how the spread of commercial spyware is allowing a new generation of nations to engage in the sort of high-stakes hacking and espionage that was once the exclusive domain of a handful of countries including the United States, Russia and China. 
“It’s become a free-for-all, and anyone can acquire [these tools] now,” former FBI agent and cybersecurity expert Clint Watts told me.
Callamard and another U.N. expert, David Kaye, called on the U.S. government and other authorities yesterday to further investigate the hack, which they said appears to have been part of “an effort to influence, if not silence, The Washington Post's reporting on Saudi Arabia.”
The hacking occurred several months before the murder of Washington Post contributing columnist Jamal Khashoggi, who was critical of the Saudi regime and whose killing the CIA linked to the Saudi government in a December 2018 congressional briefing. The malware appears to have arrived in a WhatsApp message from the personal account of Saudi Crown Prince Mohammed bin Salman, investigators found.
The hack also appears to have been the source for leaked texts between Bezos and his girlfriend, Laura Sanchez, that appeared in the National Enquirer, according to a forensic investigation commissioned by Bezos which was published yesterday by Motherboard.
Saudi Arabia’s foreign minister, Prince Faisal bin Farhan Al Saud, disputed the U.N. report, saying “the idea that the crown prince would hack Jeff Bezos’s phone is absolutely silly,” as my colleague Marc Fisher reported.
Researchers have fretted for years about the way Saudi Arabia and other authoritarian regimes use commercial hacking and surveillance tools to spy on journalists and activists. Facebook even sued a major spyware vendor, Israel's NSO Group, in October for allegedly helping governments hack at least 100 journalists, political activists and human rights defenders across 20 countries using a technical flaw in its WhatsApp messaging service. Cost appears to be no object: Saudi Arabia paid NSO Group $55 million for use of its spyware in 2017, the New York Times has reported, citing Israeli news reports on government authorizations for the sale.
But this marks the first known instance of it being used to target a figure as prominent as Bezos. 
The hack also raises troubling questions about the role the U.S. government should play in a hack against a private citizen that nevertheless has major implications for the First Amendment, Watts told me.
Watts compared it to North Korea’s 2014 hack against Sony Pictures Entertainment, which U.S. officials said was sparked by leader Kim Jong Un’s ire at the gross-out buddy comedy “The Interview.” In the wake of the hack, Sony pulled the movie from theaters, leading to criticism it was caving to an adversary that wanted to curtail free speech. The Obama administration imposed new sanctions on North Korea following the hack, pledging to defend U.S. businesses and citizens and respond to foreign attempts to undermine U.S. values.
“This is one of those gray zones we have not thought through,” Watts said. “There’s no war game in the U.S. military here when a foreign government hacks an important U.S. business and media leader and dumps his information to the National Enquirer. What’s our responsibility in that case? What’s our counter response?”
Investigators hired by Bezos did not find traces of the malware itself but said its effects were similar to sophisticated hacking tools that are commercially available to intelligence and law enforcement agencies. They noted specific similarities to NSO tools, but the company vehemently denied it was the source of the tools in a statement on its website.
Investigators believe the malware was so sophisticated, in fact, that it did not require Bezos to click on the malicious video the crown prince sent him before it started extracting data.
“I think we’re just at the beginning of seeing these tools used in this way, and it’s very frightening,” Kaye told me.
The fact that a figure as prominent as Bezos was compromised also underscores how vulnerable most people without his resources are to spyware, Kaye said. “How does a regular person who doesn’t have their own personal security outfit...protect themselves?” he said. “It’s a pretty grim situation.”

PINGED, PATCHED, PWNED


Apple CEO Tim Cook and President Trump tour an Apple manufacturing plant Nov. 20 in Austin. (Evan Vucci/AP)
PINGED: President Trump doubled down on his calls for Apple to assist the Justice Department with cracking into two encrypted iPhones that belonged to the gunman who killed three people at a Florida naval base last month. 
“I think we should start finding some of the bad people out there that we can do with Apple. I think it’s very important,” Trump said in an interview with CNBC’s Joe Kernen yesterday morning.
Trump’s comments echoed a tweet he posted last week slamming the tech giant for not complying with the FBI’s requests to help it crack into the iPhones.
Privacy advocates have come to Apple’s defense, warning that government efforts to undermine encryption could hurt national security by making it easier for hackers to compromise encrypted communications. That includes the security of U.S. elections.
“It is vital that our nation’s election systems have the strongest possible shield against malicious hackers, especially given the resources that hostile foreign powers could deploy to undermine confidence in our democracy,” a coalition of groups led by the nonprofit watchdog Project on Government Oversight wrote in a letter to Attorney General William P. Barr.

A customer holds an iPhone. (Chris Ratcliffe/Bloomberg News)
PATCHED: As federal officials push for encryption back doors, local law enforcement agencies have increasingly turned to a cottage industry of powerful phone-cracking technology to break into encrypted devices they gather as evidence. At least 11 states have spent millions of dollars to break into the technology, an investigation by Michael Hayes at Medium's OneZero found.
The office of Manhattan District Attorney Cyrus R. Vance Jr., for instance, who has long called for an encryption back door, spent at least $200,000 on phone-cracking tools from Israeli company Cellebrite. 
The number of law enforcement agencies using the technology is probably greater than Hayes was able to confirm because a number of agencies did not respond to his public records requests or claimed they were exempt, he noted. 

The Huawei logo is seen at the IFA consumer electronics fair last year in Berlin. (Hannibal Hanschke/AP)
PWNED: U.S. officials have continued to warn Western allies that they will stop sharing intelligence with them if they do not sufficiently secure their next-generation 5G telecom networks against Chinese hacking. Robert L. Strayer, the State Department's top cybersecurity official, urged French officials to take strong security measures against security risks posed by the Chinese telecom Huawei in a meeting yesterday, the Associated Press reports. 
Strayer did not push for a full ban on Huawei but accused the company of being a potential tool for Chinese spying. Data theft by China happens on a regular basis, Strayer said. Huawei has steadfastly denied aiding Chinese espionage. 
The European Union has declined to recommend that members ban Huawei from their 5G buildouts. So far, Poland is the only European Union nation to do so.

PUBLIC KEY

Defending Digital Campaigns, a nonprofit organization that offers free and reduced-price cybersecurity tools to federal election campaigns, announced this morning it's offering services from 11 new companies including Microsoft and the security-key company Yubico. Other new services come from the web security company Cloudflare and the app security firm Kryptowire among others. 
DDC began offering cybersecurity help to campaigns in May after winning a Federal Elections Commission ruling that it could do so without violating campaign finance laws. Other companies working with DDC include the anti-phishing firm Area 1 Security and the encrypted messaging platform Wickr.
— More cybersecurity news from the public sector:

About 1.2 million registered voters in King County will have the option to cast ballots on their smartphones or computers in a local election.
The Wall Street Journal

Democratic campaigns were warned late last year that cybercriminals were seeking to steal their funds by posing online as staff and election vendors, CNN has learned.
CNN

The demands by Trump and his attorney general are raising expectations of a new push for legislation or a precedent-setting court ruling to compel Silicon Valley to give in on encryption.

The U.S. is preparing for a longer and broader campaign to banish Huawei Technologies from next-generation 5G cellular networks around the world, as Washington faces resistance on the front line of its lobbying campaign.

PRIVATE KEY

Leading Internet Service Providers and global cybersecurity organizations including Deutsche Telekom, Korea Telecom and the Global Cyber Alliance signed on today to a new set of security principles released by the World Economic Forum Center for Cybersecurity. The principles include protecting customers from cyberattacks "by default" and working with manufacturers to raise the minimum level of cybersecurity for the products. 
— More cybersecurity news from the private sector:

Google engineers said a tool Apple Inc. developed to help users avoid web tracking is fundamentally flawed and creates more problems than it solves.
Bloomberg

Almost 250 million records of Microsoft customer service and support reports, including locations and email addresses, were briefly exposed online in late December before the vulnerability was patched, a report published Wednesday found.
The Hill

U.S. insurers are ramping up cyber-insurance rates by as much as 25% and trying ...

THE NEW WILD WEST

— Cybersecurity news from abroad:

Huawei Chief Financial Officer Meng Wanzhou returned to a Vancouver courtroom on Wednesday where Canadian prosecutors defended a U.S. extradition request, saying Meng’s alleged bank fraud is the heart of the case that has strained relations between Ottawa and Beijing.
Reuters
