Asian Markets Closing Report


Jan 23, 2020

Analysis | The Cybersecurity 202: Bezos hack reveals dangerous escalation in use of commercial hacking tools, experts warn

By Joseph Marks

Saudi Crown Prince Mohammed bin Salman and Amazon founder and chief executive Jeff Bezos in Riyadh. (Bandar al-Jaloud/AFP/Getty Images)
An alleged Saudi hacking campaign that compromised the cellphone of Amazon founder and Washington Post owner Jeff Bezos is a chilling example of how even the world's richest person can be hacked with tools that were likely bought off the shelf. 
It marks a significant escalation in the way nations use commercial hacking tools -- and is fueling calls from officials and experts to ban the international sale of spyware. 
“This should be a wake-up call for the international community,” Agnes Callamard, a U.N. investigator who urged such a moratorium in light of the Bezos hack, told me. “We need to take action before we are completely unable to control this technology.”
The breach underscores how the spread of commercial spyware is allowing a new generation of nations to engage in the sort of high-stakes hacking and espionage that was once the exclusive domain of a handful of countries including the United States, Russia and China. 
“It’s become a free-for-all, and anyone can acquire [these tools] now,” former FBI agent and cybersecurity expert Clint Watts told me.
Callamard and another U.N. expert, David Kaye, called on the U.S. government and other authorities yesterday to further investigate the hack, which they said appears to have been part of “an effort to influence, if not silence, The Washington Post's reporting on Saudi Arabia.”
The hacking occurred several months before the murder of Washington Post contributing columnist Jamal Khashoggi, who was critical of the Saudi regime and whose killing the CIA linked to the Saudi government in a December 2018 congressional briefing. The malware appears to have arrived in a WhatsApp message from the personal account of Saudi Crown Prince Mohammed bin Salman, investigators found.
The hack also appears to have been the source for leaked texts between Bezos and his girlfriend, Laura Sanchez, that appeared in the National Enquirer, according to a forensic investigation commissioned by Bezos which was published yesterday by Motherboard.
Saudi Arabia’s foreign minister, Prince Faisal bin Farhan Al Saud, disputed the U.N. report, saying “the idea that the crown prince would hack Jeff Bezos’s phone is absolutely silly,” as my colleague Marc Fisher reported.
Researchers have fretted for years about the way Saudi Arabia and other authoritarian regimes use commercial hacking and surveillance tools to spy on journalists and activists. Facebook even sued a major spyware vendor, Israel's NSO Group, in October for allegedly helping governments hack at least 100 journalists, political activists and human rights defenders across 20 countries using a technical flaw in its WhatsApp messaging service. Cost appears to be no object: Saudi Arabia paid NSO Group $55 million for use of its spyware in 2017, the New York Times has reported citing Israeli news reports on government authorizations for the sale.
But this marks the first known instance of it being used to target a figure as prominent as Bezos. 
The hack also raises troubling questions about the role the U.S. government should play in a hack against a private citizen that nevertheless has major implications for the First Amendment, Watts told me.
Watts compared it to North Korea’s 2014 hack against Sony Pictures Entertainment, which U.S. officials said was sparked by leader Kim Jong Un’s ire at the gross-out buddy comedy “The Interview.” In the wake of the hack, Sony pulled the movie from theaters, leading to criticism it was caving to an adversary that wanted to curtail free speech. The Obama administration imposed new sanctions on North Korea following the hack, pledging to defend U.S. businesses and citizens and respond to foreign attempts to undermine U.S. values.
“This is one of those gray zones we have not thought through,” Watts said. “There’s no war game in the U.S. military here when a foreign government hacks an important U.S. business and media leader and dumps his information to the National Enquirer. What’s our responsibility in that case? What’s our counter response?”
Investigators hired by Bezos did not find traces of the malware itself but said its effects were similar to sophisticated hacking tools that are commercially available to intelligence and law enforcement agencies. They noted specific similarities to NSO tools, but the company vehemently denied it was the source of the tools in a statement on its website.
Investigators believe the malware was so sophisticated, in fact, that it did not require Bezos to click on the malicious video the crown prince sent him before it started extracting data.
“I think we’re just at the beginning of seeing these tools used in this way, and it’s very frightening,” Kaye told me.
The fact that a figure as prominent as Bezos was compromised also underscores how vulnerable most people without his resources are to spyware, Kaye said. “How does a regular person who doesn’t have their own personal security outfit...protect themselves?” he said. “It’s a pretty grim situation.”


Apple CEO Tim Cook and President Trump tour an Apple manufacturing plant Nov. 20 in Austin. (Evan Vucci/AP)
PINGED: President Trump doubled down on his calls for Apple to assist the Justice Department with cracking into two encrypted iPhones that belonged to the gunman who killed three people at a Florida naval base last month. 
“I think we should start finding some of the bad people out there that we can do with Apple. I think it’s very important,” Trump said in an interview with CNBC’s Joe Kernen yesterday morning.
Trump’s comments echoed a tweet he posted last week slamming the tech giant for not complying with the FBI’s requests to help it crack into the iPhones.
Privacy advocates have come to Apple’s defense, warning that government efforts to undermine encryption could hurt national security by making it easier for hackers to compromise encrypted communications. That includes the security of U.S. elections.
“It is vital that our nation’s election systems have the strongest possible shield against malicious hackers, especially given the resources that hostile foreign powers could deploy to undermine confidence in our democracy,” a coalition of groups led by the nonprofit watchdog Project on Government Oversight wrote in a letter to Attorney General William P. Barr.

A customer holds an iPhone. (Chris Ratcliffe/Bloomberg News)
PATCHED: As federal officials push for encryption back doors, local law enforcement agencies have increasingly turned to a cottage industry of powerful phone-cracking technology to break into encrypted devices they gather as evidence. At least 11 states have spent millions of dollars to break into the technology, an investigation by Michael Hayes at Medium's OneZero found.
The office of Manhattan District Attorney Cyrus R. Vance Jr., for instance, who has long called for an encryption back door, spent at least $200,000 on phone-cracking tools from Israeli company Cellebrite. 
The number of law enforcement agencies using the technology is probably greater than Hayes was able to confirm because a number of agencies did not respond to his public records requests or claimed they were exempt, he noted. 

The Huawei logo is seen at the IFA consumer electronics fair last year in Berlin. (Hannibal Hanschke/AP)
PWNED: U.S. officials have continued to warn Western allies that they will stop sharing intelligence with them if they do not sufficiently secure their next-generation 5G telecom networks against Chinese hacking. Robert L. Strayer, the State Department's top cybersecurity official, urged French officials to take strong security measures against security risks posed by the Chinese telecom Huawei in a meeting yesterday, the Associated Press reports. 
Strayer did not push for a full ban on Huawei but accused the company of being a potential tool for Chinese spying. Data theft by China happens on a regular basis, Strayer said. Huawei has steadfastly denied aiding Chinese espionage. 
The European Union has declined to recommend that members ban Huawei from their 5G buildouts. So far, Poland is the only European Union nation to do so.


Defending Digital Campaigns, a nonprofit organization that offers free and reduced-price cybersecurity tools to federal election campaigns, announced this morning it's offering services from 11 new companies including Microsoft and the security-key company Yubico. Other new services come from the web security company Cloudflare and the app security firm Kryptowire among others. 
DDC began offering cybersecurity help to campaigns in May after winning a Federal Elections Commission ruling that it could do so without violating campaign finance laws. Other companies working with DDC include the anti-phishing firm Area 1 Security and the encrypted messaging platform Wickr.
— More cybersecurity news from the public sector:

About 1.2 million registered voters in King County will have the option to cast ballots on their smartphones or computers in a local election.
The Wall Street Journal

Democratic campaigns were warned late last year that cybercriminals were seeking to steal their funds by posing online as staff and election vendors, CNN has learned.

The demands by Trump and his attorney general are raising expectations of a new push for legislation or a precedent-setting court ruling to compel Silicon Valley to give in on encryption.

The U.S. is preparing for a longer and broader campaign to banish Huawei Technologies from next-generation 5G cellular networks around the world, as Washington faces resistance on the front line of its lobbying campaign.


Leading Internet Service Providers and global cybersecurity organizations including Deutsche Telekom, Korea Telecom and the Global Cyber Alliance signed on today to a new set of security principles released by the World Economic Forum Center for Cybersecurity. The principles include protecting customers from cyberattacks "by default" and working with manufacturers to raise the minimum level of cybersecurity for the products. 
— More cybersecurity news from the private sector:

Google engineers said a tool Apple Inc. developed to help users avoid web tracking is fundamentally flawed and creates more problems than it solves.

Almost 250 million records of Microsoft customer service and support reports, including locations and email addresses, were briefly exposed online in late December before the vulnerability was patched, a report published Wednesday found.
The Hill

U.S. insurers are ramping up cyber-insurance rates by as much as 25% and trying ...


— Cybersecurity news from abroad:

Huawei Chief Financial Officer Meng Wanzhou returned to a Vancouver courtroom on Wednesday where Canadian prosecutors defended a U.S. extradition request, saying Meng’s alleged bank fraud is the heart of the case that has strained relations between Ottawa and Beijing.

Market Insider | Biggest Moves Premarket: Stocks making the biggest moves premarket: Comcast, Travelers, American Air, GE & more

Peter Schacknow

Check out the companies making headlines before the bell:

Comcast (CMCSA) – The NBCUniversal and CNBC parent reported quarterly earnings of 79 cents per share, 3 cents a share above estimates. Revenue came in above forecasts as well. The company said its cable division saw record quarterly net additions for customer relationships. Comcast also announced a 10% dividend increase.
Procter & Gamble (PG) – The consumer products giant beat estimates by 5 cents a share, with quarterly profit of $1.42 per share. The company also raised its full-year earnings outlook. Sales missed estimates for the first time in five quarters, however, hurt by a stronger dollar.
Travelers (TRV) – Travelers beat estimates by 3 cents a share, with quarterly earnings of $3.32 per share. Revenue came in just above estimates. The insurance company saw net written premiums increase in all three business segments for the 12th consecutive quarter.
American Airlines (AAL) – The airline beat forecasts by a penny a share, with adjusted quarterly earnings of $1.15 per share. Revenue was essentially in line with estimates. The airline said about 10,000 flights were canceled during the quarter due to the Boeing (BA) 737 Max grounding.
General Electric (GE) – Morgan Stanley upgraded GE to “overweight” from “equal-weight” and raised the price target to $14 per share. Morgan Stanley noted the risks from the power and long-term care businesses, and from pension issues, are declining. It also called GE’s aviation business “best-in-class.”
VF Corp. (VFC) – The parent of North Face and other apparel brands reported adjusted quarterly profit of $1.23 per share, 2 cents a share above estimates. Revenue came in below Wall Street forecasts, however, and VF lowered its full-year guidance amid weak demand for its Timberland brand.
Southwest Airlines (LUV) – The airline reported quarterly profit of $1.16 per share, excluding an item of 18 cents per share from profit-sharing plan contributions related to compensation from Boeing. That compared to a consensus estimate of $1.09 per share. CEO Gary Kelly said more 737 Max-related schedule adjustments are likely to come. Revenue came in slightly above forecasts.
Amazon (AMZN) – Amazon asked a court to pause Microsoft’s (MSFT) work on the Pentagon’s “JEDI” contract, which Amazon maintains was unfairly awarded to Microsoft.
PG&E (PCG) – PG&E struck a deal with creditors led by Elliott Management and Pimco that will allow the utility to proceed with its reorganization plan. The creditors group had been pushing for a rival plan, but will now support PG&E’s proposal.
Texas Instruments (TXN) – Texas Instruments reported quarterly profit of $1.11 per share, beating estimates by 9 cents a share. The chipmaker’s revenue was also above Wall Street forecasts. The company forecast better-than-expected current-quarter revenue as demand for microchips stabilizes.
Ford Motor (F) – Ford will see a $2.2 billion pre-tax loss for the fourth quarter due to higher contributions to its employee pension plans.
Kinder Morgan (KMI) – Kinder Morgan reported quarterly earnings of 26 cents per share, missing estimates by a penny a share. The pipeline operator’s revenue also fell short of Wall Street forecasts, as prices for natural gas and crude oil fell.

When the Tech Backlash Turns Dangerous: Fake Calls for a SWAT Team

By Sheera Frenkel

Online forums carry personal details of potential targets like industry leaders and their families. The police are struggling to find a solution.
Credit: Sarah Mazzetti
SAN FRANCISCO — Over the first week of November, the police in San Francisco and New York responded to a series of telephone calls claiming that hostages were being held in the homes of Adam Mosseri, a senior Facebook executive.
The calls appeared to be coming from inside the homes. Officers arrived in force and barricaded the streets outside. Twice. But after tense, hourslong standoffs, they realized the calls were hoaxes. There were no hostages, and no one in the homes had called the police.
Mr. Mosseri was one of a number of tech executives who have been targeted recently in so-called swatting incidents. Swatting is online lingo used to describe when people call the police with false reports of a violent crime of some sort inside a home, hoping to persuade them to send a well-armed SWAT team.
These incidents have become more common in communities rich with tech companies and their billionaire executives, like the Bay Area and Seattle, according to six police departments contacted by The New York Times.
Exact numbers are unclear, the police say, because there is no central repository of information for these sorts of attacks. But as online discourse has become more combative and more personal, some in the industry aren’t surprised that tech executives — the people who decide what is posted on and who is barred from social media — have become regular targets.
Swattings have spiked at Facebook in particular, according to local police departments and security officials at the company, which in recent years has cracked down on false accounts, threatening language and other types of content that violates its rules. They spoke on the condition of anonymity because of the sensitivity surrounding the attacks.
Mr. Mosseri declined to comment, and a Facebook spokesman, Anthony Harrison, said in a statement that “because these things deal with security matters and our employees, we are unable to comment.”
“Like any other type of crime, when the cost is zero and the deterrent is very low, you’ve created a perfect opportunity for people to pour time and resources into that crime,” said Brian Krebs, a swatting victim who writes a widely read blog, Krebs on Security.
The attacks have been aided by forums that have sprung up both on the public internet and on the camouflaged sites of the so-called dark web. These forums name thousands of people, from high-ranking executives to their extended families, who could be targets, providing cellphone numbers, home addresses and other information. Some even discuss techniques that can be used — like cheap, online technology that can spoof a phone number and make the police believe a 911 call is coming from a target’s home.
In the eight months since one online forum was started, nearly 3,000 people have joined.
“Who should we do next?” read one message on the forum last month. The responses included gun emojis — the symbol, in swatting forums, for an attack in which the police were successfully called to the target’s home. Many of the responses were laced with profanity, as well as suggestions for ex-girlfriends who should be swatted.
One forum names at least two dozen Facebook employees as potential targets. They range from executives to product engineers. Some forum participants said that they had been barred from Facebook or Instagram, and that Facebook employees were fair game because they “think they are god.”
On another forum, new names of potential swatting victims are added daily. With each new entry, there is — at a minimum — a home address. Some entries contain more details, including the best time of day to catch the person at home or information about the children’s school.
“Lol, sick,” read many of the replies.
Swatting started in the combative world of online gaming. It was a way to terrorize someone more famous, get even with a rival or retaliate against someone with different political views.
Provoking a heavily armed police response presents obvious risks. Last year, a 26-year-old California man was sentenced to 20 years in federal prison for calling in dozens of fake emergency calls, including one that led to the fatal police shooting of a Kansas resident, Andrew Finch.
Because few people carrying out swattings are ever caught, the police and tech companies can only guess at their motivations. They have seen, however, a correlation between removals of large numbers of accounts for threatening behavior or hate speech and what they believe to be retaliatory attacks against the executives responsible.
While more police departments are recognizing the threat, some have already found practical solutions. In Seattle, people who believe they are at risk of being swatted can include their information and that of their families on a police registry. When an emergency call about a potential threat comes in, the police check to make sure the home isn’t in the registry. If it is, they call the home first to see if they can reach someone inside, and check with neighbors to see if there are any corroborating reports of shots fired or other disturbances.
“The registry is a voluntary thing we created, and it is a small but effective step for people who know they are at risk of being targeted,” said Carmen Best, the police chief of Seattle. “Swatting is not a new thing. It’s been around for a long time, and it weaponizes our 911 system. It’s a lot more than a hoax or a prank.”
In addition to the registry, the Police Department has trained 911 operators to pick up cues to potential swatting in calls, Chief Best said. It has also begun educating officers on the importance of responding to questionable calls with a limited amount of force.
Seattle’s approach is unusual. None of the other police departments contacted by The Times had a similar registry, or had even heard of the idea, despite the recent swattings against tech executives in their jurisdictions.
Because swattings are largely organized online, the people behind them can live anywhere in the world. And despite numerous attempts to create federal legislation banning the practice, there is no specific statute that allows swatting to be investigated and prosecuted as a federal crime.
Facebook, Google and Twitter did not respond to requests for comment on measures they have taken to protect their employees from swatting. In recent months, all three companies have held discussions with employees who they believe are at risk.
They have asked those employees to take added precautions, such as not publicly giving their whereabouts or listing information about their family. The tech companies have also privately let the local police know when certain high-profile executives are at risk, according to police departments in the Silicon Valley area.
The home of Facebook’s chief executive, Mark Zuckerberg, was permanently flagged as high risk, said one Facebook security expert, who asked not to be named because of the sensitivity of the topic.
Facebook, Google and Twitter informally share information about potential swattings, giving warnings to one another if they spot a threat on their platforms, the expert said.
In an attack on another Facebook executive last year, police officers encircled the man’s home in Palo Alto, Calif., after being told that he was at risk of harming himself and his family. The incident was resolved without anyone getting hurt.
Facebook had flagged the executive as a likely target for swatting, and had taken precautions to protect him and his family. The police still sent a SWAT team.
“Anyone can be at risk of being swatted, but people who work in tech are at a particular risk,” Chief Best said. “We have to get a foothold on this, before more people get hurt.”

China coronavirus: The confirmed cases and where they are

Weizhen Tan, Joanna Tan

A new strain of virus that was first reported in China has killed 17 people and infected nearly 600 others.
Sometimes referred to as the Wuhan virus, it has been temporarily named the “2019-nCoV” and belongs to a family of viruses known as coronaviruses, which can be transmitted from person to person.
The deadly pneumonia-like disease was first identified on December 31, 2019, in the Chinese city of Wuhan in Hubei Province. It has since spread beyond Wuhan to major cities such as Beijing, Shanghai, Macau, and Hong Kong. Abroad, Thailand has confirmed cases, and the United States, Taiwan, South Korea, and Japan have each reported one case.
China’s capital city Beijing canceled major public events including two well-known Lunar New Year temple fairs, the state-run Beijing News said on Thursday, as authorities try to curb the spread of a deadly coronavirus outbreak.
Separately, the country’s railway operator, China State Railway Group, said passengers would be able to receive full refunds on tickets nationwide starting on Friday.
On Thursday, China put on lockdown the two cities at the epicenter of a new coronavirus outbreak. Most transport in Wuhan, a city of 11 million people, was suspended on Thursday morning and people were told not to leave. Hours later, state media in neighboring Huanggang, a city of some 6 million people, said it was imposing a similar lockdown.
Wuhan’s city government said it would shut down all urban transport networks and suspend outgoing flights from 10 a.m. (0200 GMT). Domestic media said some airlines were operating after the deadline, however.
State media broadcast images of one of Wuhan’s transport hubs, the Hankou rail station, nearly deserted, with gates blocked or barred. The government is urging citizens not to leave the city.
State media reported highway toll booths around Wuhan were closing down, which would effectively cut off road exits. Guards were patrolling major highways, one resident told Reuters.
Similar measures will take effect starting Friday in the nearby city of Ezhou. Theaters, internet cafes and other entertainment centers were also ordered closed, further increasing the economic costs of the response to the outbreak.
“The lockdown of 11 million people is unprecedented in public health history, so it is certainly not a recommendation the WHO has made,” Gauden Galea, the World Health Organization’s representative in Beijing, told Reuters.
The World Health Organization is debating whether it should classify the outbreak as a global health emergency.
Here’s a snapshot of the number of known cases and where they are, as well as confirmed deaths.
Mainland China: 571
Hong Kong: 2
Macau: 1
Taiwan: 1
South Korea: 1
Japan: 1
Thailand: 4
United States: 1
* Chinese cities or provinces with reported cases include Wuhan (Hubei), Beijing, Shanghai, Zhejiang, Guangdong, Hebei, Liaoning, Jiangsu, Fujian
Reuters and The Associated Press contributed to this report.