I always wonder what it takes to find this kind of exploit. Are the programmers at NSO group just the best in the world? Or are they incredibly lucky? Both? I’d love to know what a normal day at work is like for their engineers. Clock in, sit down at a…crazy expensive hardware and software testing station? Crack open a brand new iPhone and start probing away while referencing internet sourced chip documentation and software manuals? What does it even look like?
I recently learned of this group through the Dark Net Diaries podcast. The host does a pretty good job of covering the NSO group in episode 99 and 100.
I heavily recommend reading “This is How They Tell Me The World Ends” written by one of the guests he had in episode 98, Nicole Perlroth (which also touched a little on the NSO in that episode). She’s The NY Times cybersecurity reporter. A lot of the book focused on the NSO, among others.
The noteworthy angle/point the podcast covers is that NSO is very likely indirectly trying to dig up dirt on Citizen Lab people (same people the post above is from), as they regularly discover their exploits and cost them money. As Jack talks about at the end, this puts NSO Group into a whole other category if the above is indeed true.
This episode just came out last week, and this is the second time NSO has made news since it aired (along with Germany being a confirmed client.) Surprisingly apropos, but I imagine Jack's disappointed the big news makes it just after his episode's release on the subject.
If you're interested in infosec/appsec, DND is a great place to get started. The host packages up stories in a well put-together way, has no qualms about breaking to explain a concept or term, and does it all within an hour.
It is increasingly bizarre, in my opinion, how this company (and others like Toka) can run active terrorist operations, when anyone smaller doing some of the same hacks would be in prison for a very long time.
People have lost their lives due to these pariahs!
Israel already has a massive PR issue with other countries; it would do them well to rein in these offensive front arms of their government/'companies.'
Citizen Lab is really a great thing for civilization. There are not enough altruistic organizations.
It just makes me so uncomfortable that these things keep happening. We always find out about these things eventually but what percentage of the time are our devices vulnerable? Isn’t it close to 100% of the time that our desktops and mobile devices have significant security vulnerabilities?
The way I describe it to friends and family is that there are basically two levels of protection:
- Protecting yourself from run-of-the-mill malware that is looking to make money off of you. You can do this pretty effectively by always updating your software as soon as you can and avoiding sketchy and unnecessary apps and websites.
- Protecting yourself from an attack by a nation-state level agency. I don't think there is any way to be safe from this, and people who are targeted like this need to use protections that go well beyond the choice of cell phone or chat app.
Their high-confidence attribution to NSO Group is described as being based on two factors:
1. Incomplete deletion of evidence from a SQLite database, in the exact same manner observed in a previous Pegasus sample;
2. The presence of a new process with the same name as a process observed in a previous Pegasus sample.
But isn't it likely that someone with the skills needed to discover and weaponize a chain of 0-day exploits, is incentivized and able to detect these quirks in Pegasus samples and imitate them, with the goal of misattribution?
Of course, there may be more factors involved in the attribution that aren't being shared publicly.
It seems like incomplete deletion of data is an error. If you are an exploit developer looking to throw investigators off your trail, it is one thing to name your processes with Pegasus names. It is another to deliberately introduce errors in your exploit to appear like Pegasus.
Your proposal is possible. It is just less likely than that this exploit was developed by NSO Group.
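The "incomplete deletion" artifact discussed above rests on an ordinary SQLite property: a DELETE unlinks the row and marks its bytes as free space inside the page, but does not overwrite them unless secure_delete is on or the file is vacuumed, so the record stays findable with a plain byte search of the database file. The following is an added example, not Citizen Lab's code and not a Pegasus artifact; the table, the marker string and the temporary file are constructed for the demo.

```python
"""Why a deleted SQLite row can still be found in the database file.

Added example; not Citizen Lab's code and not a Pegasus artifact. The
table, the marker string and the file are constructed for the demo.
"""
import os
import sqlite3
import tempfile

# Constructed marker; any distinctive byte string works as a search needle.
MARKER = b"constructed-demo-record-7f3a9c"


def delete_and_search(secure_delete, vacuum=False):
    """Insert MARKER, DELETE the row, close the file, then byte-search it.

    Returns the offset of MARKER in the closed database file, or -1 if the
    deleted content is no longer present.
    """
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "demo.db")
    try:
        con = sqlite3.connect(path)
        # secure_delete is a per-connection setting. It is usually OFF, but
        # some platform builds ship with it ON, so the demo sets it explicitly.
        con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
        con.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, payload BLOB)")
        con.execute("INSERT INTO events (id, payload) VALUES (1, ?)", (MARKER,))
        con.commit()
        # The row is unlinked and its bytes become in-page free space.
        con.execute("DELETE FROM events WHERE id = 1")
        con.commit()
        if vacuum:
            con.execute("VACUUM")  # rebuilds the file from live content only
        con.close()
        with open(path, "rb") as fh:
            return fh.read().find(MARKER)
    finally:
        for name in os.listdir(tmpdir):
            os.unlink(os.path.join(tmpdir, name))
        os.rmdir(tmpdir)


if __name__ == "__main__":
    print("secure_delete=OFF             :", delete_and_search(False))
    print("secure_delete=ON              :", delete_and_search(True))
    print("secure_delete=OFF, then VACUUM:", delete_and_search(False, vacuum=True))
```

With secure_delete off the marker is still at a real offset inside the closed file; with it on, or after a VACUUM, the search comes back empty. An implant that wipes its rows without either step leaves exactly the kind of residue an investigator can diff against earlier samples.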
Buried lede: Apple has patched that particular exploit [1] and everyone should download iOS 14.8 now if you want to be protected (no doubt NSO has other tricks up their sleeve).
Edit: Just realized it also impacts macOS and watchOS as well which were also patched. Patch Monday!
> In March 2021, we examined the phone of a Saudi activist who has chosen to remain anonymous, and determined that they had been hacked with NSO Group’s Pegasus spyware. During the course of the analysis we obtained an iTunes backup of the device.
...
> Citizen Lab forwarded the artifacts to Apple on Tuesday, September 7. On Monday, September 13, Apple confirmed that the files included a zero-day exploit against iOS and MacOS.
I once worked in a 'dissident' org (supported by the US Agency for International Development); these orgs were fighting for human rights in their countries. In one extreme case/country, no one knew my prospective project team mate's real name (I came to know this later), though she was our colleague and was quite social and pleasant. In her country's expatriate circles in DC, she was worried about foreign spies. Family back home is at risk, and so is she, even if she lives in DC. These are brave people.
She wanted to build a database of something, and we were like, "keep your phone in another room" if you want to come discuss. Something that I am not sure she practices but more people need to practice.
CitizenLab is doing yeoman's service for people's rights to privacy and human rights. They're heroes.
I'm glad you put "dissident" in quotes. USAID is notoriously rife with CIA plants and many CIA operatives use the organization as cover, which implies that a nation targeting its members would have a lot more justification than a homegrown activist. That USAID might be targeted by hackers is mostly a consequence of the US government's decision to use it as a front for clandestine operations overseas.
> supported by the US Agency for International Development
Isn’t it more usual for the NED to do such things? I remark upon this because it occurs to me that using USAID to do politics might make recipients suspicious of aid even when it’s both necessary from a humanitarian perspective and unlikely to threaten the ruling dispensation in the recipient country. (This is a separate question from whether the NED/US government as a whole should even involve itself in such matters, to which my answer is ‘maybe’, since the dubious stuff probably happens anyway and lots of these civil society organisations &c. actually do good work [e.g. the Assistance Association for Political Prisoners in Burma.])
It seems like the NSO group is some kind of Hydra where every time their exploits are thwarted they find 2 new ones. The difference is that Hydras go for demigods while NSO products target civil servants and minorities.
> Despite the [gif] extension, the file was actually a 748-byte Adobe PSD file.
I wish programmers would stop "helpfully parsing" files which are named with an "incorrect" extension. If a random unknown person sends me a file with .gif extension that is actually a PSD file, I most definitely do not want my machine parsing whatever that thing is.
Discourse avatars point to a page with a .png extension regardless of what the actual file is (jpg, gif, or svg). Parsing file headers should not be a dangerous operation and in my opinion is the right thing to do.
You joke, but maybe one way to fight this proactively is with fake activist honeypots. Apple, a company with the size and budget of a nation state could certainly pull off such an operation for the security of the devices they sell, but obviously, and maybe unfortunately, this would never happen.
I miss the days when iOS exploits were merely used for jailbreaks and allowing alternative app stores, instead of being weaponized/monetized as they are now.
Image and video decoders seem like exactly the right target for formally verified (i.e. proven) implementations. There are just so many moving parts, and libraries get re-used in many projects, rarely forming the 'special sauce' in any given app.
I have been keeping an eye on the work done by what is now called Project Everest[1] over the years in the communication and cryptographic space.
Is there similar work in the image and video decode space? My search fu is not yielding anything beyond some hardware decoding proofs.
The NY Times [1] just reported that "Apple’s security team has been working around the clock to develop a fix since Tuesday, after researchers at Citizen Lab, a cybersecurity watchdog organization at the University of Toronto, discovered that a Saudi activist’s iPhone had been infected with spyware from NSO Group."
What took so long? Did Apple not know about this in March or was someone sitting on it for 6 months?
“Citizen Lab forwarded the artifacts to Apple on Tuesday September 7.” — from article, no need to jump to unwarranted conclusions about Apple. “In March 2021, we examined the phone of a Saudi activist” - it would be interesting to know the reason why Citizen Lab delayed so long. Hopefully they just wanted time to discover who else was being targeted?
PDF is basically a programming language, so instead of sending image data you send a program which is interpreted by the PDF reader to render an image on the client. That makes it really hard to secure completely.
Can someone explain like I'm 5 why it's so hard to prevent this?
I mean with a messenger app, you know you're getting some payload of data from a specific place, that goes through your own server, and is only ever going to be text or picture or video.
Why can't that be sufficiently sanitised en route and as it arrives to not have this kind of thing happen all the time?
Great question. Every cell carrier processes images before delivering to the recipient. Like, if you send 3 or more photos almost every cell carrier will downsize the images. While this isn't an extensive test, I just tried renaming a PDF to a GIF and it failed to send on Google Voice and T-Mobile.
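The two threads above (a .gif that is really a PSD being "helpfully parsed", and the question of sanitising attachments on the way in) come down to one rule: pick the decoder from the bytes, not the name, and only decode formats on an explicit allowlist. The following is an added example, not code from the thread, from iMessage or from any carrier. The signatures are the standard leading bytes of each format; the allowlist, the pixel limit and the sample attachments are constructed for the demo.

```python
"""Sniff attachment content and refuse to hand it to a decoder unless the
bytes, the file name and an allowlist all agree.

Added example; not code from the thread, from iMessage or from any
carrier. All sample attachments below are constructed byte strings.
"""
import struct

# Leading-byte signatures for the handful of formats this demo knows.
SIGNATURES = (
    ("gif",  (b"GIF87a", b"GIF89a")),
    ("png",  (b"\x89PNG\r\n\x1a\n",)),
    ("jpeg", (b"\xff\xd8\xff",)),
    ("psd",  (b"8BPS",)),          # Adobe Photoshop document
    ("pdf",  (b"%PDF-",)),
)

ALLOWED_FORMATS = {"gif", "png", "jpeg"}   # decoders we are willing to run
MAX_PIXELS = 4096 * 4096                   # constructed resource limit

# What a file name claims to be; any other extension claims nothing.
EXT_TO_FORMAT = {"gif": "gif", "png": "png", "jpg": "jpeg", "jpeg": "jpeg"}


def sniff_format(data):
    """Return the format implied by the leading bytes, or None."""
    for name, magics in SIGNATURES:
        if any(data.startswith(m) for m in magics):
            return name
    return None


def claimed_format(filename):
    """Return the format the extension claims, or None."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXT_TO_FORMAT.get(ext)


def gif_dimensions(data):
    """Width and height from the GIF logical screen descriptor (bytes 6..9)."""
    if len(data) < 10:
        raise ValueError("truncated GIF header")
    return struct.unpack_from("<HH", data, 6)


def check_attachment(filename, data):
    """Decide whether `data` may go to a decoder.

    Returns (accepted, reason, detected). The decoder, if any, is chosen by
    the sniffed format, never by the file name.
    """
    detected = sniff_format(data)
    claimed = claimed_format(filename)
    if detected is None:
        return False, "unrecognised content", None
    if detected not in ALLOWED_FORMATS:
        return False, "%s is not an allowlisted format" % detected, detected
    if claimed != detected:
        return False, "name claims %s, content is %s" % (claimed, detected), detected
    if detected == "gif":
        # Even an allowlisted format gets a cheap sanity check before the
        # real decoder sees it.
        try:
            w, h = gif_dimensions(data)
        except ValueError as exc:
            return False, str(exc), detected
        if w * h > MAX_PIXELS:
            return False, "declared size %dx%d exceeds limit" % (w, h), detected
    return True, "ok", detected


# Constructed samples (not real attachments).
SAMPLES = {
    # the case from the thread: a .gif whose bytes are a PSD
    "image.gif": b"8BPS" + b"\x00" * 744,
    # a PDF renamed to .gif, as in the carrier test above
    "doc.gif": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    # a plausible GIF header declaring a 64x48 canvas
    "photo.gif": b"GIF89a" + struct.pack("<HH", 64, 48) + b"\x00\x00\x00",
    # PNG bytes behind a .jpg name
    "photo.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    # GIF header declaring an absurd canvas
    "huge.gif": b"GIF89a" + struct.pack("<HH", 65535, 65535) + b"\x00\x00\x00",
}


def run_samples():
    """Evaluate every sample; returns {name: (accepted, reason, detected)}."""
    return {name: check_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, why, fmt) in run_samples().items():
        print("%-10s %-6s %s" % (name, "ACCEPT" if ok else "REJECT", why))
```

Only photo.gif is accepted; the PSD-as-.gif and the renamed PDF are rejected because their sniffed format is not allowlisted, the PNG-as-.jpg because name and content disagree, and huge.gif because of the declared size. Re-encoding images (what the carrier downsizing above does) is a stronger sanitiser than sniffing, since the recipient only ever sees your own encoder's output, but it still runs a decoder on attacker-chosen input, so that step belongs in a sandboxed process with no access to the rest of the app.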
theshadowknows | 4 years ago
giarc | 4 years ago
https://darknetdiaries.com/episode/
Operyl | 4 years ago
ehsankia | 4 years ago
adamgordonbell | 4 years ago
It sounded like NSO Group just considers losing zero-days like this a cost of doing business.
There seemed to be an implication that they have a war chest of these exploits and expect them to each get burnt after a certain amount of usage.
badRNG | 4 years ago
trangus_1985 | 4 years ago
Ms-J | 4 years ago
TaylorAlexander | 4 years ago
overkill28 | 4 years ago
r00fus | 4 years ago
I am at peace with the fact that I'm doing the best I can and keeping those I love protected.
SheinhardtWigCo | 4 years ago
Hnrobert42 | 4 years ago
Leparamour | 4 years ago
Crowdstrike will find out it's clearly Russia behind this and Mandiant will blame China.
r00fus | 4 years ago
[1] https://support.apple.com/en-ca/HT212807
DangerousPie | 4 years ago
vjust | 4 years ago
abvdasker | 4 years ago
eynsham | 4 years ago
q_andrew | 4 years ago
baobabKoodaa | 4 years ago
willis936 | 4 years ago
stefan_ | 4 years ago
avnigo | 4 years ago
fragmede | 4 years ago
9935c101ab17a66 | 4 years ago
United857 | 4 years ago
2rsf | 4 years ago
verytrivial | 4 years ago
[1] https://project-everest.github.io/
lgats | 4 years ago
i_r7al | 4 years ago
mortenjorck | 4 years ago
defaulty | 4 years ago
[1] https://www.nytimes.com/2021/09/13/technology/apple-software...
robocat | 4 years ago
jasonhansel | 4 years ago
mr_toad | 4 years ago
thinkharderdev | 4 years ago
tediousdemise | 4 years ago
madeofpalk | 4 years ago
kome | 4 years ago
jonplackett | 4 years ago
danicgross | 4 years ago
aacook | 4 years ago
onedognight | 4 years ago