Newsletter

• A personal welcome to all the new folks who joined the list since the start of the year. It’s incredible to watch the organic growth of this newsletter (I deliberately avoid marketing and promotion) into a fun community of builders and defenders. My main ask, send feedback here or on Twitter (DMs open).
• Coveware CEO Bill Siegel will headline my fireside chat at SecurityWeek’s Ransomware Resilience & Recovery Summit on Jan 26th. I’m looking forward to kicking it with Bill on the murky world of ransomware negotiations, making bitcoin ransom payments, and war stories from high-profile incidents.

Monday blues.

I’m yielding some space for a very important op-ed by my friend and mentor Costin Raiu, a big-game APT researcher with few equals.

_ryan

To be, or not to be: legitimate targets for NSO Pegasus and other legal surveillance malware?

Guest editorial by Costin Raiu

One of the long-running claims by NSO Group is that its Pegasus surveillance tool is only used to target criminals and terrorists. How come we see it in other places?

NSO is an expensive suite; in the range of millions if not tens of millions USD. Law enforcement rarely affords such budgets. A friend of mine who worked in law enforcement said a few years ago his cyber budget to catch criminals was a hefty US$3000.  Yes, three thousand dollars!

Now, imagine you have purchased an expensive spyware suite worth several millions USD that effectively gives you the option to hack any smartphone anywhere with a click of a button. How would you use it? Given the number of “bullets” is limited, one must choose targets very carefully. Let’s look closely at the categories that you might want to target with, say, an iOS 0-click spyware:

Criminals – these are legit targets and constantly highlighted as the reason why governments purchase software such as Pegasus. We should however keep in mind they must be really big criminals to justify the multimillion-dollar investments. Here’s the rub, though, really big criminals don’t use iPhones. As we see from other stories, such as the fake secure phone network that the FBI ran, major criminals stay away from regular devices and instead use various “Secure” phones. So, it’s not very well justified for this purpose.

Terrorists – basically, on the most entry level jihadists forums, in the tech section, “opsec for dummies”, the recommendations are to stay away from iPhones. These fellas standardize on the use of dumb phones, as opposed to smart phones. They use old devices without GPS or capability to run user apps. So, again, 0-click iOS exploits + malware –  it’s not very well justified for this category.  While we’re on the subject, how many terrorists were caught lately, say in Europe or U.S.?

Drug dealers – here, the budget may very well be justified. Actually, there are stories where drug dealers were successfully targeted and caught by such technologies. However, as discussed above, big-fish criminals will likely use custom devices or dumb phones.

Cybersecurity personnel/researchers – these are top threats for governments engaging in shady operations, so it is a perfect targeting case! The budget is not an issue, because it is usually black budget, with no auditing. We are actually aware of security researchers who have been targeted by Pegasus.

Extremists – this can be a very good justification and the budgeting surely fits the purpose. The only issue is that extremism can be relative to the government or governing processes in a certain country. In oppressive regimes, activists can be extremists. These are easy to justify and easy to target because they rarely care about operational security.

Journalists, media, reporters – does not fit the initial goal, but again, plenty of evidence this is happening. The reason is simple – governments are worried about the stories they can write, their sources, and potentially bad PR. Budget can be justified quite easily by designating these as extremists, foreign agents, enemies of the state.

To summarize – the categories for which the usage of highly expensive cyber warfare products is justified with a ROI are drug dealers (sometimes), security researchers, extremist activists, journalists, mass media and reporters.

Is this worrying? Probably. So, what would an ideal, corruption free, legitimate cyber offensive business look like?  It must be unprofitable, independent and externally audited.

When you see that an offensive cybersecurity company is owned by an investment fund or venture capital outfit, this means their top goal is to make as much money as possible. Profit, sell to anyone then try to find arguments or loopholes to justify the sales.

Are these tools a threat to democracy or our civilization as a whole? Democracy – yes, civilization probably not. One thing, though – are these mercenary tools solving the problem (be it criminals, terrorism or extremism)?

We all know the answer is a definitive no.

(Ed’s note: Listen to related podcast.  Also read this breaking news piece on Pegasus usage on targets within Israel)

Sponsored:  Symmetry DataGuard

Using Symmetry DataGuard, cloud-security teams tighten IAM policies around data, incident response teams know precisely what data objects are involved in a breach, and governance teams audit every access across every data store. Schedule a demo.

On to the newsletter…

• Google is calling for a public-private partnership to identify a list of critical open-source projects o help prioritize and allocate resources for the most essential security assessments and improvements
• GitHub CISO Mike Hanley: “As an industry, we must also come together and support the developers who design, build, and maintain the open source projects we depend on.”
• As I previously covered, the ASF published a position paper arguing that upstream producers were not exclusively responsible for bolstering the software ecosystem.
• Red Hat statement: “The core tenets of the Cyber EO remain fundamental to improving the security posture of all software—both proprietary and open source, including assuring that vendors of all stripes maintain greater visibility into their software, take responsibility for its life cycle, and make security data publicly available.”

Newsy leftovers.

• The annual Pwn2Own contest will raise the level of complexity for hacking into Tesla cars. The OG car hacker Charlie Miller has some thoughts.
• Ryan McGeehan forecasts in-the-wild zero-days for 2022
• Decipher’s Lindsey O’Donnell on the muddled world of APT and malware attribution.
• North Korean hackers stole nearly $400 million in cryptocurrencies last year.