Brute Force Attack on UK Parliament User Emails

Inside and outside cyber experts are making attributions to Russia.

The Russian government is suspected of being behind a cyber-attack on parliament that breached dozens of email accounts belonging to MPs and peers.

Although the investigation is at an early stage and the identity of those responsible may prove impossible to establish with absolute certainty, Moscow is deemed the most likely culprit.

The British security services believe that responsibility for the attack is more likely to lie with another state rather than a small group of individual hackers.

The number of states who might mount such an attack on the UK is limited, and, in addition to Russia, includes North Korea, China and Iran.

A security source said: “It was a brute force attack. It appears to have been state-sponsored.”

“The nature of cyber-attacks means it is notoriously difficult to attribute an incident to a specific actor.”

MPs contacted by the Guardian said the immediate suspicion had fallen upon foreign governments such as Russia and North Korea, both of which have been accused of being behind hacking attempts in the UK before. More from the Guardian.

BBC: Up to 90 email accounts were compromised during the cyber-attack on Parliament on Friday.

Fewer than 1% of the 9,000 users of the IT system were impacted by the hacking, said a parliamentary spokesman.

The hack prompted officials to disable remote access to the emails of MPs, peers and their staff as a safeguard.

The spokesman said the attack was a result of “weak passwords” and an investigation is under way to determine whether any data has been lost.

Both Houses of Parliament will meet as planned on Monday and plans are being put in place to allow it to resume its wider IT services, said officials.

A number of MPs confirmed to the BBC they were unable to access their parliamentary email accounts outside of the Westminster estate following the hacking.

‘Passwords for sale’

The spokesman said the parliamentary network was compromised due to “weak passwords” which did not conform to guidance from the Parliamentary Digital Service.

They added: “As they are identified, the individuals whose accounts have been compromised have been contacted and investigations to determine whether any data has been lost are under way.”

The incident comes just over a month after 48 of England’s NHS trusts were hit by a cyber-attack.

International Trade Secretary Liam Fox said: “We have seen reports in the last few days of even cabinet ministers’ passwords being for sale online.

“We know that our public services are attacked so it is not at all surprising that there should be an attempt to hack into parliamentary emails.

“And it’s a warning to everybody, whether they are in Parliament or elsewhere, that they need to do everything possible to maintain their own cyber-security.”

The latest attack was publicly revealed by Liberal Democrat peer Lord Rennard on Twitter as he asked his followers to send any “urgent messages” to him by text.

The National Cyber Security Centre and National Crime Agency are investigating the incident.

WannaCry Hacking Bad, but This is Terrifying

WASHINGTON — CIA Director Mike Pompeo says he thinks disclosure of America’s secret intelligence is on the rise, fueled partly by the “worship” of leakers like Edward Snowden.

“In some ways, I do think it’s accelerated,” Pompeo told MSNBC in an interview that aired Saturday. “I think there is a phenomenon, the worship of Edward Snowden, and those who steal American secrets for the purpose of self-aggrandizement or money or for whatever their motivation may be, does seem to be on the increase.”

Pompeo said the United States needs to redouble its efforts to stem leaks of classified information. More here.

***

A Cyberattack ‘the World Isn’t Ready For’

Golan Ben-Oni, of the IDT Corporation, which was attacked in April with two cyberweapons stolen from the National Security Agency.  Justin T. Gellerson for The New York Times

NEWARK — There have been times over the last two months when Golan Ben-Oni has felt like a voice in the wilderness.

On April 29, someone hit his employer, IDT Corporation, with two cyberweapons that had been stolen from the National Security Agency. Mr. Ben-Oni, the global chief information officer at IDT, was able to fend them off, but the attack left him distraught.

In 22 years of dealing with hackers of every sort, he had never seen anything like it. Who was behind it? How did they evade all of his defenses? How many others had been attacked but did not know it?

Since then, Mr. Ben-Oni has been sounding alarm bells, calling anyone who will listen at the White House, the Federal Bureau of Investigation, the New Jersey attorney general’s office and the top cybersecurity companies in the country to warn them about an attack that may still be invisibly striking victims undetected around the world.

And he is determined to track down whoever did it.

“I don’t pursue every attacker, just the ones that piss me off,” Mr. Ben-Oni told me recently over lentils in his office, which was strewn with empty Red Bull cans. “This pissed me off and, more importantly, it pissed my wife off, which is the real litmus test.”

Two weeks after IDT was hit, the cyberattack known as WannaCry ravaged computers at hospitals in England, universities in China, rail systems in Germany, even auto plants in Japan. No doubt it was destructive. But what Mr. Ben-Oni had witnessed was much worse, and with all eyes on the WannaCry destruction, few seemed to be paying attention to the attack on IDT’s systems — and most likely others around the world.

The strike on IDT, a conglomerate with headquarters in a nondescript gray building here with views of the Manhattan skyline 15 miles away, was similar to WannaCry in one way: Hackers locked up IDT data and demanded a ransom to unlock it.

But the ransom demand was just a smoke screen for a far more invasive attack that stole employee credentials. With those credentials in hand, hackers could have run free through the company’s computer network, taking confidential information or destroying machines.

Worse, the assault, which has never been reported before, was not spotted by some of the nation’s leading cybersecurity products, the top security engineers at its biggest tech companies, government intelligence analysts or the F.B.I., which remains consumed with the WannaCry attack.

Were it not for a digital black box that recorded everything on IDT’s network, along with Mr. Ben-Oni’s tenacity, the attack might have gone unnoticed.

Scans for the two hacking tools used against IDT indicate that the company is not alone. In fact, tens of thousands of computer systems all over the world have been “backdoored” by the same N.S.A. weapons. Mr. Ben-Oni and other security researchers worry that many of those other infected computers are connected to transportation networks, hospitals, water treatment plants and other utilities.

An attack on those systems, they warn, could put lives at risk. And Mr. Ben-Oni, fortified with adrenaline, Red Bull and the house beats of Deadmau5, the Canadian record producer, said he would not stop until the attacks had been shut down and those responsible were behind bars.

“The world is burning about WannaCry, but this is a nuclear bomb compared to WannaCry,” Mr. Ben-Oni said. “This is different. It’s a lot worse. It steals credentials. You can’t catch it, and it’s happening right under our noses.”

And, he added, “The world isn’t ready for this.”

Targeting the Nerve Center

Mr. Ben-Oni, 43, a Hasidic Jew, is a slight man with smiling eyes, a thick beard and a hacker’s penchant for mischief. He grew up in the hills of Berkeley, Calif., the son of Israeli immigrants.

Even as a toddler, Mr. Ben-Oni’s mother said, he was not interested in toys. She had to take him to the local junkyard to scour for typewriters that he would eventually dismantle on the living room floor. As a teenager, he aspired to become a rabbi but spent most of his free time hacking computers at the University of California, Berkeley, where his exploits once accidentally took down Belgium’s entire phone system for 15 minutes.

To his parents’ horror, he dropped out of college to pursue his love of hacking full time, starting a security company to help the city of Berkeley and two nearby communities, Alameda and Novato, set up secure computer networks.

He had a knack for the technical work, but not the marketing, and found it difficult to get new clients. So at age 19, he crossed the country and took a job at IDT, back when the company was a low-profile long-distance service provider.

As IDT started acquiring and spinning off an eclectic list of ventures, Mr. Ben-Oni found himself responsible for securing shale oil projects in Mongolia and the Golan Heights, a “Star Trek” comic books company, a project to cure cancer, a yeshiva university that trains underprivileged students in cybersecurity, and a small mobile company that Verizon recently acquired for $3.1 billion.

Which is to say he has encountered hundreds of thousands of hackers of every stripe, motivation and skill level. He eventually started a security business, IOSecurity, under IDT, to share some of the technical tools he had developed to keep IDT’s many businesses secure. By Mr. Ben-Oni’s estimate, IDT experiences hundreds of attacks a day on its businesses, but perhaps only four each year give him pause.

Nothing compared to the attack that struck in April. Like the WannaCry attack in May, the assault on IDT relied on cyberweapons developed by the N.S.A. that were leaked online in April by a mysterious group of hackers calling themselves the Shadow Brokers — alternately believed to be Russia-backed cybercriminals, an N.S.A. mole, or both.

The WannaCry attack — which the N.S.A. and security researchers have tied to North Korea — employed one N.S.A. cyberweapon; the IDT assault used two.

Both WannaCry and the IDT attack used a hacking tool the agency had code-named EternalBlue. The tool took advantage of unpatched Microsoft servers to automatically spread malware from one server to another, so that within 24 hours North Korea’s hackers had spread their ransomware to more than 200,000 servers around the globe.

The attack on IDT went a step further with another stolen N.S.A. cyberweapon, called DoublePulsar. The N.S.A. used DoublePulsar to penetrate computer systems without tripping security alarms. It allowed N.S.A. spies to inject their tools into the nerve center of a target’s computer system, called the kernel, which manages communications between a computer’s hardware and its software.

In the pecking order of a computer system, the kernel is at the very top, allowing anyone with secret access to it to take full control of a machine. It is also a dangerous blind spot for most security software, allowing attackers to do what they want and go unnoticed. In IDT’s case, attackers used DoublePulsar to steal an IDT contractor’s credentials. Then they deployed ransomware in what appears to be a cover for their real motive: broader access to IDT’s businesses.

Mr. Ben-Oni learned of the attack only when a contractor, working from home, switched on her computer to find that all her data had been encrypted and that attackers were demanding a ransom to unlock it. He might have assumed that this was a simple case of ransomware.

But the attack struck Mr. Ben-Oni as unique. For one thing, it was timed perfectly to the Sabbath. Attackers entered IDT’s network at 6 p.m. on Saturday on the dot, two and a half hours before the Sabbath would end and when most of IDT’s employees — 40 percent of whom identify as Orthodox Jews — would be off the clock. For another, the attackers compromised the contractor’s computer through her home modem — strange.

The black box of sorts, a network recording device made by the Israeli security company Secdo, shows that the ransomware was installed after the attackers had made off with the contractor’s credentials. And they managed to bypass every major security detection mechanism along the way. Finally, before they left, they encrypted her computer with ransomware, demanding $130 to unlock it, to cover up the more invasive attack on her computer.

Mr. Ben-Oni estimates that he has spoken to 107 security experts and researchers about the attack, including the chief executives of nearly every major security company and the heads of threat intelligence at Google, Microsoft and Amazon.

With the exception of Amazon, which found that some of its customers’ computers had been scanned by the same computer that hit IDT, no one had seen any trace of the attack before Mr. Ben-Oni notified them. The New York Times confirmed Mr. Ben-Oni’s account via written summaries provided by Palo Alto Networks, Intel’s McAfee and other security firms he used and asked to investigate the attack.

“I started to get the sense that we were the canary,” he said. “But we recorded it.”

Since IDT was hit, Mr. Ben-Oni has contacted everyone in his Rolodex to warn them of an attack that could still be worming its way, undetected, through victims’ systems.

“Time is burning,” Mr. Ben-Oni said. “Understand, this is really a war — with offense on one side, and institutions, organizations and schools on the other, defending against an unknown adversary.”

‘No One Is Running Point’

Since the Shadow Brokers leaked dozens of coveted attack tools in April, hospitals, schools, cities, police departments and companies around the world have largely been left to fend for themselves against weapons developed by the world’s most sophisticated attacker: the N.S.A.

A month earlier, Microsoft had issued a software patch to defend against the N.S.A. hacking tools — suggesting that the agency tipped the company off to what was coming. Microsoft regularly credits those who point out vulnerabilities in its products, but in this case the company made no mention of the tipster. Later, when the WannaCry attack hit hundreds of thousands of Microsoft customers, Microsoft’s president, Brad Smith, slammed the government in a blog post for hoarding and stockpiling security vulnerabilities.

For his part, Mr. Ben-Oni said he had rolled out Microsoft’s patches as soon as they became available, but attackers still managed to get in through the IDT contractor’s home modem.

Six years ago, Mr. Ben-Oni had a chance meeting with an N.S.A. employee at a conference and asked him how to defend against modern-day cyberthreats. The N.S.A. employee advised him to “run three of everything”: three firewalls, three antivirus solutions, three intrusion detection systems. And so he did.

But in this case, modern-day detection systems created by Cylance, McAfee and Microsoft and patching systems by Tanium did not catch the attack on IDT. Nor did any of the 128 publicly available threat intelligence feeds that IDT subscribes to. Even the 10 threat intelligence feeds that his organization spends a half-million dollars on annually for urgent information failed to report it. He has since threatened to return their products.

“Our industry likes to work on known problems,” Mr. Ben-Oni said. “This is an unknown problem. We’re not ready for this.”

No one he has spoken to knows whether they have been hit, but just this month, restaurants across the United States reported being hit with similar attacks that were undetected by antivirus systems. There are now YouTube videos showing criminals how to attack systems using the very same N.S.A. tools used against IDT, and Metasploit, an automated hacking tool, now allows anyone to carry out these attacks with the click of a button.

Worse still, Mr. Ben-Oni said, “No one is running point on this.”

Last month, he personally briefed the F.B.I. analyst in charge of investigating the WannaCry attack. He was told that the agency had been specifically tasked with WannaCry, and that even though the attack on his company was more invasive and sophisticated, it was still technically something else, and therefore the F.B.I. could not take on his case.

The F.B.I. did not respond to requests for comment.

So Mr. Ben-Oni has largely pursued the case himself. His team at IDT was able to trace part of the attack to a personal Android phone in Russia and has been feeding its findings to Europol, the European law enforcement agency based in The Hague.

The chances that IDT was the only victim of this attack are slim. Sean Dillon, a senior analyst at RiskSense, a New Mexico security company, was among the first security researchers to scan the internet for the N.S.A.’s DoublePulsar tool. He found tens of thousands of host computers are infected with the tool, which attackers can use at will.

“Once DoublePulsar is on the machine, there’s nothing stopping anyone else from coming along and using the back door,” Mr. Dillon said.

More distressing, Mr. Dillon tested all the major antivirus products against the DoublePulsar infection and a demoralizing 99 percent failed to detect it.

“We’ve seen the same computers infected with DoublePulsar for two months and there is no telling how much malware is on those systems,” Mr. Dillon said. “Right now we have no idea what’s gotten into these organizations.”

In the worst case, Mr. Dillon said, attackers could use those back doors to unleash destructive malware into critical infrastructure, tying up rail systems, shutting down hospitals or even paralyzing electrical utilities.

Could that attack be coming? The Shadow Brokers resurfaced last month, promising a fresh load of N.S.A. attack tools, even offering to supply them for monthly paying subscribers — like a wine-of-the-month club for cyberweapon enthusiasts.

In a hint that the industry is taking the group’s threats seriously, Microsoft issued a new set of patches to defend against such attacks. The company noted in an ominously worded message that the patches were critical, citing an “elevated risk for destructive cyberattacks.”

Mr. Ben-Oni is convinced that IDT is not the only victim, and that these tools can and will be used to do far worse.

“I look at this as a life-or-death situation,” he said. “Today it’s us, but tomorrow it might be someone else.”

Investigating the Other Collusion Case

Seems it at least began in 2015, long before Donald Trump was campaigning for the Oval Office.

Also, as an aside, John Podesta is testifying before the House Intelligence Committee next week. He too has financial ties to Moscow operations.

The Vnesheconombank is Russian owned and has been under a sanctions architecture due to the annexing of Crimea. In Russia, by law, the bank’s board chairman is the Prime Minister of Russia. Vladimir Putin increased leading when he became the bank’s chairman in 2008. Now precisely why is Russia investing at all in the United States in the first place? Well soft power and doing business with the Export Import Bank, an agency that is corrupt to the core. Further, Sergei Gorkov is head of the bank and is is/was a Russian spy.

Image result for Vnesheconombank  ABC

BusinessInsider:The U.S. Treasury has added a bunch of entities to its Russia sanctions list, including a sovereign wealth fund that used to be connected to some pretty high-profile U.S. billionaires.

The Treasury’s Office of Foreign Assistance Control on Thursday added The Russian Direct Investment Fund to the list, along with a number of entities linked to RDIF parent Vnesheconombank and energy giant Rosneft.

Vnesheconombank was first sanctioned last year, but RDIF hadn’t been explicitly targeted until the announcement on Thursday.

Private equity moguls Steve Schwarzman of Blackstone, David Bonderman of TPG, and Leon Black of Apollo Global Management all served as board members for RDIF when it was established in 2011, according to a press release at the time.

At some point, those names were removed from the RDIF website.

The Wall Street Journal first reported that the investors’ names had disappeared from the site in September 2014, but said that they still served on the board at that time. There are currently no names listed on the international advisory board on RDIF’s website.

Back in 2011, each board member issued statements about joining the board. Here are some highlights:

“We believe there are many attractive investment opportunities in Russia — the RDIF will provide the strong and experienced local partnership needed for investors to realize those opportunities.” — David Bonderman

“Russia has strong fundamentals that will continue to fuel its growth trajectory and offer attractive investment opportunities. We believe the Russia Direct Investment Fund will help further align U.S. and Russian objectives in terms of identifying paths toward partnership in the private sector.” — Leon Black

“It’s always good to have friends when you are going to a place that you are not as familiar with.”  — Stephen Schwarzman

Bonderman has spoken publicly about investing in the country in recent months, telling an audience at the Milken Global Conference this year that the Russian market remains attractive, according to a report by CNN Money.

He is quoted as saying: “Sanctions are perfectly set up not to work at all but to make a political statement.”

Spokespeople for Blackstone and TPG declined to comment. Apollo could not be reached for comment.

A spokesperson for the Russian Direct Investment Fund said: “For Vnesheconombank subsidiaries the new clarification by the US Department of the Treasury is essentially a technical repetition of sanctions imposed a year ago, which targeted a number of Russian companies including Vnesheconombank and its subsidiaries.

“Given the nature of the Fund’s activity, RDIF has never attracted financing in the USA, it invests its own funds. Since the introduction of sanctions last year RDIF has continued to invest into the Russian economy and build new international partnerships.”

So what you ask?

Image result for sergei gorkov Sergei Gorkov

Well due to sanctions, those on the Trump campaign team, transition team and now in the White House may have violated sanctions. If so, the reason would be why, to what end and how many may be involved? It should also be added that many Republicans have ties to Russians and oligarchs, not all is as it seems. We can only hope, while not knowing details, the Senate is also investigating Hillary Clinton in much the same condition. Yet as Secretary of State, Hillary and Obama had the ability to sign waivers to finesse sanctions. This was likely the case between Hillary and the Kremlin regarding Skolkovo.

Remember, don’t shoot the messenger. Furthermore, it seems some on the Senate committee are leaking too.

Senate investigators are examining the activities of a little-known $10-billion Russian investment fund whose chief executive met with a member of President Donald Trump’s transition team four days before Trump’s inauguration, a congressional source told CNN.

The source said the Senate intelligence committee is investigating the Russian fund in connection with its examination of discussions between White House adviser Jared Kushner and the head of a prominent Russian bank. The bank, Vnesheconombank, or VEB, oversees the fund, which has ties to several Trump advisers. Both the bank and the fund have been covered since 2014 by sanctions restricting U.S. business dealings.
Separately, Steve Mnuchin, now Treasury Secretary, said in a January letter that he would look into the Jan. 16 meeting between the fund’s chief executive and Anthony Scaramucci, a member of the transition team’s executive committee and a fundraiser and adviser for Trump’s presidential campaign. At the time, Mnuchin had not yet been confirmed as Treasury Secretary. The Treasury Department did not respond to a request for an update.
Two Democratic senators had asked Treasury to investigate whether Scaramucci promised to lift sanctions — a policy shift that would help the fund attract more international investment to Russia.
The questions draw attention to the Russian Direct Investment Fund, a government investment arm that has helped top U.S. private-equity firms invest in Russia and that was advised by Stephen Schwarzman, who is now chairman of Trump’s Strategic and Policy Forum, an advisory group of business leaders.
Schwarzman, chief executive officer of Blackstone Group, was named in 2011 to the fund’s International Advisory Board along with other leaders of major equity companies and sovereigh-wealth funds who reviewed the fund’s operations, plans and potential investments. Schwarzman declined to comment. A source close to him said Schwarzman has not spoken to anyone on the fund “for some time.”
The fund also worked with Goldman Sachs, whose former president Gary Cohn is Trump’s chief economic adviser and where Kirill Dmitriev, the fund’s chief executive, worked as an investment banker in the 1990s. Goldman was part of a consortium created in 2012 to invest in large Russian businesses preparing to go public, and was hired in 2013 to burnish Russia’s investment image. The company declined to comment.

‘I would reach out to people to help him”

Senate and House investigators are looking into various Russian entities to determine whether anyone connected to the Trump campaign helped Russians as they meddled in the 2016 presidential election, and whether Trump associates discussed sanctions with Russian officials.
The congressional inquiries, along with a criminal investigation by special counsel Robert S. Mueller, have shadowed the Trump administration. Trump has denied any connection to Russia’s election-meddling, calling the criminal probe “a witch hunt.”
Scaramucci, the founder of SkyBridge Capital, minimized his January meeting with Dmitriev in the resort town of Davos, Switzerland, at the celebrated annual gathering of the World Economic Forum. Scaramucci had met Dmitriev at previous Davos meetings, although at the gathering in January, Scaramucci was expecting to be named White House liaison to the business community.
Dmitriev “came over to say hello in a restaurant, and I was cordial,” Scaramucci said in a recent email to CNN. “There is nothing there.”
The day after the meeting, Scaramucci told Bloomberg TV that he had “as a private citizen” been working with Dmitriev on bringing a delegation of executives to Russia.
“What I said to him last night, in my capacity inside the administration, I would certainly reach out to some people to help him,” Scaramucci said before describing a thicket of ethical clearances he would face. “The idea was many months ago to have more outreach with Russia but also other countries, not just Russia. China, other countries.”
Scaramucci’s comments alarmed Democratic Senators Elizabeth Warren of Massachusetts and Ben Cardin of Maryland, who asked Mnuchin investigate whether Scaramucci sought to “facilitate prohibited transactions” or promised to waive or lift sanctions against Russia.
In a reply Jan. 30, before he was sworn in, Mnuchin said he would “ensure the appropriate Department components assess whether further investigation of this matter is warranted.”
A spokeswoman for the Russian fund said the two men did not discuss sanctions, and that the discussion itself did not violate sanctions that U.S. imposed in 2014 after Russia annexed part of neighboring Ukraine. The spokeswoman declined to describe the conversation, saying, “We do not comment on private meetings.”

An advocate for lifting sanctions

Since Trump’s election, Dmitriev has been one of Russia’s most vocal officials in calling for an end to U.S. sanctions and arguing that joint U.S.-Russia projects can create jobs in the United States.
The fund hired two U.S. lobbying firms in September 2014, after sanctions were imposed, paying them a combined $150,000 over two months for public relations work. The fund has not hired any lobbyists since then.
With a history of helping U.S. manufacturers and asset management companies invest in Russia, the fund is a logical starting point for Russia’s push to lift U.S. sanctions, former State Department chief economist Rodney Ludema said.
“If you’re going to get your nose under the tent, that’s a good place to start,” said Ludema, a Georgetown University economics professor. “I’m sure their objective is to get rid of all the sanctions against the financial institutions. But RDIF is one [sanctioned organizations] where a number of prominent U.S. investors have been involved.”
Scaramucci also questioned U.S. sanctions while he was in Davos and echoed Trump’s statements about improving relations with Russia.
Two weeks after the meeting between Scaramucci and Dmitriev, when President Trump spoke by phone to Russian President Vladimir Putin, the fund announced it would open an office in New York in May.
No New York office has been opened but the fund “still expects to open a representative office in the US this year,” the spokeswoman said.

 

 

Cyber Spy Weapons Software Used Against Activists and Journalists

Mexico ranks 9th in journalists deaths. Find the list here by country.

Related reading: iPhone security flaw discovered, used by cyber weapons dealer

 Geek.com

Mexican Government was spying on Journalists and Activists with Pegasus Surveillance software

Journalists and activists in Mexico accused the government of spying on them with the powerful surveillance software Pegasus developed by the NSO Group.

Journalists and activists in Mexico accused the government of spying on them with a powerful surveillance software. According to the journalists, the authorities used an Israeli spyware to hack their mobile devices. The surveillance software is the questionable Pegasus that is developed by the Israeli surveillance NSO Group and sold exclusively to the governments and law enforcement agencies.

NSO Group is owned by US private equity firm Francisco Partners Management. it made the headlines after the investigation conducted by The New York Times.

People familiar with the NSO Group confirmed that the company has an internal ethics committee that monitors the sales and potential customers verifying that the software will not be abused to violate human rights.

Officially the sale of surveillance software is limited to authorized governments to support investigation of agencies on criminal organizations and terrorist groups.

Unfortunately, its software is known to have been abused to spy on journalists and human rights activists.

“There’s no check on this,” said Bill Marczak, a senior fellow at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. “Once NSO’s systems are sold, governments can essentially use them however they want. NSO can say they’re trying to make the world a safer place, but they are also making the world a more surveilled place.”

The discovery is the result of an investigation conducted by Mexican NGOs and the CitizenLab organization.

R3D, SocialTic, Article 19 and CitizenLab published a report that details the surveillance illegally operated by the Mexican government through the spyware.

Authorities have been sending malicious links to individuals’ phones, in order to trick victims into opening the messages they were specifically crafted and in some cases, the attack involved also family members if the victims were not compromised.

“The targets received SMS messages that included links to NSO exploits paired with troubling personal and sexual taunts, messages impersonating official communications by the Embassy of the United States in Mexico, fake AMBER Alerts, warnings of kidnappings, and other threats.” states the report. “The operation also included more mundane tactics, such as messages sending fake bills for phone services and sex-lines. Some targets only received a handful of texts, while others were barraged with dozens of messages over more than one and a half years. A majority of the infection attempts, however, took place during two periods: August 2015 and April-July 2016″.

Mexican Govenment surveillance

The Pegasus spyware leverages zero-day exploits to compromise both iOS and Android devices.

The government targeted individuals that exposed evidence on government corruption and activists who revealed human rights violations by the Mexican Government.

The researchers observed at least two periods of intense targeting:

  • Period 1 (August 2015) when the Mexican President was officially exonerated for his role in the “Casa Blanca” scandal on which Carmen Aristegui, a well-known reporter, had first reported, and Carlos Loret de Mola was questioning the government’s role in extrajudicial killings. Aristegui revealed that President Enrique Pena Nieto’s wife had bought a $7 million Mexico City mansion from a government contractor.
  • Period 2 (April- July 2016) when revelations of government involvement in human rights abuses and extra-judicial killings were made public.

Mexican Government spyware

According to the New York Times report, at least three Mexican federal agencies have purchased some $80 million of spyware from NSO Group since 2011.

Companies like the NSO Group operate in the dark, in a sort of “legal gray area,” despite the Israeli government exercises strict control of the export of such kind of software, surveillance applications could be abused by threat actors and authoritarian regimes worldwide.

Let me close with Key Findings of the report

  • Over 76 messages with links to NSO Group’s exploit framework were sent to Mexican journalists, lawyers, and a minor child (NSO Group is a self-described “cyber warfare” company that sells government-exclusive spyware).
  • The targets were working on a range of issues that include investigations of corruption by the Mexican President, and the participation of Mexico’s Federal authorities in human rights abuses.
  • Some of the messages impersonated the Embassy of the United States of America to Mexico, others masqueraded as emergency AMBER Alerts about abducted children.
  • At least one target, the minor child of a target, was sent infection attempts, including a communication impersonating the United States Government, while physically located in the United States.

***

Then comes former National Security Council advisor for President Trump Michael Flynn.

Cyberweapons Group Sold Spyware Used Against Political Dissidents

He earned nearly $1.5 million last year as a consultant, adviser, board member, or speaker for more than three dozen companies and individuals, according to financial disclosure forms released earlier this year.

Two of those entities are directly linked to NSO Group, a secretive Israeli cyberweapons dealer founded by Omri Lavie and Shalev Hulio, who are rumored to have served in Unit 8200, the Israeli equivalent of the National Security Agency.

Flynn received $40,280 last year as an advisory board member for OSY Technologies, an NSO Group offshoot based in Luxembourg, a favorite tax haven for major corporations. OSY Technologies is part of a corporate structure that runs from Israel, where NSO Group is located, through Luxembourg, the Cayman Islands, the British Virgin Islands, and the U.S.

Flynn also worked as a consultant last year for Francisco Partners, a U.S.-based private equity firm that owns NSO Group, but he did not disclose how much he was paid. At least two Francisco Partners executives have sat on OSY’s board.

Flynn’s financial disclosure forms do not specify the work he did for companies linked to NSO Group, and his lawyer did not respond to requests for comment. Former colleagues at Flynn’s consulting firm declined to discuss Flynn’s work with NSO Group. Executives at Francisco Partners who also sit on the OSY Technologies board did not respond to emails. Lavie, the NSO Group co-founder, told HuffPost he is “not interested in speaking to the press” and referred questions to a spokesman, who did not respond to queries.

Many government and military officials have moved through the revolving door between government agencies and private cybersecurity companies. The major players in the cybersecurity contracting world ― SAIC, Booz Allen Hamilton, CACI Federal and KeyW Corporation ― all have former top government officials in leadership roles or on their boards, or have former top executives working in government.

But it’s less common for former U.S. intelligence officials to work with foreign cybersecurity outfits. “There is a lot of opportunity in the U.S. to do this kind of work,” said Ben Johnson, a former NSA employee and the co-founder of Obsidian Security. “It’s a little bit unexpected going overseas, especially when you combine that with the fact that they’re doing things that might end up in hands of enemies of the U.S. government. It does seem questionable.”

What is clear is that during the time Flynn was working for NSO’s Luxembourg affiliate, one of the company’s main products — a spy software sold exclusively to governments and marketed as a tool for law enforcement officials to monitor suspected criminals and terrorists — was being used to surveil political dissidents, reporters, activists, and government officials. The software, called Pegasus, allowed users to remotely break into a target’s cellular phone if the target responded to a text message.

Last year, several people targeted by the spyware contacted Citizen Lab, a cybersecurity research team based out of the University of Toronto. With the help of experts at the computer security firm Lookout, Citizen Lab researchers were able to trace the spyware hidden in the texts back to NSO Group spyware. After Citizen Lab publicized its findings, Apple introduced patches to fix the vulnerability. It is not known how many activists in other countries were targeted and failed to report it to experts.

NSO Group told Forbes in a statement last year that it complies with strict export control laws and only sells to authorized government agencies. “The company does NOT operate any of its systems; it is strictly a technology company,” NSO Group told Forbes.

But once a sale is complete, foreign governments are free to do what they like with the technology. Read more here.

2016 Internet Crime Report

IC3 Releases Annual Report Highlighting Trends in Internet Crime

Giving someone access to your computer is like giving out a key to your front door. A computer can have your bank account information, family photos, and other private documents and data—information that fraudsters would like to steal. That’s why tech support fraud has become a significant trend in online crime, according to the 2016 Internet Crime Report from the FBI’s Internet Crime Complaint Center (IC3).

In tech support fraud cases, criminals convince unsuspecting victims to provide remote access to their computer by calling and posing as tech support personnel from a legitimate company. The criminal can then simply charge your credit card for a fake anti-virus product, or, in more sinister situations, they can steal your personal information or install malware. More than 10,000 incidents of tech support fraud were reported to the IC3 in 2016, with victims losing nearly $8 million. Though anyone can be a victim, older computer users are the most vulnerable targets.

“They’ll trick you into letting them into your computer,” said IC3 Unit Chief Donna Gregory. “You open the door and allow them in. You may think you’re just watching them install a program to get rid of a virus, but they are really doing a lot of damage behind the scenes.”

In addition to tech support fraud, the other major fraud categories last year were business e-mail compromise, ransomware, and extortion.

The IC3 receives complaints on a variety of Internet scams and crimes, and it has received more than 3.7 million complaints since it was created in 2000. In 2016, the IC3 received a total of 298,728 complaints with reported losses in excess of $1.3 billion. The IC3 uses the information from public complaints to refer cases to the appropriate law enforcement agencies and identify trends. The IC3’s extensive database is also available to law enforcement. Internet users should report any Internet fraud to IC3, no matter the dollar amount. Additional data helps the FBI and law enforcement gain a more accurate picture of Internet crime.

The IC3 publishes the Internet Crime Report annually to increase public awareness of current trends in Internet crime. For this report, the IC3 has also created a separate state-by-state breakdown that allows users to select their state from a dropdown menu so they can review local trends in Internet crime. The top states for reported dollar amounts lost to Internet fraud in 2016 were California ($255 million), New York ($106 million), and Florida ($89 million).

Though Internet crime is a serious threat, there are ways to help keep yourself safe online. The IC3 recommends computer users update their anti-virus software and operating system. Additionally, the Internet is an especially important place to remember the old adage: If it sounds too good to be true, it probably is.

“Be aware of what you are clicking on and also what you’re posting on social media. Always lock down your social media accounts as much as possible,” Gregory said. “Try to use two factor authentication, and use safe passwords or things more difficult to guess. The tougher the password, the harder it is for someone to crack.”