STE WILLIAMS

Ransomware Attack Hits Las Cruces, New Mexico Public Schools

The attack early in the morning of October 29 has taken all of the school district’s systems offline.

A ransomware attack against Las Cruces, New Mexico’s public school system has shut down computers and networks across the district. School district IT teams reportedly reacted quickly, shutting down all computers immediately after detecting the attack at 0700 on October 29. According to the district, no student data is believed to have been compromised.

Computer systems currently remain shut down as IT staff evaluate the extent of the damage and develop a remediation plan.

According to Emsisoft, the first nine months of 2019 saw ransomware attacks against 621 government entities; healthcare service providers; and school districts, colleges and universities. That number includes at least 62 education institution incidents involving more than 1,000 individual schools.




Article source: https://www.darkreading.com/attacks-breaches/ransomware-attack-hits-las-cruces-new-mexico-public-schools/d/d-id/1336217?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Facebook Says Israeli Firm Was Involved in Recent WhatsApp Intrusion

Evidence suggests NSO Group used WhatsApp’s servers to distribute mobile spyware to targeted devices.

Israeli technology firm NSO Group Wednesday strongly denied allegations by Facebook that it had exploited a security flaw in WhatsApp’s video-calling feature earlier this year to install surveillance software on mobile devices belonging to some 100 human rights activists, journalists, and others.

Facebook made the claim in a federal complaint filed in US District Court for the Northern District of California this week. In the complaint, the social media giant accused NSO Group of being involved in an intrusion in which WhatsApp’s servers were used to distribute spyware called Pegasus to some 1,400 targeted devices between April and May.

Facebook described NSO’s exploit as giving attackers a way to use WhatsApp’s systems to make a video call to a target device and install Pegasus on the device without the victim even having to answer the call.

NSO sells tools for fighting cybercrime, terrorism, and other crimes to governments and law enforcement organizations around the world. Some — like researchers at the Citizen Lab at the University of Toronto — have warned about NSO’s tools, particularly Pegasus, being used widely by governments with poor human rights records to conduct surveillance on ordinary citizens and targets of interest. Citizen Lab has identified at least 45 countries where Pegasus is being used to spy on mobile device users.

Facebook, which owns WhatsApp, had earlier hinted at NSO’s involvement in the attack, and others had openly speculated about it despite the Israeli firm’s strident denials. This week’s federal complaint marks the first time Facebook has come out and formally accused NSO of breaking US computer fraud and abuse statutes.

In an opinion piece in The Washington Post on Tuesday, Will Cathcart, vice president of product management at Facebook, said months of investigation had confirmed the company’s previous suspicions about NSO Group.

“NSO has previously denied any involvement in the attack, stating that ‘under no circumstances would NSO be involved in the operating … of its technology,’” Cathcart said. “But our investigation found otherwise.”

Responding to the claim, NSO, which sells cyber and other crime-fighting technology to governments and law enforcement agencies, said its tools are not designed or licensed for use against human rights activists and journalists. 

“In the strongest possible terms, we dispute today’s allegations and will vigorously fight them,” the company said via an e-mailed statement to Dark Reading. “The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime.”

What the Evidence Shows
According to Cathcart, evidence shows the attackers who broke into WhatsApp’s servers used systems and Internet hosting services that were previously associated with NSO. In addition, certain WhatsApp accounts that were used during the attacks point to NSO as well. “While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful,” Cathcart said.

Richard Gold, head of security engineering at Digital Shadows, says Facebook’s claim likely rests on multiple, interlocking pieces of evidence. “WhatsApp/Facebook would have access to the registration details, which were used when NSO Group signed up for the operational WhatsApp accounts that were used in the attacks, including name, mobile phone numbers, and IP addresses,” he said.

While such data can and often is faked, WhatsApp likely had the resources to identify the individuals or entities that were really behind the accounts. Forensic evidence also would have revealed evidence of Pegasus on the compromised devices. “Since Pegasus is believed to be only available to NSO Group customers, it is reasonable to claim that its presence on compromised devices was due to previous successful exploitation events,” Gold says.

NSO, meanwhile, defended its technology as critical to helping law enforcement agencies track down criminals who take advantage of encrypted services such as WhatsApp to carry out malicious activities. “NSO’s technologies provide proportionate, lawful solutions to this issue,” the company said in its statement.

Any other use of NSO products — particularly those targeting human rights activists and journalists — are contractually prohibited and represent a misuse of the tools, the company said.

Chris Morales, head of security analytics at Vectra, says Facebook’s evidence is likely based on origination of traffic and accounts. “The argument will be, who was accountable on the other end of those accounts and who sanctioned the operation of spying?”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/application-security/facebook-says-israeli-firm-was-involved-in-recent-whatsapp-intrusion-/d/d-id/1336216?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Uber sues LA in bid to protect scooter riders’ geolocation data

Los Angeles wants to know exactly when you hop on an Uber scooter or bike, when you hop off, and where you go, promising that such location data is “respectful of user privacy” because it’s not asking for personally identifiable information (PII) about users – well, at least not directly.

Uber’s response: Nope. Geolocation data is clearly PII, and LA’s requirements that companies like Uber and Lyft share scooter-sharing data could compromise user privacy, as well as the companies’ own trade secrets.

Uber, better known for its ride-hailing car service, on Monday filed a lawsuit after months of refusing to give the LA Department of Transportation (LADOT) what the city’s after, CNET reports.

The publication quoted an Uber spokesperson:

Independent privacy experts have clearly and repeatedly asserted that a customer’s geolocation is personally identifiable information, and – consistent with a recent legal opinion by the California legislative counsel – we believe that LADOT’s requirements to share sensitive on-trip data compromises our customers’ expectations of data privacy and security.

Therefore, we had no choice but to pursue a legal challenge, and we sincerely hope to arrive at a solution that allows us to provide reasonable data and work constructively with the City of Los Angeles while protecting the privacy of our riders.

Like other cities, LA is wrestling with a newly chaotic traffic situation, with Uber and Lyft drivers whizzing around, picking up, dropping off or waiting for fares, as city buses, bicyclists and scooter riders – some using rent-by-the-hour bikes and scooters – jostle for space.

Those ubiquitous dockless e-scooters and bikes often wind up randomly scattered or piled up in heaps on city sidewalks. Some cities have gone so far as to ban them.

Other cities, including LA, are looking to pull data from the chaos so as to rein it in. They’re hoping that scooter data can help to determine how citizens are getting around, where it makes the most sense to spend money on infrastructure and where to cut back, and whether the companies they’ve allowed to use their public streets and sidewalks are following the rules and not making pig-piled scooter messes.

LA’s plan, which it began work on last year, is a new data standard called the Mobility Data Specification (MDS). It’s based on a standard set of application programming interfaces (APIs) through which mobility companies are required to provide real-time information about how many of their vehicles are in use at any given time, where they are at all times, their physical condition, anonymized trip start and stop times, destinations, and routes, among other data.

Real-time location data? That’s taking it too far, Uber says, and privacy experts have backed it up. It doesn’t matter that the city isn’t collecting PII such as name, age, gender and address, given that, as has been demonstrated time and time again, Big Data can be dissected, compared and contrasted to look for patterns from which to draw inferences about individuals. In other words, it’s not hard to re-identify people – or cats, for that matter – from anonymized records.

The Center for Democracy & Technology (CDT) says that LADOT’s plan to collect location data could seriously jeopardize riders’ privacy:

People’s movements from place to place can reveal sexual partners, religious activities, and health information. The U.S. Supreme Court has recognized a strong privacy interest in location data, holding that historical cell site location information is protected by the Fourth Amendment warrant requirement… Even de-identified location data can be re-identified with relative ease.

The Electronic Frontier Foundation added to that list of sensitive PII that can be determined from tracking people:

Los Angeles riders deserve privacy in the bike and scooter trips they take – be they for work, medical appointments, social engagements, prayer, or other First Amendment-protected activities.

Uber claims that LA’s plan will violate California’s Electronic Communications Privacy Act, a law passed in 2015 designed to prevent law enforcement agencies from accessing people’s data without a warrant.

Uber is the last holdout. Companies including Lime, Spin and Lyft are complying with the city’s data requirements, in spite of California’s Legislative Counsel having determined that the location data requirement could be violating the law.

Uber’s suit against LA was filed along with a temporary restraining order so that it can keep its scooters in the city while the case plays out.

In a statement it put out in response to the lawsuit, the LADOT threatened to yank the permit that keeps Uber’s scooters zooming around:

LADOT has the responsibility to manage the public right-of-way, ensuring safety and access for everyone. To be effective, the department requires reasonable information about the tens of thousands of shared vehicles operated by transportation technology companies that use our streets for profit.

While all other permitted scooter and bike companies are complying with our rules, Uber has repeatedly refused. L.A.’s requirements have been clear since last November, and Uber agreed to abide by them. By 5pm tomorrow, we expect Uber to come into compliance or they will face suspension proceedings, which could eventually lead to revocation of their permit.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/BqXMC-Elu-8/

Facebook launches $2m suit against alleged phishing, hacking sites

Facebook is using trademark law to go after the domain hosts which register phishing or hacking-tools sites that target the platform and its Instagram subsidiary.

CNET reports that on Monday, Facebook filed suit in the US District Court of the Northern District of California against web hosts OnlineNIC and ID Shield. It’s accusing the hosts of trademark infringement and cybersquatting – what’s also known as typosquatting, where crooks register common misspellings of popular websites to snare innocent users who wind up on the pages due to a keystroke slip.

According to the suit, OnlineNIC has registered domains from which to carry out phishing and which claim to sell hacking tools. Facebook listed 20 infringing domains, including hackingfacebook.net, facebookphysician.net, buyinstagramfans.com, instagram01.com, and iiinstagram.com.

Each of those domains was registered by ID Shield: a company that Facebook says is controlled by OnlineNIC.

The lawsuit also includes a screen capture designed to look exactly like a Facebook site. Facebook alleges that such sites are used in phishing attacks, meant to trick visitors into accidentally giving up their logins.

CNET quoted a statement from Facebook:

People count on us to protect the integrity of our apps and services. We don’t tolerate people creating web addresses that pretend to be associated with our family of apps. Today’s lawsuit shows we will take action against those behind this abuse.

This isn’t OnlineNIC’s first trademark waltz. In 2008, Verizon sued the company for registering hundreds of domain names with Verizon trademarks. Verizon won its $33m suit, being awarded a default judgment of $50,000 for each of 663 addresses registered by OnlineNIC.

Facebook said in its lawsuit that OnlineNIC’s history demonstrated a “bad faith intent to profit” off others’ intellectual property. The company is seeking $2 million in damages, which works out to $100,000 per infringing domain.

Let me Microsplain this to you typosquatters

Besides Verizon, Facebook is taking a page from Microsoft, which has seen good results at using the courts to carry out multiple domain-slapdown campaigns – domains with Microsoft branding flavor and criminal intent.

In 2017, Microsoft filed cases against the notorious, likely Russian, hacking group Strontium, better known to the world as Fancy Bear, or APT28.

It might seem quixotic to presume that you can take out nation-state hacking groups with sheaves of legal documents, but Microsoft has found that it’s actually quite effective.

By March 2017, the company had managed to seize 70 web domains used by Fancy Bear (including one used in the 2016 attacks on the Democratic National Committee).

Microsoft did it again this year when, armed with a court order, it swatted 99 domains associated with the Iranian hacking group known as Charming Kitten (or APT35, or Ajax Security Team, or, as Microsoft calls it, Phosphorus).

Among its many escapades, the group sends phishing emails crafted to look like there’s an issue with a victim’s account. They’ll use domain names that look like they’re tied to legitimate brands, including versions of Microsoft products such as, for example, outlook-verify.net, microsoft-update.bid, and verify-linkedin.net.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/g_OViBXsCtw/

Sextortion scammers are hijacking blogs – and victims are paying up

Sextortion scammers have started hijacking poorly managed or defunct hosted blog sites to expand an increasingly profitable business. They have now started posting their messages – which dupe people into believing they’ve been filmed watching porn and demand a bitcoin ransom – to WordPress and Blogger sites.

The messages, which appear as blog posts from the administrators, take varying forms but all say the same basic thing: We’ve accessed your computer and filmed you in a compromising position using your webcam. Send bitcoin to our address or we’ll spill the goods.

Bleeping Computer searched for phrases common to many of the sextortion posts and came up with almost 1,500 results on Blogspot, which is the free domain service provider frequently used to host Blogger blogs. It also found around 200 hits on WordPress sites. Both of these are online blog hosting services, but we did not find any hits showing compromised self-hosted blogs.

The posts carry titles like “High danger. Your account was attacked” and “Security Notice. Someone have access to your system.” They begin with messages like:

As you may have noticed, I sent you an email from your account.

This means that I have full access to your device.

This is a different modus operandi than the email versions of these scams, which usually contain one of the victim’s passwords gleaned from a hacked password list. The attacker might have hijacked the account used to manage the hosted site by either compromising an administrator’s machine, or more likely using a simple credential-stuffing attack.

A look at some of these blogs reveals not just one spam message but several, spanning not just sextortion but also everything from romance scams to car loans. One site we saw also redirected us to a fake antivirus page. Some of the blogs are still displaying spam posts made a year or more ago. We encourage readers not to search for such blogs or visit them, in case some of the attackers have embedded drive-by malware downloads in their posts.

The sites have something else in common: many of them have been abandoned. In some cases, there hadn’t been a legitimate post in a year or more.

We reached out to the owners of one such neglected WordPress-hosted site, which had lain dormant from 2014 to 2017. The most recent post, a sextortion attempt, is dated 26 February 2019.

“We don’t actually use it”, she said when we told her that someone else had been using it, going on to say that all the details to access the site were on a computer in the office but that the administrator wasn’t there. We advised her to check the site’s security, and she said: “I will do, if I get a minute, which I never get”.

Neglected sites like these, operated by those without the resources or expertise to manage them, seem to be the main target for these sextortion scammers and other spammers. Are they trying to fool the owners of the sites, or the visitors? Probably both, as long as someone clicks on a scam link or sends bitcoin to their address.

The current wave of sextortion scams started with crooks sending emails, sometimes from the victims’ own email addresses, that used old, long-exposed passwords as fake “proof” that the recipient’s computer had been hacked. Have the crooks now learned that using those same passwords to compromise unattended blogs is a more convincing form of proof?

The signs are that people are paying up. The address on the disused blog has collected 4.5 bitcoins (£32,780). It received the first payment on the same date that the sextortion post appeared on the site. It’s one of dozens of addresses appearing on different blogs. Those funds could also have come from email sextortion victims, of course, and from other sources, but sad to say, for these attackers crime really does seem to pay.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/-sDLyHGhvIU/

Got an early iPhone or iPad? Update now or turn it into a paperweight

If you own an Apple iPhone 5, iPhone 4s or one of the early iPads with cellular connectivity, your device is about to be turned into a vintage technology paperweight by the GPS rollover problem that we wrote about in April.

Before we explain why, we should say it is possible to avoid this fate by updating your device to iOS version 10.3.4 (iPhone 5) or version 9.3.6 (iPhone 4s and iPads).

But there’s one critical detail – you must apply this update before 12:00 a.m. UTC on 3 November.

If you don’t follow this advice, the iPhone will, according to Apple, no longer be able to…

Maintain accurate GPS location and to continue to use functions that rely on correct date and time including App Store, iCloud, email, and web browsing.

So, losing the GPS stops the time and date being set, which immediately causes internet synchronisation problems affecting services that need to connect to remote servers.

In addition to the iPhone 5 and 4s, the iPads affected are the cellular-enabled iPad mini, iPad 2, and the third-generation iPad.

You can read the iPhone 5-specific warning or the one that includes the iPhone 4s if you want to confirm the worst in more detail.

Why is this necessary?

Because of the GPS satellite system’s equivalent of the Y2K bug.

The date broadcast by GPS includes a weekly counter with 1,024 possible values. This means it can count 1,024 weeks (which takes 19.7 years) before it has to “rollover” and start the counter again from 0.

The first rollover occurred with little fanfare, in 1999, a time when GPS was far less widely used. The second rollover happened this year, when the GPS week counter reset to 0 on 7 April.

For reasons Apple hasn’t explained, older devices aren’t affected by the rollover until 3 Nov 2019.
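As an added illustration (not part of the original article), the rollover arithmetic in Python: it reproduces the two rollover dates from the 10-bit week counter and shows how a receiver’s pivot date, an assumed firmware reference date, decides which 1,024-week cycle a broadcast week number lands in.

```python
from datetime import date, timedelta

# GPS time starts at week 0 on Sunday 6 January 1980.
GPS_EPOCH = date(1980, 1, 6)
# The legacy navigation message carries the week number in a 10-bit field.
WEEK_MODULUS = 1024


def cycle_length_days() -> int:
    """Length of one full counter cycle: 1,024 weeks = 7,168 days."""
    return WEEK_MODULUS * 7


def rollover_date(k: int) -> date:
    """First day on which the 10-bit counter reads 0 for the k-th time after launch."""
    return GPS_EPOCH + timedelta(weeks=k * WEEK_MODULUS)


def _as_date(d):
    # Accept either a date or an ISO string such as "2018-01-01".
    return date.fromisoformat(d) if isinstance(d, str) else d


def resolve_week(week_10bit: int, pivot) -> int:
    """Turn a 10-bit week number into an absolute GPS week.

    The counter alone cannot say which 1,024-week cycle it belongs to, so the
    receiver needs a pivot date (assumed here to be something like a firmware
    build date) and takes the first matching week on or after that pivot.
    """
    if not 0 <= week_10bit < WEEK_MODULUS:
        raise ValueError("week number must fit in 10 bits")
    pivot_week = (_as_date(pivot) - GPS_EPOCH).days // 7
    cycle = pivot_week // WEEK_MODULUS
    candidate = cycle * WEEK_MODULUS + week_10bit
    if candidate < pivot_week:   # counter has already wrapped since the pivot
        candidate += WEEK_MODULUS
    return candidate


def decode_week_start(week_10bit: int, pivot) -> date:
    """Calendar date (a Sunday) on which the resolved GPS week begins."""
    return GPS_EPOCH + timedelta(weeks=resolve_week(week_10bit, pivot))


if __name__ == "__main__":
    print("first rollover :", rollover_date(1))            # 1999-08-22
    print("second rollover:", rollover_date(2))            # 2019-04-07
    # A receiver pivoted in 2018 places week 0 correctly in April 2019...
    print(decode_week_start(0, "2018-01-01"))              # 2019-04-07
    # ...while one whose pivot was never moved past 1999 lands a full cycle early.
    print(decode_week_start(0, "1998-01-01"))              # 1999-08-22
```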

Party like it’s 2012

Chances are there are a lot of half-forgotten iPhone 5s out there, buried at the bottom of drawers. Their batteries are shot and they might not have had all the updates they should have since they were put away, but they do, in theory, function as working museum pieces.

Wouldn’t it be nice if your old iPhone 5 continued to be able to connect to the internet? Of course it would.

But the biggest problem of all is that over-the-air updates won’t work. Neither will iCloud backups.

Not updating by 3 November creates a bind – to make the device connect you need an update, but you can’t have that because the iPhone can’t connect to the update server.

At that point, only one rescue mission is possible – restore the device from a Mac or PC – in effect getting the computer to act as an update intermediary.

That won’t seem like a huge problem for some owners, but it does depend on having that facility as well as having made a backup of any data on the device.

What to do?

To check you have received the latest update:

  • Open the Settings app.
  • Tap ‘General’, then tap ‘About’.
  • Look for the number next to Software Version.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/zgT62q9uedk/

Europe’s digital identity system needs patching after can_we_trust_this function call ignored

Security flaws have been found in the European Union’s electronic identity system that could have been exploited by miscreants to impersonate member states’ citizens online.

The programming blunders were buried in the five-year-old eIDAS – that’s electronic IDentification, Authentication and trust Services – that was designed to act as a secure bridge between all the various bureaucracies and ID systems of the 28 countries that make up the world’s largest trading bloc.

Essentially, you can use eIDAS to sign documents, pay taxes, apply for college courses, open bank accounts, access public services, and so on, in one EU country using a digital identity issued by another EU state’s government. For example, a person in France can use their French government-issued electronic ID to access online services in Italy, using eIDAS to identify themselves. All very Brussels, and all a bit complicated.

And it could have been exploited to masquerade as others, somewhat breaking that whole trust-and-verification thing. If you’re running an eIDAS-Node installation – as many member states do – then make sure you’ve updated to version 2.3.1 or higher to avoid these security weaknesses.

The scope of these vulnerabilities, we note, is rather limited: the software is used by countries to talk to the systems of other countries. It could, therefore, potentially, be used by agents of one nation to pretend to be citizens of another nation – or by miscreants that somehow managed to impersonate or compromise an eIDAS-Node deployment, at which point, you’ve got bigger fish to fry.

The real lesson, as explained below, is: check the issuer of cryptographic certificates, and do not ignore return values of functions, especially ones checking whether or not a crypto-key source can be trusted.

We’re told that Wolfgang Ettlinger of infosec biz SEC Consult found and reported the bugs: “During a short crash test SEC Consult identified critical vulnerabilities in the eIDAS-Node software component (EU cross-border authentication). These vulnerabilities could allow an attacker to impersonate any EU citizen,” the firm explained in an advisory on Tuesday.

The security house has this example and diagram to illustrate the authentication process:

If an Italian citizen wants to authenticate against a German online service, first the German eIDAS-Node (eIDAS-Connector) is directed by the web application to initiate the authentication process. It sends a request to the Italian eIDAS-Node (eIDAS-Service). The Italian eIDAS-Node forwards the user to a system that is equipped to authenticate the Italian citizen using the national eID scheme. After authentication, the German eIDAS-Connector receives the citizen’s information which it forwards to the web application.

[Diagram: eIDAS cross-border authentication flow. Source: SEC Consult]

The holes lurked in eIDAS code that insecurely handled cryptographic certificates passed during the process. The issuer of an entity cert was not validated, and the return value of a validate() function call in the OpenSAML ExplicitKeyTrustEvaluator class to determine whether a certificate should be trusted – true for yes, false for no – was ignored, and the software progressed regardless.

The end result: it was possible to fake security certificates, and thus impersonate strangers.
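To make the two missing checks concrete, here is a constructed Python model added for this page; it is not the eIDAS-Node or OpenSAML code. It uses toy RSA keys far too small for real use, a stand-in ExplicitKeyTrustEvaluator, and the flawed acceptance routine beside a fixed one; all names, primes and attribute values are invented.

```python
import hashlib
from dataclasses import dataclass

# Constructed toy RSA parameters: tiny primes, useless for real security, just
# enough to make "the signature verifies under the presented certificate" a
# genuine computation rather than a stub.
TOY_E = 65537
LEGIT_PRIMES = (1000003, 1000033)      # key of the genuine eIDAS-Service
ATTACKER_PRIMES = (1000037, 1000039)   # key an impostor generates for itself


@dataclass(frozen=True)
class Certificate:
    subject: str   # who the certificate claims to identify
    issuer: str    # who vouches for it
    modulus: int   # toy RSA public key (n); the exponent is TOY_E


@dataclass(frozen=True)
class SignedResponse:
    cert: Certificate   # certificate shipped along with the response
    payload: bytes      # the citizen attributes being asserted
    signature: int


def toy_keypair(primes):
    p, q = primes
    n, phi = p * q, (p - 1) * (q - 1)
    return n, pow(TOY_E, -1, phi)


def _digest_int(payload: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % n


def toy_sign(payload: bytes, n: int, d: int) -> int:
    return pow(_digest_int(payload, n), d, n)


def signature_valid(cert: Certificate, payload: bytes, signature: int) -> bool:
    """Does the signature verify under the key in the *presented* certificate?
    This says nothing about whether that certificate deserves any trust."""
    return pow(signature, TOY_E, cert.modulus) == _digest_int(payload, cert.modulus)


class ExplicitKeyTrustEvaluator:
    """Stand-in for the evaluator named in the article: True only when the
    presented certificate's key is one of the explicitly trusted keys."""
    def __init__(self, trusted):
        self._trusted = {c.modulus for c in trusted}

    def validate(self, cert: Certificate) -> bool:
        return cert.modulus in self._trusted


def accept_flawed(resp: SignedResponse, trust: ExplicitKeyTrustEvaluator) -> bool:
    """The defect pattern the article describes: validate() is called but its
    boolean is thrown away, and the issuer is never compared to anything."""
    if not signature_valid(resp.cert, resp.payload, resp.signature):
        return False
    trust.validate(resp.cert)   # result ignored: processing continues regardless
    return True


def accept_fixed(resp: SignedResponse, trust: ExplicitKeyTrustEvaluator,
                 expected_issuer: str) -> bool:
    """Hardened version: issuer must match, validate() must return True, and
    only then does a good signature mean anything."""
    if resp.cert.issuer != expected_issuer:
        return False
    if not trust.validate(resp.cert):
        return False
    return signature_valid(resp.cert, resp.payload, resp.signature)


def build_scenario():
    """Constructed data: a genuine response and a forged one that copies the
    genuine subject name but is signed with the impostor's own key."""
    n_ok, d_ok = toy_keypair(LEGIT_PRIMES)
    n_bad, d_bad = toy_keypair(ATTACKER_PRIMES)
    genuine_cert = Certificate("eidas-service.example.it", "EU-trust-anchor", n_ok)
    forged_cert = Certificate("eidas-service.example.it", "self-signed", n_bad)
    payload = b"PersonIdentifier=IT/DE/000001;FamilyName=Rossi"
    genuine = SignedResponse(genuine_cert, payload, toy_sign(payload, n_ok, d_ok))
    forged = SignedResponse(forged_cert, payload, toy_sign(payload, n_bad, d_bad))
    return genuine, forged, ExplicitKeyTrustEvaluator([genuine_cert])


def run_checks() -> dict:
    genuine, forged, trust = build_scenario()
    # Variant where the impostor also copies the expected issuer string: the
    # issuer check alone is not enough, the key must be in the trusted set.
    copied_issuer = SignedResponse(
        Certificate(forged.cert.subject, "EU-trust-anchor", forged.cert.modulus),
        forged.payload, forged.signature)
    return {
        "flawed_accepts_forged": accept_flawed(forged, trust),
        "fixed_accepts_forged": accept_fixed(forged, trust, "EU-trust-anchor"),
        "fixed_accepts_copied_issuer": accept_fixed(copied_issuer, trust, "EU-trust-anchor"),
        "fixed_accepts_genuine": accept_fixed(genuine, trust, "EU-trust-anchor"),
    }
```

The forged response passes the flawed routine because its signature is internally consistent with the certificate it carries; only checking the issuer and honouring validate()’s result rejects it.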

“SEC Consult recommends to immediately apply the patch provided by the vendor, if this has not happened yet,” it went on. “Moreover, SEC Consult recommends operators of eIDAS-Node installations to conduct a forensic investigation into whether this vulnerability has already been abused.”

The hole, privately reported in July, should have been open for less than a year, the bug hunters reckon, since in 2018 the Ruhr University Bochum in Germany conducted a test on the system that would most likely have spotted the blunder. So it was probably, hopefully, introduced between that audit last year and June this year, when SEC Consult started poking around the source code.

The EU has now released a fix, and a reminder to national administrators to get patching. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/30/eidas_security_flaw/

Q. Who’s triumphantly slamming barn door shut after horse bolted at warp 9? A. NordVPN

2019 has been a bad year for NordVPN on the security front.

And so, in full damage limitation mode, the private networking biz has outlined steps it is taking to improve its defenses. Steps, we note, that should have been in place to begin with, but hey, hindsight is 20-20.

The VPN provider says it will undertake five different projects, each aimed at helping it to beef up security protections of its network and the application code. The plan calls for a number of collaborations with outside researchers and companies.

“We are planning to use not only our own knowledge, but to also take advice from the best cybersecurity experts and implement the best cybersecurity practices there are,” NordVPN head flack Laura Tyrell said of the campaign. “And this is the first of many steps we are going to take in order to bring the security of our service to a whole new level.”

But enough with the lip service, here is what they actually plan to do.

First off, NordVPN says it will subject itself to regular independent security audits. Though it is yet to say who will conduct that assessment, NordVPN promises a third party will be called in to examine everything from the client software to the backend source code and the hardware and architecture used for the servers and network.

Additionally, the VPN biz says it will be calling in hackers-for-hire VerSprite to conduct a series of penetration tests alongside NordVPN’s own internal red team. In addition to hammering on NordVPN’s source code and intrusion prevention system, VerSprite will help form an independent advisory committee for security.


Flaw finders will be pleased to know that NordVPN is looking to launch its own bug bounty program. Set to launch over the “next few weeks,” the program would look to pay out to researchers who find and report security holes in NordVPN’s stuff to the biz. Hopefully the few weeks will be enough time to properly set up the program, as experts say a poorly run bug bounty system is worse than none at all.

On the hardware side, NordVPN says it plans to take control of all of its servers and improve their design, following a hole discovered in one of its rented systems in Finland. Specifically, the VPN service will transition to co-located servers that it owns and manages.

While NordVPN says it is still in the process of reviewing its infrastructure to catch and eliminate any exploitable vulnerabilities introduced by third-party vendors and developers, one of the measures it already plans to take is to switch entirely to disk-less, RAM-only servers.

This would allow NordVPN to store the server images centrally and push them out to the nodes without the need to store any information, sensitive or otherwise, at rest on the machines. Those machines would then periodically be restarted or otherwise updated to use fresh images.

NordVPN hopes both moves will eliminate the situation that caused the recent security breach: a compromised server in a third-party datacenter that NordVPN was using to route subscribers’ connections.

That server, hosted in a Finland datacenter operated by Creanova, was infiltrated back in 2018 via a remote management account that would have allowed miscreants on the other side of the internet to see some traffic passing through the exit node. Creanova said NordVPN knew the remote management system was installed and that NordVPN failed to lock it down. NordVPN claimed it had no idea this God-mode-level access was present in the box. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/29/nordvpn_security_updates/

WhatsApp slaps app hacker chaps on the rack for booby-trapped chat: NSO Group accused of illegal hacking by Facebook

Updated Facebook and its WhatsApp subsidiary on Tuesday sued NSO Group alleging the Israel-based spyware maker unlawfully hacked smartphones using a vulnerability in the popular chat app.

The complaint [PDF], filed in a US district court in San Francisco, blames NSO for a cyberattack on WhatsApp users that was publicly disclosed in May and thwarted with a software update.

NSO Group makes a form of snoop-ware called Pegasus. The biz maintains that it sells the software – which silently infects and monitors targets’ phones and devices – only to governments and intelligence agencies to fight terrorism. But human-rights groups have accused the firm of making its surveillance code available for use against lawyers, dissidents, activists, journalists, and other rights advocates.

It is thus believed NSO Group, in this case, compromised people’s gadgets on behalf of a mystery customer.

In a post on its website, WhatsApp said the hack, which exploited CVE-2019-3568 to compromise mobile devices without user interaction, targeted 1,400 people total, including at least 100 journalists, human-rights activists, and other members of civil society.


“The complaint alleges [the NSO Group] violated both US and California laws as well as the WhatsApp Terms of Service, which prohibits this type of abuse,” the chat app developer explained. “This is the first time that an encrypted messaging provider is taking legal action against a private entity that has carried out this type of attack against its users.”

According to the complaint, NSO Group reverse engineered WhatsApp and developed a program to produce seemingly legitimate WhatsApp network traffic to hijack targeted smartphones that had the application installed. The spyware maker, it is claimed, created a web of WhatsApp accounts to initiate calls that would spread the group’s malware, using servers leased from various companies around the world, including Choopa, Quadranet, and Amazon Web Services, to send these messages.

Specifically, the NSO Group, it is alleged, crafted call initiation messages booby-trapped with malicious code: whether or not the calls were answered, the initiation messages included specially crafted data that, once received and parsed by the application, exploited a buffer-overflow bug and caused the smuggled code to execute on the target phone. That gave the NSO Group a foothold on the handhelds, enough to start snooping on people’s activities, it is claimed.

Furthermore, the initiation messages were crafted to appear to arrive from WhatsApp’s own servers, it is alleged. It is believed the exploitation began on April 29, and stopped by May 10.

“Disguising the malicious code as call settings enabled Defendants to deliver it to the Target Device and made the malicious code appear as if it originated from WhatsApp Signaling Servers,” the complaint says. “Once Defendants’ calls were delivered to the Target Device, they injected the malicious code into the memory of the Target Device — even when the Target User did not answer the call.”

The court filing suggests at least one member of civil society in Washington, DC, was targeted – a victim’s redacted phone number includes three legible digits, the District of Columbia’s 202 area code. Other targets are understood to be in Europe, Asia, Africa, and the Middle East, as well as North America.

The complaint alleges the NSO Group, and an affiliated corporate entity Q Cyber Technologies, violated America’s Computer Fraud and Abuse Act and the California Comprehensive Computer Data Access and Fraud Act, and also violated agreed-upon policies and trespassed on its network.


In an op-ed-slash-statement provided to The Washington Post, Will Cathcart, head of WhatsApp, said the affair highlights why tech companies should not be required to intentionally weaken their security systems. “‘Backdoors’ or other security openings simply present too high a danger,” he said.

Technology giants, he said, must do more to protect human rights and must avoid attacking one another. And he endorsed UN Special Rapporteur for Freedom of Expression David Kaye’s call for a moratorium on surveillance technology. That includes facial recognition, a tech WhatsApp’s parent Facebook isn’t ready to disavow.

CitizenLab, a cyber security research group at the Munk School of Global Affairs and Public Policy at the University of Toronto, Canada, said WhatsApp’s complaint validates concerns that it and similar rights organizations have raised in the past. But fixing this problem, the group said, won’t be easy.

“As it stands, NSO Group and other spyware companies are equipping repressive governments with powerful tools to spy on those who hold them to account,” CitizenLab said in a statement about the WhatsApp attacks. “With powerful surveillance technology such as this roaming free, there is nowhere to hide and no one will be safe from those who wish to cause harm. Not acting urgently on this critical public emergency threatens liberal democracy and human rights worldwide.”

The NSO Group, which last month announced a “new human rights policy and governance framework,” did not respond to a request for comment. ®

Updated to add

After this story was published, NSO Group told us in a statement:

In the strongest possible terms, we dispute today’s allegations and will vigorously fight them. The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime. Our technology is not designed or licensed for use against human rights activists and journalists. It has helped to save thousands of lives over recent years.

The truth is that strongly encrypted platforms are often used by pedophile rings, drug kingpins and terrorists to shield their criminal activity. Without sophisticated technologies, the law enforcement agencies meant to keep us all safe face insurmountable hurdles. NSO’s technologies provide proportionate, lawful solutions to this issue.

We consider any other use of our products than to prevent serious crime and terrorism a misuse, which is contractually prohibited. We take action if we detect any misuse. This technology is rooted in the protection of human rights – including the right to life, security and bodily integrity – and that’s why we have sought alignment with the UN Guiding Principles on Business and Human Rights, to make sure our products are respecting all fundamental human rights.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/29/whatsapp_sue_nso_group/

Is HONK nothing sacred HONK? It’s 2019 and an evil save file can pwn much-loved HONK Untitled Goose Game

Fans of Untitled Goose Game should update their copy of the indie smash-hit following the discovery of a bug that can lead to malicious save files hijacking players’ systems.

Pulse Security bug-hunter Denis Andzakovic took credit for finding and responsibly disclosing the vulnerability, which does not appear to have been assigned a CVE number. Publisher House House has emitted a patch for the remote-code-execution hole.

Released last month for Windows PCs, Macs, and the Nintendo Switch to an instant cult following, Untitled Goose Game pits the player as an evil goose intent on raising havoc in an unsuspecting village of humans. As it turns out, taking on the persona of an angry bird tasked with stealing a child’s glasses and forcing a gardener to maim himself makes for surprisingly satisfying gameplay.

Now back to the flaw, which is more amusing than scary. But, you know, patch anyway.

Andzakovic discovered a deserialization error in the way Goose Game reads game save files. A hacker who was aware of the flaw would be able to create a poisoned game save file that, when loaded, executes arbitrary code, leading to the installation of spyware and other software nasties.


“Untitled Goose Game used the .NET BinaryFormatter to read and deserialize save game files. As no SerializationBinder was specified, an attacker who can control the save game file can exploit the deserialization process and execute arbitrary code,” the bug-hunter wrote in his summary.

“This is achieved by writing out a malicious serialized object to a save game file which is later read by Untitled Goose Game.”
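The pattern the summary describes, and the usual fix, as an added example: the binder-less BinaryFormatter call beside one that pins the deserializer to a single save-game type. This is illustrative code, not House House’s, and the GooseSaveData type is a hypothetical stand-in for whatever the game really stores.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Hypothetical save-game payload (not the game's real format).
[Serializable]
public class GooseSaveData
{
    public int TasksCompleted;
    public string CurrentArea;
}

// Allow-list binder: the deserializer may only instantiate the type named
// here. Any other type name found in the file is rejected before an
// instance is constructed, which is what defeats a gadget-chain payload.
public sealed class SaveGameBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (typeName == typeof(GooseSaveData).FullName)
            return typeof(GooseSaveData);
        throw new SerializationException(
            $"Refusing to deserialize unexpected type '{typeName}' from save file");
    }
}

public static class SaveLoader
{
    // The pattern from the disclosure: no Binder set, so the file contents
    // decide which types get constructed during Deserialize().
    public static object LoadUnsafe(Stream saveFile)
    {
        var formatter = new BinaryFormatter();
        return formatter.Deserialize(saveFile);
    }

    // Hardened form: the binder limits construction to GooseSaveData.
    // Note that Microsoft now deprecates BinaryFormatter outright; the
    // durable fix is a non-polymorphic format such as JSON or a plain
    // field layout, with the binder as a stopgap for existing saves.
    public static GooseSaveData LoadWithBinder(Stream saveFile)
    {
        var formatter = new BinaryFormatter { Binder = new SaveGameBinder() };
        return (GooseSaveData)formatter.Deserialize(saveFile);
    }
}
```

Loading a legitimate save through LoadWithBinder works unchanged, while a file carrying any other serialized type fails with a SerializationException instead of running code.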

In practice, a gamer would have to be tricked into downloading and opening a booby-trapped save game file. For example, a miscreant could promise a saved game that was near completion, or at a point beyond one of the more difficult challenges in the game.

To demonstrate, Andzakovic crafted a proof-of-concept save file that, when opened by the goose game, runs the Windows Calculator. Replace that with something else, and, well, now you have code execution on their machine.

This story does have a happy ending, unlike the villagers’ day. House House patched the flaw last week, and anyone who is running a version of the game updated since then will have the bug fixed. If you want to be really careful, don’t open anyone else’s game saves.

In closing, HONK. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/10/29/untitled_goose_game_rce/