Privatized Intelligence and the Future of Safety

Zero-Day Vulnerability Found on Activist’s iPhone Underscores NSO Group Privacy Abuses

On Monday, Apple released an emergency security update across its product lines to patch a zero-day vulnerability associated with Pegasus spyware, a technology developed by the controversial Israeli firm, NSO Group.

Pegasus spyware has been used by various nation-states to target activists, journalists, and political officials all over the world.

The vulnerability was first discovered back in August by Citizen Lab, a watchdog group based at the University of Toronto while investigating an exploit used to hack an iPhone 12 belonging to an undisclosed Bahraini human rights activist who is also a member of the Bahrain Center for Human Rights. Evidence suggests that the activist’s iPhone had likely been compromised as early as February 2021.

During its investigation, Citizen Lab found that the activist’s iPhone had been hacked with a so-called “zero-click” attack, meaning that it doesn’t require any user interaction to compromise the device. The attack exploited a flaw in the way Apple users received GIFs through iMessage to push Pegasus spyware onto the activist’s phone.

The vulnerability is also notable for its ability to circumvent BlastDoor, a new Apple security feature implemented in iOS 14. Researchers at Citizen Lab are calling this latest exploit “ForcedEntry” and Apple has since described the vulnerability issue as when “processing a maliciously crafted PDF may lead to arbitrary code execution.”

Reporting by TechCrunch indicates that Citizen Lab researchers alerted Apple about the vulnerability before the findings of their initial investigation were first reported by news outlets in late August. Citizen Lab later found and shared new artifacts concerning the vulnerability with Apple on Sept. 7.

If “Pegasus” sounds familiar to you, it may be because the spyware made headlines back in July when news outlets from all over the world contributed to an international investigation into the NSO Group, which develops the technology. We’ve also previously written about how the NSO Group’s many incidents of privacy abuse reflect the disastrous impact that the commercial surveillance industry has on human rights and security.

The Effects of the Private Intelligence Industry are More Tangible Than Ever

It’s worth noting that Apple’s vulnerability patch wasn’t the only breaking news story this week that involved human rights violations made by government entities soliciting services from the privatized intelligence market.

On Tuesday, following Apple’s update rollout, the U.S. Department of Justice unsealed an indictment against three former NSA employees for leasing their services to the United Arab Emirates (U.A.E) cybersecurity firm DarkMatter. According to the indictment, the three individuals engaged in activities that violated U.S. cyber criminal law and export control. It also revealed that they may have been working on projects which included “zero-click” technology.

Sean McFate, author of The Modern Mercenary, insists that we are in an era of “neomedievalism”: A reference to a time where the private market for force was an acceptable  – and conventional – method for exacting political will, regardless of any attachment to a state government.

The primary purpose of intelligence operatives, in the eyes of the state, is to act as the most forward-deployed asset in the security apparatus. A secondary purpose might be the protection of the citizenry. But in the case of private intelligence, what allegiance lies beyond the immediate benefactor? Are private intelligence agencies always destined to be a cut-out of their origin nation’s intelligence services?

In the DarkMatter case, it seems that there are definite consequences for operatives who stray beyond the supposed norms of American espionage. What remains to be seen is how our justice system, and the people it seeks to protect, will hold these agencies accountable as they continue to grow, build, and scale.

Increase in Sexploitation and Leaked Facebook Research

• [MIT Technology Review] Researcher Henry Adjer recently discovered an app that allows users to generate pornographic deep fake videos by swapping another individual’s face over a pornstar's body. Needless to say, the app crosses ethical boundaries..
• [Wall Street Journal] Leaked documents to The Wall Street Journal from Facebook reveal that the company’s own internal research found that its products are harmful to teenage girls, but downplayed public concerns anyway.
• [The Record] U.S. residents have lost more than $8 million dollars to sextortion scams so far this year, according to the FBI. The bureau observed a massive uptick in sextortion criminal activity with nearly half of the victims being in the 20-39 age group.

From the Far-Right Field

• [DailyDot] It's been a rough couple of weeks for shitty far-right sting artists. After having their offices destroyed by a hurricane, Project Veritas was apparently targeted by hackers that scammed them out of $165,000.
• [Vice] A major political party in the U.S. has the backing of an online, antisemitic conspiratorial cult. Yeah, we hate that last sentence, too. Vice recently reported that a major financial Trump backer is hosting a Qanon rally in Las Vegas. Sitting Republican state senators are expected to attend.
• [We Hunted the Mammoth] What's “Globohomo”? Some of Hatemail’s staff has been researching far-right catchphrases and stumbled on this excellent 2019 writeup of a term used to decry the so-called “destruction” of “traditional values” and “white genocide.” Whew, I hope you could taste the sarcasm there.

On Our Radar...

• [Washington Post] A secret program started by the Pentagon on the last day of the Trump administration just ended. As a result, 175 million IP addresses sent to an obvious government front company in Florida for a “cybersecurity pilot program” have shifted back under Department of Defense control.
• [Electronic Frontier Foundation] The EFF just introduced a new APK downloader which should allow safer tools to be developed for the public to combat stalkerware and track state-sponsored malicious software.
• [OpenSanctions] Ever wish you had a really cool open-source data set that collected data on persons of interest? OpenSanctions has you covered.
• [Verge] Food delivery workers in New York City are banding together to fight recent attacks against them in parts of the city. It's basically like the movie Escape from New York except with a bacon egg and cheese being delivered by a whole coordinated team of delivery workers.

Hate speech website: lurkmore[.]com

Who hosts: OVH

Today’s site is lurkmore[.]com. Lurkmore is actually a federation of sites that specialize in certain topics like non-consensual pornography, incel ideaology, and racism. Under the Lurkmore brand, these sites accrue hundreds of thousands of unique visitors a month.

We have observed that the primary Lurkmore website resolves to an IP address hosted by OVH, a global hosting and services provider, at 192.95.46[.]112.

The Linux Foundation: Open Source Summit, Embedded Linux Conference, Open Source Program Office (OSPO) CON (Sept. 27 - 30, 2021)

All these conferences are being mushed together this year in Seattle and virtually. This is a good opportunity to keep an eye out for emerging Open Source things as they come to fruition during and around these conferences. Additionally, while the price is steep, these conferences do offer media passes to the press upon request. [More Info]

ShellCon 2021 (Oct. 8 - 9, 2021)

ShellCon is a fantastic information security conference centered out of Los Angeles that additionally holds the fantastic RaiseMe track dedicated to career education and hiring for security yearly. Still running virtually this year, workshop registration is affordable ($20), and so is registration (Pay What You Can option for free). You can find some of us there in the workshops and more! Ps. I have it on good authority they book really good DJs.[Register Here]

Toorcon: San Diego 2021 (Oct. 12 - 14, 2021)

ICYMI: Toorcon, the San Diego mainstay security conference is on for 2021. The CFP and registration have gone live. Per Toorcamp’s site, “This year’s talks will all be 50-minutes in one track on one day and a Demo Day to go in-depth and collaborate on the cutting edge research.” Note: There are limited numbers of tickets per tier and cheaper tickets will go sooner than later. Some LaBac folks will be on-site at Toorcon this year. [Register Here]

---

---