CSOonline: Pegasus can target government and military officials

The controversial spyware Pegasus and its operator, the Israeli NSO Group, is once again in the news. Last week, in documents filed in a judgment between NSO and WhatsApp, they admitted that any of their clients can target anyone with their spyware, including government or military officials because their jobs are inherently legitimate intelligence targets. The lawsuit began in October 2019.

NSO has in the past been very circumspect about who is infected with their spyware, which uses so-called “zero-click” methods meaning that a potential target doesn’t have to click on anything to activate the software. It can access call and message logs, remotely enable the camera and microphone and track the phone’s location, all without any notification to the phone’s owner.

I place the context of the suit in the checkered past of NSO and Pegasus in my latest piece for CSOonline.

How Russia is exploiting Telegram for war funding and news coverage

While lots of focus is on TikTok, I would argue that many of us are missing the influence and role played by the messaging network of Telegram. In this post, I explain why that could be a bigger threat to the online world.

Last fall, I wrote a post for SiliconAngle about how social media accounts are being used by pro-Russia misinformation groups. This was based on a report by Reset sponsored by the EU. One of the results from this report is that Telegram is very permissive in allowing hateful content and propaganda. A new report from  the Atlantic Council’s Digital Forensic Research Lab last week takes a deeper dive into how Telegram has been a communications kingpin for Russia’s war, and how effective and pervasive it is. The social network is not only being used for misinformation purposes, but also to recruit mercenaries, fund their purchases of tactical equipment and medical supplies, and serve as primary sources for Russian TV war coverage. The council calls it a digital front and another battlefield in the Ukraine conflict.

What surprised me was the huge audience that Russian Telegram has: with an estimated 30M monthly active users, billions of views and its cozy relationship with various Russian state-sponsored traditional TV channels. There are even channels run by the NY Times and Washington Post that were created to get around website and other internet content blocks.

By now, most of us are familiar with the term “catch and kill” as it applies to media buying stories that are never intended to run. Pro-Russia Telegram channels are paid not to mention specific persons or companies.

My analysis for Avast’s blog about data privacy of various messaging networks from early 2021 shows that Telegram isn’t as anonymous as many people first thought. The council’s report confirms this, finding government crackdowns on supposedly anonymous Telegram channels that have real-world consequences of arrest and prison terms for those channels that take these anti-government positions. Even so, there are many Telegram channels that continue to be critical of government policies and operations, such as those supporting last summer’s failed Wagner mutiny.  “While Telegram positions itself as a censorship-free platform, the available evidence demonstrates how the service is not a completely safe place for critics of the war,” they wrote. Wagner’s head Yevgeny Prigozhin discovered this first hand and died after declaring his mutinous intentions initially on Telegram.

Some of Russia’s military bloggers offer occasional criticism of the war, which adds to their credibility and popularity. “Users see their efforts as trustworthy and balanced, especially when compared to state media resources,” the council’s report wrote. That is not only insidious but dangerous, especially as many posts are widely shared and get millions of views.

As I mentioned earlier, many of the Telegram accounts openly ask for donations, providing bank account numbers and crypto wallet addresses, mostly in Bitcoin and Tether (ironically, one that is tied to the US dollar). The funds collected have been significant, in the equivalent of millions of dollars. They are also used for recruiting fighters and coordinating hacktivism efforts such as DDoS’ing Ukrainian targets such as civilian infrastructure, government data centers and banks. Ironically, Telegram is also used to help Russians avoid the draft with all sorts of tips and strategies on how to emigrate out of the country.

The final irony is that Telegram was created by two Russian brothers to get around government censorship, and was blocked by the government for several years. The brothers now live in Dubai and the Russian government has decided to leverage the network to amplify its propaganda and complement its communications.

The arrival of the digital guillotine

Our online cancel culture took another step deeper into the morass and miasma that shows how sophisticated, toxic, and partisan it has become. The 2024 version now comes with a new label called digitine, for digital guillotine, meaning cutting off discussion of the other side, boycotting the companies that have taken opposing positions, and moving to a worldwide audience.
Remember the Facebook ad boycott of the summer of 2020? That seems so naive now. Here are a few ways things have gotten worse:
  1. Much of the digitine can be traced to the division over two controversial wars and ratcheted up the hyper-politica volume. Either you are for Hammas (as incredible as that sounds) or for Israel. Pro-Russia or Ukraine. There is no middle ground. 
  2. It is religious. Jew vs Arab. Or more accurately, pro-Jew vs. anti-Jew. Bring out those dusty anti-semite tropes and re-quote the protocols of Zion. They aren’t so dusty after all. This has created all sorts of secondary corporate spillover effects. Say your company announces support for one or the other side. That triggers all sorts of boycotts and protests (as an example, what is happening in Malaysia — a Muslim-majority country — with complaints about Starbucks’ support of Israel). It takes apart our global village.
  3. It is directed at celebs/influencers, not the digital platforms themselves as the 2020 Facebook ad boycott. Makes it easier to digest, to put on placards, to gather media coverage. The viral nature of these clips, gassed up with social networks, feed into the outrage machinery which  brings these campaigns quickly to millions.
  4. Speaking of which — the dis/misinformation tooling has gotten better. Thanks AI. Who needs Russian human-based troll factories when you can generate the memes faster with GPU-laden computers? This is aided and abetted by easy manufacture of deep fake celebs that are “captured” espousing one thing or another. (Scarlett will appear before the House cybersecurity committee later this year, oh boy!)

Sure you can silence the folks on your feed that are caught up in these campaigns. Or leave the worst offending platforms (such as one that uses a single letter). But these are like using a band aid to stop an arterial bleeding.

The latest threat to ecommerce: crackdowns by the US Customs and Border Protection

If you want to ship illegal goods into the US, you might think sending them via air freight as probably the worst way to get them into the country. You would be wrong. Tens of thousands of tons of shipments enter our air freight ports every day, and the vast majority of them receive no inspection whatsoever.

In the past, the US Customs and Border Protection (CBP) agency has made it easier particularly for smaller volume shippers to send their stuff here without having to pay any duties or tariffs, under what is called an Entry Type 86 exception. This means if the value of the item is less than $800 per buyer and per day that the shipment arrives, nothing is owed. Last year a billion such packages came into the US, with many coming from two Chinese shippers, Temu and Shein.

But criminals are clever, at least initially. Many of them have taken advantage of Type 86 exemptions to ship drug precursor chemicals and raw textiles and other things, knowing that their cargo won’t be touched as it moved through the ports. Well, that situation has changed and now CBP is checking things more carefully. As you might imagine, given the tonnage that goes through our ports, this is slowing things down considerably. The stricter scrutiny has had results: CBP has suspended customs brokers from the Type 86 program and seized many illegal shipments.

There are several downstream problems that could happen. First, expect delays on your favorite Amazon package that isn’t in their own warehouse and has to come from overseas. Cargo flights will be delayed or cancelled when the warehouse ports fill up with yet-to-be-inspected merchandise. Second, criminals will undoubtedly migrate to maritime shipments, which don’t get much in the way of inspection either. Third, major shippers will probably shift to consolidating orders and shipping to their own warehouses. All this means longer shipping times and these delays could result in higher prices to the ultimate consumer. All of this turmoil could spell trouble for legit ecommerce businesses that rely on predictable shipments of their goods, which is ironic when you think about it.

The miserable mess that is Microsoft Recall

Last week Microsoft announced a new feature that is a major security sinkhole called Recall. It is a miserable mess, and makes Windows more vulnerable to attack. Sadly, it will be operating by default unless you get out your secret decoder ring and lock it up behind some group policies.

Why is Recall so bad? It combines the features of a keylogger and an infostealer and puts them inside the Windows OS. It automatically takes frequent screenshots of what you are doing, and stores them on your hard drive. This data is stored in a searchable database, so you can rewind what you are doing to a specific point in time. This includes all your passwords, if they are displayed on screen. Kevin Beaumont wrote that Recall fundamentally undermines your security and introduces immense new risks.

It didn’t take long after the announcement at Build, Microsoft’s annual developer conference, for the UK ICO, its privacy agency, to open an inquiry. Yes, hackers would need to gain access to your device and figure out the encryption of the data, but these aren’t big hills to climb. “Something could go wrong very quickly,” said one security researcher. 

Eva Galperin, director of cybersecurity with the Electronic Frontier Foundation, said Recall will “be a gift for domestic abusers,” given that a partner would have physical PC access and perhaps login details too. She said the database of screenshots would be a tempting target for hackers.

Bh187 Total Recall GIF - Bh187 Total Recall Arnie GIFsMicrosoft will start selling its own line of AI-enabled laptops later this summer that will include Recall. Sometimes total recall goes awry, as fans of the original Arnold movie (or Philip Dick short story) might remember. It’s too bad that this is one journey from sci fi to reality that we could do without.  Here is how to disable it.

CSOonline: Third-party software supply chain threats continue to plague CISOs

The latest software library compromise of an obscure but popular file compression algorithm called XZ Utils shows how critical these third-party components can be in keeping enterprises safe and secure. The supply chain issue is now forever baked into the way modern software is written and revised. Apps are refined daily or even hourly with new code which makes it more of a challenge for security software to identify and fix any coding errors quickly. It means old, more manual error-checking methods are doomed to fall behind and let vulnerabilities slip through.

These library compromises represent a new front for security managers, especially since they combine three separate trends: a rise in third-party supply-chain attacks, hiding malware inside the complexity of open-source software tools, and using third-party libraries as another potential exploit vector of generative AI software models and tools. I unpack these issues for my latest post for CSOonline here.

CSOonline: Microsoft Azure’s Russinovich sheds light on key generative AI threats

Generative AI-based threats operate over a huge landscape, and CISOs must look at it from a variety of perspectives, said Microsoft Azure CTO Mark Russinovich during Microsoft Build conference this week in Seattle. “We take a multidisciplinary approach when it comes to AI security, and so should you,” Russinovich said of the rising issue confronting CISOs today. I cover his talk, which was quite illuminating, about AI-based threats here for CSOonline.


A new week and new threats to worry about

This week I saw two stories that sent a chill up my spine. They indicate that cybersecurity is an ever-evolving universe where exploits continue to find new ground, and defenders have to look carefully and remain ever-vigilant. Let’s take a look.

The first one sounds almost comical: two UC Santa Cruz students figured out how to get their clothes cleaned at their dorms’ laundry room for free. But behind the stick-it-to-the-man college prank lies a more sobering tale. The students were able to analyze the data security posture of the laundry vendor and find a combination of weak programs to run endless wash-and-dry cycles almost surgically. The vendor wasn’t some small-time operator either: they run a network of a million machines at hotels and campuses installed around the world. But despite this footprint, they have miserable application security. To wit, there is no way for anyone to report any vulnerabilities, either online or via phone.  The company’s mobile app, used to pay to activate a specific machine, has no authentication mechanisms and so the students were able to top off their accounts without spending any actual money. The APIs used by their apps don’t verify the users, so the students could issue commands to the washers and dryers, commands that were easily discovered with the company’s own documentation.

The students were responsible, although they did “top off” their accounts to the tune of a million dollars, just to make a point. The only thing the laundry vendor did do was zero these accounts out but didn’t fix any of the other flaws. Nor did the company reach out to them or work with them (or any actual security researcher, at least according to what I read), again showing a complete cluelessness.

I will let you spin up the various morals from this story. I was impressed with the level of professionalism that the students demonstrated, and would imagine that they will have no problem getting infosec jobs and will do well once they have to leave the halls of academia and have to start paying for their own laundry operations.

Let’s move on to the second story, about how your Wifi router can be used as another means of surveillance. Brian Krebs broke this one, based on research from two University of Maryland computer scientists. They discovered a way to de-anonymize the locations of Wifi routers based on the network communications of Apple and Google products that connect to them. The problem lies in the design of Wifi positioning systems that are seeking more precise geo-locations: think Apple AirTags and other GPS applications that are tracking your movements. Attackers could leverage these processes to figure out specific movements of people, even people that haven’t given any permission to be tracked and are just moving about the world. Someone with a portable travel router, for example, is ripe for this exploit. The research paper posits three situations that demonstrate what you can learn from this analysis, such as tracking the movements of Gazans after 10/7, the victims of the Maui wildfires last summer, or people involved on both sides of the war in Ukraine.

As they wrote in their paper, “This work identifies the potential for harm to befall owners of Wifi routers. The threat applies even to users that do not own devices for which the Wifi positioning systems are designed — individuals who own no Apple products, for instance, can have their router listed merely by having their Apple devices come within Wifi transmission range.”

For privacy-concerned folks, one solution is to append “_nomap” to the SSID name of your Wifi router, which will prevent Apple and Google from using its location data.

CSOonline: It is finally time to get rid of NTLM across your enterprise networks

It is finally time to remove all traces of an ancient protocol that is a security sinkhole: NTLM. You may not recognize it, and you may not even know that it is in active use across your networks. But the time has come for its complete eradication. The path won’t be easy, to be sure.

The acronym is somewhat of a misnomer: it stands for Windows New Technology LAN Manager and goes back to Microsoft’s original network server operating system that first appeared in 1993.

NTLM harks back to another era of connectivity: when networks were only local connections to file and print servers. Back then, the internet was still far from a commercial product and the web was still largely contained as an experimental Swiss project. That local focus would come to haunt security managers in the coming decades.

In this analysis for CSOonline, I recount its troubled history, what Microsoft is trying to do to rid it completely from the networking landscape, and what enterprise IT managers can do to seek out and eliminate it once and for all. It will not be a smooth ride to be sure.

I remember Myst

I have long been a fan of quirky museums and collections, and heard last week about the Museum of Play, based in Rochester NY. They recently awarded their latest round of “hall of fame” computer video games, and on this year’s list is Myst. This 30+ year old game was a significant moment in its day and a big hit back as I wrote on a blog from 2012. It sold more than six million copies and raised the bar from crude graphics and beeping computer generated noises that were found in many of the early games from that era. After hearing about the news, I wanted to dust off my software and try to take it for another spin (which is what I did back in 2012), but alas, I didn’t have the right vintage of OS and drivers to make it work.

Myst gets a fully modern update in this realtime 3D Masterpiece Edition - PolygonAs I wrote back then in my blog, I observed that Myst’s graphics were not anything like more modern games. Its genius was giving equal weight to both graphics and audio, and while I was clicking about its landscape, I left the sounds of the ocean lapping up against the rocky island playing while I was working, and it was very soothing. The museum says it was slow paced and contemplative but inspired wonder. I concur.

Myst was not a first-person-shooter, but a game that involved solving puzzles, puzzles that had very inscrutable clues that were easy to miss at first glance. It easily got frustrating, and I often found myself going back over ground that I thought I had covered, only to find another hidden puzzle that unlocked a new landscape. Eventually, I bough a cheater book to get to the end of the game, thereby sealing my fate as a forever-novice gamer.

Myst came along at a time when PCs were just getting CD-ROMs installed: I remember buying this add-on package from Soundblaster because those early computers didn’t have any audio support either. And figuring out that puzzle of drivers, OS updates, and rooting around inside my computer to connect everything up was my first foray into building the kind of computer that we now take for granted where sound and optical media (and writable multi-speed ones at that) are part of the package.

Well, at least we can take the sound features for granted —  we seem to be moving away from having DVD drives as standard equipment in the name of streaming and having ultra-thin laptops and tablets. It also came at a time when color monitors were very new to the Mac world and graphics cards came with very little additional memory. This meant that the ability to do full-motion high-resolution video was still far off. Now we have graphic processors that have more horsepower than the CPUs in the same machine, and companies like Nvidia and AMD are finding new markets in providing the GPUs for doing machine learning and AI processing.

And software such as Photoshop and QuickTime were very much v1.0, barely able to keep up with the demands by the game’s two brothers who created it. Creating the three-dimensional images wasn’t easy: rendering took hours per image, because of software and hardware limitations.

And it especially wasn’t easy because the internet hadn’t yet taken off: the Myst dev team had to resort to “tire net” — meaning driving around the latest builds on removable media that were probably all of a 100MB in capacity and delivering them to various team members.

The Miller brothers would also star as actors in the video segments that a player would uncover in the game itself.

Myst was also ahead of its time when it came to non-linear storytelling: we have since had various feature films that are so constructed, such as Sin City in 2005 and Pulp Fiction, just to name a few of them. Rand Miller in a long interview with Ars done a few years ago speaks about how real life is all about embedding stories, and Myst was the first time that a game used this technique to make it more realistic and compelling. It was as if the made-up world was talking back to you, the gamer, directly. Again, now we take this situation very much for granted in modern games.

So I am glad after all these years that Myst is receiving some recognition, even if it is in a quirky Rochester museum, and even if all of my aging PCs can’t run it because they are n’t old enough. But if this essay has piqued your interest and you want to run Myst for yourself, act now and offer to pay the Fedex delivery and it could be yours. I will pick one reader to get the 3-CD package of Myst and its successor games — if you have a vintage machine that is old enough to run it.