Your Computer Isn’t Yours

On modern versions of macOS, you simply can’t power on your computer, launch a text editor or eBook reader, and write or read, without a log of your activity being transmitted and stored. It turns out that in the current version of the macOS, the OS sends to Apple a hash (unique identifier) of each and every program you run, when you run it. Lots of people didn’t realize this, because it’s silent and invisible and it fails instantly and gracefully when you’re offline, but today the server got really slow and it didn’t hit the fail-fast code path, and everyone’s apps failed to open if they were connected to the internet. Because it does this using the internet, the server sees your IP, of course, and knows what time the request came in. An IP address allows for coarse, city-level and ISP-level geolocation, and allows for a table that has the following headings: Date, Time, Computer, ISP, City, State, Application Hash; Apple (or anyone else) can, of course, calculate these hashes for common programs: everything in the App Store, the Creative Cloud, Tor Browser, cracking or reverse engineering tools, whatever.

This means that Apple knows when you’re at home. When you’re at work. What apps you open there, and how often. They know when you open Premiere over at a friend’s house on their Wi-Fi, and they know when you open Tor Browser in a hotel on a trip to another city. “Who cares?” I hear you asking. Well, it’s not just Apple. This information doesn’t stay with them: These OCSP requests are transmitted unencrypted. Everyone who can see the network can see these, including your ISP and anyone who has tapped their cables. These requests go to a third-party CDN run by another company, Akamai. Since October of 2012, Apple is a partner in the US military intelligence community’s PRISM spying program, which grants the US federal police and military unfettered access to this data without a warrant, any time they ask for it. In the first half of 2019 they did this over 18,000 times, and another 17,500+ times in the second half of 2019.

This data amounts to a tremendous trove of data about your life and habits, and allows someone possessing all of it to identify your movement and activity patterns. For some people, this can even pose a physical danger to them. Now, it’s been possible up until today to block this sort of stuff on your Mac using a program called Little Snitch (really, the only thing keeping me using macOS at this point). In the default configuration, it blanket allows all of this computer-to-Apple communication, but you can disable those default rules and go on to approve or deny each of these connections, and your computer will continue to work fine without snitching on you to Apple. The version of macOS that was released today, 11.0, also known as Big Sur, has new APIs that prevent Little Snitch from working the same way. The new APIs don’t permit Little Snitch to inspect or block any OS level processes. Additionally, the new rules in macOS 11 even hobble VPNs so that Apple apps will simply bypass them.

With Israel’s Encouragement, NSO Sold Spyware to UAE and Other Gulf States

The Israeli spyware firm has signed contracts with Bahrain, Oman and Saudi Arabia. Despite its claims, NSO exercises little control over use of its software, which dictatorships can use to monitor dissidents.

The Israeli firm NSO Group Technologies, whose software is used to hack into cellphones, has in the past few years sold its Pegasus spyware for hundreds of millions of dollars to the United Arab Emirates and other Persian Gulf States, where it has been used to monitor anti-regime activists, with the encouragement and the official mediation of the Israeli government.

NSO is one of the most active Israeli companies in the Gulf, and its Pegasus 3 software permits law enforcement authorities to hack into cellphones, copy their contents and sometimes even to control their camera and audio recording capabilities. The company’s vulnerability researchers work to identify security threats and can hack into mobile devices independently (without the aid of an unsuspecting user, who, for example, clicks on a link).

Commercial Spyware is “Out of Control”

Throughout 2016 and 2017, individuals in Canada, United States, Germany, Norway, United Kingdom, and numerous other countries began to receive suspicious emails. It wasn’t just common spam. These people were chosen.

The emails were specifically designed to entice each individual to click a malicious link. Had the targets done so, their internet connections would have been hijacked and surreptitiously directed to servers laden with malware designed by a surveillance company in Israel. The spies who contracted the Israeli company’s services would have been able to monitor everything those targets did on their devices, including remotely activating the camera and microphone.

Who was behind this global cyber espionage campaign? Was it the National Security Agency? Or one of its “five eyes” partners, like the GCHQ or Canada’s CSE? Given that it was done using Israeli-made technology, perhaps it was Israel’s elite signals intelligence agency, Unit 8200?

In fact, it was none of them. Behind this sophisticated international spying operation was one of the poorest countries in the world; a country where less than 5 percent of the population has access to the internet; a country run by an autocratic government routinely flagged for human rights abuses and corruption. Behind this operation was… Ethiopia.

The details of this remarkable clandestine activity are outlined in a new Citizen Lab report published today entitled “Champing at the Cyberbit.” In our report my co-authors and I detail how we monitored the command and control servers used in the campaign and in doing so discovered a public log file that the operators mistakenly left open. That log file provided us with a window, for roughly a year, into the attackers’ activities, infrastructure, and operations. Strong circumstantial evidence points to one or more government agencies in Ethiopia as the responsible party.

We were also able to identify the IP addresses of those who were targeted and successfully infected: a group that includes journalists, a lawyer, activists, and academics. Our access also allowed us enumerate the countries in which the targets were located. Many of the countries in which the targets live—the United States, Canada, and Germany, among others—have strict wiretapping laws that make it illegal to eavesdrop without a warrant. It seems individuals in Ethiopia broke those laws.

If a government wants to collect evidence on a person in another country, it is customary for it to make a formal legal request to other governments through a process like the Mutual Legal Assistance Treaties. Ethiopia appears to have sidestepped all of that. International norms would suggest a formal démarche to Ethiopia from the governments whose citizens it monitored without permission, but that may happen quietly if at all.

Our team reverse-engineered the malware used in this instance, and over time this allowed us to positively identify the company whose spyware was being employed by Ethiopia: Cyberbit Solutions, a subsidiary of the Israel-based homeland security company Elbit Systems. Notably, Cyberbit is the fourth company we have identified, alongside Hacking Team, Finfisher, and NSO Group, whose products and services have been abused by autocratic regimes to target dissidents, journalists, and others. Along with NSO Group, it’s the second Israel-based company whose technology has been used in this way.

Israel does regulate the export of commercial spyware abroad, although apparently not very well from a human-rights perspective. Cyberbit was able to sell its services to Ethiopia—a country with not only a well-documented history of governance and human rights problems, but also a track record of abusing spyware. When considered alongside the extensive reporting we have done about UAE and Mexican government misuse of NSO Group’s services, it’s safe to conclude Israel has a commercial spyware control problem.

How big of a problem? Remarkably, by analyzing the command and control servers of the cyber espionage campaign, we were also able to monitor Cyberbit employees as they traveled the world with infected laptops that checked in to those servers, apparently demonstrating Cyberbit’s products to prospective clients. Those clients include the Royal Thai Army, Uzbekistan’s National Security Service, Zambia’s Financial Intelligence Centre, and the Philippine president’s Malacañang Palace. Outlining the human rights abuses associated with those government entities would fill volumes.

Cyberbit, for its part, has responded to Citizen Lab’s findings: “Cyberbit Solutions offers its products only to sovereign governmental authorities and law enforcement agencies,” the company wrote me on November 29. “Such governmental authorities and law enforcement agencies are responsible to ensure that they are legally authorized to use the products in their jurisdictions.“ The company declined to confirm or deny that the government of Ethiopia is a client, but did note that “Cyberbit Solutions can confirm that any transaction made by it was approved by the competent authorities.”

Governments like Ethiopia no longer depend on their own in-country advanced computer science, engineering, and mathematical capacity in order to build a globe-spanning cyber espionage operation. They can simply buy it off the shelf from a company like Cyberbit. Thanks to companies like these, an autocrat whose country has poor national infrastructure but whose regime has billions of dollars can order up their own NSA. To wit: Elbit Systems, the parent company of Cyberbit, says it has a backlog of orders valuing $7 billion. An investment firm recently sought to acquire a partial stake in NSO Group for a reported $400 million before eventually withdrawing its offer.

Of course, these companies insist that spyware they sell to governments is used exclusively to fight terrorists and investigate crime. Sounds reasonable, and no doubt many do just that. But the problem is when journalists, academics, or NGOs seek to expose corrupt dictators or hold them accountable, those truth tellers may then be labelled criminals or terrorists. And our research has shown that makes those individuals and groups vulnerable to this type of state surveillance, even if they live abroad.

Indeed, we discovered the second-largest concentration of successful infections of this Ethiopian operation are located in Canada. Among the targets whose identities we were able to verify and name in the report, what unites them all is their peaceful political opposition to the Ethiopian government. Except one. Astoundingly, Citizen Lab researcher Bill Marczak, who led our technical investigation, was himself targeted at one point by the espionage operators.

Countries sliding into authoritarianism and corruption. A booming and largely unregulated market for sophisticated surveillance. Civilians not equipped to defend themselves. Add these ingredients together, and you have a serious crisis of democracy brewing. Companies like Cyberbit market themselves as part of a solution to cyber security. But it is evident that commercial spyware is actually contributing to a very deep insecurity instead.

Remedying this problem will not be easy. It will require legal and policy efforts across multiple jurisdictions and involving governments, civil society, and the private sector. A companion piece to the report outlines some measures that could hopefully begin that process, including application of relevant criminal laws. If the international community does not act swiftly, journalists, activists, lawyers, and human rights defenders will be increasingly infiltrated and neutralized. It’s time to address the commercial spyware industry for what it has become: one of the most dangerous cyber security problems of our day.

NSW Police and FinFisher spyware

“The New South Wales police have used sophisticated hacking software to monitor the phones and computers of Australians, according to documents published by WikiLeaks.

In a new cache published on Monday NSW police are listed as a client of Gamma International, a German company that develops powerful spyware to remotely monitor computer use.

The documents show that NSW police have used several of the company’s spy programs for a number of investigations at a cost of more than $2m.

The software – known as FinSpy – allows widespread access to computer records, including extracting files from hard drives, grabbing images of computer screens, full Skype monitoring, logging keystrokes and monitoring email and chat communications.

“When FinSpy is installed on a computer system it can be remotely controlled and accessed as soon as it is connected to the internet/network, no matter where in the world the target system is based,” earlier documentation published by WikiLeaks said.”