Six months ago, “professional spyware” vendor NSO Group started exploiting a vulnerability in WhatsApp—or so that Facebook team and Citizen Lab accuse. After a few months of evidence gathering, WhatsApp is now suing NSO, alleging it violated the Computer Fraud and Abuse Act (CFAA).
Will Cathcart (pictured), Facebook’s head of WhatsApp, is putting spyware vendors on notice. Despite NSO’s claim that it sells its Pegasus spyware only to the Good Guys, the victims here seem to be the sort of people you’d want to protect: journalists, dissidents, human-rights activists, etc.
Settle in for a scary ride. In this week’s Security Blogwatch, we crack open the ghostly popcorn.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Hallowtape.
Spooky bug ’sploited by spooks
What’s the craic? Nicole Perlroth reports—WhatsApp Says Israeli Firm Used Its App in Spy Program:
WhatsApp sued the … cybersurveillance firm NSO Group in federal court [claiming] an NSO Group program that was intended to piggyback on WhatsApp was used to spy on more than 1,400 people in 20 countries. … WhatsApp worked closely with Citizen Lab … in its investigation of the attacks, which took place from April to May.
The messaging service said the victims included 100 journalists, prominent female leaders, several people who had been targeted with unsuccessful assassination attempts, political dissidents and human rights activists — as well as their families. … NSO Group, which sells its surveillance technology to governments all over the world, said … it disputed the claims … in the “strongest possible terms” and “will vigorously fight them.”
…
NSO Group is one of dozens of digital spy outfits that provide technology to track everything a target does on a smartphone. … Since NSO Group was founded in 2011, its spy technology, called Pegasus, has become the preferred mobile spy tool of many governments.
…
The investigation started after Citizen Lab charged that NSO Group’s technology had been used to exploit a WhatsApp security hole to hack the phone of a London lawyer [who] had represented several plaintiffs in lawsuits that accused NSO Group of providing tools to hack [their] phones. … The company is seeking a permanent injunction to block NSO from its service, and called on lawmakers to ban the use of cyberweapons like [Pegasus]. For years, commercial spyware makers have been unregulated, in part because governments are the clients.
And Andy Greenberg adds that the Case Against NSO Group Hinges on a Tricky Legal Argument:
WhatsApp just took a hard new line against the malware industry. [But it] may have to win a thorny legal argument, [which] could require some creative contortions.
…
The case represents a bold attempt to use the CFAA in an unusual way. … Some hacking-focused lawyers … warn that—noble as its attempt … may be—its central argument may not fly in court. … WhatsApp will have to show that NSO obtained illegal access to WhatsApp's own systems.
…
WhatsApp … declined to comment—beyond cryptic clues—on the company's legal strategy. "This is a not a typical CFAA case," the spokesperson said. "We look forward to explaining more in court."
…
"The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime," … said NSO in a statement. … "Our technology is not designed or licensed for use against human rights activists and journalists."
What’s ’appening, WhatsApp? Facebook’s WhatsApp honcho, Will Cathcart, explains Why WhatsApp is pushing back on NSO Group hacking:
In May, WhatsApp announced that we had detected and blocked a new kind of cyberattack. … Now, after months of investigation, we can say who was behind this attack.
…
The attackers used servers and Internet-hosting services that were previously associated with NSO. [And] we have tied certain WhatsApp accounts used during the attacks back to NSO. … Their attempts to cover their tracks were not entirely successful.
…
It targeted at least 100 human-rights defenders, journalists and other members of civil society across the world. This should serve as a wake-up call.
…
Tools that enable surveillance into our private lives are being abused, and [it] puts us all at risk. … We are seeking to hold NSO accountable.
…
The attack we saw provides several urgent lessons:
…
- “Backdoors” or other [intentional] security openings simply present too high a danger. …
- Technology companies must deepen our cooperation to protect and promote human rights. …
- Companies simply should not launch cyberattacks against other companies. …
- Leaders of tech firms should join U.N. Special Rapporteur David Kaye’s call for an immediate moratorium on the sale, transfer and use of dangerous spyware.
What would you tell an NSO exec in an elevator? Here’s what Soggie would say:
Are there not things you can do to make a living without helping genocidal dictatorships track people who are risking their lives to fight for freedom? This is just pure evil.
I'm glad WhatsApp is suing. I hope these people get what they deserve.
And what would that be? This Anonymous Coward suggests one remedy:
NSO's leadership and a lot of its employees should be [in] prison. Selling malware and zero-days is not OK.
Self-confessed “situational troll” Zugzwang—@manerdm—is affective: [You’re fired—Ed.]
What a total ****ing outrage. Why does Israel tolerate companies like NSO?
Although this Anonymous Coward is more about the situational irony:
I just can't get over the irony that Facebook has also given very powerful surveillance software to unscrupulous app developers with only a pinky-swear agreement and absolutely zero oversight. There are no good guys in this story.
Wait. Pause. Doesn’t WhatsApp share the blame? After all, it shipped a buggy app. MrNaz shoots down the narrative:
All software has bugs. It's legal to have bugs. It's not legal for state sponsored actors to exploit them, targeting journalists and others who … ought to be immune from hostile state action.
Meanwhile, Applebiter bites back:
What do you expect of people who essentially work outside of the law for people who are above the law?
The moral of the story?
Keep an eye on this story, to see how the courts interpret the CFAA and other laws.
And finally
You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.
Image source: Will Cathcart (via LinkedIn)
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.
