Category Archives: Internet Security
ITOCHU Techno-Solutions Corporation to Deliver Intertrust Platform Based Solutions to Japanese Market and Beyond – PR Newswire
Japanese system integration leader builds center-of-excellence in secure multi-party interoperable data operation solutions
SAN FRANCISCO and TOKYO, May 31, 2022 /PRNewswire/ -- ITOCHU Techno-Solutions Corporation, a leading Japanese systems integration company, and Intertrust, a leading provider of trusted distributed computing technologies, today announced a partnership agreement to deliver solutions based on Intertrust Platform for interoperable, secure data to ITOCHU Techno-Solutions Corporation's core markets.
Intertrust Platform provides enterprises with secure interoperability for distributed data services that allows diverse data management systems to interoperate as one. ITOCHU Techno-Solutions Corporation plans to initially deliver solutions in various target verticals including energy, telecommunications, health, manufacturing, and eventually, cross-vertical enterprise computing settings. Intertrust Platform allows enterprises running diverse cloud, data warehouses, databases, etc. to operate them as one system, but also to interoperate with other enterprises seamlessly. The technology allows for code-once, run anywhere capabilities, compliance with regulatory requirements, and faster time to AI. The Platform's ability to provide consistent scalable security for IoT and data operations is unique and essential on today's Internet.
"As enterprises move to the cloud, they are adopting integrated data operation solutions under secure systems management environment," said Masanori Tanaka, General Manager of Enterprise Business Planning Division, ITOCHU Techno-Solutions Corporation. "Intertrust Platform allows customers to build solutions that bridge diverse systems within and between enterprises, in a way that delivers interoperability for distributed data services securely with data governance control."
ITOCHU Techno-Solutions Corporation is the leading system integration solution provider in Japan and operates in six countries. Their force of over 6,700 experts deliver world-class solutions to top enterprises in these regions. Working with Intertrust, they will deliver solutions starting immediately.
"We are honored to work with ITOCHU Techno-Solutions Corporation to deliver strategic platform technology to major Japanese enterprises," said Talal G. Shamoon, Intertrust CEO. "ITOCHU Techno-Solutions Corporation's mastery in delivering top quality enterprise solutions means that corporations across Japan and East Asia can benefit from working with a trusted solutions provider who can deliver cutting edge technology to support data-driven businesses across the region."
About ITOCHU Techno-Solutions Corporation
ITOCHU Techno-Solutions Corporation is a comprehensive IT services company that partners with its customers. From consulting to design, development and construction, operational and maintenance support, ITOCHU Techno-Solutions Corporation combines sophisticated IT solutions and cloud services to find solutions to customer issues. It provides optimum services in all fields including communication, broadcasting, manufacturing, finance, logistics and retail, public services, life sciences, science and engineering.
About Intertrust
Intertrust provides trusted computing products and services to leading global corporations, from mobile, consumer electronics and IoT manufacturers, to service providers. These products include ExpressPlay, the world's leading provider of digital rights management (DRM) and anti-piracy services optimized for rights owners and distributors of broadcast, live and VOD content. Founded in 1990, Intertrust is headquartered in Silicon Valley with regional offices in London, Tokyo, Mumbai, Bangalore, Beijing, Seoul, and Tallinn. The company has a legacy of invention, and its fundamental contributions in the areas of computer security and digital trust are globally recognised. Intertrust holds hundreds of patents that are key to Internet security, trust, and privacy management components of operating systems, trusted mobile code and networked operating environments, web services, and cloud computing. Additional information is available at intertrust.com, Twitter or LinkedIn.
Media Contacts
For ITOCHU Techno-Solutions Corporation: Corporate Communications Dept., [emailprotected]
For Intertrust: Jordan Slade, MSR Communications, [emailprotected], +1 757-876-5809
SOURCE Intertrust
Dexter High School’s Publication The Squall Wins Spartan Award for 15th Year – thesuntimesnews.com
By Andy Nixon, STN Reporter
Students at Dexter High School continue their passion for award-winning journalism, adding another plaque on the wall.
English/Journalism teacher Christopher Mackinder pushes students to find their own voice by writing about their passions and interests. At Dexter, this could be investigative journalism, sports, food reviews, or even a story about shoe collectors. When asked about the journey this year, Mr. Mackinder said, "This award is a testimonial of the students' adaptability. With Covid, wearing masks, kind of wearing masks, and the change to block scheduling, they have dealt with many changes and still come out on top." With block scheduling, the kids attend a class every other day, which is tough in the journalism world. Mr. Mackinder also mentioned the push towards less and less homework, making after-school interviews and event attendance more challenging.
Meeting two of Mr. Mackinder's students, Aiden Naughton and Ryan Capobianco, I had a chance to learn more about the publication's history, class goals, and what they find interesting in the journalism world. Aiden enjoys in-depth interviews with school officials and diving into real-world issues such as the labor shortage around the area. With a background in internet security, Ryan was a valuable addition to the team, handling the I.T. and web design portion of the publication. "I began learning internet security through a family friend, and I've stuck with it, bringing what knowledge I can to The Squall." Thanks to Ryan's hard work you can find many of the stories on the website dextersquall.com.
Hosted by Michigan Interscholastic Press Association, the Spartan Critique competition allows member newspapers, magazines, and other media forms to receive feedback from national leaders in their field. Dexter was one of thirteen schools in the state to win an award. This year marked the 15th Spartan Award for The Squall, which began in the 1990s in newsletter format. In the early 2000s, the school began printing the paper, but over the past six years, the publication has been in a magazine-style format.
To offset printing costs, the students work to sell advertising space in the publication. Sales and communication are essential in many of today's career fields, and this exercise provides a well-rounded set of skills to run a small business. Viewing the advertising section, it's evident the students do a great job with this task. The Squall is printed four times each school year.
Mr. Mackinder's media class is available to students after completing introduction to journalism, or photojournalism. Once the prerequisite is complete, students can then enroll and participate in the writing, editing, and publishing of The Squall. The class typically has around 60 students each semester.
Most students take the course for one year, but Mr. Mackinder notes how much of a blessing it is for a student to remain in the class for a second year, adding that someone who knows how the process works will help things run smoothly, without additional training.
Writing in a clear and concise manner is a valuable life skill. Whether through email, social media, or presentations, a good writer can transform ideas and thoughts into meaningful prose. In many fields, this means conveying your ideas and vision to others. Students with or without journalism aspirations will benefit from this media course and carry the teachings to whichever career field they choose.
The next round of journalism students will have big shoes to fill after this year's seniors fulfill the next step of their journey. The class will be looking to add yet another plaque to the wall during the upcoming school year.
Why we can expect more hacking of politicians’ phones – POLITICO
Pegasus can infect a target's device without the victim knowing and allow a government or organization to access personal data, including turning on cameras and microphones. Activists against surveillance have called on governments to ban or at least heavily regulate spyware companies. And the United Nations human rights office called on governments last year to regulate the sale and use of spyware technologies.
Yet there are still no international accords restricting spyware and even governments that ban Pegasus still face a whack-a-mole problem of other less visible and less regulated spyware companies popping up. As a result, officials are stuck employing low-tech solutions to protect themselves. Macron reportedly replaced his phone and changed his phone number last year after his number was found on a list of 50,000 allegedly targeted by NSO clients using Pegasus.
After researchers reported in April that Pegasus had infected the phones of dozens of Spanish officials, including Catalan president Pere Aragonès, he started leaving his phone outside the room when he goes into important policy meetings and has sensitive conversations.
"When you are having to acknowledge or that someone is listening to you, you are very reluctant to talk privately with your partner or your relatives," Aragonès said in an interview a few weeks after the hacks were discovered.
Citizen Lab, a research lab based at the University of Toronto, found strong circumstantial evidence tying the Spanish government to the hacks of Catalan officials (Catalonia has long fought for more autonomy), a charge Spain has denied. It was two weeks later that Spain's Prime Minister became a victim himself.
In the U.S., officials have confirmed that the FBI acquired Pegasus technology, though only for testing. And some lawmakers argue that privacy has to be balanced against the need to use all tools available to protect national security.
"It is a very tricky area, because we want to protect people's privacy, but on the other hand, we want to be sure we have the tools to find terrorists and those kind of things," Sen. Angus King (I-Maine), a member of the Senate Intelligence Committee, said in an interview.
Senate Intelligence Committee Vice Chair Marco Rubio (R-Fla.) argued that it isn't a matter of whether governments should go after the groups, but whether they can. They operate in the shadows, largely outside of government control and without set addresses.
"It's an enormous challenge, and there is no easy answer to it," Rubio said.
Asked how he approaches the danger of his own phone getting hacked, Rubio said: "I tell everybody you should assume anything you do on a mobile device or that is connected to the internet is vulnerable. And no matter how many steps you take, these people, their full-time job is to figure out how to get into things they are not supposed to see."
That is a big part of the conundrum: Even the most sophisticated governments have had trouble finding ways to defend themselves against these phone hacks. Pegasus works by exploiting undisclosed vulnerabilities in iOS and Android operating systems, and NSO has deployed massive resources into finding new vulnerabilities before software makers are aware of them. Pegasus is also virtually invisible: It can be installed with zero clicks, including through a text message just being sent to a user.
Pegasus has become the poster child for an industry that is among the most secretive in the world, but is increasingly widespread. Governments will rarely confirm using spyware against targets, but a spokesperson for NSO claimed to POLITICO this month that Pegasus had been key to a number of governments stopping big terror attacks.
Even so, governments are taking some steps to rein in the use of Pegasus. The Biden administration last year effectively blacklisted both NSO Group and Candiru, another Israeli spyware company, by adding them to the Commerce Department's list of companies considered a threat to U.S. national security.
Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee, joined more than a dozen other House and Senate Democrats in December in calling for State and Treasury to sanction NSO and three other spyware companies for alleged human rights offenses. The lawmakers argued in a letter that sanctioning NSO Group along with other surveillance companies (DarkMatter, Nexa Technologies, and Trovicor) would be a significant financial blow to the spyware industry through cutting off access to the U.S. stock market.
"The commercial surveillance industry is a threat to the national security of the United States and other democracies, because it basically makes it possible for a dictator that has a fat checkbook, they can acquire a whole bunch of sophisticated tools," Wyden said in an interview.
On the other side of the Atlantic, Aragonès called for the EU to take steps to regulate the spyware industry, stressing that "we need public transparency or public supervision by the parliaments to the governments that are the owners of this software."
"If the Spanish government could do this, any other government could also do this against its citizens," Aragonès said.
Some governments are beginning to take some steps. The European Parliament in March approved the creation of a 38-member committee to investigate Pegasus and whether the use of the spyware had broken EU laws. France is investigating the impact of Pegasus on government officials following last year's allegations that Macron's phone was infected with Pegasus spyware. NSO Group denies that Macron was targeted by Pegasus.
"The security of the president's means of communication is constantly monitored with the utmost care," a spokesperson for the president said, adding that incoming ministers and their cabinets would be made aware of this type of risk as soon as they take office.
Still, many governments are moving slowly as they attempt to balance competing interests. A complete ban on spyware would complicate investigations and classified intelligence operations, and could lead to the growth of the surveillance black market. Banning NSO specifically could also complicate many countries' relations with Israel, given its ties to the Israeli government. And without an international agreement to halt the use of spyware, governments may try to out-compete the other through using the technology.
As outcry has increased, NSO has been working to improve its image. The organization released a transparency report last year detailing how Pegasus is licensed, which underlined that Pegasus is not a mass surveillance technology, and only collects data from the mobile devices of specific individuals, suspected to be involved in serious crime and terror. The Israeli government regulates Pegasus, with an export license required before NSO can sell Pegasus to a new customer; the company claims to only license the software to governments after investigating their intentions.
"NSO continues to evolve as a company and improve its technological and contractual safeguards, customer vetting process and ability to investigate misuse," Ariella ben Abraham, an NSO spokesperson, said during a sit-down interview with POLITICO earlier this month. "We believe there is no other alternative to prevent terror and crime, and we continue to call for global regulation."
NSO has also claimed that Pegasus cannot be used to target American phone numbers. This does not stop the targeting of Americans using foreign numbers.
As NSO fights back, government officials are not the only individuals in the crosshairs, and journalists, dissidents and their family members are among other targets of spyware. The Guardian and more than a dozen other media outlets reported last year that 50,000 phone numbers may have been targeted by governments using Pegasus since 2016, including a number of journalists and pro-democracy activists along with suspected criminals.
A consortium of 90 human rights groups, including Amnesty International and Human Rights Watch, urged top EU officials last year to sanction NSO Group due to concerns over human rights abuses.
"Is there a global fairness that requires that every country in the world have the ability to hack the head of state of every country? That sounds to me like a terrifying outcome," said John Scott-Railton, a senior researcher at Citizen Lab. "Seems like it will make us all less secure and less safe, but that's exactly the road that NSO has set us on."
The Evolving Face of Cyber Conflict and International Law: A Futurespective – Lawfare
Since the inception of the internet, criminals, non-state actors and states have leveraged the inherent insecurities and vulnerabilities of cyberspace at an ever-increasing rate and with ever-more harmful impact. Data theft, ransomware attacks and critical infrastructure disruptions, to name a few, are now near daily occurrences. Notwithstanding the immense societal risks these activities present, a growing number of states have fully embraced cyber operations as a staple of both statecraft and warfare, a reality playing out to dangerous effect in the Russia-Ukraine war.
At the same time, until recently states have remained relatively silent on their views of how international law regulates their cyber activities. That has begun to change, however, with an increasing number of states making official pronouncements of their opinio juris, either independently or through established multilateral processes like the UNGGE and OEWG. While this is a positive trend, it has also highlighted several disparate views on critical issues and the difficulty in achieving anything more than limited clarity and consensus. What can we discern from these state pronouncements? What is the present state of the law governing state cyber activities, and where is it headed?
To explore these questions and more, the Technology, Law & Security Program at The American University Washington College of Law (WCL), in partnership with the Lieber Institute at West Point; the Federmann Cyber Security Research Center Cyber Law Program at the Hebrew University of Jerusalem; the Centre of Excellence for National Security at S. Rajaratnam School of International Studies at Nanyang Technological University; and the NATO Cooperative Cyber Defense Centre of Excellence in Tallinn, Estonia will convene an in-person symposium at WCL from Wednesday, June 15 through Friday, June 17, 2022.
The event will bring together more than fifty leading academics and practitioners from across the globe to assess the present and future role of international law in regulating state cyber operations. You can see a list of the speakers and the agenda here. There will also be a dinner at which Lt. Gen. Jack Shanahan, USAF (ret.), will speak about the interplay of artificial intelligence and cyber operations in discussion with Professor Rain Liivoja from the University of Queensland Law School.
Register soon as seats are filling up. You can register here.
Explained: CERT-In's new cybersecurity norms, and why it is likely to issue a clarification about them – The Indian Express
CERT-In is learnt to be working on releasing more details of the cybersecurity directive issued in April, which has been opposed by industry stakeholders. According to sources, the agency could clarify that the norms apply only to VPN providers who offer Internet proxy like services to general Internet subscribers, and not to corporate VPN service providers.
What are these norms that CERT-In is clarifying?
The norms, released on April 28, asked VPN service providers along with data centres and cloud service providers, to store information such as names, email IDs, contact numbers, and IP addresses (among other things) of their customers for a period of five years. Entities are also required to report cybersecurity incidents to CERT-In within six hours of becoming or being made aware of them.
The norms have triggered concerns over privacy, and CERT-In is expected to clarify that private information of individuals will not be affected by the directions.
"These directions do not envisage seeking of information by CERT-In from service providers on a continual basis as a standing arrangement. CERT-In may seek information from service providers in case of cyber security incidents and cyber incidents, on a case-to-case basis, for discharge of its statutory obligations to enhance cyber security in the country," according to a person aware of the clarifications that CERT-In is in the process of finalising.
The agency is also likely to include in its clarifications that the April 28 directive to store such information and share it with CERT-In will override any contractual obligation VPN providers may have with their customers of not disclosing such information.
Queries sent to the IT Ministry and CERT-In Director General Sanjay Bahl were not immediately answered.
But why has CERT-In felt the need to issue a clarification?
Prominent VPN providers, a large part of whose value proposition is ensuring anonymity of their users on the Internet, have questioned the directives, and some providers like NordVPN are even considering pulling their servers from India should the directive be enforced on them.
"At the moment, our team is investigating the new directive recently passed by the Indian government and exploring the best course of action. As there are still at least two months left until the law comes into effect, we are currently operating as usual. We are committed to protecting the privacy of our customers, therefore, we may remove our servers from India if no other options are left," Laura Tyrylyte, head of public relations at Nord Security, said.
VPN providers like Surfshark have claimed that their technology does not allow the logging of users' information. "Surfshark has a strict no-logs policy, which means that we don't collect or share our customer browsing data or any usage information," Gytis Malinauskas, head of the legal department at Surfshark, said.
"Moreover, we operate only with RAM-only servers, which automatically overwrite user-related data. Thus at this moment, we would not be able to comply with the logging requirements even technically. We are still investigating the new regulations and its implications for us, but the overall aim is to continue providing no-logs services to all of our users," Malinauskas said.
How has the government responded to these concerns?
Speaking to The Indian Express earlier this month, IT Minister Ashwini Vaishnaw had said there was nothing to worry about CERT-In's norms. "There is no privacy concern. Suppose somebody takes a mask and shoots, wouldn't you ask them to remove that mask? It is like that," Vaishnaw had said during an interview.
Explaining the need for the rules, he had said, "Cybersecurity is something which is continuously evolving. So we have issued very comprehensive guidelines from CERT-In. Ultimately, if there is a threat to you, the police and you would both have to work together."
"The basic concept (of the guidelines) is that the people who are actually running the infrastructure should take all possible steps to make sure that things are in place and if there is any breach, immediately inform us so that we can take action," Vaishnaw said.
In India, kids exposed to online risks more than any country: Report – Hindustan Times
Children have spent more and more time on the internet since the beginning of the Covid-19 pandemic and, with online education for even lower classes becoming popular, exposure to the internet is also beginning at an early age, which leaves kids vulnerable to cyberbullying and other dangers. According to a report by internet security company McAfee -- Life Behind the Screens of Parents, Tweens, and Teens -- children hit their online stride when they are between 15 and 16, at which point mobile usage jumps so much it approaches levels they will carry into adulthood.
Research by McAfee, an American computer security software firm, surveyed 15,500 parents and more than 12,000 of their children in ten countries, including the United States, the United Kingdom, Mexico and India, to understand how they protect themselves and their loved ones on the internet.
"Worldwide, 90 per cent of teens between 15 and 16 said they used a smartphone or mobile device. This marked a noteworthy 14 per cent spike in usage when compared to children 10 to 14 years old, 76 per cent of whom said they use a smartphone or mobile device," the May 12 report stated.
Indian kids exposed to online risks more than any country
Researchers also found the US has the highest cyberbullying rate (28 per cent) and high exposure to online risks, while India had the highest exposure to online risks out of any country. India also had some of the earliest mobile maturity, as per the data.
Global trends on cyberbullying
By the age of 17 or 18 reports of cyberbullying increased to 18 per cent, attempted theft of online accounts to 16 per cent, and unauthorised use of personal data to 14 per cent, data showed.
Data also showed that 73 per cent of children look to parents - more than any other resource - for help in terms of online safety. Parents, however, seem to lag behind a bit in actually taking active steps to secure their child from cyberbullying.
The report noted: "Parents take more precautions, such as installing antivirus software, using password protection, or sticking to reputable online stores when shopping, on their own devices than they do on their children's connected devices."
Secret lives of teens and tweens online
According to the research, more than half of the surveyed children (59 per cent) act to hide their online activity - from clearing browser history to omitting details about what they are doing online.
Do girls experience more dangers online?
According to the research, there is a gender bias when it comes to parents protecting kids from online threats. Data shows girls are more protected than boys, but it is the boys who encounter more issues online.
Girls aged 10-14 were more likely than boys of the same age to have parental control on personal computers or laptops in almost every country surveyed, while boys were more likely to hide their activity from parents.
23 per cent of parents said they would check the browsing and email history on the PCs of their daughters aged 10 to 14. But for boys aged 10 to 14, this is only 16 per cent.
22 per cent of parents restrict access to certain sites for girls. For boys this is just 16 per cent.
Satellites, the first line of defence – Capacity Media
The agencies, one from each of the Five Eyes countries that have worked on intelligence since World War Two, were the UK's National Cyber Security Centre, the Cybersecurity and Infrastructure Security Agency (CISA) in the US, National Cyber Security Centre New Zealand, the Canadian Centre for Cyber Security, and the Australian Cyber Security Centre.
But what will this mean for the wholesale telecoms/ICT community that protects not only the infrastructure, but the network layer and in some cases the application layer as well?
According to Alp Toker, founder and director of NetBlocks, a global internet monitor, Ukraine has been a huge wake-up call for the telecoms community in terms of security, but there are also other factors to consider.
"Firstly, the pandemic has caused a blurring of lines between business infrastructure and home infrastructure, so you already have this need for resilience that is much more widespread than to the office or to the data centre," says Toker.
"At the same time there has been a growing awareness of physical infrastructure and threats to physical infrastructure, including both kinetic attacks and sabotage, so, along with awareness of telecommunications, there's also an awareness of how to disrupt telecommunications."
But by his own admission there is no silver bullet. Instead telcos must adopt a holistic approach with information officers encouraged to track the news and keep up to date with what's going on according to their own processes.
"There's the hardware threat, the software threat, as well as a piggybacking of business infrastructure, increasingly on consumer networks creating this need for increased reliability across the board," added Toker.
"Telcos are going to need to improve security by themselves. They can't rely on government or local authorities. It's a task for the entire business."
Despite the need for a holistic approach, a month prior to the publication of the joint Cybersecurity Advisory, the CISA and the Federal Bureau of Investigation (FBI) published an alert on the need for US and international satellite operators to strengthen their cybersecurity citing the current geopolitical situation.
Satellite
In its advisory the Cybersecurity Advisory writes that it strongly encourages critical infrastructure organisations and other organisations that are either satcomm network providers or customers to review and implement the mitigations outlined in this CSA to strengthen satcomm network cybersecurity.
Toker said: "Satellite communications have played a significant role in the conflict, despite Ukraine being very well connected via land."
One such incident that supports this need is the attack on the Viasat satellite network in Europe on the morning of the Russian invasion.
"It shows you that this kind of instruction will be targeted as a means of preparing the battlefield and as a means of limiting communications," he added.
Further, the introduction of low earth orbit satellites like Starlink brings with it new technological opportunities as it no longer requires bulky equipment and in theory, a receiver and transmitter can be minimised and put on a phone: it can even be scaled down to the size of a wristwatch.
This has been part of what Toker calls the information warfare field. The first is that the technology itself has been classified as a risk by the Russian government, which sees independent communication lines as a threat.
Next, he says is the use of jamming, which refers to the intentional disruption of wireless communications with signal interference to limit the use of devices such as handsets.
The most interesting thing here is this new ability that Starlink has developed to dynamically mitigate these risks, which really speaks to needs that the whole industry faces not just in satellite. When there is a threat, you need to be able to counter it dynamically and in real time.
This functionality enables operators to push updates, including firmware updates and dynamic frequency updates to mitigate these threats because otherwise your device is going to be incapacitated and stuck in the field.
This leads onto another emergent threat: firmware attacks, another type of assault believed to have happened during the Russia-Ukraine war.
"This is every telco's nightmare, because once a device is bricked that device is very difficult or impossible to repair," says Toker.
If hackers can push fake firmware or can incapacitate devices, they can knock out significant parts of the network, without even needing to perform a more sophisticated attack or supply chain attack. The more remote the devices, the more of a nightmare it is for the operator to resolve the issue, with the ultimate fear being that satellites themselves could be bricked through remote firmware.
One such example includes the story of Russian looters who, while working with the Russian military, stole 27 pieces of John Deere farm equipment, valued at approximately $5,000,000 from a dealership in Melitopol, Ukraine.
The group attempted to take the equipment back to Chechnya, Russia in an attempt to sell it on, but the John Deere dealership used the internet and bricked the tractors, using an in-built kill-switch.
Security and tech
With so many companies monitoring the situation, Quad9, a global public recursive DNS resolver, intercepted more than 4.6 million attacks against computers and phones in Ukraine and Poland since March of this year.
Bill Woodcock, executive director of Packet Clearing House, said: "They're being targeted by a huge amount of phishing, and a lot of malware that is getting onto machines is trying to contact malicious command-and-control infrastructure."
Toker says that, due to the varied nature of these attacks, securing the home, and building networking structure that is as reliable as the office, in people's homes, has really become the new challenge.
AI and machine learning continue to be the biggest technologies to invest in for their ability to monitor and mitigate network activity. As for things like quantum cryptography, Toker says it holds a lot of potential but there are also questions about how to make it attractive as an investment. There needs to be an increased awareness and desire to protect users' data, so that there can be investment in technologies like quantum cryptography.
While blockchain continues to grow in use cases, he says we haven't yet seen the real-world applications agreed for the technology.
Toker's advice is to decentralise as much as you can, while increasing peering and reducing choke points that can be targeted by threat actors.
"If a telco isn't automating their threat analysis, they really need to get involved with that now," he said. "You need to know what attacks are coming in, and you need to be able to automate that, so machine learning would be a deployment that I would prioritise."
Read this article:
Satellites, the first line of defence - Capacity Media
Mitigating cyber threats post pandemic – Capacity Media
The disruption caused by Covid-19 has left companies struggling to maintain security and business continuity.
The working from home culture adopted by millions as a result of the pandemic meant a heightened risk of cyber threats for businesses. However, this sudden shift meant many companies were still ill-prepared for breaches to their systems.
"What we saw, at the beginning of the pandemic at least, was that organisations were not prepared for the quick shift to offsite working," says Max Röttgermann, senior product manager of IP transit and DDoS defence at Deutsche Telekom.
He adds that companies did not have the security processes in place to ensure their data was secure as a growing number of employees began to work from home.
And as many employees worked from their own personal computers, the risk of cybercrimes was greater than ever before, according to Röttgermann.
"We were faced with providing quick solutions to a large number of clients all at the same time, and many organisations have still not enabled satisfactory security procedures," he says.
Simultaneously, more organisations had limited staff on site, meaning there were fewer employees available to keep an eye on fraud controls as meticulously as they may have done previously.
This all provided and continues to provide fertile ground for fraudsters.
Mitigating the risk
Deutsche Telekom itself faces the same risks that any organisation faces. Having said that, Röttgermann acknowledges that being a major telco provider makes the company an attractive target for those attempting to affect or influence businesses or even political agendas.
However, the firm has a comprehensive series of mitigation solutions in place to neutralise those risks.
"We continually launch innovations and strengthen our defence offerings to the benefit of our clients as well as ourselves," Röttgermann says.
"Additionally, we automatically analyse immense amounts of data every day to protect our own infrastructure."
One such solution is its 360 Defense Strategy, which takes a holistic approach to protection with the intention of stopping fraud and cyberattacks before they have a chance to cause any damage.
Part of that includes its automated fraud monitoring system, which screens all international voice traffic and can independently take mitigation steps in case of anomalies or suspicious traffic.
Deutsche Telekom has a team of security and fraud experts who work on identifying possible cyberattacks, fending them off, and making sure the company is best prepared to deal with one, should it occur.
Röttgermann says that there are programmes that help the company to determine where the next possible attacks may be coming from, so that they can be stopped before they have a chance to do damage.
"This is a continuous effort, and one we successfully maintain," he says.
"Through our co-operation with the best partners in the industry, we have developed a whole regiment of troops to battle even the toughest of cyber enemies."
IoT security
With the rapid evolution of Internet of Things (IoT) devices and the swift adoption of IoT as an industry, security will become increasingly important. The total number of IoT devices is expected to jump to 30.9 billion units by 2025, according to numbers from Statista. This means, according to Röttgermann, that greater emphasis must be placed on IoT security.
"If you think about use cases such as remote surgery, autonomous cars, smart medical implants, or even governments promoting smart cities, they all need not only fast and reliable connectivity but also strong security," Röttgermann says.
He adds that Deutsche Telekom Global Carrier already has one of the most comprehensive security portfolios on the market, something that will strengthen IoT security.
Additionally, the company has initiated developments that bring continual advancements to enhance connectivity security. These include its Regional Packet Gateway platform, which installs gateways at strategic locations around the world instead of sending data back to a home country that could be in a remote location.
Alongside this, Röttgermann says, Deutsche Telekom led an ITW Global Leaders Forum (GLF) working group to publish a Code of Conduct for the direct peering of critical, transnational IoT traffic.
Its purpose was to define a protocol among global carriers providing IPX-based traffic in order to assure quality of service for critical IoT applications.
"Without initiatives like this, enterprise customers would not be able to guarantee the stability of their products to end users," he adds.
"At Deutsche Telekom Global Carrier, we are more than ready to take on any cybersecurity fraudsters or criminals."
Noteworthy Information in the French Data Protection Authority’s (CNIL) Newly Published 2021 Annual Report – Lexology
The French data protection authority, the CNIL, has published its annual report for 2021 (in French), which contains some useful information and figures, notably on complaints, investigations and sanctions, as well as reference standards issued by the CNIL in relation to specific processing activities.
Complaints
In 2021, the CNIL received 14,143 complaints (an increase of 7% compared to 2020 but similar to 2019) out of which:
Some complaints have been transferred to another lead authority under the one-stop-shop and cooperation rules.
The CNIL has also received 5,882 indirect data subject action requests (the indirect action is the only one available for certain databases, such as those of the police or secret services).
The CNIL reports that many complaints have been made about organizations that are established outside of the EU (UK, Switzerland, United States of America, Canada, Russia, Australia, South Korea and China) mainly in relation to the publication of data on the Internet.
Investigations
It carried out 384 investigations, 31% of which followed from complaints or reports.
The CNIL highlights:
Cookie compliance has been one of the priority themes set by the CNIL for 2021 and the CNIL has launched an unprecedented control campaign.
The CNIL also continued its control activities on the security of health data by investigating 30 medical analysis laboratories, hospitals, service providers and data brokers, notably in relation to COVID-19 pandemic related data. Some of these procedures are still ongoing.
With respect to the level of internet security, it controlled 22 organizations, 15 of which are public. The investigations revealed obsolete cryptographic suites making websites vulnerable to attacks, shortcomings concerning passwords and, more generally, insufficient means with regard to current security issues.
Sanctions
The CNIL issued:
Out of the 18 sanctions,
The most frequent breaches include:
The CNIL also issued two public sanctions against the Ministry of the Interior, concerning the illicit use of drones and poor management of the automated fingerprint file (FAED).
Investigation program for 2022
In February, the CNIL published the priority focuses of its 2022 investigation program, which accounts for around one third of its investigations, on the following three major topics:
This follows the numerous complaints received on this topic and the publication in February 2022 of a new commercial management reference framework, which in particular frames the carrying out of commercial prospecting. The CNIL intends to investigate data brokers and other intermediaries.
The significant shift to teleworking has led to the development of specific tools, including tools allowing employers to ensure closer monitoring of the daily tasks and activities of employees. The CNIL considers it necessary to check employers' practices in this field.
The CNIL intends to explore issues relating to data transfers and the management of contractual relations between data controllers and cloud solution provider subcontractors.
The CNIL has received 5,037 data breach notifications (a 79% increase compared to 2020), of which 63% were due to an external cause (accident or malicious act). The CNIL considers that this figure is still too low compared to actual data breaches which may have occurred.
The CNIL responded to 22 parliamentary hearings and issued 121 opinions on bills and decrees. 16 of these opinions concerned how data processing was implemented in the context of the fight against the COVID-19 pandemic.
The CNIL also handled 576 health authorization applications in 2021 and issued 54 research authorizations on COVID-19.
In 2021, the CNIL adopted several standards of reference and sectorial recommendations. These included:
It has also developed tools to enable the development of virtuous digital innovation, in particular through its start-up strategy deployed in 2017. This year, this has resulted in the implementation of a first personal data sandbox for health. As a result, 12 projects have been supported by the CNIL, including 4 in a reinforced way.
How Singapore is shaping its cyber defence with international collaboration – GovInsider
"If you see your neighbour's house burning, do not point and laugh, because yours will be next." These words of warning, shared by a foreign diplomat, summarise the importance of collaboration in the cyber sphere, said Gaurav Keerthi, Deputy Chief Executive (Development), Cyber Security Agency, Singapore.
Teamwork makes the dream work, and that's no exception for protecting against cyber threats. Having channels of communication between nations allows them to tackle cross-border cyber attacks together, Keerthi shared at GovInsider's AI x GOV panel on cyber diplomacy.
He discussed how Singapore is working with the international community to fortify cyber defences. Keerthi also shared how governments can build cyber capabilities even among non-IT skilled citizens by providing greater convenience and incentives.
International cyber cooperation
Why should governments work with one another on cybersecurity issues? "A cyber threat, like a fire, will spread," shared Keerthi. "If there's a cybersecurity incident in another nation in Southeast Asia, we have to lean forward and help each other," he said.
When vulnerabilities emerge, it is now instinctive for Southeast Asian nations to pick up the phone and ask "are you seeing this too?", Keerthi shared. Nations are building both regional and global agreements on cybersecurity, GovInsider reported.
On a worldwide level, Singapore chairs an Open Ended Working Group, an international team within the UN, to look at the use of information and communications. The hope is that this group will help implement international norms on responsible cyber behaviour.
For example, representatives from Singapore suggested nations practice for emergency situations. This includes making sure different countries know who to call when they require assistance or have valuable information, Keerthi explained.
Another example of collaboration is Singapore's cyber labelling scheme, where IoT devices are given a sticker to rate them according to their level of cybersecurity protections. Finland and Singapore have agreed to recognise labels from each other, Keerthi shared.
This means that IoT manufacturers can apply for a labelling rating and have their products' cybersecurity protections recognised in both countries, wrote Singapore's Cyber Security Agency.
Cybersecurity and the average person
Keerthi discussed how citizens and public servants without significant IT training could play their part in cybersecurity. First, he shared that you should not need to be a computer science student to operate a computer.
When he first learned to drive, Keerthi had to learn the parts of a car engine, such as the carburetor. But today, drivers just need to know where the start button is, he said. He applied this to cybersecurity, explaining that technology can make it easier for non-experts.
One example of how governments can develop cyber safety among citizens is through a mobile app where citizens can use biometrics to access government e-services, Keerthi shared.
"Rather than having to remind citizens about two factor authentication and strong passwords, it's actually cheaper and more effective to just build an authentication platform for them," Keerthi highlighted.
Defending Singapore includes small businesses and citizens, Singapore's "uncles and aunties", he shared. The government has a duty to provide "clean drinking water" in the form of reliable and clean internet access to its citizens, he highlighted.
Second, regulations can help ensure cyber safety, he said, comparing cybersecurity tools with cars. Cars in the past were less safe than they are today, but then regulations required automobiles to be built with seatbelts.
Now automobile manufacturers have moved beyond seatbelts, and are developing new safety measures on their own, Keerthi continues. Cybersecurity tools have not yet reached this level of advancement, but the role of these regulations is something to keep in mind, he shared.
Third, he shared that market forces are a method of developing cybersecurity protections, without IT knowledge. The cyber labelling scheme mentioned previously is an example of this.
The simple sticker on IoT devices immediately changes behaviour among consumers as they can easily evaluate a product's security, Keerthi said. But it also alters the behaviour of manufacturers as they will compete with each other to provide this improved security, he explained.
"This is not a technology solution, but understanding human behaviour, understanding dynamics of market competition, and trying to incentivise market competition in security," he summarised.
To stop a spreading fire, people form a human chain to ferry water to the flames. Governments can similarly work together to stop cyber attacks, setting out cyber norms and instinctively sharing information with one another, to protect their citizens.