The dark side of the cybersecurity industry has surfaced once again – companies that provide cyberweapons to organizations with deep pockets. In this case, the cyberweapon is a chain of zero-day exploits that requires no more than clicking on a link from an SMS. Good thing the target is discerning enough not to click on it – which means a million dollars (or two, or three) is wasted.
This report describes how a government targeted an internationally recognized human rights defender, Ahmed Mansoor, with the Trident, a chain of zero-day exploits designed to infect his iPhone with sophisticated commercial spyware.
Source: The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender – The Citizen Lab
Yes any organization can be hacked. Even the NSA. The stolen cyberweapons – there may be more than one group who possess them – are now being auctioned publicly. This is why it’s a bad idea to add backdoors that only governments can use.
A never-before-published NSA manual makes it clear that malware released by a hacker group this week came from the spy agency.
Source: The NSA Leak Is Real, Snowden Documents Confirm
Google launches another video calling app. It’s not the app that caught my eyes though, but comments on Hacker News about Google’s culture:
Google culture is hiring the smartest or most motivated college grads, paying them to babysit legacy money printing systems built by the generation before them, then occasionally encouraging them to team up and clone popular services from other companies and startups.
The clones get passed around the campus for dogfooding until enough interest builds up and the project goes up the chain of command until a VP (at the time Marissa) signs off on it with notes on what to improve along with granting the necessary resources to spin it up.
Then if someone decides the project has legs they figure out how to engineer it for Google’s audience and launch. If it doesn’t work then the team disperse and move on to another project. Or it works and the team gets a moment in the sun.
Every single popular thing on the internet has a Google clone somewhere in the intranet.
Your secrets should be safe as long as your machine is not connected to any network right? Think again. There have been extremely innovative ways of transmitting information from unplugged (or what is known as air-gapped) computers to other devices, including:
and now.. via the sound that a hard drive makes.
“DiskFiltration” siphons data even when computers are disconnected from the Internet.
Source: New air-gap jumper covertly transmits data in hard-drive sounds
More bad news for Volkswagen.
A team of researchers has found that Volkswagen stores secret keys in car components that leave almost all its vehicles since 1995 vulnerable to theft.
Source: A New Wireless Hack Can Unlock 100 Million Volkswagens
Another impressive likely-state-sponsored malware. Data exfiltration from air-gapped machines is the holy grail of the malware world. If they succeeded this will be huge.
The malware—known alternatively as “ProjectSauron” by researchers from Kaspersky Lab and “Remsec” by their counterparts from Symantec—has been active since at least 2011 and has been discovered on 30 or so targets. Its ability to operate undetected for five years is a testament to its creators, who clearly studied other state-sponsored hacking groups in an attempt to replicate their advances and avoid their mistakes.
Source: Researchers crack open unusually advanced malware that hid for 5 years
It has long been known that telephony services like SMS are not secure. When your infrastructure provider is hostile it gets challenging to protect your users.
Iranian hackers have compromised more than a dozen accounts on the Telegram instant messaging service and identified the phone numbers of 15 million Iranian users, the largest known breach of the encrypted communications system, cyber researchers told Reuters.
Source: Exclusive: Hackers accessed Telegram messaging accounts in Iran – researchers