Top-secret documents reveal that the National Security Agency is dramatically expanding its ability to covertly hack into computers on a mass scale by using automated systems that reduce the level of human oversight in the process.

The classified files – provided previously by NSA whistleblower Edward Snowden – contain new details about groundbreaking surveillance technology the agency has developed to infect potentially millions of computers worldwide with malware “implants.” The clandestine initiative enables the NSA to break into targeted computers and to siphon out data from foreign Internet and phone networks.

The covert infrastructure that supports the hacking efforts operates from the agency’s headquarters in Fort Meade, Maryland, and from eavesdropping bases in the United Kingdom and Japan. GCHQ, the British intelligence agency, appears to have played an integral role in helping to develop the implants tactic.

In some cases the NSA has masqueraded as a fake Facebook server, using the social media site as a launching pad to infect a target’s computer and exfiltrate files from a hard drive. In others, it has sent out spam emails laced with the malware, which can be tailored to covertly record audio from a computer’s microphone and take snapshots with its webcam. The hacking systems have also enabled the NSA to launch cyberattacks by corrupting and disrupting file downloads or denying access to websites.

The implants being deployed were once reserved for a few hundred hard-to-reach targets, whose communications could not be monitored through traditional wiretaps. But the documents analyzed by The Intercept show how the NSA has aggressively accelerated its hacking initiatives in the past decade by computerizing some processes previously handled by humans. The automated system – codenamed TURBINE – is designed to “allow the current implant network to scale to large size (millions of implants) by creating a system that does automated control implants by groups instead of individually.”

In a top-secret presentation, dated August 2009, the NSA describes a pre-programmed part of the covert infrastructure called the “Expert System,” which is designed to operate “like the brain.” The system manages the applications and functions of the implants and “decides” what tools they need to best extract data from infected machines.

Mikko Hypponen, an expert in malware who serves as chief research officer at the Finnish security firm F-Secure, calls the revelations “disturbing.” The NSA’s surveillance techniques, he warns, could inadvertently be undermining the security of the Internet.

“When they deploy malware on systems,” Hypponen says, “they potentially create new vulnerabilities in these systems, making them more vulnerable for attacks by third parties.”

Hypponen believes that governments could arguably justify using malware in a small number of targeted cases against adversaries. But millions of malware implants being deployed by the NSA as part of an automated process, he says, would be “out of control.”

“That would definitely not be proportionate,” Hypponen says. “It couldn’t possibly be targeted and named. It sounds like wholesale infection and wholesale surveillance.”

The NSA declined to answer questions about its deployment of implants, pointing to a new presidential policy directive announced by President Obama. “As the president made clear on 17 January,” the agency said in a statement, “signals intelligence shall be collected exclusively where there is a foreign intelligence or counterintelligence purpose to support national and departmental missions, and not for any other purposes.”

“Owning the Net”

The NSA began rapidly escalating its hacking efforts a decade ago. In 2004, according to secret internal records, the agency was managing a small network of only 100 to 150 implants. But over the next six to eight years, as an elite unit called Tailored Access Operations (TAO) recruited new hackers and developed new malware tools, the number of implants soared to tens of thousands.

To penetrate foreign computer networks and monitor communications that it did not have access to through other means, the NSA wanted to go beyond the limits of traditional signals intelligence, or SIGINT, the agency’s term for the interception of electronic communications. Instead, it sought to broaden “active” surveillance methods – tactics designed to directly infiltrate a target’s computers or network devices.

In the documents, the agency describes such techniques as “a more aggressive approach to SIGINT” and says that the TAO unit’s mission is to “aggressively scale” these operations.

But the NSA recognized that managing a massive network of implants is too big a job for humans alone.

“One of the greatest challenges for active SIGINT/attack is scale,” explains the top-secret presentation from 2009. “Human ‘drivers’ limit ability for large-scale exploitation (humans tend to operate within their own environment, not taking into account the bigger picture).”

The agency’s solution was TURBINE. Developed as part of TAO unit, it is described in the leaked documents as an “intelligent command and control capability” that enables “industrial-scale exploitation.”

TURBINE was designed to make deploying malware much easier for the NSA’s hackers by reducing their role in overseeing its functions. The system would “relieve the user from needing to know/care about the details,” the NSA’s Technology Directorate notes in one secret document from 2009. “For example, a user should be able to ask for ‘all details about application X’ and not need to know how and where the application keeps files, registry entries, user application data, etc.”

In practice, this meant that TURBINE would automate crucial processes that previously had to be performed manually – including the configuration of the implants as well as surveillance collection, or “tasking,” of data from infected systems. But automating these processes was about much more than a simple technicality. The move represented a major tactical shift within the NSA that was expected to have a profound impact – allowing the agency to push forward into a new frontier of surveillance operations.

The ramifications are starkly illustrated in one undated top-secret NSA document, which describes how the agency planned for TURBINE to “increase the current capability to deploy and manage hundreds of Computer Network Exploitation (CNE) and Computer Network Attack (CNA) implants to potentially millions of implants.” (CNE mines intelligence from computers and networks; CNA seeks to disrupt, damage or destroy them.)

Eventually, the secret files indicate, the NSA’s plans for TURBINE came to fruition. The system has been operational in some capacity since at least July 2010, and its role has become increasingly central to NSA hacking operations.

Earlier reports based on the Snowden files indicate that the NSA has already deployed between 85,000 and 100,000 of its implants against computers and networks across the world, with plans to keep on scaling up those numbers.

The intelligence community’s top-secret “Black Budget” for 2013, obtained by Snowden, lists TURBINE as part of a broader NSA surveillance initiative named “Owning the Net.”

The agency sought $67.6 million in taxpayer funding for its Owning the Net program last year. Some of the money was earmarked for TURBINE, expanding the system to encompass “a wider variety” of networks and “enabling greater automation of computer network exploitation.”

Circumventing Encryption

The NSA has a diverse arsenal of malware tools, each highly sophisticated and customizable for different purposes.

One implant, codenamed UNITEDRAKE, can be used with a variety of “plug-ins” that enable the agency to gain total control of an infected computer.

An implant plug-in named CAPTIVATEDAUDIENCE, for example, is used to take over a targeted computer’s microphone and record conversations taking place near the device. Another, GUMFISH, can covertly take over a computer’s webcam and snap photographs. FOGGYBOTTOM records logs of Internet browsing histories and collects login details and passwords used to access websites and email accounts. GROK is used to log keystrokes. And SALVAGERABBIT exfiltrates data from removable flash drives that connect to an infected computer.

The implants can enable the NSA to circumvent privacy-enhancing encryption tools that are used to browse the Internet anonymously or scramble the contents of emails as they are being sent across networks. That’s because the NSA’s malware gives the agency unfettered access to a target’s computer before the user protects their communications with encryption.

It is unclear how many of the implants are being deployed on an annual basis or which variants of them are currently active in computer systems across the world.

Previous reports have alleged that the NSA worked with Israel to develop the Stuxnet malware, which was used to sabotage Iranian nuclear facilities. The agency also reportedly worked with Israel to deploy malware called Flame to infiltrate computers and spy on communications in countries across the Middle East.

According to the Snowden files, the technology has been used to seek out terror suspects as well as individuals regarded by the NSA as “extremist.” But the mandate of the NSA’s hackers is not limited to invading the systems of those who pose a threat to national security.

In one secret post on an internal message board, an operative from the NSA’s Signals Intelligence Directorate describes using malware attacks against systems administrators who work at foreign phone and Internet service providers. By hacking an administrator’s computer, the agency can gain covert access to communications that are processed by his company. “Sys admins are a means to an end,” the NSA operative writes.

The internal post – titled “I hunt sys admins” – makes clear that terrorists aren’t the only targets of such NSA attacks. Compromising a systems administrator, the operative notes, makes it easier to get to other targets of interest, including any “government official that happens to be using the network some admin takes care of.”

Similar tactics have been adopted by Government Communications Headquarters, the NSA’s British counterpart. As the German newspaper Der Spiegel reported in September, GCHQ hacked computers belonging to network engineers at Belgacom, the Belgian telecommunications provider.

The mission, codenamed “Operation Socialist,” was designed to enable GCHQ to monitor mobile phones connected to Belgacom’s network. The secret files deem the mission a “success,” and indicate that the agency had the ability to covertly access Belgacom’s systems since at least 2010.

Infiltrating cellphone networks, however, is not all that the malware can be used to accomplish. The NSA has specifically tailored some of its implants to infect large-scale network routers used by Internet service providers in foreign countries. By compromising routers – the devices that connect computer networks and transport data packets across the Internet – the agency can gain covert access to monitor Internet traffic, record the browsing sessions of users, and intercept communications.

Two implants the NSA injects into network routers, HAMMERCHANT and HAMMERSTEIN, help the agency to intercept and perform “exploitation attacks” against data that is sent through a Virtual Private Network, a tool that uses encrypted “tunnels” to enhance the security and privacy of an Internet session.

The implants also track phone calls sent across the network via Skype and other Voice Over IP software, revealing the username of the person making the call. If the audio of the VOIP conversation is sent over the Internet using unencrypted “Real-time Transport Protocol” packets, the implants can covertly record the audio data and then return it to the NSA for analysis.

But not all of the NSA’s implants are used to gather intelligence, the secret files show. Sometimes, the agency’s aim is disruption rather than surveillance. QUANTUMSKY, a piece of NSA malware developed in 2004, is used to block targets from accessing certain websites. QUANTUMCOPPER, first tested in 2008, corrupts a target’s file downloads. These two “attack” techniques are revealed on a classified list that features nine NSA hacking tools, six of which are used for intelligence gathering. Just one is used for “defensive” purposes – to protect U.S. government networks against intrusions.

“Mass exploitation potential”

Before it can extract data from an implant or use it to attack a system, the NSA must first install the malware on a targeted computer or network.

According to one top-secret document from 2012, the agency can deploy malware by sending out spam emails that trick targets into clicking a malicious link. Once activated, a “back-door implant” infects their computers within eight seconds.

There’s only one problem with this tactic, codenamed WILLOWVIXEN: According to the documents, the spam method has become less successful in recent years, as Internet users have become wary of unsolicited emails and less likely to click on anything that looks suspicious.

Consequently, the NSA has turned to new and more advanced hacking techniques. These include performing so-called “man-in-the-middle” and “man-on-the-side” attacks, which covertly force a user’s internet browser to route to NSA computer servers that try to infect them with an implant.

To perform a man-on-the-side attack, the NSA observes a target’s Internet traffic using its global network of covert “accesses” to data as it flows over fiber optic cables or satellites. When the target visits a website that the NSA is able to exploit, the agency’s surveillance sensors alert the TURBINE system, which then “shoots” data packets at the targeted computer’s IP address within a fraction of a second.

In one man-on-the-side technique, codenamed QUANTUMHAND, the agency disguises itself as a fake Facebook server. When a target attempts to log in to the social media site, the NSA transmits malicious data packets that trick the target’s computer into thinking they are being sent from the real Facebook. By concealing its malware within what looks like an ordinary Facebook page, the NSA is able to hack into the targeted computer and covertly siphon out data from its hard drive. A top-secret animation demonstrates the tactic in action.

The documents show that QUANTUMHAND became operational in October 2010, after being successfully tested by the NSA against about a dozen targets.

According to Matt Blaze, a surveillance and cryptography expert at the University of Pennsylvania, it appears that the QUANTUMHAND technique is aimed at targeting specific individuals. But he expresses concerns about how it has been covertly integrated within Internet networks as part of the NSA’s automated TURBINE system.

“As soon as you put this capability in the backbone infrastructure, the software and security engineer in me says that’s terrifying,” Blaze says.

“Forget about how the NSA is intending to use it. How do we know it is working correctly and only targeting who the NSA wants? And even if it does work correctly, which is itself a really dubious assumption, how is it controlled?”

In an email statement to The Intercept, Facebook spokesman Jay Nancarrow said the company had “no evidence of this alleged activity.” He added that Facebook implemented HTTPS encryption for users last year, making browsing sessions less vulnerable to malware attacks.

Nancarrow also pointed out that other services besides Facebook could have been compromised by the NSA. “If government agencies indeed have privileged access to network service providers,” he said, “any site running only [unencrypted] HTTP could conceivably have its traffic misdirected.”

A man-in-the-middle attack is a similar but slightly more aggressive method that can be used by the NSA to deploy its malware. It refers to a hacking technique in which the agency covertly places itself between computers as they are communicating with each other.

This allows the NSA not only to observe and redirect browsing sessions, but to modify the content of data packets that are passing between computers.

The man-in-the-middle tactic can be used, for instance, to covertly change the content of a message as it is being sent between two people, without either knowing that any change has been made by a third party. The same technique is sometimes used by criminal hackers to defraud people.

A top-secret NSA presentation from 2012 reveals that the agency developed a man-in-the-middle capability called SECONDDATE to “influence real-time communications between client and server” and to “quietly redirect web-browsers” to NSA malware servers called FOXACID. In October, details about the FOXACID system were reported by the Guardian, which revealed its links to attacks against users of the Internet anonymity service Tor.

But SECONDDATE is tailored not only for “surgical” surveillance attacks on individual suspects. It can also be used to launch bulk malware attacks against computers.

According to the 2012 presentation, the tactic has “mass exploitation potential for clients passing through network choke points.”

Blaze, the University of Pennsylvania surveillance expert, says the potential use of man-in-the-middle attacks on such a scale “seems very disturbing.” Such an approach would involve indiscriminately monitoring entire networks as opposed to targeting individual suspects.

“The thing that raises a red flag for me is the reference to ‘network choke points,’” he says. “That’s the last place that we should be allowing intelligence agencies to compromise the infrastructure – because that is by definition a mass surveillance technique.”

To deploy some of its malware implants, the NSA exploits security vulnerabilities in commonly used Internet browsers such as Mozilla Firefox and Internet Explorer.

The agency’s hackers also exploit security weaknesses in network routers and in popular software plugins such as Flash and Java to deliver malicious code onto targeted machines.

The implants can circumvent anti-virus programs, and the NSA has gone to extreme lengths to ensure that its clandestine technology is extremely difficult to detect. An implant named VALIDATOR, used by the NSA to upload and download data to and from an infected machine, can be set to self-destruct – deleting itself from an infected computer after a set time expires.

In many cases, firewalls and other security measures do not appear to pose much of an obstacle to the NSA. Indeed, the agency’s hackers appear confident in their ability to circumvent any security mechanism that stands between them and compromising a computer or network. “If we can get the target to visit us in some sort of web browser, we can probably own them,” an agency hacker boasts in one secret document. “The only limitation is the ‘how.’”

Covert Infrastructure

The TURBINE implants system does not operate in isolation.

It is linked to, and relies upon, a large network of clandestine surveillance “sensors” that the agency has installed at locations across the world.

The NSA’s headquarters in Maryland are part of this network, as are eavesdropping bases used by the agency in Misawa, Japan and Menwith Hill, England.

The sensors, codenamed TURMOIL, operate as a sort of high-tech surveillance dragnet, monitoring packets of data as they are sent across the Internet.

When TURBINE implants exfiltrate data from infected computer systems, the TURMOIL sensors automatically identify the data and return it to the NSA for analysis. And when targets are communicating, the TURMOIL system can be used to send alerts or “tips” to TURBINE, enabling the initiation of a malware attack.

The NSA identifies surveillance targets based on a series of data “selectors” as they flow across Internet cables. These selectors, according to internal documents, can include email addresses, IP addresses, or the unique “cookies” containing a username or other identifying information that are sent to a user’s computer by websites such as Google, Facebook, Hotmail, Yahoo, and Twitter.

Other selectors the NSA uses can be gleaned from unique Google advertising cookies that track browsing habits, unique encryption key fingerprints that can be traced to a specific user, and computer IDs that are sent across the Internet when a Windows computer crashes or updates.

What’s more, the TURBINE system operates with the knowledge and support of other governments, some of which have participated in the malware attacks.

Classification markings on the Snowden documents indicate that NSA has shared many of its files on the use of implants with its counterparts in the so-called Five Eyes surveillance alliance – the United Kingdom, Canada, New Zealand, and Australia.

GCHQ, the British agency, has taken on a particularly important role in helping to develop the malware tactics. The Menwith Hill satellite eavesdropping base that is part of the TURMOIL network, located in a rural part of Northern England, is operated by the NSA in close cooperation with GCHQ.

Top-secret documents show that the British base – referred to by the NSA as “MHS” for Menwith Hill Station – is an integral component of the TURBINE malware infrastructure and has been used to experiment with implant “exploitation” attacks against users of Yahoo and Hotmail.

In one document dated 2010, at least five variants of the QUANTUM hacking method were listed as being “operational” at Menwith Hill. The same document also reveals that GCHQ helped integrate three of the QUANTUM malware capabilities – and test two others – as part of a surveillance system it operates codenamed INSENSER.

GCHQ cooperated with the hacking attacks despite having reservations about their legality. One of the Snowden files, previously disclosed by Swedish broadcaster SVT, revealed that as recently as April 2013, GCHQ was apparently reluctant to get involved in deploying the QUANTUM malware due to “legal/policy restrictions.” A representative from a unit of the British surveillance agency, meeting with an obscure telecommunications standards committee in 2010, separately voiced concerns that performing “active” hacking attacks for surveillance “may be illegal” under British law.

In response to questions from The Intercept, GCHQ refused to comment on its involvement in the covert hacking operations. Citing its boilerplate response to inquiries, the agency said in a statement that “all of GCHQ’s work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorized, necessary and proportionate, and that there is rigorous oversight.”

Whatever the legalities of the United Kingdom and United States infiltrating computer networks, the Snowden files bring into sharp focus the broader implications. Under cover of secrecy and without public debate, there has been an unprecedented proliferation of aggressive surveillance techniques. One of the NSA’s primary concerns, in fact, appears to be that its clandestine tactics are now being adopted by foreign rivals, too.

“Hacking routers has been good business for us and our 5-eyes partners for some time,” notes one NSA analyst in a top-secret document dated December 2012. “But it is becoming more apparent that other nation states are honing their skillz [sic] and joining the scene.” source

The infamous Pegasus spyware created by Israeli firm NSO can turn any infected smartphone into a remote microphone or camera. Here’s how to stay safe and know if you’ve been hacked

        "ROWID": 97,
        "guid": "9CCE3479-D446-65BF-6D00-00FC30F105F1",
        "text": "",
        "replace": 0,
        "service_center": null,
        "handle_id": 1,
        "subject": null,
        "country": null,
        "attributedBody": "",
        "version": 10,
        "type": 0,
        "service": "SMS",
        "account": "P:+66********",
        "account_guid": "54EB51F8-A905-42D5-832E-D98E86E4F919",
        "error": 0,
        "date": 718245997147878016,
        "date_read": 720004865472528896,
        "date_delivered": 0,
        "is_delivered": 1,
        "is_finished": 1,
        "is_emote": 0,
        "is_from_me": 0,
        "is_empty": 0,
        "is_delayed": 0,
        "is_auto_reply": 0,
        "is_prepared": 0,
        "is_read": 1,
        "is_system_message": 0,
        "is_sent": 0,
        "has_dd_results": 1,
        "is_service_message": 0,
        "is_forward": 0,
        "was_downgraded": 0,
        "is_archive": 0,
        "cache_has_attachments": 0,
        "cache_roomnames": null,
        "was_data_detected": 1,
        "was_deduplicated": 0,
        "is_audio_message": 0,
        "is_played": 0,
        "date_played": 0,
        "item_type": 0,
        "other_handle": 0,
        "group_title": null,
        "group_action_type": 0,
        "share_status": 0,
        "share_direction": 0,
        "is_expirable": 0,
        "expire_state": 0,
        "message_action_type": 0,
        "message_source": 0,
        "associated_message_guid": null,
        "associated_message_type": 0,
        "balloon_bundle_id": null,
        "payload_data": null,
        "expressive_send_style_id": null,
        "associated_message_range_location": 0,
        "associated_message_range_length": 0,
        "time_expressive_send_played": 0,
        "message_summary_info": null,
        "ck_sync_state": 0,
        "ck_record_id": null,
        "ck_record_change_tag": null,
        "destination_caller_id": "+66926477437",
        "is_corrupt": 0,
        "reply_to_guid": "814A603F-4FEC-7442-0CBF-970C14217E1B",
        "sort_id": 0,
        "is_spam": 0,
        "has_unseen_mention": 0,
        "thread_originator_guid": null,
        "thread_originator_part": null,
        "syndication_ranges": null,
        "synced_syndication_ranges": null,
        "was_delivered_quietly": 0,
        "did_notify_recipient": 0,
        "date_retracted": 0,
        "date_edited": 0,
        "was_detonated": 0,
        "part_count": 1,
        "is_stewie": 0,
        "is_kt_verified": 0,
        "is_sos": 0,
        "is_critical": 0,
        "bia_reference_id": null,
        "fallback_hash": "s:mailto:ais|(null)(4)<7AD4E8732BAF100ABBAF4FAE21CBC3AE05487253AC4F373B7D1470FDED6CFE91>",
        "phone_number": "AIS",
        "isodate": "2023-10-06 00:46:37.000000",
        "isodate_read": "2023-10-26 09:21:05.000000",
        "direction": "received",
        "links": [
            "https://m.ais.co.th/J1Hpm91ix"
        ]
    },

        "attachment_id": 4,
        "ROWID": 4,
        "guid": "97883E8C-99FA-40ED-8E78-36DAC89B2939",
        "created_date": 726724286,
        "start_date": "",
        "filename": "~/Library/SMS/Attachments/b8/08/97883E8C-99FA-40ED-8E78-36DAC89B2939/IMG_0005.HEIC",
        "uti": "public.heic",
        "mime_type": "image/heic",
        "transfer_state": 5,
        "is_outgoing": 1,
        "user_info": ",
        "transfer_name": "IMG_0005.HEIC",
        "total_bytes": 1614577,
        "is_sticker": 0,
        "sticker_user_info": null,
        "attribution_info": null,
        "hide_attachment": 0,
        "ck_sync_state": 0,
        "ck_server_change_token_blob": null,
        "ck_record_id": null,
        "original_guid": "97883E8C-99FA-40ED-8E78-36DAC89B2939",
        "is_commsafety_sensitive": 0,
        "service": "iMessage",
        "phone_number": "*",
        "isodate": "2024-01-12 03:51:26.000000",
        "direction": "sent",
        "has_user_info": true
    }

{
        "domain_id": 22,
        "registrable_domain": "sitecdn.com",
        "last_seen": 1704959295.0,
        "had_user_interaction": false,
        "last_seen_isodate": "2024-01-11 07:48:15.000000",
        "domain": "AppDomain-com.apple.mobilesafari",
        "path": "Library/WebKit/WebsiteData/ResourceLoadStatistics/observations.db"
    }

        "service": "kTCCServiceMotion",
        "client": "com.apple.Health",
        "client_type": "bundle_id",
        "auth_value": "allowed",
        "auth_reason_desc": "system_set",
        "last_modified": "2023-07-11 06:25:15.000000"

To collect data about processes, users can use XCode Instruments.

Note: Developer mode must be enabled on the iOS device.

Image 3: Showcasing XCode instruments profile selection

Process data collection:

Image 4: Process list from iPhone

Overcoming the iOS interception challenge

For the common public

iOS security architecture typically prevents normal apps from performing unauthorized surveillance. However, a jailbroken device can bypass these security measures. Pegasus and other mobile malware may exploit remote jailbreak exploits to steer clear of detection by security mechanisms. This enables operators to install new software, extract data, and monitor and collect information from targeted devices.

Warning signs of an infection on the device include:

• Slower device performance
• Spontaneous reboots or shutdowns
• Rapid battery drain
• Appearance of previously uninstalled applications
• Unexpected redirects to unfamiliar websites

This reinstates the critical importance of maintaining up-to-date devices and prioritizing mobile security. Recommendations for end-users include:

• Avoid clicking on suspicious links
• Review app permissions regularly
• Enable Lockdown mode for protection against spyware attacks
• Consider disabling iMessage and FaceTime for added security
• Always install the updated version of the iOS

For businesses: Protect against Pegasus and other APT mobile malware

Securing mobile devices, applications, and APIs is crucial, particularly when they handle financial transactions and store sensitive data. Organizations operating in critical sectors, government, and other industries are prime targets for cyberattacks such as espionage and more, especially high-level employees.

Researching iOS devices presents challenges due to the closed nature of the system. Group-IB Threat Intelligence, however, helps organizations worldwide identify cyber threats in different environments, including iOS, with our recent discovery being GoldPickaxe.iOS – the first iOS Trojan harvesting facial scans and using them to potentially gain unauthorized access to bank accounts. Group-IB Threat Intelligence provides a constant feed on new and previously conducted cyber attacks, the tactics, techniques, and behaviors of threat actors, and susceptibility of attacks based on your organization’s risk profile— giving a clear picture of how your devices can be exploited by vectors, to initiate timely and effective defense mechanisms.

If you suspect your iOS or Android device has been compromised by Pegasus or similar spyware, turn to our experts for immediate support. To perform device analysis or set up additional security measures, organizations can also get in touch with Group-IB’s Digital Forensics team for assistance. source

HOW TO DEFEND YOURSELF AGAINST THE POWERFUL NEW NSO SPYWARE ATTACKS DISCOVERED AROUND THE WORLD

Even iPhones were vulnerable to the surveillance software, which appears to have been used against activists, journalists, and others.

AN INTERNATIONAL GROUP of journalists this month detailed extensive new evidence that spyware made by Israeli company NSO Group was used against activists, business executives, journalists, and lawyers around the world. Even Apple’s iPhone, frequently lauded for its tight security, was found to be “no match” for the surveillance software, leading Johns Hopkins cryptographer Matthew Green to fret that the NSO revelations had led some hacking experts to descend into a posture of “security nihilism.”

Security nihilism is the idea that digital attacks have grown so sophisticated that there’s nothing to be done to prevent them from happening or to blunt their impact. That sort of conclusion would be a mistake. For one thing, it plays into the hands of malicious hackers, who would love nothing more than for targets to stop trying to defend themselves. It’s also mistaken factually: You can defend yourself against NSO’s spyware — for example, by following operational security techniques like not clicking unknown links, practicing device compartmentalization (such as using separate devices for separate apps), and having a virtual private network, or VPN, on mobile devices. Such techniques are effective against any number of digital attacks and thus useful even if NSO Group turns out to be correct in its claim that the purported evidence against the company is not valid.

There may be no such thing as perfect security, as one classic adage in the field states, but that’s no excuse for passivity. Here, then, are practical steps you can take to reduce your “attack surface” and protect yourself against spyware like NSO’s.

Pegasus Offers “Unlimited Access to Target’s Mobile Devices”

The recent revelations concern a specific NSO spyware product known as Pegasus. They follow extensive prior studies of the company’s software from entities like the Citizen Lab, Amnesty International, Article 19, R3D, and SocialTIC. Here’s what we know about Pegasus specifically.

The software’s capabilities were outlined in what appears to be a promotional brochure from NSO Group dating to 2014 or earlier and made available when WikiLeaks published a trove of emails related to a different spyware firm, Italy’s Hacking Team. The brochure’s authenticity cannot be confirmed, and NSO has said it is not commenting further on Pegasus. But the document markets Pegasus aggressively, saying it provides “unlimited access to target’s mobile devices” and allows clients to “remotely and covertly collect information about your target’s relationships, location, phone calls, plans and activities — whenever and wherever they are.” The brochure also states the Pegasus can:

• Monitor voice and VoIP calls in real-time.
• Siphon contacts, passwords, files, and encrypted content from the phone.
• Operate as an “environmental wiretap,” listening through the microphone.
• Monitor communications through apps like WhatsApp, Facebook, Skype, Blackberry Messenger, and Viber.
• Track the phone’s location via GPS.

For all the hype, Pegasus is, however, just a glorified version of an old type of malware known as a Remote Access Trojan, or RAT: a program that allows an unauthorized party full access over a target device. In other words, while Pegasus may be potent, the security community knows well how to defend against this type of threat.

Let’s look at the different ways Pegasus can potentially infect phones — its various “agent installation vectors,” in the brochure’s own vernacular — and how to defend against each one.

Dodging Social Engineering Clickbait

There are numerous examples in reports of Pegasus attacks of journalists and human rights defenders receiving SMS and WhatsApp bait messages enjoining them to click malicious links. The links download spyware that lodges into devices through security holes in browsers and operating systems. This attack vector is called an Enhanced Social Engineer Message, or ESEM, in the leaked brochure. It states that “the chances that the target will click the link are totally dependent on the level of content credibility. The Pegasus solution provides a wide range of tools to compose a tailored and innocent message to lure the target to open the message.”

“The chances that the target will click the link are totally dependent on the level of content credibility.”

As the Committee to Protect Journalists has detailed, ESEM bait messages linked to Pegasus fall into various categories. Some claim to be from established organizations like banks, embassies, news agencies, or parcel delivery services. Others relate to personal matters, like work or alleged evidence of infidelity, or claim that the targeted person is facing some immediate security risk.

Future ESEM attacks may use different types of bait messages, which is why it’s important to treat any correspondence that tries to convince you to perform a digital action with caution. Here are some examples of what that means in practice:

• If you receive a message with a link, particularly if it includes a sense of urgency (stating a package is about to arrive or that your credit card is going to be charged), avoid the impulse to immediately click on it.
• If you trust the linked site, type out the link’s web address manually.
• If going to a website you frequently visit, save that website in a bookmark folder and only access the site from the link in your folder.
• If you decide you’re going to click a link rather than typing it out or visiting the site via bookmark, at least scrutinize the link to confirm that it is pointing to a website you are familiar with. And remember that it’s possible you will still be fooled: Some phishing links use similar-looking letters from a non-English character set, in what is known as a homograph attack. For example, a Cyrillic “О” might be used to mimic the usual Latin “O” we see in English.
• If the link appears to be a shortened URL, use a URL expander service such as URL Expander or ExpandURL to reveal the actual, long link it points to before clicking.
• Before you click a link apparently sent by someone you know, confirm that the person really did send it; their account may have been hacked or their phone number spoofed. Confirm with them using a different communication channel from the one on which you received the message. For instance, if the link came via a text or email message, give the sender a call. This is known as out-of-band verification or authentication.
• Practice device compartmentalization, using a secondary device without any sensitive information on it to open untrusted links. Keep in mind that if the secondary device is infected, it may still be used to monitor you via the microphone or camera, so keep it in a Faraday bag when not in use — or at least away from where you have sensitive conversations (a good idea even if it’s in a Faraday bag).
• Use nondefault browsers. According to a section titled “Installation Failure” in the leaked Pegasus brochure, installation may fail if the target is running an unsupported browser and in particular a browser other than “the default browser of the device.” But the document is now several years old, and it is possible that Pegasus today supports all kinds of browsers.
• If there is ever any doubt about a given link, the safest operational security measure is to avoid opening the link.

Thwarting Network Injection Attacks

Another way Pegasus infected devices in multiple cases was by intercepting a phone’s network traffic using what’s known as a man-in-the-middle, or MITM, attack, in which Pegasus intercepted unencrypted network traffic, like HTTP web requests, and redirected it toward malicious payloads. Pulling this off entailed either tricking the phone into connecting to a rogue portable device which pretends to be a cell tower nearby or gaining access to the target’s cellular carrier (plausible if the target is in a repressive regime where the government provides telecommunication services). This attack worked even if the phone was in mobile data-only mode, and not connected to Wi-Fi.

When Maati Monjib, the co-founder of the Freedom Now NGO and the Moroccan Association for Investigative Journalism, opened the iPhone Safari browser and typed yahoo.fr, Safari first tried going to http://yahoo.fr. Normally this would have redirected to https://fr.yahoo.com, an encrypted connection. But since Monjib’s connection was being intercepted, it instead redirected to a malicious third-party site which ultimately hacked his phone.

Typing just the website domain into a browser opens you to attacks, because your browser will attempt an unencrypted connection to the site.

Typing just the website domain (such as yahoo.fr) into a browser address bar without specifying a protocol (such as https://) opens the possibility for MITM attacks, because your browser by default will attempt an unencrypted HTTP connection to the site. Usually, you reach the genuine site, which immediately redirects you to a safe HTTPS connection. But if someone is tracking to hack your device, that first HTTP connection is enough of an opening to hijack your connection.

Some websites protect against this using a complicated security feature known as HTTP Strict Transport Security, which prevents your browser from ever making an unencrypted request to them, but you can’t always count on this, even for some websites that implement it correctly.

Here are some things you can do to prevent these kinds of attacks:

• Always type out https:// when going to websites.
• Bookmark secure (HTTPS) URLs for your favorite sites, and use those instead of typing the domain name directly.
• Alternately, use a VPN on both your desktop and mobile devices. A VPN tunnels all connections securely to the VPN server, which then accesses websites on your behalf and relays them back to you. This means that an attacker monitoring your network will likely not be able to perform a successful MITM attack as your connection is encrypted to the VPN — even if you type a domain directly into your browser without the “https://” part.

If you use a VPN, keep in mind that your VPN provider has the ability to spy on your internet traffic, so it’s important to pick a trustworthy one. Wirecutter publishes a regularly updated, thorough comparison of VPN providers based on their history of third-party security audits, their privacy and terms of use policies, the security of the VPN technology used, and other factors.

Zero-Click Exploits

Unlike infection attempts which require that the target perform some action like clicking a link or opening an attachment, zero-click exploits are so called because they require no interaction from the target. All that is required is for the targeted person to have a particular vulnerable app or operating system installed. Amnesty International’s forensic report on the recently revealed Pegasus evidence states that some infections were transmitted through zero-click attacks leveraging the Apple Music and iMessage apps.

Your device should have the bare minimum of apps that you need.

This is not the first time NSO Group’s tools have been linked to zero-click attacks. A 2017 complaint against Panama’s former President Ricardo Martinelli states that journalists, political figures, union activists, and civic association leaders were targeted with Pegasus and rogue push notifications delivered to their devices, while in 2019 WhatsApp and Facebook filed a complaint claiming NSO Group developed malware capable of exploiting a zero-click vulnerability in WhatsApp.

As zero-click vulnerabilities by definition do not require any user interaction, they are the hardest to defend against. But users can reduce their chances of succumbing to these exploits by reducing what is known as their “attack surface” and by practicing device compartmentalization. Reducing your attack surface simply means minimizing the possible ways that your device may be infected. Device compartmentalization means spreading your data and apps across multiple devices.

Specifically, users can:

• Reduce the number of apps on your phone. The fewer unlocked doors your home has, the fewer opportunities a burglar has to enter; similarly, fewer apps means fewer virtual doors on your phone for an adversary to exploit. Your device should have the bare minimum apps that you need to perform day-to-day function. There are some apps you cannot remove, such as iMessage; in those cases you can often disable them, though doing so will also make text messages no longer work on your iPhone.
• Regularly audit your installed apps (and their permissions), and remove any that you no longer need. It is safer to remove a seldom-used app and download it again when you actually need it than to let it remain on your phone.
• Regularly update both your phone’s operating system and individual apps, since updates close vulnerabilities, sometimes even unintentionally.
• Compartmentalize your remaining apps. If a phone only has WhatsApp installed and is compromised, the hacker will get WhatsApp data, but not other sensitive information like email, calendar, photos, or Signal messages.
• Even a compartmentalized phone can still be used as a wiretap and a tracking device, so keep devices physically compartmentalized — that is, leave them in another room, ideally in a tamper bag.

Physical Access

A final way an attacker can infect your phone is by physically interacting with it. According to the brochure, “when physical access to the device is an option, the Pegasus agent can be manually injected and installed in less than five minutes” — though it is unclear if the phone needs to be unlocked or if attackers are able to infect even a PIN-protected phone.

There seem to be no known cases of physically launched Pegasus attacks, though such exploits may be difficult to spot and distinguish from online attacks. Here’s how you can mitigate them:

• Always maintain a line of sight to your devices. Losing sight of your devices opens the possibility of physical compromise. Obviously there is a difference between a customs agent taking your phone at the airport versus you leaving your laptop behind in a room in your residence when you go to the bathroom, but all involve some risk, and you will have to calibrate your own risk tolerance.
• Put your device in a tamper bag when it needs to be left unattended, particularly in riskier locations like hotel rooms. This will not prevent the device from being manipulated but will at the least provide a ready alert that the device has been taken out of the bag and might have been tampered with, at which point the device should no longer be used.
• Use burner phones and other compartmented devices when entering potentially hostile environments such as government buildings, including embassies and consulates, or when going through border checkpoints.

Generally:

• Use Amnesty International’s Mobile Verification Toolkit if you suspect your phone is infected with Pegasus.
• Regularly back up important files.
• And finally, there’s no harm in regularly resetting your phone.

Although Pegasus is a sophisticated piece of spyware, there are tangible steps you can take to minimize the chance that your devices will be infected. There’s no foolproof method to eliminate your risk entirely, but there are definitely things you can do to lower that risk, and there’s certainly no need to resort to the defeatist view that we’re “no match” for Pegasus. source

How to Check if Your Cellphone Is Infected With Pegasus Spyware

NSO Group’s Pegasus spyware can turn any infected smartphone into a remote microphone and camera, spying on its own owner while also offering the hacker – usually in the form of a state intelligence or law enforcement agency – full access to files, messages and, of course, the user’s location.

Pegasus is one of a number of proprietary tools sold as part of the hacker-for-hire industry – and one found at the very high-end of that dark market. Other companies offer less expensive services – for example, only providing geolocation services for its clients. So how can you protect yourself? And how can you check to see if your phone has been targeted in the past or is infected now?

Haaretz offers a simple, nontechnical explanation on how to check and stay safe…

The weakest link

Most cellphone spyware operates in a similar fashion: a message is sent to a phone with a nefarious message. The message usually contains a link that will either download the malware onto your device directly, or refer it to a website that will prompt a download – all unbeknown to the phone’s owner.

There are other ways to get your phone to download something that don’t involve a message. However, from the moment of infection, most spyware tools follow a similar protocol: once installed, the spyware contacts what is called a “command-and-control” server, which provides it with instructions remotely.

“Let’s say the Israel Police are the ones who installed Pegasus on your smartphone and they want to know where you – or, more precisely, your phone – has been in the previous 24 hours. To get that information, instructions to obtain that data are sent to a C&C server connected to the phone,” explains Dr. Gil David, a researcher and cybersecurity consultant.

Many times, the links sent to you will appear innocent. It may look like a message from the Post Office or Amazon. But don’t be fooled: Through some simple social engineering and a process called “DNS spoofing,” even an official-looking URL may be a trap.

Sadly, staying safe is not always possible.

What makes Pegasus so expensive is its ability to not just potentially infect any smartphone selected for targeting remotely, but to do so with a “zero click” infection. This means your phone can be infected without you even having to click on a link – for example, with the code instructing your phone to reach out to the server secretly encoded into a WhatsApp message or even in a file like a photo texted to you via iMessage.

These “zero click” attacks make use of what is called “zero-day” exploits: unknown loopholes in your phone’s defenses that allow these hidden bits of code to kick into action without the victim doing anything.

So, another good practice is to make sure your phone’s operating system is as updated as possible: As new exploits are discovered, they are quickly “patched” by the likes of Apple and Google.

According to digital forensics experts Amnesty International and Citizen Lab, Pegasus’ zero click infections have only been found on iPhones. “Most recently, a successful ‘zero-click’ attack has been observed exploiting multiple zero-days to attack a fully patched iPhone 12 running iOS 14.6 in July 2021,” Amnesty notes in its instructive report “How to Catch NSO Group’s Pegasus.”

It seems Pegasus’ ability to infect iPhones was based on a previously unknown loophole in the iMessage service, and this too has subsequently been patched. However, other Israel firms, for instance QuadDream, reportedly have such abilities as well.

“From 2019, an increasing amount of vulnerabilities in iOS, especially iMessage and FaceTime, started getting patched thanks to their discoveries by vulnerability researchers, or to cybersecurity vendors reporting exploits discovered in-the-wild,” Amnesty writes – so make sure your phone is updated.

Indicators of compromise

Groups like Amnesty and Citizen Lab find NSO’s spyware on phones using two different methods. Both involve searching for what is termed “indicators of compromise,” or IOCs.

Amnesty maintains a database of nefarious domains used by NSO’s clients. The list is constantly updating as more bogus URLs are found. Citizen Lab, meanwhile, also maintains a database of so-called vectors: messages sent to victims containing nefarious code or URLS. The two groups each maintain updated lists of Pegasus’ related processes that together permit attribution.

The only thing that has changed with Pegasus over the years is the way your phone is referred to the server, and the way the so-called payload is delivered.

“While SMS messages carrying malicious links were the tactic of choice for NSO Group’s customers between 2016 and 2018, in more recent years they appear to have become increasingly rare,” Amnesty wrote in its July 2021 report.

The newer trend, discovered in the case of Moroccan journalist Omar Radi, who was infected with Pegasus in 2020, is what is known as “packet injection.” This means that the download order is delivered not through a message but instead through your network, in the form of a hidden command “injected” into the phone through what Amnesty describes as “tactical devices, such as rogue cell towers, or through dedicated equipment placed at the mobile operator.

“The discovery of network injection attacks in Morocco signaled that the attackers’ tactics were indeed changing. Network injection is an effective and cost-efficient attack vector for domestic use especially in countries with leverage over mobile operators,” it explained.

As NSO’s clients are state agencies, they can easily make use of the mobile infrastructure to infect phones.

Therefore, and though such injection infections can also be forced upon you, other good practices include never using free Wi-Fi; never connecting to wireless networks you do not absolutely know are secure – as these networks can easily be hacked so they infect your phone and refer it to the snooping server. Not using so-called VPNs is also advisable for the same reason.

Chances are you have not been infected with Pegasus. However, if you have cause for concern and are scared you are or were infected, there are a few options:  Amnesty offers a useful, free and open source tool called the Mobile Verification Toolkit that can check a backup of your device or its logs for any IOC. The MVT will scan your iPhone’s logs for Pegasus-related processes or search your Android’s messages for nefarious links. The tool can be downloaded here. The bad news is that it requires some technical know-how and is currently devoid of a simple-to-use interface. To get it to work, you first need to make a specific type of backup of your phone, and then you need to download the program and run the code on your computer so it can scan the file you created. Running the program requires you to download Python. Luckily, the tool comes with very clear instructions, and even those unskilled in code can make use of it with a bit of effort. Furthermore, it also allows you to conduct the test yourself. A similar product is iMazing, a phone-backup platform that runs on your desktop and provides a MVT-like analysis of your device. It does not prevent infections but can check your phone for IOCs. If the best offense is defense, there’s also a growing cellphone security market. Cyberdefense firms like ZecOps offer organizations like the BBC and Fortune 2000 companies a platform that inspects phones for current infections or traces of historic attacks. ZecOps also provides this service pro bono for journalists involved in the Pegasus Project. Private users can also buy such services. For example, the Israeli-Indian security firm SafeHouse Technologies offers an app called “BodyGuard” that provides defenses for your phone, for a small price. It already has more than a million users, mostly in India. If you can’t get the Mobile Verification Toolkit to work and are reluctant to use an app, and you genuinely fear you have been targeted, you can also drop us a tip here and we at Haaretz will get you checked. source

HOW TO DETECT PEGASUS SPYWARE

As one of the leading commercial spyware programs, Pegasus has been used by a host of companies, governments, and other entities to collect sensitive data from individuals’ smartphones. If Pegasus is deployed on your smartphone, your sensitive data could be at risk.

Read on to learn how to detect Pegasus spyware on your smartphone.

How to Detect Pegasus Spyware on Your Smartphone

The data privacy demands of today’s IT landscape call for robust mobile security, as more individuals rely on smartphone applications for essential day-to-day tasks.

Safeguarding your smartphone data from threats like Pegasus starts with knowing how to:

• Scan for and detect Pegasus spyware on your smartphone
• Identify Pegasus spyware installed on your smartphone
• Remove Pegasus spyware from your Android or iPhone
• Prevent Pegasus spyware from compromising your smartphone data 

Dealing with advanced mobile security risks like Pegasus spyware is much easier with the help of a managed security services provider (MSSP), who can advise on how to detect pegasus spyware on iPhone or Android.

What is Pegasus Spyware?

Developed by the NSO group in Israel, Pegasus is signature spyware that has been implicated in the secret surveillance of individuals worldwide. Pegasus spyware is considered dangerous because it allows an attacker to control a victim’s smartphone.

Using Pegasus spyware, a perpetrator can:

• Wiretap and listen to conversations
• Access photos and videos
• Control applications on a smartphone

It is difficult and often impossible for antivirus solutions to detect Pegasus spyware because it exploits zero-day vulnerabilities, which are unknown to the developers of these solutions.

How to Detect Pegasus Spyware

Over years of extensive research, Amnesty International has developed a methodology to detect Pegasus spyware on smartphones, providing it to the public as a resource on Github.

Using Amnesty International’s methodology, you can find a list of:

• Domain names of Pegasus infrastructure
• Email addresses identified in previous attacks
• Process names associated with Pegasus

Beyond the indicators of Pegasus compromise methodology, Amnesty International also released a Mobile Verification Toolkit (MVT) to help support users interested in detecting Pegasus spyware on their smartphones. With the help of Amnesty International’s spyware detection tools, you can learn how to detect pegasus spyware on Android or iPhone.

How to Detect Pegasus Spyware on iOS

Here’s how to check for pegasus spyware on iOS devices such as iPhones:

• Create a backup of encrypted data on a device other than your smartphone
• Once your smartphone is securely backed up, download the MVT tool onto your iPhone and follow Amnesty International’s instructions for detecting Pegasus.

Whereas other apps can detect Pegasus on iOS, it’s best to follow Amnesty International’s instructions or work with a qualified MSSP to avoid running into any issues while detecting the spyware.

How to Detect Pegasus Spyware on Android

Although the MVT mostly caters to iOS devices, it can still detect Pegasus on Android.

If you are wondering how to detect Pegasus spyware on Android with the MVT, the first places to start looking are potentially malicious text messages and APKs on your smartphone.

How Pegasus Works

For most Pegasus infections, the spyware is installed remotely on victims’ smartphones. However, Pegasus can be installed physically, and, in some cases, it can use the victim’s smartphone for data storage prior to transmitting data to a remote server.

Pegasus Remote Installation

Pegasus spyware can be remotely installed on a smartphone via:

• Zero-click attacks – Zero-click exploits typically leverage applications such as Apple Music or iMessage to send requests to the victim’s smartphone. Here, the victim does not interact with the spyware and is clueless about the download of Pegasus spyware.
• Malicious text messages –  A victim receives a text message containing an exploit link for a Pegasus spyware download. Clicking the link deploys spyware on the victim’s smartphone.
• Network injection attack – While browsing the Internet, a victim is redirected from a clear-text HTTP website to a decoy of a legitimate business. Unknowingly, a victim may then provide access credentials or other sensitive information.

In most cases, remote installation of Pegasus spyware on victims’ phones via zero-click attacks leverages zero-day vulnerabilities, of which the smartphone manufacturer may not be aware.

This makes Pegasus spyware very dangerous to its victims, who may not realize their sensitive data is being surveilled until it is too late.

Pegasus Physical Installation

While it is uncommon, Pegasus can be installed by connecting a victim’s smartphone to another device such as a computer to deploy the spyware. However, this would involve the difficult task of accessing a victim’s smartphone without their knowledge.

Pegasus Data Management

According to NSO, the spyware will transmit data from a victim’s smartphone to a server where the attacker can access the data. However, if Pegasus is unable to send data to a server, it will transmit the data to a “hidden and encrypted buffer” within the phone’s storage.

What Data Can Pegasus Access?

Once deployed on a smartphone, Pegasus spyware can access a range of data, including:

• Text messages
• Emails
• Photos and videos
• Personal contacts
• Location
• Audio messages and recordings

Detecting Pegasus spyware on your smartphone is critical to minimizing the risks of your sensitive data being exposed by perpetrators.

Can Pegasus be Removed?

You can remove Pegasus from your smartphone by attempting the following actions:

• Restarting your smartphone, to put a temporary stop to Pegasus
• Resetting your smartphone to its factory settings, which may remove Pegasus
• Updating your smartphone’s system software and apps to current versions
• Removing any unknown device connections to social media platforms

When removing Pegasus from your smartphone, it is always best to work with the MVT resource provided by Amnesty International. If Pegasus spyware removal becomes difficult, consider consulting an MSSP for help.

What to Do if You Have Pegasus

According to Reporters Without Borders (RSF), here’s what to do if you have Pegasus:

• Buy a new smartphone and stop using the one infected with Pegasus, ensuring the compromised smartphone is not close to you or your work environment.
• Change passwords for all accounts on the new smartphone and remember to sign out of the accounts on the compromised one.

If you have Pegasus, it is best to contact an experienced MSSP, who will point you to Pegasus spyware removal tools that will help remove Pegasus and keep your data safe.

Other Spyware like Pegasus

Besides Pegasus, other types of spyware include:

• Trojans, which can steal a victim’s funds or credentials to make fraudulent purchases.
• Stealware, which can intercept traffic from online shopping sites like those offering credits or rewards for purchases.

With everyone using smartphones or tablets to store sensitive information like account passwords, securing these devices from spyware and other forms of malware is paramount.

In an organizational setting, it is critical for leadership to emphasize the importance of mobile security in defending sensitive data stored on smartphones from various types of spyware.

How to Protect From Pegasus and Other Spyware

Protecting your organization from Pegasus and other spyware revolves around implementing mobile device security best practices such as:

• Encrypting any communication of sensitive data with industry-standard algorithms
• Keeping up-to-date with the latest phishing and malware attempts
• Updating your smartphone or mobile device with the latest security patches
• Using strong passwords and multi-factor authentication on all mobile devices
• Conducting routine penetration testing on mobile devices that contain sensitive data

If you are wondering how to block Pegasus spyware, some of the mobile security best practices above can help. However, it’s best to implement them with the guidance of a leading MSSP. source

Journalists, lawyers and activists hacked with Pegasus spyware in Jordan, forensic probe finds

The NSO File: A Complete (Updating) List of Individuals Targeted With Pegasus Spyware

The Israeli-made Pegasus spyware is suspected of infecting over 450 phones targeted by clients of NSO, who range from Saudi Arabia to Mexican drug lords. Here’s a list of the confirmed Pegasus victims.

The Israeli-made Pegasus spyware, sold by the cyberoffense firm NSO to state intelligence agencies around the world, has become infamous in recent years. Exploiting unknown loopholes in WhatsApp, iMessage and Android has allowed the group’s clients to potentially infect any smartphone and gain full access to it – in some cases without the owner even clicking or opening a file.

Digital forensics groups such as Amnesty International and the University of Toronto’s Citizen Lab have revealed numerous potential targets with traces of the spyware on their phones. Last summer, Project Pegasus – led by Paris-based NGO Forbidden Stories with the help of Amnesty’s Security Lab – organized an international consortium of journalists, including Haaretz and its sister publication TheMarker, to investigate thousands of additional potential targets selected for possible surveillance by NSO Group clients worldwide.

So far, targets have been found across the world: from India and Uganda to Mexico and the West Bank, with high-profile victims including U.S. officials and a New York Times journalist.

Now, for the first time, Haaretz has assembled a list of confirmed cases involving Pegasus spyware.

Though there have been over 450 suspected hacking cases, this list, which was put together with the help of Amnesty’s Security Lab, includes only the cases in which infections were confirmed either by Amnesty or another digital forensics group like Citizen Lab (which also helped construct this list). It also includes a few instances where official bodies such as French intelligence agencies or private firms like Apple or WhatsApp have publicly confirmed attacks.

The list does not include those suspected of being targeted – for example, Amazon’s Jeff Bezos, who was reportedly sent the spyware via a WhatsApp message from no less than Saudi Crown Prince Mohammed bin Salman. Rather, it is those who have actually been found with Pegasus on their phones.

The NSO Group, which refuses to confirm the identity of its clients and claims it has no knowledge of their targets, has denied most of these cases and says digital forensic analysis cannot fully identify its software.

• How to Check if Your Cellphone Is Infected With Pegasus Spyware
• Police Use NSO’s Pegasus to Spy on Israelis Without Warrant, Report Says
• Israeli NSO Spyware Found on Phones of Jordanian, Bahraini Women’s Rights Activists

The gap between the massive list of potential targets and those who were actually infected highlights how hard it is to confirm the presence of Pegasus spyware on phones. For instance, a private investigation commissioned by Bezos himself found that his phone had received a strange message from Crown Prince Mohammed, after which the tycoon’s device began sending out a lot of data. However, Bezos was reluctant to hand his phone over to anyone other than the handpicked investigators he had hired; they said it was very likely his phone had been infected.

Here is the list of most, if not all, known and confirmed Pegasus cases. They are sorted by the nationality of the victims or their country of residence when they were targeted.

The list of confirmed cases is followed by an additional list of names of those who have been confirmed to have been targeted but whose actual infection has not been verified.

Open gallery view

The NSO Group logo on one of its Israeli offices.Credit: AMIR COHEN/REUTERS

AZERBAIJAN

Khadija Ismayilova
The Azerbaijani investigative journalist based in Baku was targeted repeatedly for over three years as part of government persecution as a result of her work, the Project Pegasus investigation revealed.

Sevinc Vaqifqizi
Freelance Azerbaijanii journalist Vaqifqizi was found by Amnesty and Forbidden Stories to have had their phone infected with Pegasus in 2019 and 2020.

BAHRAIN

Moosa Abd-Ali
Moosa Abd-Ali is a Bahraini activist living in exile in London who was found to have been targeted in the past, with the Bahraini government hacking his personal computer in 2011. According to Citizen Lab, Abd-Ali’s iPhone 8 appears to have been hacked with Pegasus at some point prior to September 2020.

Yusuf al-Jamri
A Bahraini blogger who says he was tortured by his government, Yusuf al-Jamri was granted asylum in the U.K. in 2018. According to Citizen Lab, Jamri’s iPhone 7 appears to have been hacked with Pegasus at some point prior to September 2019.

Seven rights activists
At least three members of the Bahrain Centre for Human Rights, another three from the nonprofit Waad and one from the group Al Wefaq were also infected, Citizen Lab found. At least another seven members of BCHR and the other groups were actually targeted, but their infection was not confirmed by Citizen Lab.

EL SALVADOR

Carlos Martínez
A reporter for El Faro, he was one of over 35 journalists and members of civil society groups infected by the Pegasus spyware between July 2020 and November 2021.

Daniel Lizárraga
A Mexican journalist and the editor of El Faro, who was expelled from El Salvador. Citizen Lab found that his phne had been infected.

Nine El Faro journalists
The following journalists with El Faro were all found by Citizen Lab to have been infected by the Pegasus spyware: Gabriela Cáceres, Carlos Dada, Carlos Ernesto Martínez D’aubuisson, Julia Gavarrete (who had two phones hacked), Valeria Guzmán, Ana Beatriz Lazo, Rebeca Monge, Víctor Peña, Nelson Rauda.

El Salvadorian journalists
Citizen Lab discovered that the following journalists were also infected with Pegasus: Efren Lemus, Gabriel Labrador, José Luis Sanz, María Luz Nóchez, Mauricio Ernesto Sandoval Soriano, Óscar Martínez, Roman Gressier, Roxana Lazo, Sergio Arauz, Beatriz Benitez, Ezequiel Barrera, Xenia Oliva, an unnamed journalist from Diario El Mundo, and Daniel Reyes.

Noah Bullock
The head of Cristosal, a human rights organization based in El Salvador, who was also found by Citizen Lab to have been infected.

Ricardo Avelar
A journalist with El Diario de Hoy, Citizen Lab confirmed that his device had been infected.

Jose Marinero
An official with the activism group Fundación DTJ in El Salvador whose phone was found by Citizen Lab to have been infected.

Xenia Hernandez
Another official with the activism group Fundación DTJ in El Salvador whose phone was found by Citizen Lab to have been infected.

Oscar Luna
An activist with the digital rights group Revista Digital Disruptiva. Citizen Lab found that their phone had been infected.

Mariana Belloso
An independent journalist whose phone was found by Citizen Lab to have been infected by the Pegasus spyware.

Carmen Tatiana Marroquín
An economist and columnist whose phone was found by Citizen Lab to have been infected by the Pegasus spyware.

FINLAND

Finnish diplomats
An unknown number of Finnish diplomats stationed abroad were found to have been infected, the Finnish Foreign Ministry confirmed. Their identity was not disclosed, nor was the suspected operator.

FRANCE

Bruno Delport
The phone of the director of Parisian radio station TSF Jazz was found by Citizen Lab to have been infected in 2019, just as he was applying for the presidency of Radio France.

Lénaïg Bredoux
The investigative journalist and general editor of Mediapart was confirmed to have been infected by Pegasus. The confirmation was made by France’s computer security agency following Project Pegasus. Bredoux was involved in a story about the head of Morocco’s intelligence agency, a known NSO client.

Edwy Plenel
The investigative journalist with Mediapart was confirmed to have been infected by Pegasus. The confirmation was made by France’s computer security agency following Project Pegasus.

Unnamed France 24 journalist
A senior journalist with France 24 was confirmed to have been infected by Pegasus in May 2019, September 2020 and January 2021. That was confirmed by France’s computer security agency after Project Pegasus.

Claude Mangin
French national whose husband, Naama Asfari, is jailed in Morocco for advocating for Western Saharan independence. As part of Project Pegasus, it was found that at least two of her phones were infected.

Arnaud Montebourg
A former minister in the government of Manuel Valls, Montebourg was targeted in 2019, most likely by Morocco, an analysis by Amnesty found. Montebourg has given testimony to ANSSI and its investigation into NSO in France.
Suspected operator: Morocco

HUNGARY

Dániel Németh
A Hungarian photojournalist involved in covering President Viktor Orbán and the country’s elites, two of his phones were infected in 2021. Direkt36, working with Citizen Lab and Amnesty’s Security Lab, confirmed the infections.

Zoltán Páva
The former Hungarian politician, now the publisher of an opposition news website, was also infected by Pegasus in March and May 2021.

Adrien Beauduin
A gender studies student at Central European University in Hungary, Beauduin was confirmed to have had his phone infected after being arrested in a protest against Orbán’s policies.

Szabolcs Panyi
The journalist with Direkt36, which was a partner in the Pegasus Project, was infected a number of times in 2019. The confirmation was made by Amnesty as part of the global investigation.

András Szabó
An investigative journalist with Direkt36, Szabó’s phone was infected a number of times in 2019. The confirmation was made by Amnesty as part of the global investigation.

Brigitta Csikász
A Hungarian journalist covering crime stories, Csikász’s phone was infected in 2019 – which was confirmed by Direkt36 and Amnesty.

INDIA

Jagdeep Singh Randhawa
Human rights lawyer and activist from Punjab had his phone hacked in July and August 2019.

Mangalam Kesavan Venu
Founding editor of The Wire – a nonprofit Indian investigative journalism outlet that was part of the Project Pegasus investigation – was found to have been infected with the spyware.

Paranjoy Guha Thakurta
Investigative journalist who was looking into how the Modi government used Facebook to spread disinformation; Amnesty confirmed his phone had been infected by NSO’s spyware as part of the Project Pegasus investigation.

Prashant Kishor
Political pollster working with a number of opposition parties in India, his phone was infected in 2018, Amnesty confirmed, months before an election – in what critics say was an attempt by Modi’s party to use the spyware to collect political information.

Rona Wilson
An activist focused on minorities and prisoners’ rights, digital forensics firm Arsenal Consulting found that his phone had been infected in July 2017 and April 2018. His phone number appeared in the Project Pegasus leaks.

Syed Abdul Rahman Geelani
Geelani (also known as SAR Geelani), a Delhi University professor serving time in India for ties to an outlawed Maoist group and prisoners’ rights activist, was found by Amnesty to have been infected between 2017 and 2019.

Sushant Singh
A journalist who covered defense issues for The Indian Express, and was investigating a massive deal between India and France, was found by Amnesty to have been infected as part of Project Pegasus.

S.N.M. Abdi
Journalist for India’s Outlook had his phone infected by Pegasus in April 2019, May 2019, July 2019, October 2019 and December 2019, Amnesty found as part of Project Pegasus.

Bela Bhatia
An Indian human rights lawyer whose phone was found to have been infected in 2019, and is one of five victims who are part of WhatsApp suit against NSO.

Siddharth Varadarajan
An Indian investigative journalist who is the former editor of The Hindu and founding editor of The Wire, a Pegasus Project partner. He had his phone targeted with NSO-made spyware in April 2018. Forbidden Stories and Amnesty International’s Security Lab’s forensic analysis revealed he was successfully infected.

Unnamed legal officer
The legal officer was also confirmed to have been hacked with spyware following the Project Pegasus investigation.

Ankit Grewal
The lawyer and so-called anti-caste activist was found to have been targeted in 2019 – one of a large group of victims named by WhatsApp in its suit against NSO.

Read our full story on Pegasus in India

ISRAEL

Shai Babad
A former director general of the Finance Ministry who was also a politician and also served in a senior position in Israel’s public broadcaster. Israeli business daily Calcalist said his phone had been infected with Pegasus by the Israel Police. All of the Israeli cases listed below are based on Calcalist reporting that has yet to be confirmed or reviewed by Haaretz or international bodies.

Avi Berger
The former director general of the Communications Ministry and a witness in the ongoing Case 4000 trial against former Prime Minister Benjamin Netanyahu. Calcalist reported that Berger’s phone had been infected with Pegasus by the Israel Police.

Aviram Elad
The former editor of Walla, which allegedly provided Netanyahu with better coverage in a quid pro quo involving its parent company, the telecom giant Bezeq, in Case 4000. Calcalist said his phone was infected by the Israel Police.

Iris Elovitch
The wife of Bezeq owner Shaul Elovitch; both are defendants in Case 4000. Her phone was infected with Pegasus by the Israel Police, Calcalist reported.

Iris Elovitch looking at her iPhone in court with husband Shaul Elovitch last year. Credit: Reuben Castro

Keren Terner-Eyal
A former director general of the transportation and finance ministries, Terner-Eyal assumed the latter position after Babad left the role. Calcalist said her phone was infected with Pegasus by the Israel Police.

Shlomo Filber
A former director general of the Communications Ministry, who was appointed by Netanyahu in 2015 and now serves as a key state’s witness in the Bezeq quid pro quo case. Filber was the first Israeli whose name was published by Calcalist as having been infected with Pegasus by the Israel Police.

Miriam Feirberg
The mayor of Netanya, who was suspected of corruption and investigated by the police until her case was closed in 2019. Calcalist said her phone had been infected with Pegasus by the Israel Police.

Stella Handler
The former CEO of Bezeq, was said by Calcalist to have been infected with Pegasus by the Israel Police. Handler is part of Case 4000.

Yair Katz
The chairman of the workers union at Israel Aerospace Industries and son of former Likud lawmaker Haim Katz was said by Calcalist to have been infected with Pegasus by the Israel Police.

Rami Levy
A prominent Israeli businessman famous for his low-cost supermarket chain who also owns a small telecom firm. Calcalist reported that his phone was infected with Pegasus by the Israel Police. He was investigated by the police in the past.

Topaz Luk
A former adviser to Netanyahu who is considered close to his son, Yair Netanyahu, and served a number of roles in past campaigns. He is also credited with key aspects of the then-prime minister’s media strategy. Calcalist said Luk’s phone had been infected with Pegasus by the Israel Police.

Dudu Mizrahi
The CEO of Bezeq, who took over the telecom company after Handler. Calcalist said his device was infected with Pegasus by the Israel Police.

Avner Netanyahu
The youngest son of former Prime Minister Benjamin Netanyahu. Calcalist reported that Avner Netanyahu’s phone had been infected with Pegasus by the Israel Police.

Emi Palmor
A jurist and former director general of the Justice Ministry who currently serves on Facebook’s Advisory Board. Calcalist reported that his phone had been infected with Pegasus by the Israel Police.

Yaakov Peretz
The mayor of Kiryat Ata, who was suspected of corruption in 2019 and investigated by the police until the case was closed in 2020. Calcalist reported that his phone had been infected with Pegasus by the Israel Police.

Moti Sasson
The six-term mayor of the Tel Aviv suburb of Holon was another mayor whose phone was infected with Pegasus by the Israel Police, according to Calcalist.

Ilan Yeshua
The CEO of the news website Walla, which allegedly provided Netanyahu with better coverage in a quid pro quo involving its parent company Bezeq. Yeshua is also part of Case 4000 and was infected with Pegasus by the Israel Police. Calcalist reported.

Jonatan Urich
A former adviser to Benjamin Netanyahu and considered close to his son, Yair. He served a number of roles in various electoral campaigns and is credited with key aspects in Netanyahu’s media strategy. Urich, whose phone was hacked by Israeli police as part of an investigation, was also said by Calcalist to have been infected with Pegasus by the Israel Police.

Walla journalists
As part of Case 4000, a number of journalists with the news site were said by Calcalist to have been infected with Pegasus by the Israel Police.

Protest leaders
The leaders of three protest movements were said by Calcalist to have been infected with Pegasus by the Israel Police. The protest movements targeted were: Israelis with disabilities; Israelis of Ethiopian descent; and heads of the anti-Netanyahu protests. The first were fighting for better rights, the second demonstrated against police violence and the third sought to oust Netanyahu.

Extreme settlers
A number of extreme settlers were said by Calcalist to have been infected with Pegasus by the Israel Police ahead of the evacuations of illegal outposts.

Read our full story on Pegasus in Israel

JORDAN

Hala Ahed Deeb
Jordanian human rights lawyer, unionizer and feminist activist was found by Front Line Defenders to have been infected with Pegasus since March 2021.

Ahmed al-Neimat
A rights activist focused on workers rights and combating corruption. He works with a reform group called Hirak and has been targeted in the past, facing arrest for “insulting the king” and even a travel ban. Front Line Defenders and Citizen Lab found his phone was hacked at the end of January 2021, likely through the FORCEDENTRY exploit, making him the earliest victim of that particular method. His phone was likely hacked using the exploit’s zero-click capabilities.

Suhair Jaradat
A rights activist and journalist focused on women’s rights in Jordan and the Arab world who serves on the executive committee of the International Federation for Journalists. She was hacked six times between February and December 2021, through the FORCEDENTRY exploit in iPhones. The last hack took place after Apple had patched the breach, informed potential victims across the world and sued NSO. Jaradat did not update her phone and was thus still exposed.

Malik Abu Orabi
A rights lawyer who works with prominent Jordanian unions and was previously arrested by the state for his efforts. He was hacked at least 21 times between August 2019 and July 2021.

Anonymous journalist
A female journalist was also hacked, Front Line Defenders and Citizen Lab found. She requested to remain anonymous.

Read our full story on Pegasus in Jordan

KAZAKHSTAN

Aizat Abilseit, Dimash Alzhanov and Tamina Ospanova
Three members of the opposition group Wake Up, Kazakhstan whose phones were found by Amnesty’s Security Lab to have been infected by Pegasus in June 2021. Apple also warned them about the hack, which it attributed to a “state-sponsored attacker.”

Darkhan Sharipov
The Kazakh activist’s phone was also found by Amnesty to have been infected by Pegasus in June 2021.
Suspected operator: Kazakhstan

Read our full story on Pegasus in Kazakhstan

LEBANON

Lama Fakih
Human Rights Watch’s crisis and conflict director also heads the group’s Beirut office. She was targeted with Pegasus spyware at least five times between April and August 2021, HRW and Amnesty International’s Security Lab found.
Suspected operator: Unknown

Read our full story

MOROCCO

Hicham Mansouri
Freelance investigative journalist and co-founder of the Moroccan Association of Investigative Journalists had his iPhone infected with Pegasus more than 20 times between February and April 2021, the Project Pegasus investigation revealed. Mansouri fled Morocco in 2016 and is now based in Paris.

Mahjoub Mleiha
Human rights activist from Western Sahara who is active in the Collective of Sahrawi Human Rights Defenders, now lives in Belgium, where he is also a citizen. Amnesty found that his phone had been infected.

Joseph Breham
A French lawyer who is involved in a lawsuit against Saudi Crown Prince Mohammed over claims of torture and inhumane treatment in Yemen. Amnesty confirmed that his phone had been infected with Pegasus using the same type of messages other alleged victims in Morocco also received.

Oubi Buchraya Bachir
Sahrawi diplomat who has served as its representative in a number of African countries. Amnesty confirmed as part of Project Pegasus that his phone was infected.

Maati Monjib
Founder of the Moroccan Association for Investigative Journalism and the NGO Freedom Now (dedicated to protecting the rights of journalists and writers), Amnesty found that his phone had been infected in 2019.

Open gallery view

Shawan Jabarin, director of the al-Haq human rights group. One of the Palestinian NGO’s workers’ phones was infected by Pegasus.Credit: Majdi Mohammed/AP

Omar Radi
An independent, award-winning Moroccan journalist whose phone was found by Amnesty to have been infected in 2019.

Aboubakr Jamaï
Jamaï is a journalist who has long inspired the ire of Morocco’s royal family. Citizen Lab together with Access Now found his phone had been infected with Pegasus after materials on it were leaked online in an attempt to tarnish Jamaï and his associates.

Fouad Abdelmoumni
A Moroccan human rights and democracy activist who works with Human Rights Watch and Transparency International Morocco, Abdelmoumni’s phone was found to have been infected, most likely by the Moroccan intelligence services. Citizen Lab investigated the hacking after being commissioned by WhatsApp.
Suspected operator: Morocco

PALESTINIAN TERRITORIES (WEST BANK)

Ghassan Halaika
Human rights activist working for Al-Haq, a Palestinian NGO blacklisted by Israel, whose phone was infected in July 2020. The confirmation was made by human rights organization Front Line Defenders.

Ubai Aboudi
The phone of the director of the Bisan Center for Research and Development, a Palestinian NGO blacklisted by Israel, was infected in 2020 and confirmed by Front Line Defenders.

Salah Hammouri
Lawyer and researcher with the Addameer Prisoner Support and Human Rights Association, a Palestinian NGO blacklisted by Israel, whose phone was infected in 2020, according to Front Line Defenders.

Three unnamed activists
Phones of three activists working with Palestinian NGOs blacklisted by Israel were infected in 2020, and confirmed by Front Line Defenders.

Suspected operator in all six cases: Israel

Open gallery view

Polish prosecutor Ewa Wrzosek holding her phone outside her Warsaw office last month.Credit: Czarek Sokolowski/AP

Read our full story on Pegasus in the West Bank

POLAND

Krzysztof Brejza
Polish senator and member of the opposition party Civic Platform whose phone was confirmed to have been infected over 30 times in 2019. The confirmation was made by Citizen Lab and reported by AP.

Roman Giertych
A lawyer who has represented leaders of Brejza’s Civic Platform party in sensitive cases, and was confirmed to have been infected over 10 times in 2019. The confirmation was made by Citizen Lab.

Ewa Wrzosek
The phone of the prosecutor and critic of the ruling Law and Justice party’s attempt to undermine Poland’s judiciary was confirmed to have been infected a number of times in 2019. The confirmation was made by Citizen Lab after she received a notification from Apple warning that her phone had been hacked.

Michal Kolodziejczak
The agrarian social movement leader was hacked several times in May 2019 ahead of a fall election in which Kolodziejczak was hoping to have his group, AGROunia, become a formal political party. Courts have so far blocked his efforts to form a political party.

Tomasz Szwejgiert
An author and collaborator with Polish secret services who found himself at odds with powerful figures was hacked while co-authoring a book about the head of Poland’s secret services, Mariusz Kaminski. He was hacked 21 times with Pegasus from late March to June 2019.

Suspected operator in all cases: Poland

Read our full story on Pegasus in Poland

RWANDA

Carine Kanimba
A U.S.-Belgian citizen, Kanimba is the daughter of Rwandan activist Paul Rusesabagina, who was arrested and forcibly returned to the country. Her father’s plight inspired the 2004 movie “Hotel Rwanda” and she was confirmed by Amnesty to have been hacked at the start of 2021.

Open gallery view

Hatice Cengiz, fiancee of the murdered Saudi journalist Jamal Khashoggi, talking to the media last year.Credit: MURAD SEZER/REUTERS

Peter Verlinden
The Belgian journalist stationed in Africa has worked for the national Flemish broadcaster VTR. Belgian intelligence services and Amnesty found that his phone had been infected in September, October and November 2020.

Marie Bamutese
The phone of Peter Verlinden’s wife was also found to have been hacked. This was confirmed by Belgium’s General Intelligence and Security Service.

Placide Kayumba
A Rwandan activist and member of the opposition in exile, Kayumba was found to have been targeted as part of an investigation by Citizen Lab commissioned by WhatsApp into hacking of its clients.
Suspected operator: Rwanda

SAUDI ARABIA

Hatice Cengiz
The Turkish national was the fiancée of the late Washington Post columnist Jamal Khashoggi, and her phone was infected a few days after her partner was murdered at the Saudi Embassy in Istanbul in October 2018 – as revealed by Amnesty as part of Pegasus Project.

Omar Abdulaziz
A close friend of Khashoggi’s, Abdulaziz’s phone was infected with Pegasus in the months before the Saudi dissident’s murder in 2018, CItizen Lab found. Based in Canada, he has filed a lawsuit against NSO in Israel.

Wadah Khanfar
Al Jazeera’s former director general and another close friend of Khashoggi, Amnesty found that his phone was infected as recently as July 2021.

Ragip Soylu
A Turkish journalist who heads Middle East Eye’s bureau in Ankara. Amnesty confirmed that his phone was infected several times between February and July 2021.

Ben Hubbard
The phone of the New York Times journalist was confirmed by Citizen Lab to have been infected between June 2018 to June 2021 while he was based in Lebanon, reporting on Saudi Arabia and writing a book about Crown Prince Mohammed.

Suspected operator in all cases: Saudi Arabia

Read our full story on Pegasus in Saudi Arabia

TOGO

Open gallery view

Egyptian dissident Ayman Nour speaking in Istanbul in 2019. Credit: Burhan Ozbilici/AP

Father Pierre Marie-Chanel Affognon
A Catholic priest from Togo who is an anti-corruption activist fighting for constitutional and electoral reform in the West African country. An investigation by Citizen Lab commissioned by WhatsApp into the hacking of its clients found his phone was infected.

UNITED ARAB EMIRATES

Alaa al-Siddiq
Executive director of ALQST, a nonprofit advocating for human rights in the UAE and the Gulf region. Her phone was found to have been infected a number of times from 2015, when she was living in Qatar (where she had moved to flee persecution), and up until 2019, when she had relocated to Britain. She died in a car crash in 2021. Citizen Lab made the hacking confirmation.

Abdulaziz Alkhamis
The former editor of Al Arab, Alkhamis was hacked as part of a showcase NSO organized for the UAE. According to a lawsuit filed on behalf of Alkhamis, the UAE, which were already NSO clients from 2014, were offered an expensive upgrade of the Pegasus spyware. To show the new product’s value, NSO emailed two audio recordings of Alkhamis to Emerati officials, the New York Times reported in 2018.

Ayman Nour
Egyptian dissident, 2005 Egyptian presidential candidate and opposition activist. Citizen Lab found his phone had been infected by Pegasus, as well as an additional spyware called Predator – which was developed by NSO competitor Cytrox.
Suspected operator: UAE

Rania Dridi
A journalist with Alaraby TV, she had her phone infected at least six times during 2020, as confirmed by Citizen Lab.

Tamer Almisshal
Investigative journalist for Al Jazeera in Arabic who has covered the Gulf region extensively, including the Khashoggi killing. His phone was infected in 2020, Citizen Lab confirmed.

Ebtisam al-Saegh
Bahraini human rights activist focused on women’s rights. Front Line Defenders found that her phone was hacked at least eight times between August and November 2019. Saegh had been arrested in Bahrain for her activism in the past and has faced persecution for her work.

34 Al Jazeera staffers
The phones of 34 other journalists, producers, anchors and executives at Al Jazeera were confirmed to have been infected in 2020, Citizen Lab reported.
Suspected operator: Saudi Arabia, Bahrain and/or the UAE

Open gallery view

Mexican President Andres Manuel Lopez Obrador speaking last July about being targeted by the previous administration of President Enrique Pena Nieto after it purchased Pegasus spyware from NSO.Credit: MEXICO’S PRESIDENCY / REUTERS

UNITED KINGDOM

David Haigh
The human rights lawyer and LGBTQ activist who represented Princess Latifa of Dubai was the first British target confirmed to have been infected by Pegasus. He supplied Amnesty with his phone in the wake of Project Pegasus.

Anas Altikriti
Muslim anti-war activist based in the U.K. whose phone was confirmed to have been infected with Pegasus. His interfaith thinktank, the Cordoba Foundation, has been accused of maintaining ties with the Muslim Brotherhood and Hamas. Suspected operator: UAE

UNITED STATES

11 unnamed U.S. officials
Eleven officials with the U.S. State Department in Uganda were confirmed to have been hacked with Pegasus. The revelation led to a U.S. Department of Commerce decision last November to blacklist NSO.
Suspected operator: Uganda or Rwanda

LIST OF THOSE WHO HAVE ALSO BEEN TARGETED BY PEGASUS:

Ahmed Mansoor (Emirati human rights activist)

Rafael Cabrera (Mexican journalist)

Dr. Simon Barquera (Mexican researcher)

Alejandro Calvillo (Mexican whistleblower)

Luis Encarnación (Mexican activist)

Karla Micheel Salas (Mexican human rights lawyer)

David Peña (Mexican human rights lawyer)

Carmen Aristegui (Mexican journalist)

Emilio Aristegui (son of Carmen Aristegui)

Sebastián Barragán (Mexican journalist)

Carlos Loret de Mola (Mexican journalist)

Salvador Camarena (Mexican journalist)

Daniel Lizárraga (Mexican journalist)

Mario E. Patrón (Mexican human rights activist)

Stephanie Brewer (U.S. human rights activist working in Mexico)

Santiago Aguirre (Mexican human rights activist)

Juan Pardinas (Mexican anti-corruption activist)

Juan Pardinas’s wife

Alexandra Zapata (Mexican journalist)

Azam Ahmed (Former New York Times bureau chief for Mexico)

Open gallery view

Family members and supporters of 43 missing college students from Guerrero state. Mexico, carrying pictures of the disappeared, during an event in April 2016.Credit: AP Photo/Rebecca Blackwell

Ricardo Anaya Cortés (Mexican lawyer/politician)

Sen. Roberto Gil Zuarth (Mexican senator)

Fernando Rodríguez Doval (Mexican politician)

Claudio X. González (Mexican anti-corruption activist)

GIEI investigation (Mexican probe into mass disappearances)

Ghanem Almasarir (Saudi dissident)

Yahya Assiri (Saudi activist)

Unnamed Amnesty International employee

Abdessadak El Bouchattaoui (Moroccan journalist)

Griselda Triana (Mexican journalist)

Nihalsing Rathod (Indian human rights lawyer)

Priyanka Gandhi Vadra (General secretary, Indian National Congress)

Santosh Bhartiya (Indian journalist)

Shubhranshu Choudhary (Indian peace activist)

Unnamed U.K. lawyer

Shalini Gera (Indian lawyer)

Degree Prasad Chauhan (Indian human rights activist)

Anand Teltumbde (Indian activist)

Ashish Gupta (Indian activist)

Seema Azad (Indian activist)

Vivek Sundara (Indian activist)

Saroj Giri (Indian activist)

Sidhant Sibal (Indian journalist)

Rajeev Sharma (Indian journalist)

Rupali Jadhav (Indian activist)

Jagdish Meshram (Indian lawyer)

Alok Shukla (Indian activist)

Ajmal Khan (Indian research scholar)

Balla Ravindranath (Indian lawyer/activist)

Mandeep Singh (Indian activist)

P. Pavana (Indian, daughter of activist P. Varavara Rao)

Arunank (Indian law graduate)

Smita Sharma (Indian journalist)

Hanan Elatr (wife of Jamal Khashoggi)

Jorge Carrasco (Mexican journalist)

Álvaro Delgado Gómez (Mexican journalist)

Princess Latifa al Maktoum (daughter of the prime minister of the UAE)

Princess Haya bint Hussein (estranged wife of the prime minister of the UAE)

Juan Mayer (aerial photographer who recorded Princess Latifa’s skydives)

Lynda Bouchikhi (Princess Latifa’s officially sanctioned chaperone)

Sioned Taylor (friend of Princess Latifa)

Martin Smith (head of U.K. private security firm hired by Princess Haya)

Shimon Cohen (British PR expert)

Ross Smith (head of investigations at U.K. private security firm hired by Princess Haya)

John Gosden (British horse trainer, friend of Princess Haya)

Aisha bint Hussein (half sister of Princess Haya)

Stuart Page (British private investigator)

K.K. Sharma (former Indian Border Security Force chief)

Jagdish Maithani (Indian Border Security Force officer)

Jitendra Kumar Ojha (former Indian espionage officer)

Jitendra Kumar Ojha’s wife

Col. Mukul Dev (former Indian army officer)

Rupesh Kumar Singh (Indian journalist)

Rupesh Kumar Singh’s wife

Devirupa Mitra (Indian diplomatic correspondent)

Vijaita Singh (Indian journalist)

Bishop Benoit Alowonou (Togolese clergyman)

Elliott Ohin (Togolese opposition figure)

Raymond Houndjo (Togolese opposition figure)

Roger Torrent (Catalan parliamentary speaker)

A Complete (Updating) List of Individuals Targeted With Pegasus Spyware Plus 1,400 other potential targets who WhatsApp believes were hacked.

source

Fake Cell Towers Allow the NSA and Police to Keep Track of You

The Internet is abuzz with reports of mysterious devices sprinkled across America—many of them on military bases—that connect to your phone by mimicking cell phone towers and sucking up your data. There is little public information about these devices, but they are the new favorite toy of government agencies of all stripes; everyone from the National Security Agency to local police forces are using them.

These fake towers, known as “interceptors,” were discovered in July by users of the CryptoPhone500, one of the ultra-secure cell phones released after Edward Snowden’s leaks about NSA snooping. The phone is essentially a Samsung Galaxy S3 customized with high-level encryption that costs around $3,500. While driving around the country, CryptoPhone users plotted on a map every time they connected to a nameless tower (standard towers run by wireless service providers like Verizon usually have names) and received an alert that the device had turned off their phone’s encryption (allowing their messages to be read).

Map showing the location of rogue cell towers identified by the firewall on CryptoPhones in August via ESD America, a defense and law enforcement technology provider based in Las Vegas.

While the abilities of these interceptors vary, the full-featured versions available to government agencies are capable of a panoply of interceptions. For example, the VME Dominator can capture calls and texts, and can even control the intercepted phone. (In an interview with NBC, Snowden revealed that with this kind of technology the NSA is capable of turning on a powered-down phone and essentially using it as a bug.)

This NSA-style surveillance is spreading to local cops. A growing number of police departments are using tower-mimicking devices, “stingrays,” to track a cell phone’s location and extract call logs. Though little is known about the use of these devices, watchdog groups have scored small victories in their attempts to punch through this veil of secrecy. The map below, courtesy of the ACLU, shows how the use of stingrays is spreading. The map also shows that despite the ALCU’s greatest efforts, it is unable to uncover information about stingray use in most of the country.

A recent case provided a glimpse into what stingrays can do and how they are being used.

Awesome Resources explains how anyone with a mobile interception device can intercept cellular data

Mobile networks are dominant in the age of communication and are used to relay mobile communication signals to Public Switched Telephone Networks (PSTN). There is a lot of information that is exchanged on a daily basis. But is your mobile network confidential?

Even though it started out as an ethical technology for security, there are reports about the misuse of the technology doing the rounds.

However, for those concerned about their privacy during calls, using tools like Call Recorder iCall can provide an added layer of security by recording and securely storing conversations.

How does mobile interception work?

There are three types of mobile networks – NGN (Next Generation Networks like 3G, 4G, and 5G), GSM (Global System for Mobile communications) and CDMA (Code Division Multiple Access). All three of them are targets of multiple surveillance technologies.

When the mobile phone data travels over these networks, they are passively intercepted between the mobile phone and the base station it is communicating to. Both uplink signal (outgoing voice or data) and downlink (incoming voice or data) signals can be intercepted.

Who can intercept your mobile signal?

Mobile Interception technology is extensively used by law enforcement agencies, military & defense, or authorities like government and federal & local law enforcement agencies (LEAs). These are also termed as Lawful Interceptions. But there are unauthorized intercepts too!

Our expert Sam Tilston from AwesomeResources.co.uk, a professional in cyber security for more than 20 years believes that anyone with a mobile interception device can intercept cellular information like- voice, data transmission, and metadata.

Lawful Interception (LI) – The modern legal interception protocol

Lawful Interception or LI refers to a specific facility in telecommunications where LEA or government with court orders or legal authorization can intercept mobile signals. In common parlance it’s also called selective wiretapping or authorized wiretapping.

Lawful interception is different from the dragnet-type mass surveillance and is usually carried out by intelligence agencies. The data is merely passed through a fiber-optic splice where its extracted and filtered.

Many countries follow local, national, and global standards for lawful interception laid down by ESTI. Governments and authorities require PSPs (Public Service Providers) to install a (LIG) legal interception gateway and LIN (legal interception nodes) for real-time interception.

Lawful Interception architecture

Currently the global standard for Lawful Interception and its architecture is provided by ESTI. The standard architecture in recent use is 3GPP Evolved Packet System (EPS) that provides IP based services.

The ESP architecture attempts to define an extensible and systematic means by which LEAs and network operators can interact. There are three stages in the architecture:

1. Collection: target-related call content and data are extracted from these PSP networks.
2. Mediation: data is formatted to match the specific standard.
3. Delivery: The content and data are delivered to the law enforcement agencies.

Delivery function in the architecture is what is used to hide your sensitive interceptions from Intercepting Control Element (ICE). Even when there are multiple targets on the same number, the authorities have no idea about it.

What is the need for mobile interception?

Apart from the malicious effects like snooping and eavesdropping, mobile interception can be used for security. Want to know the uses?

1. Administration Security

The Administrative function (ADMF) keeps all the intercept activities of individual LEAs separate and interfaces to the intercepting network.

After configuring authorized user access within the network, password protection can be enabled using one of the following security mechanisms:

• CUG/VPN
• COLP
• CLIP
• Authentication & Encryption

2. IRI (Intercept Related Information) security

In case of communication failures, IRI can be buffered in the 3G network. After successfully transmitting IRI, the content buffer and total buffer can be deleted via a command or a timer. This prevents the IRI data from being exposed to illegal use.

3. CC (Call Content) security

Data inconsistency, log files, and critically important data like billing information can be suppressed to be viewed by only a fraction of the users over the network. This data can also be deleted after successful transmission to the required personnel.

Can your mobile be intercepted?

If you’re in the crosshairs of the authorities, then chances are that you may be under surveillance right now. Don’t worry, if you’re under one, then you’re not alone!

Lawful interceptions are very common, in fact there are 2000-3000 mobile signals being intercepted and analyzed every day. In fact, if you have a few selected smartphone models from Samsung, chances are that your calls are being intercepted.

The presence of Shannon-branded baseband chips, a tracing IC (integrated circuit) and RF (radio frequency) transceiver make it a device that can be easily intercepted. Calls and messages can be intercepted by creating a proxy base station by frankly anyone with a device.

What is the future of mobile interception market?

The market of mobile interception is estimated at $1.8 billion globally, and $ 226.1 million in the U.S. alone. The market is estimated to grow at a tremendous rate of 5.8% annually for the next decade.

With new developments of communication frequencies, networks and channels, integration with newer interception systems will create a little hurdle. New and portable devices are being deployed every day across the world to hamper the mobile interception market.

In summary

Mobile interception is a debatable topic. On one hand, you are always on someone’s radar and that’s something that you can’t live with knowing. On the other hand, it’s a crucial and apt technology for intercepting malicious calls and threats.

As hard as it may sound, it’s hard to negate the importance of mobile interception, as long as it’s legal, and meets the global standards of lawful interception.

Hey, as long as it continues to save millions of lives by combating increasing criminal activities and security threats, it’s always a handy technology and probably will be in the future too. source

Understanding MIMO (Multiple Input, Multiple Output) – Cellular Speed & Booster Implications

The Wonders of MIMO

For RVers and Cruisers, understanding what MIMO technology is, how it works, and how it can be used to enhance cellular speeds has the potential to make finding great mobile internet on the road an easier experience.

For anyone who knows a thing or two about wireless communications, modern 4G/LTE and 5G cellular radios are borderline miraculous.

Consider the first iPhone – which launched in 2007 with a maximum theoretical cellular speed of around 500 Kbps using AT&T’s 2G EDGE cellular network.

A decade and a half later – the latest flagship cellular devices were able to support maximum theoretical speeds of over 2,000 Mbps.

That’s more than a 4,000x increase!

And as the 5G era has matured and become more mainstream, we see peak theoretical speeds are approaching 10 Gbps, another 10x increase!

Of course, theory rarely equals reality – and the cellular networks need to be substantially upgraded and built out to even come close to being able to deliver speeds like this to real people outside of a lab.

And in the real world – you will be sharing this speed with perhaps hundreds or thousands of others connected to the same cell tower.

But real-world 4G/LTE speeds over 50Mbps are actually not at all uncommon, and speeds over 100Mbps are now widely reported, and things just keep getting faster. Mid band 5G is has become lot more common on most of the carriers and we are now seeing the gap between really good LTE and good mid band 5G become way more prevalent in everyday connectivity. If you are in a mmWave 5G area, the speeds can be blazing fast.

One of the key technologies making these sorts of speeds possible is known as MIMO (Multiple Input, Multiple Output) – an incredibly clever technique for putting multiple antennas to work to increase both data transmission speed and reliability.

MIMO technology is fundamental to both 4G/LTE, 5G, and WI-Fi radios – but cellular boosters and MIMO have some… challenges… working together.

Read on to get a grasp of what MIMO is, how it works, and how you can use a little bit of MIMO awareness to potentially increase your cellular speeds.

MIMO In A Nutshell

MIMO is one of the core technologies enabling 4G/LTE and 5G cellular, and almost every modern mobile device (whether a phone or a hotspot) has two or more cellular antennas on board to enable the magic of MIMO.

On the other end of the line – cell towers typically have multiple antennas working together in tight synchronization to communicate with you.

With more antennas transmitting a signal, there are more possible echoes and reflections (read the “how it works” section below to understand the magic here) for the receiving device to catch a signal.

The ability to make multiple connections on the cell tower the better the transmit speeds, even with weak signals.

The cell tower will have a number of transmit/receive antennas and many LTE devices had two antennas.  This allows those devices to utilize 2×2 MIMO.

Devices with four antennas for 4×4 MIMO is now common, with consumer devices such as flagship hotspots such as the AT&T Netgear Nighthawk M6 Pro Hotspot Pro, the Verizon & T-Mobile MiFi X Pro 5G hotspots, plus all the the latest flagship smartphones from Apple, Samsung, and Google.

Although the latest cellular standards (Category 18 & higher) support 8×8 MIMO, consumer devices with 8 antennas are not common.

These antennas connect to a cell tower that will usually have at least four antennas – and as many as 128!  The number of antennas on the tower gives devices more options to get a good, high-performing connection.

This figure illustrates a relatively simple 4×2 MIMO deployment.  In this case, 4×2 means four transmit/receive antennas on the tower, and two on the user device:

This 4×2 configuration isn’t the only one possible, however, upgraded cell towers can have many more transmit/receive antenna elements. The latest devices typically have four antennas to better take advantage of the cell towers antenna array.

MIMO is one of the key technologies that allow these devices to have such great performance – it really is pretty darn amazing stuff! source

MIMO vs Boosters Video

If your company uses, collects, stores or relies on first-party data (and what successful company these days doesn’t?), you face all kinds of security-related risks.

f you cringe every time you see a headline about a massive data breach, fasten your seatbelt. It’s going to get much worse before it gets better. For most companies, it’s a question of when not if they’re going to have a data breach. The bigger question is how big the blast radius is going to be and what can you do preemptively to avert or contain it.

The facts are sobering: The average annual cost of a data-security breach for a company that misuses or loses data is $4.24 million, according to a recent IBM security survey, nearly 10% higher than it was before the pandemic. And that’s just the initial price tag. The real cost of a data breach cuts much deeper and can be existential: 60% of small- and medium-size businesses go bust within six months of a massive data breach.

Sadly, despite these statistics, most companies still don’t view data security as a top priority. If your company uses, collects, stores or relies on first-party data (and what successful company these days doesn’t?), you face all kinds of security-related risks that can make that $4.24 million seem like a bargain.

1. Someone misuses the data you collect

Here’s a shocker: One in four data breaches is caused by employees rather than outside attackers. That’s important because your company is not just on the hook for securing data you collect; you also need to secure how it’s used. Thanks to the EU’s GDPR and California’s CCPA privacy laws, if someone in your company (or one of your partners) misuses your data, you face steep fines. And if you are fined 4% of the topline for simple data misuse, it could bankrupt your whole company.

2. Your data breach gets media attention

A data snafu at scale is a PR disaster. It erodes consumer trust in your brand and customers’ trust in your relationship. A recent PwC report found that 69% of consumers believe that the companies they use are vulnerable to being hacked, and 87% of consumers are even willing to walk away if a data breach occurs. And that doesn’t even factor in the pricey marketing costs of rebuilding a damaged reputation.

3. Data mishandling exposes you to regulatory action

That’s right, misusing data can open you up to a whole new universe of penalties, fines, sanctions and legal costs, which can be enormous and go on for years. You could easily spend a billion dollars addressing your case — just ask Facebook about that one.

4. A data breach costs you deals

This one hits you directly in the wallet. Once you have a security situation, current business customers can shut off deals. At the very least, you’ll spend countless hours documenting your processes and reassuring partners their data and reputation are safe. And if a data-security issue leads to a court action or some regulatory action, all your business customers now have reasonable cause to back out too. Which leads to this next one …

5. Or it can cost you your entire business model

If the world decides that it just can’t afford to do things the way you’re doing them, you’ll have to change your whole model (we’re looking at you, Ashley Madison). The pivot can be an expensive and existential threat.

6. Lax security locks you out of the deal flow

Once you’re caught in a security disaster, you can be labeled as a business risk in an ecosystem. And that basically cuts you out of a marketplace.

7. Security snafus are a massive time suck

All the time and suffering a security problem demands, especially the attention of key people in the organization, can be a massive operational setback. Plus, who wants to work for a company with a bad rap? Suddenly you can’t attract or retain the most mobile and valuable talent.

8. Data breaches devalue your business

If you can’t secure your data, you won’t be able to do all the good things that can be done today with the secure application of data. And that’s the risk of not doing the right thing for the business — and not realizing your company’s full potential and upside. And that might be the biggest risk of all.

Managing all this risk isn’t easy, and there are lots of stakeholders to wrangle. But nobody’s got their eye on all the data — and all the ways data breaches could bite your company.

But there is one way to mitigate all these risks: Deploy technology that prevents risk from even being created, rather than just tools to clean up better after a breach or violation.

You want technology that does three things well:

• Enables the creation and enforcement of a digital version of the sharing agreement or contract.
• Allows the data to be processed inside a shared enclave.
• Documents every transaction and communicates to the relevant parties, so only agreed-upon recipients receive the insights from processing.

You’ll save money on legal fees and improve productivity since only the most necessary approvals will be required by expensive attorneys. And since you can now trust your data-sharing partnerships, your insights will soar along with accompanying revenues from such projects. You owe it to yourself to have a fully automated security solution that’s got your back.

Your company’s survival depends on it. source

The ‘Mother of All Breaches’ Just Happened — Here’s the Security Implications for Businesses

At the beginning of the year, Security Discovery and Cybernews researchers uncovered a dataset of 26 billion(!) leaked entries associated with LinkedIn, Twitter.com, Tencent, Dropbox, Adobe, Canva, Telegram and other platforms. Government agencies in the U.S., Brazil, Germany, the Philippines, and Turkey are also among the organizations hit by the “mother of all breaches” (MOAB).

As the investigation team reported, a significant share of information in the dataset was compromised during past data breaches. However, the stash also contains new data.

Aftermath for businesses

Simply put, this 12-terabyte behemoth will send shockwaves through the business community, posing a continual threat to personal information and corporate security.

But this is not just a breach; it’s a comprehensive toolkit for threat actors to orchestrate an endless number of cyberattacks, including identity theft. Criminals can maliciously exploit the stolen personal data from the MOAB dataset. It is a powerful weapon capable of wreaking havoc on a global scale.

So, in the coming weeks, it’s time to move to a proactive stance. Here are some signals businesses should listen to when monitoring their infrastructure:

1. Uncommon access scenarios. In light of a data breach like this, keeping a close eye on access logs for any unusual activity is critical. A sudden surge in requests or unfamiliar IP addresses could indicate unauthorized entry. Logins during non-standard hours, especially outside of ordinary business hours, may be considered malicious activity as well.
2. Suspicious account activity. In an attempt to take over the compromised account, scammers may reveal themselves through unexpected adjustments in user privileges or alterations to account roles. Frequent changes in login locations, irregular login times, and spikes in data access are also red flags.
3. Surge in phishing attempts. Massive breaches often provide fertile ground for cybercriminals to launch phishing attacks targeting employees or customers related to affected brands. Unscheduled phishing training or educational campaigns may help your staff and clients recognize phishing scams at early stages.
4. Abnormal network traffic. Another alert of malicious activity is unexplained spikes in outbound traffic and unusual communication patterns between internal systems.
5. Boost in helpdesk requests. A growing volume of user requests to the support team can also indicate a problem, especially when there is a sudden surge in inquiries related to compromised accounts or suspicious activities.
6. Customer feedback. An influx of complaints about unauthorized access, account compromises, or suspicious transactions should trigger an immediate investigation.

A new security paradigm

Unfortunately, the MOAB is just a single event in the never-ending war between cybercriminals and corporations. In an age of the constant growth of security threats, companies must develop a refined sense of foresight. Recognizing patterns and anomalies within their data is not just a skill; it’s a necessity. The MOAB underscores the importance of proactive monitoring, urging companies to invest in robust systems that swiftly detect irregularities.

Importantly, entering this new reality means that user security is again becoming more crucial than user experience. Some companies have a hard time accepting that fact. However, in the long run, it’s worth the gamble.

It doesn’t imply building a kind of imposing wall with menacing guards around your infrastructure that makes users avoid your service. The security measures you deploy can be easy to use for customers. The latest identity verification options — such as self-check-in at airports — prove the concept while staying user-friendly and secure.

Guide to the transformation

Effective information security management powered by global standards such as ISO/IEC 27001 and ISO/IEC 27002 is at the core of the process. By adhering to the standards, an organization guarantees that it has established an Information Security Management System for addressing security risks associated with data owned or managed by the company. Despite certification often being associated with enterprise-level organizations, middle-sized companies, especially those from industries where data safety matters, such as FinTech, should not skip this step. Moreover, unlike ISO 27001, you don’t need certification to prove compliance with ISO 27002, which, being more informative than regulatory, details the controls required.

Enhancing authentication policies may be the next step to take. Unfortunately, you can’t rely on your customers to be prudent while setting logins and passwords. Nevertheless, nudging them to select more advanced options is under your control.

More companies across different sectors now implement multi-factor authentication involving users’ biometrics like fingerprint scans or face recognition. With the idea of a passwordless future pushed by tech giants like Google, this approach is gradually becoming an industry best practice. On the one hand, setting a “Privacy Screen” to secure Google Drive on iOS mobile devices through Touch ID or Face ID requires additional action on the user’s end. On the other, once the feature is enabled, user satisfaction soars as well.

Finally, the adoption of liveness detection technology — both for IDs and selfies — in identity verification procedures is crucial. It helps determine whether the source of a biometric sample is a live individual, and provides evidence that a user-submitted document photo is a genuine passport or other document. Additionally, this step can be made mandatory, not only during registration for a service but also at the purchase stage. Neural networks under the hood of the liveness detection process are constantly improving, showing high accuracy rates. That also contributes to data processing speed, making it possible to perform a liveness check in seconds.

Final thoughts

The MOAB incident serves as a call to action for businesses worldwide. Unfortunately, the brand names on the MOAB list prove that there is room for improvement for all the companies, including enterprise-level. It’s more critical than ever to bolster defenses, sharpen our cyber instincts, and fortify our systems against the impending storm.

Still, there is no need to turn the sign-in or payment processes into a math quiz with a bunch of problems to be solved on the customer’s part. UX still matters, especially for companies from B2C sectors whose success is measured by the number of active users. For this reason, a mobile banking app is always more secure than an e-book subscription service. source

8 Ways a Data Breach Could Take Out Your Company Tomorrow

“The machines wouldn’t take our ticket,” said one MGM Resorts customer.

Five days after a cyberattack crippled operations of MGM Resorts International, including its signature Las Vegas properties the Bellagio and the MGM Grand, the company said Thursday morning it is still working to resolve issues as another major resort operation, Caesars Entertainment, acknowledged it was also the target of a cyberattack.

Hackers struck MGM Resorts on Sunday morning, rendering doors to the chain’s casinos and hotels unusable. Slot machines and ATM machines were also inoperable, elevators were out of order and customers had to wait hours to check into rooms. Even the company’s website remains down.

“We continue to work diligently to resolve our cybersecurity issues while addressing individual guest needs promptly,” MGM Resorts said a statement Thursday. “We couldn’t do this without the thousands of incredible employees who are committed to guest service and support from our loyal customers. Thank you for your continued patience.”

But for MGM Resorts Las Vegas visitors like Walter Haywood, patience is running out.

“It was kind of chaotic,” Haywood told ABC Las Vegas affiliate station KTNV. “The machines wouldn’t take our ticket. Lines everywhere. Just chaos.”

MGM Resorts has acknowledged the attack but has released no details on how it occurred or who might be responsible.

The company said it “took prompt action to protect our system and data, including shutting down certain systems.”

The FBI said it is investigating the attack and has been in contact with the chain since Sunday.

The Cybersecurity and Infrastructure Security Agency, which is part of the U.S. Department of Homeland Security, announced on Thursday that it is in contact with MGM Resorts “to understand the impacts of their recent cyber incident.”

“We are also offering any necessary assistance should the organization need or request it,” the CISA said in a statement.

Nevada Gov. Joe Lombardo and the Nevada Gaming Board released a joint statement, saying they are “monitoring the cybersecurity incident with MGM Resorts and are in communication with company executives.”

“Additionally, the Nevada Gaming Control Board remains in communication with other law enforcement agencies,” the statement from Lombardo and the gaming board said.

VX-Underground — a research group boasting the largest collection of malware source code, samples and papers on the internet — posted to X that the ransomware group “ALPHV,” also known as Black Cat, is allegedly is behind the MGM cyberattack. Authorities have not confirmed the report.

“All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk. A company valued at $33,900,000,000 was defeated by a 10-minute conversation,” VX-Underground said.

Bloomberg News reported Wednesday that the same ransomware group is responsible for a cyberattack this month on Caesars Entertainment Inc. and that the company paid “millions” to get its data back.

Caesars Entertainment — which runs more than 50 resorts including, Caesars Palace and Harrah’s in Las Vegas — acknowledged the attack occurred on Sept. 7 in a filing Thursday with the U.S. Securities Exchange Commission.

“Caesars Entertainment Inc. recently identified suspicious activity in its information technology network resulting from a social engineering attack on an outsourced IT support vendor used by the Company,” Caesars said in its SEC Form 8-K filing.

While the company said it did not pay a ransom, it noted that “we have incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter. The full scope of the costs and related impacts of this incident, including the extent to which these costs will be offset by our cybersecurity insurance or potential indemnification claims against third parties, has not been determined.”

Caesars Entertainment, according to the filing, said its investigation determined that hackers acquired a copy of its loyalty program database, which includes driver’s license numbers and Social Security numbers “for a significant number of members in the database.”

Caesars added, “We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.” source

The Morning After: Hacking a Vegas casino may just take a single phone call

The ALPHV ransomware group used social engineering to attack MGM Resorts.

The ALPHV/BlackCat ransomware group claimed responsibility for the MGM Resorts cyber outage on Tuesday, and it apparently took the group only 10 minutes on a phone call to glean the information needed to shut down systems and slot machines — not the slot machines! — at casinos owned by MGM Resorts.

“All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk,” the organization wrote in a post on X. Those details came from ALPHV but have not been independently confirmed by security researchers.

MGM Resorts didn’t respond to a request for comment but said on Tuesday that “Our resorts, including dining, entertainment and gaming, are currently operational.” source

Caesars Entertainment Paid Millions to Hackers in Attack

Hackers stole data, extorted company, people familiar said

Caesars breach came in weeks before MGM announced cyberattack

Both MGM and Caesar’s Entertainment were hacked by a group named “Scattered Spider” in recent weeks. Caesar’s even paid a ransom

A bunch of hackers aged between 19 and 22 are bringing the Las Vegas Strip’s casino-hotels to their knees.

A group dubbed “Scattered Spider” by cybersecurity researchers paralyzed the systems of MGM Resorts International this week. MGM, a $14 billion hospitality and entertainment giant, disclosed its “cybersecurity issue” in a Sep. 12 regulatory filing.

Although MGM claims to have dealt with the issue, social media posts say that everything from slot machines to hotel communication systems have been inoperable at MGM venues in Las Vegas for four days. Check-in lines are growing, room access cards and ATMs won’t work, and people are unable to use food, beverage, and free play credits. Regressing to the past, to use manual cash payouts and physical room keys, is proving slow and clunky. (One tiny silver lining: free parking.)

MGM is investigating the matter, and as is the FBI. Moody’s, the rating agency, warned that the breach, which highlights MGM’s heavy reliance on tech, could affect its credit rating negatively.

Hospitality giant of interest: Caesar’s Entertainment

A Bloomberg report revealed that another casino operator, the $12 billion Caesar’s Entertainment, had been the victim of a similar cyberattack in recent weeks. The hackers, who threatened to leak its data, demanded $30 million in ransom; Caesar’s paid roughly half. In this case too, the hackers belonged to “Scattered Spider,” thought by cybersecurity analysts to be made up of young hackers in the US and the UK.

Hackers demanded a ransom from MGM as well, two anonymous sources told Fortune. But it remains unclear how much was requested and which systems the company was locked out of.

Quotable: Scattered Spider’s modus operandi

“Although members of the group may be less experienced and younger than many of the established multifaceted extortion/ransomware groups and nation state espionage actors, they are a serious threat to large organizations in the United States. Many members are native English speakers and are incredibly effective social engineers.”

—Charles Carmakal, chief technology officer at Mandiant Intelligence, a part of Google Cloud, in a Sep. 15 LinkedIn post

How Scattered Spider hacked MGM and Caesers

Scattered Spider uses social engineering to gather login credentials or one-time-password (OTP) codes, which helps bypass multi-factor authentication, according to a January blogpost by the security research firm CrowdStrike. The group has previously targeted telecom and business process outsourcing (BPO) companies to perform SIM swaps, which can then be used in phishing attacks to steal data and extort ransoms.

In the case of Caesar’s, the hackers breached an outside IT vendor first to subsequently gain access to the company’s network, two people familiar with the matter told Bloomberg.

With MGM, a short telephonic exchange and some collaboration with a ransomware-as-a-service group called ALPHV, also known as BlackCat, was all it took. In April 2022, America’s cyber defense agency issued an alert noting that ALPHV had “compromised at least 60 entities worldwide.”

“All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk,” VX-Underground, a malware research group, posted on X. “A company valued at $33,900,000,000 was defeated by a 10-minute conversation.”

The white-hat hacker Rachel Tobac, who uses similar attack methods in her work by posing as an internal teammate, wrote on LinkedIn that organizations are less equipped to deal with phone-based attacks than email. It works for three reasons, according to Tobac: “lack of verification protocols, easy spoofing, compensation tied to how fast they handle requests.”

By the digits: The impact of the MGM hack

$13 million: The revenue that MGM’s Las Vegas Strip properties bring in daily on average, calculated based on the the $1.2 billion in revenue these hotel rooms and casinos earned for in the quarter ended June 30

30: The number of hotel and gaming venues that MGM operates around the world, with a dozen on the Vegas Strip. The websites for MGM’s biggest resorts, including MGM Grand, Mandalay Bay, Bellagio, Aria, and The Cosmopolitan, have been inaccessible for days

6,852: The number of rooms at the MGM Grand, the world’s single largest hotel

$6.99: The ATM fees that guests were charged to withdraw cash, when they wanted to keep playing during the hack, and when credit card machines had stopped working

Charted: Las Vegas’ hacked casino-hotels stocks dropped

One more thing: Casinos are ideal cyberattack victims

Casino cyberattacks aren’t uncommon. The Hard Rock Hotel and Casino was breached twice in 2015 and 2016, when hotel guest names, card numbers, expiration dates, and CVV codes were stolen. In 2019, the personal data of roughly 10 million MGM guests was published on a Russian hacking forum.

In fact, casinos are prime targets for financially motivated crimes because their cybersecurity isn’t top-notch and hackers are “more likely to get paid because they’re disrupting casino operations,” Allan Liska, an intelligence analyst at the security firm Recorded Future, told Reuters. “Casinos around the world should be on heightened alert because ransomware groups love it when they get this kind of attention, so we will likely see copycats.” source

Groups linked to Las Vegas cyber attacks are prolific criminal hacking gangs

Apair of criminal hacking groups have been linked with attacks in recent weeks on two prominent Las Vegas hotel and casino operators that has left one struggling to resume operations and prompted another to reportedly pay a multimillion dollar ransom payment.

The attacks on MGM Resorts and Caesars Entertainment have resulted in widespread outages at MGM properties, and according to a Wall Street Journal report, forced Caesars to pay roughly half of a $30 million ransom demand.

Exactly who is behind the attacks remains unclear, but two hacking groups have been linked with the breaches:ALPHV and Scattered Spider. A person claiming to be a member of the latter told CyberScoop that their group was responsible for the attack on MGM but denied responsibility for the breach of Caesars. Earlier this week VX-Underground, a well-known online malware research repository, wrote on the social media platform X that an ALPHV representative said they were behind the MGM hack.

Late Thursday, ALPHV claimed responsibility for the attack on MGM in a statement on its website. It is unclear whether Scattered Spider’s claim of responsibility for the breach of MGM is false or whether overlaps between the two groups mean that members of both hacking collectives were involved in the breach of MGM. The Scattered Spider member who spoke with CyberScoop described their group as a well-known affiliate of ALPHV.

In a Thursday regulatory filing, Caesars confirmed that the company had identified “suspicious activity in its information technology network resulting from a social engineering attack on an outsourced IT support vendor” used by the company. The attackers gained a copy of “among other data, our loyalty program database, which includes driver’s license numbers and/or social security numbers for a significant number of members in the database,” the company said.

Caesars said it took steps “to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” the company reported, in what may have been a veiled reference to the reported ransomware payment.

Neither Caesars nor MGM responded to multiple requests for comment. The FBI acknowledged that it was investigating the incidents Thursday but declined to comment further.

As of Thursday, MGM appears to be continuing to struggle to recover from the attack. The company’s website remains down, and reports on social media show digital slot machines in MGM casinos bearing error messages.

The member of Scattered Spider who spoke with CyberScoop said that negotiations with MGM were ongoing but would not disclose the terms of any demands. The individual claimed that stolen data included customer information, sexual abuse incident reports and other corporate records. The individual’s claims could not be independently verified.

“If MGM decide they want to discuss if they paid or how much is completely up to them, if they decide they want to pay the money we assure them their systems wont [sic] be breached again,” the person said in an online chat.

The two groups — Scattered Spider and ALPHV — linked to the attacks on the two casino operators are a set of aggressive online criminal groups with well-documented history of carrying out ransomware attacks.

Scattered Spider is the name given to a financially motivated hacking group by private industry researchers. The group was likely behind a “massive phishing campaign” targeting Okta, the U.S.-based authentication firm, which led to follow-on attacks against users of the Signal messaging app, Twilio and Cloudflare, cybersecurity firm Group-IB reported in August 2022.

Scattered Spider has been active since May 2022, and has mostly attacked telecommunications and business process outsourcing organizations until recently, when it began targeting other sectors, including critical infrastructure, according to an Aug. 17 analysis from cybersecurity firm Trellix.

The group “heavily relies on email and SMS phishing attacks and have also been observed attempting to phish other users within an organization once they’ve gained access to employee databases,” according to a May 2023 Mandiant analysis.

Charles Carmakal, Mandiant’s chief technology officer, called Scattered Spider “one of the most prevalent and aggressive threat actors impacting organizations in the United States today.” The group’s members may be “less experienced and younger” than more established criminal hacking groups, but they are “native English speakers and are incredibly effective social engineers,” Carmakal added, referring to the practice of tricking or persuading a person with access to a particular company or network to provide access to someone not authorized to have it.

The exact relationship between Scattered Spider and ALPHV is difficult to determine. Scattered Spider is considered a distinct, financially-motivated cybercrime group that has demonstrated connections to the ALPHV ransomware operation by using some of its tooling, experts say. ALPHV is a well-known ransomware operation, also known as BlackCat, and was perhaps the first entity to operate ransomware using the RUST language in the wild. source

---

MGM Resorts breached by ‘Scattered Spider’ hackers: sources

SAN FRANCISCO/WASHINGTON, Sept 13 (Reuters) – A hacking group named Scattered Spider brought down the systems of the $14 billion gaming giant MGM Resorts International (MGM.N) this week, two sources familiar with the matter said, as U.S. law enforcement officials started a probe into the breach.

Several MGM systems remained paralyzed for a third straight day after it said on Monday it had shut some of them to contain a “cybersecurity issue.” The company, which operates over 30 hotel and gaming venues around the world including in Macau and Las Vegas, said it was investigating the incident.

A Bloomberg report separately said another casino operator, Caesars Entertainment, had been hacked and paid ransom to hackers who threatened to leak its data in recent weeks, citing two people familiar with the mater.

Shares of Caesars Entertainment and MGM both fell on Wednesday.

The cause and the full impact of the breaches was not immediately clear, although social media posts showed slot machines and systems down at MGM venues in Las Vegas.

Two sources familiar with the matter told Reuters the hacking group Scattered Spider was behind it. Identified by analysts last year, this group uses social engineering to lure users into giving up their login credentials or one-time-password (OTP) codes to bypass multi-factor authentication, the security firm Crowdstrike said in a blog post in January.

It is “one of the most prevalent and aggressive threat actors impacting organizations in the United States today,” Charles Carmakal, chief technology officer at Alphabet Inc’s (GOOGL.O) Mandiant Intelligence said in a post on LinkedIn on Wednesday, following reports about the MGM breach.

“Although members of the group may be less experienced and younger than many of the established multifaceted extortion/ransomware groups and nation state espionage actors, they are a serious threat to large organizations in the U.S.,” he added.

Scattered Spider, also known as UNC3944, has hit telecom and business process outsourcing (BPO) companies in the past, but more recently also targeted critical infrastructure organizations, according to analyst reports.

“They leverage tradecraft that is challenging for many organizations with mature security programs to defend against,” Carmakal said.

The FBI said on Wednesday it was investigating the incident, but did not elaborate. The rating agency Moody’s warned the breach could negatively impact MGM’s credit rating.

Such attacks are typical hallmarks of ransomware incidents in which extortionists encrypt victims’ computer systems and demand ransoms in digital currency.

Analysts say casinos are prime targets of financially-motivated cybercrimes.

“They’re more likely to get paid because they’re disrupting casino operations,” said Allan Liska, intelligence analyst at the security firm Recorded Future.

“Casinos around the world should be on heightened alert because ransomware groups love it when they get this kind of attention, so we will likely see copycats.”

Moody’s analysts said in a report that the incident “highlights key risks related to (MGM’s) business operations’ heavy reliance on technology and the operational disruption caused when systems need to go offline or are inoperable.”

Messages seeking further comment from MGM and the U.S. cybersecurity watchdog agency CISA were not immediately returned. MGM Resorts’ website was “currently unavailable,” according to a holding message posted to the group’s homepage.

“Our investigation is ongoing and we are working diligently to determine the nature and scope of the matter,” MGM said in a post on the social media website X on Monday. source

Caesars and MGM grapple with hacks as cybersecurity in Vegas is under scrutiny

Hackers stole Social Security numbers and driver’s license numbers from a “significant number” of loyalty program customers of Caesars Entertainment, the hospitality and casino giant said Thursday.

The disclosure comes as another big Las Vegas brand, MGM Resorts, is recovering from its own apparent cyberattack in which guests on Monday reported being unable to make room charges and access their rooms with their digital keys.

The pair of hacks has put a spotlight on the computer defenses of the multibillion-dollar casino and hospitality business in Las Vegas, which are ripe targets for cybercriminals to extort.

Caesars Entertainment, which owns famous hotel-casinos such as Caesars Palace, confirmed on September 7 that the hackers had stolen a copy of the customer loyalty program database, in a filing with the Securities and Exchange Commission. The hackers broke into computer systems via “a social engineering attack” on an IT support contractor, according to the filing.

“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” Caesars Entertainment said. The company did not immediately respond to CNN’s questions as to what steps were taken and whether they included paying a ransom.

For its part, MGM Resorts has repeatedly referred to a “cybersecurity issue” in describing the disruption to some of its computer systems, but the incident has the hallmarks of a cyberattack.

“We continue to work diligently to resolve our cybersecurity issue while addressing individual guest needs promptly,” MGM Resorts said in a statement on Thursday morning. The company said on Monday, when news of the incident broke, that it had shut down certain computer systems to protect its data.

MGM Resorts did not respond to multiple requests for comment from CNN this week on how it was dealing with the apparent hack.

An FBI spokesperson said the bureau was investigating the cybersecurity incident at MGM Resorts but declined further comment, citing an ongoing investigation.

Scattered Spider considered a ‘serious threat’

It’s unclear who exactly was responsible for the cyberattacks. But a cybercriminal group known in the industry as Scattered Spider has been targeting casinos and hotels in recent weeks, according to Mandiant Consulting, a Google-owned cybersecurity firm.

Members of the hacking group “may be less experienced and younger” than many of the established cybercriminal gangs and state-backed cyber-espionage teams, but “they are a serious threat to large organizations in the United States,” said Charles Carmakal, Mandiant Consulting’s chief technology officer.

Some of the members of the group appear to be based in the United States and the United Kingdom, according to Carmakal and other sources interviewed by CNN. Bloomberg News reported on Wednesday that Scattered Spider was responsible for the pair of cyberattacks on Caesars Entertainment and MGM Resorts.

Reports that the hackers had used social-engineering techniques in which, for example, they pose as an IT support employee to gain access to an organization, raised concerns for cybersecurity experts.

“Most organizations focus on email-based threats in their technical tools and protocols,” Rachel Tobac, CEO of SocialProof Security, a social-engineering prevention firm, told CNN. “Many [organizations] are not yet equipped with the social engineering prevention protocols necessary to catch and stop a phone-based attacker in the act.” source

MGM cyberattack continues to create chaos for Vegas operations; SEC notified

MGM Resorts International website remains down

MGM Resorts International in Nevada confirmed a recent cyberattack in a Wednesday filing with the Securities and Exchange Commission (SEC).

The Las Vegas-based company experienced a computer system outage on Monday that affected operations at headquarters as well as its properties and websites.

MGM RESORTS EXPERIENCES ‘CYBERSECURITY ISSUE’ IMPACTING OPERATIONS, PROMPTS INVESTIGATION

“MGM Resorts recently identified a cybersecurity issue affecting certain of the company’s systems,” an MGM spokesperson said in a statement. “Promptly after detecting the issue, we began an investigation with assistance from leading external cybersecurity experts. We also notified law enforcement and are taking steps to protect our systems and data, including shutting down certain systems. Our investigation is ongoing, and we are working diligently to resolve the matter. The company will continue to implement measures to secure its business operations and take additional steps as appropriate.”

On Monday, FOX 5 in Las Vegas reported that one of the company’s properties, the Bellagio Las Vegas, confirmed that the computer systems were down at all resorts and that all computer-based operations were forced to go manual.

This view shows the MGM Grand in Las Vegas. (iStock / iStock)

Personnel at the resort also said the outage affected credit card machines at the properties.

When visiting mgmresorts.com, a page comes up that says, “The MGM Resorts website is currently unavailable,” followed by an apology as well as numbers to make reservations, reach out to member services or call a concierge. On social media, the company posted a statement about the technical issues the company is facing.

MGM Resorts International in Las Vegas confirmed a recent cyberattack in a Wednesday filing with the Securities and Exchange Commission. (Ethan Miller / File / Getty Images)

MGM did not immediately respond to inquiries from Fox Digital about the cybersecurity outage. The company operates 19 resorts with more than 40,000 rooms around the world, including the MGM Grand, Mandalay Bay, Luxor and New York-New York in Las Vegas as well as the Borgata in Atlantic City, New Jersey, and more. source

Here Introducing an all-new WiPhone, A Phone for Hackers and Makers. Moreover, WiPhone is a VoIP mobile phone designed to be easily modified, repurposed, and adapted.

Basically, It’s designed to enable hackers by making it easy to extend and modify the electronics and software. Something typical phones are not good for. However, WiPhone is also a VoIP mobile phone. It uses WIFI to make HD voice calls, for free. Though, This means that there is no required service contract.

Additionally, WiPhone solves these problems and gives hackers, makers, and engineers the tool we all wish our phones could be. However, It is direct access to I/O, an easy to program ESP32 processor. However,  All the basics are already set up the user interface, power management, and on/off the circuit, working code.

Furthermore, you also can get straight to work building projects, not setting up the boring parts like power management again and again. Though, No rats nest of wires or ugly stack of dev boards just to get the basic functionality.

WiPhone Tech Specs:

What is the WiPhone?

WiPhone is a unique, minimal phone.

It’s designed to enable hackers by making it easy to extend and modify the electronics and software. Something typical phones are not good for.

WiPhone is also a VoIP mobile phone. It uses WIFI to make HD voice calls, for free. This means that there is no required service contract – and it’s yours for life.

For Hackers:

 Yet So Stylish And Sophisticated!

 WiPhone Pro with Clear Front Face:

source

Smartphones Are A Little Too Smart

What’s the best platform you can imagine for electronics hacking?

It should probably be adaptable, powerful, and programmable. Small and portable would be nice. Maybe with a durable case? What about a built in user interface with things like an LCD screen and button panel? A battery and built-in charging system? Wireless connectivity?

Hey… we just described a mobile phone!

But why aren’t people building more projects based on their smartphones? Well, there are a few issues:

• no electrical connectors to directly connect to the outside world
• no way to easily control the low level hardware, like processor output pins
• opaque development environment and huge IDE
• not designed for easy disassembly, repair, or modification

Enter WiPhone:

WiPhone solves these problems and gives hackers, makers, and engineers the tool we all wish our phones could be. Nice package, direct access to I/O, an easy to program ESP32 processor. All the basics are already set up: user interface, power management and on/off circuit, working code.

You can get straight to work building your project, not setting up the boring parts like power management again and again. And once you’re done it’s durable and looks great. No ratsnest of wires or ugly stack of dev boards just to get the basic functionality.

Modern smartphones are more and more a tool we don’t own, but instead one we’re only allowed to carry around. One that serves the interests of various tracking networks, corporate boards, and government organizations. You don’t own it, it owns you. It tracks you, serves you ads, and sucks away your time with mindless dopamine hits. We want a phone that’s back in our control, optimized for our convenience.

Free Calling! No Hacking Required!

WiPhone is different beast from most smartphones these days. WiPhone uses the existing WiFi around you to make HD Voice calls. For free. Buy it once and it’s yours.

Works on most broadband WiFi networks (including most home WiFi connections). No service contract required, and you can even upgrade the firmware or expand the hardware to do things it wasn’t originally intended for.

What Is This Magical Free Calling You Speak of? Tell me more…

Free calling starts with a SIP account. SIP stands for Session Initiation Protocol, and it’s a standard way to make call over the internet. VoIP is a related term that you may have heard of. There are commercial services that provide SIP/VoIP accounts, and some of them have free accounts. Most consumers use VoIP apps like Skype and Whatsapp, but we can still use the underlying technology directly. After the campaign we’ll spend more time testing services to make our software and instructions work as seamlessly as possible.

Step 1: Get a SIP account (many different ways to do this, but we wrote up a simple how-to that might get you started).

Step 2: Log in on your WiPhone using the credentials from your SIP account (user name, password, and server):

Step 3: Make a Call:

That’s it!

Note: we’re still working through compatibility with various SIP providers since many of them implement the standard in various ways. Once the WiPhones ship we’ll update our getting started instructions to use the servers we find to be most reliable.

What people are saying about WiPhone:

“This is a great cross over between what people know (phones) and what people really want to do (hack).” -Nathan Seidle, Sparkfun Founder

“The WiPhone is a really rather neatly put together project.” -Alasdair Allan, Hackster.io

“If you want a phone that respects your right to repair, this is the project to look at.” -Brian Benchoff, Hackaday.com

“So excited by this project I tried to make one myself” -Random Guy On Our YouTube Channel

First Class Expansion Capabilities

WiPhone is expandable through daughter boards. The whole back of the phone is a replaceable panel that accepts a standard 1.6mm thickness PCB, which you can use to add whatever functionality you like.

Some Examples

We made a WiPhone into an RC car:

And we also made the coolest way to ever to answer a phone:

The daughterboard headers have power, digital I/O, and all the common embedded busses like SPI, I2C, and UART.

 Easy Development

Develop in Arduino/C++ or Python. We’ll also provide basic tutorials covering how to write to the screen, connect to the hardware, save data to memory, etc.  We’ll let you give us feedback on what’s most important to you.

No-Mess Prototyping

————————————————————————————————

Note: Based on the backer survey, we’ll prioritize adding a cellular radio (LTE), and secure communications after the campaign. Back now to get first access to the new hardware as it becomes available.

See the relevant Project Update for details.

————————————————————————————————

We have big plans for the WiPhone, but we also need to start off on solid footing. We’ve set a relatively low funding goal of $40k that will let us cover the costs to finish production of the phones themselves and not much more. That way we can get phones in the hands of people that want them.

But there’s a lot of potential waiting to be unlocked. If we reach $100k of phones, we’ll have enough of a cushion to thoroughly test the design and ultimately deliver a better product. It will also allow us to start taking on extra work. If we reach $100k we’ll start letting backers choose stretch goals.

Some stretch goals would add software features to the WiPhone itself. Others will be to take on design and production of daughterboards and other accessories.

•  Wireless Firmware Updates:Wireless firmware updates will allow you to easily upgrade your firmware.
•  Integrated Python Interpreter: Currently we’ll ship the WiPhone with a separate firmware that allows running MicroPython apps. This stretch goal would allow us to merge the Python interpreter into the main phone firmware to run user apps directly within the phone firmware.
•  Remote Desktop: View and control your WiPhone through a webpage.
•  Encrypted Communications: Add secure communication to calls and messages
•  Threaded Messaging: Add an advanced view to text messages for a more modern chat experience
•  Additional Colors: Add some variety to the clear/gray options we have now for face colors.
•  Advanced Tutorials: Deeper tutorials than the basic ones we’ll ship for the basic campaign. We could go step-by-step through writing a complete app, using the phone to build an entire project, or designing a daughterboard from scratch. We’ll let you give us feedback on what’s most important to you.

First Class Expansion Capabilities – People Like The WiPhone Hack It Like It’s Yours

Pen Test Tool for Securing Network, Wifi, Bluetooth, NFC Signals 
Securing Communications within a secure zone

Whether you are a hacker just starting out or you have been at it for a while, the debate over which hacking device is better — Flipper One vs Flipper Zero, is one that is sure to spark some debate. The bottom line is that both of these devices have their advantages and disadvantages, so which one you choose really depends on your specific needs. In this blog post, we will take a closer look at both devices and help you decide which is best for you.

After the successful launch of Flipper One, many people have been asking about its successor – Flipper Zero. So which is better? Let’s take a look at their features and find out!

What is Flipper One?

Flipper One is a USB Wi-Fi adapter that can be used for hacking. It is designed to be small and portable, making it easy to take with you wherever you go. In short, Flipper One is a Wi-Fi hacking device that allows you to hack any Wi-Fi network without knowing the password. It is a small, portable device that can be used to get into any locked network in just a few seconds.

Flipper One was created by two security experts who were tired of being locked out of their own networks. They realized that there had to be a better way to break into Wi-Fi networks without having to guess passwords, so they created this little device that does the job for you.

Now anyone can hack into any Wi-Fi network with ease using the Flipper One Wi-Fi hacking device. This tiny device is also very affordable, making it an ideal choice for anyone who wants to gain access to locked networks without having to spend a lot of money.

P.S. we have a definitive guide of Pwnagotchi vs Flipper Zero, although both of them have legends of their own, you are welcome to look deeper into each of them.

Key features

1. Attack both 2.4GHz and 5GHz Wi-Fi networks

2. Monitor and attack Wi-Fi clients

3. Deauthenticate clients from access points

4. Captures packets in promiscuous mode

5. Supply power via a USB port

Advantages

1. The Flipper One Wi-Fi hacking device is small and discreet, making it easy to conceal and use inconspicuously.

2. It is also very fast and easy to set up – you can be up and running in minutes.

3. It provides high-quality Wi-Fi connections, even in areas with poor signal strength.

4. Furthermore, it is affordable and easy to use, making it a great choice for anyone on a budget.

5. Finally, Flipper One comes with a 100% satisfaction guarantee, ensuring that you are completely happy with your purchase.

Disadvantages

1. Increased signal interference – Flipper One Wi-Fi hacking device can create a lot of signal interference, which can interfere with the performance of other wireless devices in the area.

2. However, its use in intercepting and decrypting data also makes it more vulnerable to viruses and malware than other wireless devices.

3. It should also be noted that while it can be used for legitimate purposes, it can also be used for malicious intent by hackers seeking to access sensitive information.

4. Can be difficult to configure and use – The Flipper One Wi-Fi hacking device can be difficult to configure and use, especially for beginners. It’s important to read the instructions carefully before using this device.

What is Flipper Zero?

Flipper Zero is a Wi-Fi hacking device that exploits vulnerabilities in WPA/WPA2 security protocols to allow users to access other people’s Wi-Fi networks without their permission. It does this by brute force attacking the Wi-Fi network’s password until it finds the right one.

While Flipper Zero is certainly effective in breaking into secured Wi-Fi networks, it’s also essential to note that using such a device can be illegal in some cases. So if you’re thinking of using Flipper Zero to hack into someone’s Wi-Fi network, be sure to check your local laws first!

Key Features

1. The Flipper zero Wi-Fi hacking device is very easy to use. It’s a small, portable gadget that you can take with you wherever you go.

2. It has a long range and can hack into any Wi-Fi network from up to 500 feet (0.15 km) away.

3. The Flipper zero Wi-Fi hacking device is very fast and can crack even the most complex passwords in just a few seconds.

4. The device is completely undetectable and cannot be traced or tracked by any security software or system.

5. Furthermore, the device comes with a lifetime warranty, providing protection for your investment.

Advantages

1. The Flipper Zero Wi-Fi hacking device is user-friendly, requiring only a few clicks to control.

2. Its small and discreet design allows for easy concealment.

3. It is incredibly fast and can hack into any Wi-Fi network in just a matter of seconds.

4. It is very reliable and has never let me down so far.

5 The customer support is excellent, and they are always available to help you if you encounter any problems while using the device.

Disadvantages

There are a few potential disadvantages of using the Flipper Zero Wi-Fi hacking device.

1. First, it’s possible that law enforcement or other government agencies may find a use for such a device and try to restrict or ban its use.
2. Second, it’s possible that hackers or other malicious individuals could find ways to exploit the vulnerabilities in the Flipper Zero device, compromising the security of networks and data.
3. Finally, there is always some risk that using any kind of hacking device could result in fines or imprisonment if caught.

Flipper one vs Flipper zero

There are many key differences when it comes to Flipper One vs Flipper Zero that you should be aware of before making your purchase. First and foremost, Flipper Zero is a Bluetooth-only device, which means that it cannot be used to hack into networks that are not within close proximity. Flipper One, on the other hand, can be used to hack into both Wi-Fi and Bluetooth networks.

Secondly, Flipper Zero can only be used to crack passwords up to 8 characters in length, while Flipper One can crack passwords up to 12 characters in length. Lastly, Flipper One is equipped with an advanced encryption system that makes it much more difficult for hackers to detect its presence on your network. If you’re looking for the most secure Wi-Fi hacking device available, Flipper One is the better choice.

Which device is better for specific purposes?

Some factors that might help you decide include the range of the device, the type of security it can penetrate, and how easy it is to use.

Flipper One is a good choice for those who need a device with a wide range. It can penetrate most types of security and is relatively easy to use. Flipper Zero is good for those who require a device with a short range or who are looking for greater penetration power. It can penetrate even the most secure networks, but may be more difficult to use than Flipper One.

Conclusion

So, which is the best Wi-Fi hacking device? The Flipper Zero or the Flipper One? In our opinion, the Flipper Zero is better because it is easier to use and has longer battery life. Plus, it comes with a money-back guarantee if you’re not satisfied with your purchase. If you want to be able to hack into any Wi-Fi network in no time at all, we recommend purchasing the Flipper Zero.

The Making of the First Computer Virus —

TheBrain Computer Shop – Pakistan

The first call came late one winter night. A journalist working for a university magazine in Miami, Florida, wanted to know about a mischievous computer programme that was driving students crazy.

“Hello, can I talk to Amjad or Basit Alvi?” she asked. Her American accent and the fact that Amjad, who took the call, was half asleep, made the conversation difficult.

“My [spoken] English is not really good,” says Amjad. It took him some time to realise she was talking about a code that he and his younger brother, Basit, had written a few months before on the Microsoft operating system.

“How the hell did she come across it?” he wondered.

That telephone conversation took place in 1986 when Amjad was 24 years old and still lived with his parents in Lahore, Pakistan.

It was an era before the internet came to be what we know it as today. Connections between computers were largely limited to scientists and a few research organisations in the United States, Europe and Japan.

Most IBM personal computers ran on MS-DOS and data was stored on 5.25-inch floppy disks, which could store 160 kilobyte of files. It was on one such disk that Amjad had copied the ‘Brain Virus’ or, the Pakistani Brain, which became the first viral computer infestation the world had seen.

Somehow a copy of that floppy found its way to the United States.

The self-replicating virus that automatically copied onto the disks spread like wildfire. Students came across it on disks in the universities of Pittsburgh, Pennsylvania, Delaware and George Washington University.

It slowed systems at the Providence Journal-Bulletin newspaper and popped up in trading terminals in Hong Kong. Users found it on their personal computers in places as far as Australia.

Some estimates suggest that between 1986 and 1989, the Brain Virus hit more than 100,000 computers — 10,000 of them at Washington DC’s Georgetown University alone.

Everyone knew the name of the culprit because Amjad had put his address and phone number in between the code along with this message:

“WELCOME TO DUNGEON…Beware of this Virus…Contact Us for Vaccination”

Brain was a benign virus as it wasn’t written to erase data or damage hardware. However, within a few months it opened the floodgates for newer variants and copycats which applied the same logic as Amjad’s to infiltrate computers and cause widespread damage.

Viral computer infestations jumped tenfold from 3,000 in the first two months of 1988 to around 30,000 in its last two months, a US-based software trade organisation noted at the time.

“We were just showing off our skills to each other and trying to identify vulnerability in the DOS system. I didn’t think it would become so big,” says Amjad.

But big it became. In September 1988, the Alvi brothers were featured in a Time magazine cover story and tech historians still regard their virus as one of the most sophisticated of its time.

No history of computer viruses is complete without mention of the Pakistani Brain. It was the Brain that gave the idea to some programmers to write the first anti-virus software.

Among the people who were awed by the novelty of its code was a software engineer named John McAfee, the eccentric US millionaire and guru of the anti-virus industry. And he called the Alvi brothers geniuses.

“I read a story in San Jose Mercury News and I go ‘how the hell did they do that?’”

“Nobody had ever thought about using software to act like bacteria and viruses. That’s a genius idea,” he told TRT World in a recent Skype interview.

McAfee, who at the time was running a computer firm Interpath, studied Brain and wrote a programme to counter it.

“I posted it on my electronic bulletin board and two weeks later I had a million users.”

That’s how the famed McAfee, the first commercial antivirus software, was born.

But how did two Pakistanis from Lahore, famous for its food and hospitality, come up with the idea in the first place? How did a young man with no formal education in information technology and no mentor to guide him figure out a complex process to infiltrate computers undetected?

The boy who bunked school 

When it’s time to have fun, most boys in Lahore head to their rooftops to fly kites. Others would go out to play Pakistan’s most popular sport, street-cricket. Amjad Alvi, however, stayed in his room and tinkered with electronic gadgets.

Born in 1962 in a middle-income family, Amjad was the second-youngest of Muhammad Farooq Alvi’s six children. Senior Alvi was a medical doctor who encouraged his kids from an early age to read books and magazines.

“My father wanted me to become a fighter pilot. When I was 10 years old he bought me two books. One was about airplanes and the other about electronic experiments. I just got into electronics,” Alvi explains.

He vividly recalls the first time he took details and sketches from a how-to book to put together a crystal radio.

“It needed a coil, a gang capacitor, a diode and a headphone. It didn’t need a battery. You just give it earth, attach a long antenna and it catches local transmission,” he told TRT World.

“Same thing prisoners of war made during WWII to know what was happening outside.”

From improvised radios, Amjad moved on to experimenting with walkie-talkies and music synthesisers that involved the use of transistors.

“OC-72. I still remember the transistor number. Finding the components was not always easy.”

Often after school he would scavenge through the narrow lanes of Lahore’s Hall Market where scores of stores sell parts ranging from capacitors to electric switches.

In the 1970s it was a struggle to find electronic parts and even more difficult to get a hold of the right instruction manuals. That’s where the Alvi siblings were lucky.

They had a library membership of the British Council, an initiative of the United Kingdom to impart education in mostly developing countries. That gave Amjad access to journals such as Wireless World and Practical Electronics.

“They didn’t allow you to take anything home from the library. I spent hours copying the descriptions and drawings.”

He often bunked school to come to the library. “That didn’t go down well with my parents once they found out. I was banned from visiting the library for a while.”

In his own words, Amjad was “always a third class student” and failed a calculus exam in college. The method he used to solve an integration problem didn’t go down well with his evaluator. It was not that he didn’t know the answer, he just did it in another way.

Students were supposed to attempt the question based on the standard course book. Amjad relied on a reference from an American book he had come across at the library.

Why else would he fail, he wondered. After all, he never forgot his fifth grade teacher at Saint Andrews school, Miss Benjamin, telling the class on their first day: “Mathematics is the mother of all sciences.”

If you knew that, if you knew the logic that goes into solving a problem, if you had learned about the flip flop in electronic circuitry on your own and you also had a computer, then the possibilities to make things were endless, he says.

“Do you see what I mean by that? With limited resources in Pakistan where it’s difficult to get hold of components, if you had a computer and a bit of imagination, you can do anything.”

Love at first sight

Amjad eventually completed his masters in physics from University of Punjab. But having read everything about computers from all the magazines he could get his hands on, he fell in love with the machines.

In the early 80s he came across an advertisement in a newspaper about a local distributor who was selling Sinclair computers.

The Sinclair ZX80 was launched in 1980 by a British company, Science of Cambridge. Though it wasn’t the first personal computer and left users annoyed over its display issues, it came with a price tag of 99 pounds or around $230, the cheapest personal computer to hit the stores.

“That was my first computer. A good thing about it was that it was sold as a do-it-yourself kit. So you’d get to know the ins and outs of the computer,” says Amjad.

Like elsewhere in the world, personal computers such as the IBMs, Commodore 64, RadioShack and Atari were slowly becoming common in Pakistan. Yet there were just a handful of technicians who knew how to repair them.

That’s where Amjad put his electronic know-how to use and carved out a niche market for himself. He opened a makeshift computer repair shop within the premises of his father’s clinic in mid-80s. The business was named Brain Services.

“We’d say Amjad was a brainy kid. That’s how the name stuck,” says Basit, who was 17 at the time.

Very soon the distributors of Sinclair and other brands were referring broken computers to Amjad. “I still have the logs — the record of the computers I serviced. I made good money with that.”

Over the years, while the story of Brain virus has been told many times, the narrative has missed some key points. Amjad was a pioneer in key IT-related developments in Pakistan.

In 1987, he set up a shop in Singapore to buy monitors, power supply units, processors and motherboards from different companies and assembled them as clones, making Brain among the first suppliers of custom-made computers.

The availability of clones helped many people buy their first computers as they cost much less than branded machines, which were out of reach of many Pakistanis.

Along the way, Amjad honed his programming skills, reading ever-more advanced books and articles in professional journals, mostly to work on mathematical functions.

The first programme to make him money was one designed to convert measuring units. Jewellers and goldsmiths in Lahore had electronic scales which displayed weight in grams and milligrams. But in their daily dealings they relied on Indian units of tola, ratti, and masha.

“I didn’t design the system. I took the idea from somewhere and then built the electronic interface including the port and everything myself,” he said.

By the early 1990s, Brain Services had transformed into Brain NET. Amjad, Basit and their elder brother, Shahid, pitched in whatever capital they had to expand the enterprise. The obvious transition to make was to Bulletin Board Services, which were a sort of an online community before the arrival of the World Wide Web.

They also introduced Pakistan’s first email service around that time. However, the potential customers, who were mostly factory owners, were content with fax machines.

“Our customers would often say, ‘We don’t need to send any communication outside the country, so why bother with email?’ So we built servers and nodes in all the major cities and laid a domestic communication infrastructure. It worked,” says Amjad.

Brain Net would eventually become one of the first internet service providers in Pakistan.

But what Amjad is remembered for is the computer virus.

The making of the Brain

The jury is still out on the question of who wrote the first computer virus.

Most researchers say it was Richard Skrenta who in 1982 as a 15-year-old high school student pranked his friends with Elk Cloner, probably the first self-replicating programme.

Elk Cloner spread via gaming disks, which Skrenta, who is now a tech entrepreneur, loaned to his friends. It slowed down their Apple IIs or abruptly shut the systems.

The moniker, virus, was conceived a year later in 1983 by professor Len Adleman for a programme that his student Fred Cohen wrote.

Cohen demonstrated the ability of his code at a security conference in Pennsylvania. That virus, which could spread through bulletin boards, was able to give Cohen control of a mainframe computer within minutes. His experiment is well documented.

There’s also Creeper and the famous Core War game from the mid-1970s, which was famously featured in Scientific American and gave the world a peek into what the rogue programmes can do.

Like the crystal radio and the unit programme, Amjad says he took the concept to stealthily insert a code into a computer from other programmers and tweaked it a bit.

In the late 1960s, students at the Massachusetts Institute of Technology wrote a computer programme they called the “Cookie”. Computer users would be interrupted by the word cookie that kept flashing on their screen until you type the word ‘cookie’ for it to go away.

Amjad says before writing Brain, he and some of his friends had modified Cookie into a programme which told stories if the computer was left idle for a few minutes.

If a programme can run in the background like this, then why not use it as a harmless virus, he asked himself.

“Initially DOS didn’t give you the option of multitasking. Then they included a new procedure in the code called Terminate and Stay Resident, which basically allowed you to push a programme to the background and pull it back without terminating it,” said Amjad.

Brain was a BOOT Sector Virus and loaded onto the computer from the infected floppy when it was switched on — without the user ever finding out.

What made Brain unique was its ability to load into the computer even before the operating system.

“It was seen as sophisticated for its time by the use of relocation of the boot sector rather than overwriting it, and by marking the moved boot sector as unavailable on the disk,” Gene Spafford, a cyber security expert, told TRT World.

The Brain in its original form was not meant to erase data or even slow down machines. It was simply a way for Amjad and his brother to keep track of who was using their software.

“An NGO wanted us to write a patient management programme. But they were paying us very little. So I copied Brain on to their floppy and explicitly told them not to give it to anyone,” says Amjad.

Despite his warning the infected floppy was apparently shared, copied and the virus started to move and take on a life of its own.

Brain was quickly followed by far more lethal programmes and the Alvi brothers moved on to focus on their internet service and telecommunication applications.

McAfee doesn’t believe that Elk Cloner or Cohen’s virus were the first. He made a fortune from McAfee AntiVirus and was estimated to be worth $100 million before the 2007 financial crash.

He has done a lot over the years — built mansions in the US, tried to make natural antibiotics, ran a cybersecurity firm and ventured into the business of cryptocurrencies.

But his view on the Brain hasn’t altered.

“(The) first virus was the Pakistani Brain. Trust me. There were no viruses before. The word had not even been invented. No one was discussing it or writing about it or considering it. It was not an idea that could come into your brain if you had not seen it.”

source