Apr 12 2022

NSO Group Spied on European Union—on French Orders?

Category: Cyber Espionage, Cyber Spy, Spyware
DISC @ 10:46 am

An NSO Group customer attempted to hack the phones of senior EU officials, although there’s some suggestion that it might have been QuaDream, a similar Israeli spyware firm.

Commissioner for Justice Didier Reynders seems to have been the main target, along with several of his staffers at the Directorate-General for Justice and Consumers. They were warned of the attack five months ago—by Apple.

But who ordered the hack? Might it have been the French government? In today’s SB Blogwatch, we’re shocked—SHOCKED—to discover un peu d’espionnage fratricide.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Shrimp can lobster.

What Did Didier Do?

What’s the craic? Raphael Satter and Christopher Bing claim this exclusive for Reuters—“Senior EU officials were targeted with Israeli spyware”:

“Remotely and invisibly take control of iPhones”
Among them was Didier Reynders, a senior Belgian statesman who has served as the European Justice Commissioner since 2019. … At least four other [Justice and Consumers] commission staffers were also targeted.
The commission became aware of the targeting following messages issued by Apple to thousands of iPhone owners in November telling them they were “targeted by state-sponsored attackers.” … The warnings triggered immediate concern at the commission. … A senior tech staffer sent a message to colleagues with background about Israeli hacking tools: … “Given the nature of your responsibilities, you are a potential target.”
Recipients of the warnings were targeted between February and September 2021 using ForcedEntry, an advanced piece of software that was used by Israeli cyber surveillance vendor NSO Group to help foreign spy agencies remotely and invisibly take control of iPhones. A smaller Israeli spyware vendor named QuaDream also sold a nearly identical tool.

So which was it? And why? Lucas Ropek shrugs—“Sophisticated Spyware Attack”:

“Comes at potentially the worst possible time”
It’s not totally clear why these officials were targeted or who used the malware against them. … NSO has denied that it had any involvement. … Reuters also reached out to QuaDream … but did not get any sort of comment or response.
The claims that EU officials were targeted with NSO Group software comes at potentially the worst possible time for the company as it continues to battle both legal and financial troubles, as well as multiple government investigations. … NSO is now appealing to the U.S. Supreme Court in a new effort to rid itself of a hefty lawsuit filed by … WhatsApp, [which] sued NSO in October of 2019 after the surveillance firm’s malware was allegedly discovered on some 1,400 users’ phones. … The company is also currently battling another lawsuit from Apple filed last November on similar grounds.

Government investigations? Malcolm Owen isn’t scared to say whodunnit—“EU officials’ iPhones were targets of NSO Group’s spyware”:

“Use of surveillance software”
The discovery of the misuse of NSO Group’s tools certainly doesn’t help the company’s profile following the Pegasus scandal, when it was found the tool was used by governments to spy on journalists, activists, and government opponents, instead of for fighting crime. The adoption of Pegasus and other tools by government agencies led to lawmakers in the U.S. asking Apple and the FBI about the latter’s acquisition of NSO Group tools.
Meanwhile, the European Parliament will be launching a committee on April 19 to investigate the use of surveillance software in European member states.

The European Union, huh? FOHEng thinks this should be a teachable moment:

Many of these same EU people think The App Store should be forced to open, increasing the vectors for … exploits to make it into devices. They’re as stupid as some US Senators, who aren’t allowed to sideload Apps on their devices over security concerns, yet want to force Apple to allow this. They are truly delusional.
Third party stores with Apps being vetted for security? An oxymoron if ever there was one. … You think iOS third party stores are going to somehow be secure and Apps checked?

Worthless politicians? zeiche seems to think so:

“No big deal until it happens to me.” This story has been unfolding slowly for years, yet these EU officials didn’t seem too bothered until Apple notified them about their phones being hacked. … Thanks for all the concern.

But what of Apple in all this? Heed the prognostications of Roderikus:

More fines for offering a platform that is basically compromised while being marketed as “safe.”

However, mikece is triggered by a certain word in the Reuters hed:

Throwing the adjective “Israeli” into the title is misleading as it suggests the state of Israel is somehow involved. … Blaming Israel for this is like blaming Japan for all of the Toyota Hiluxes converted into gun platforms around the world.

Yet we’ve still not dealt with the “who” question. For this, we turn to Justthefacts:

CitizenLab did some clever geographic fingerprinting, and have a list of which countries are doing this. … Out of these, the credible list is: France, Greece, Netherlands, Poland, UK, USA.

The target was the European Justice Minister from 2019 onwards. He doesn’t have military or external trade secrets. Neither the UK nor USA are impacted in any way by what goes on in his office. So it’s either France, Greece, Netherlands, Poland.

If you have a look at the heat-map produced by CitizenLab, it’s the French government snooping on the EU. What were you expecting?

Nor the “why”: What else do we know about the named victim? ffkom ffills us in: [You’re ffired—Ed.]

Didier Reynders is [one of] those politicians who have continuously undermined EU data protection laws by agreeing to sham contracts like “Safe Harbour” and “Privacy Shield,” … knowing those were contradicting EU law … and not worth the paper they were written on. He, personally, is also responsible for not enforcing … GDPR.
It serves Mr. Reynders right that his data is exposed, just as much as he has helped to expose EU citizens’ data.

'Ultimate spyware' — How Pegasus is used for surveillance

Tags: European Union, NSO Group Spied

Aug 30 2010

Cyber attacks against Water, Oil and Gas Systems

Category: Cybercrime
DISC @ 9:49 am

“This summer the Norwegian National Security Authority (NSM) discovered for the first time targeted computer attacks directed against internal process and control systems to ensure supply of electricity and water. Similar attacks were discovered in Germany and Belarus. EU’s cyber-security unit, ENISA, will in late October or early November carry out the first ever pan-European cyber security exercise.”

Cyber Criminals Attack Critical Water, Oil and Gas Systems

Tags: Belarus, Business, Computer security, Control system, European Union, Germany, National Security Authority, NSM

Feb 25 2009

Small business and assessment of IT risks

Category: Security Risk Assessment
DISC @ 5:02 pm

According to a study released by the European Union’s ENISA, small-to-medium-sized enterprises (SMEs) require extra guidance in assessing the IT security risks to their assets.

The agency also established that, in a first implementation, it is improbable that an SME can utilize a risk assessment and risk management approach without external assistance, and that a simplified information security approach was extremely useful for raising security awareness on the part of the business and improving its information security management approach. One of the main drivers that pushed ENISA towards a simplified Risk Assessment and Management approach was the idea that SMEs need simple, flexible, efficient and cost-effective security solutions.

Regarding the entire process applied for the life-cycle of the simplified approach, ENISA has applied the Plan-Do-Check-Act model:
o PLAN: creation of a simplified Risk Assessment & Risk Management approach for SMEs
o DO: run pilots in different contexts inside EU
o CHECK: get feedback from pilots and aggregate and analyze it
o ACT: review and improve the simplified approach starting from the feedback
It is expected that through repetitions of the above life-cycle a proper maturity of the simplified ENISA method will be achieved.
Diagram: Overview of the phases of the ENISA simplified approach
ENISA’s simplified and standardized approach to risk assessment for SMEs is designed for untrained users and organizations with small IT infrastructure. Security of SMEs is crucial for the European economy, since they represent 99% of all enterprises in the EU and around 65 million jobs, ENISA said.

ENISA report and findings

With an economic slowdown looming in the US economy, it makes sense to adopt a simplified, standardized lifecycle approach to managing and securing SME data. SMEs are the core engine of the US economy as well; taking a standards-based approach to data protection will not only increase awareness and secure businesses but will also satisfy various compliance needs. Complexity is an enemy of security, and SMEs most of the time don’t have the in-house expertise to tackle the organization’s information security needs. The main idea is to build a simple, flexible and cost-efficient risk assessment and risk management program for non-expert users and management with relatively less complex IT infrastructure, one that fits the needs of all SMEs. This program will serve as an IT risk assessment tool, fulfill the needs of several regulations, and serve as a great security awareness tool as well. As business needs change, the risk assessment and risk management process can be improved utilizing the Deming PDCA model. Start with a base model program and improve the process to tailor it to your business needs down the road.

Another methodology worth mentioning here as a simplified risk assessment approach for SMEs is the Facilitated Risk Analysis and Assessment Process (FRAAP), created by Tom Peltier, which can be utilized to identify and quantify threats to IT infrastructure. Tom also teaches a class on how to complete a risk assessment in 5 days or less utilizing FRAAP, and explains his FRAAP methodology in his book on “Information security risk analysis”.

Computer Security


Tags: Business, Computer security, Consultants, European Network and Information Security Agency, European Union, information security risk analysis, Risk management, Security, Security Risk Assessment, Small and medium enterprises, SME