The NSO Group, Pegasus and ripping the fabric of intelware

22 July 2021 (Siracusa, Sicilia) – A contentious relationship with the “real news” organizations can be fun, or risky. Not both. During my ill-spent youth I once had a real job as a copyboy at the New York Times, during the waning heydays of newsprint in America. I had actually been around newspapers since I was 14, running several newspaper delivery routes (we had to stuff the damn things in those plastic shields before each route), earning $25.50 a week … and an extra few bucks for working the weekends to help them get out the Sunday edition.

Most of the kids on the copy bench were college graduates aching for a career in journalism. I just wanted to learn the industry, maybe even become a reporter. Being a copyboy was a traditional path into big city newspaper reporting jobs and we felt no sense of being lesser because of our menial role in the newsroom.

The tenacity of some of my former colleagues is comparable to the grit one associates with an Army Ranger or Navy SEAL, just with a slightly more sensitive wrapper. Journalists favored semi “with it” clothes, not bushy beards. The editorial team was more comfortable with laptops than an FN SCAR.

But things were clean-cut back then. You were a “journalist”. The “others” were politicians, military, whatever. I mention this because, as I read the communications associated with NSO Group – the headline magnet among the dozens of Israel-based specialized software companies (a very, very close-in group by the way, as I have noted in my previous cybersecurity posts) – it struck me that this affair may have finally torn the fabric shrouding the relationship among former colleagues in the military, government agencies, their customers, and their targets.

Who is to blame? The media? Oh, maybe. I do have a dog in this particular fight as I noted in an earlier post this week. The action promises to be interesting and potentially devastating to some comfortable business models. NSO Group is just one of many firms working to capture the money associated with cyber intelligence and cyber security. The spat between the likes of journalists at the Guardian and the Washington Post and the NSO Group appears to be diffusing like spilled ink on a camouflage jacket.

I noted the piece “Pegasus Spyware Seller: Blame Our Customers Not Us for Hacking”. The main point seems to be that NSO Group allegedly suggests that those entities licensing the NSO Group specialized software are responsible for their use of the software. Some snips from the write-up:

But a company spokesman told BBC News: “Firstly, we don’t have servers in Cyprus.

“And secondly, we don’t have any data of our customers in our possession.

“And more than that, the customers are not related to each other, as each customer is separate.

“So there should not be a list like this at all anywhere.”

And the number of potential targets did not reflect the way Pegasus worked.

“It’s an insane number,” the spokesman said.

“Our customers have an average of 100 targets a year.

“Since the beginning of the company, we didn’t have 50,000 targets total.”

For me, the question becomes “What controls exist within the Pegasus system to manage the usage of the surveillance system?” If there are controls, why are these not monitored by an appropriate entity; for example, an oversight agency within Israel? If there are no controls, has Pegasus become an “on premises” install set up so that a licensee has a locked down, airtight version of the NSO Group tools?

The second piece I noticed was “NSO Says ‘Enough Is Enough,’ Will No Longer Talk to the Press About Damning Reports”. At first glance, I assumed that an inquiry was made by the online news service and the call was not returned. That happens to me several times a day. I am an advocate of my version of cancel culture. I just never call the entity again and move on. I am too old for this shit, to fiddle with the egos of a younger person who believes that a divine entity has given that individual special privileges. Nope, delete.

But not NSO Group. According to the write-up:

“Enough is enough!” a company spokesperson wrote in a statement emailed to news organizations. “In light of the recent planned and well-orchestrated media campaign led by Forbidden Stories and pushed by special interest groups, and due to the complete disregard of the facts, NSO is announcing it will no longer be responding to media inquiries on this matter and it will not play along with the vicious and slanderous campaign.” NSO has not responded to Motherboard’s repeated requests for comment and for an interview.

Okay, the enough is enough message is allegedly in “writing.” That’s better than a fake message disseminated via TikTok. However, the “real journalists” are likely to become more persistent. Despite a lack of familiarity with the specialized software sector, a large number of history majors and liberal arts grads can do what “real” intelligence analysts do. Believe me, there’s quite a bit of open source information about the cozy relationship within and among Israel’s specialized software sector, the interaction of these firms with certain government entities, and public messages parked in unlikely open source Web sites to keep the “real” journalists learning, writing, and probing.

In my opinion, allowing specialized software services to become public (that is, actually talk about the capabilities of surveillance and intercept systems) was a very, very bad idea. But money is money and sales are sales. Incentive schemes for the owners of specialized software companies guarantee that I can spend eight hours a day watching free webinars that explain the ins and outs of specialized software systems. I don’t spend that much time but some of the now ignited flames of “real” journalism will certainly do so. They will learn almost exactly what is presented in classified settings. Why? Capabilities, when explained in public and secret forums, use almost the same slide decks, the same words, and the same case examples, which vary only in the level of detail presented. This is how marketing works.

Some random observations:

1. A PR disaster is, it appears, becoming a significant political issue. This may pose some interesting challenges within the Israel-centric specialized software sector. NSO Group’s system ran on cloud services like Amazon’s until AWS allegedly pushed Pegasus out of the Bezos stable.

2. There’s a breaker of the specialized software business model of selling to governments and companies. The cost of developing, enhancing, and operating most specialized software systems keeps companies on the knife edge of solvency. The push into commercial use of the tools by companies or consumerizing the reports means government contracts will become more important if the non-governmental work is cut off. Does the world need several dozen Dark Web indexing outfits and smart time line and entity tools? Nope.

3. Wow – the boost to bad actors. The reporting in the last week or so has provided a detailed road map to bad actors in some countries about [a] what can be done, [b] how systems like Pegasus operate, [c] the inherent lack of security in systems and devices charmingly labeled “insecure by design” by a certain big software company, and [d] specific pointers to the existence of zero day opportunities in blast door protected devices. That’s all one hell of a “lessons learned”.

Net net: The NSO Group “matter” is a very significant milestone in the journey of specialized software companies. The reports from the front lines will be fascinating. I anticipate excitement in Belgium, France, Germany, Israel, the United Kingdom, and a number of other countries. I’m awaiting a specialized software Covid Delta.

When I began my deep dive into cybersecurity 12 years ago, courtesy of two major cybersecurity vendors who had the patience to allow me to muddle through until I “got it”, their mantra was that surveillance software and technology would get ever more sophisticated and difficult to detect because millions of dollars and thousands of hours were being spent to make such software difficult (impossible?) to detect and infections and attacks very hard to identify … unless somebody spilled the beans.

I have spent the last 2 days with two of my security researcher contacts at their home in Sicilia (Sicily) as they demonstrated how the most recent versions of Pegasus only ever inhabit the phone’s temporary memory, rather than its hard drive, meaning that once the phone is powered down virtually all trace of the software vanishes. One of the most significant challenges that Pegasus presents to journalists and human rights defenders is the fact that the software exploits undiscovered vulnerabilities, meaning even the most security-conscious mobile phone user cannot prevent an attack.

But my biggest issue right now is that the increasing complexity of cloud, multi-cloud, and hybrid network environments and the rapidly evolving nature of adversary threats has exposed the Achilles heel of traditional network cybersecurity defenses. Traditional defenses with multiple layers of disjointed security technologies are ineffective against modern threat actors. With impaired visibility, risk-ignorant access decisions, and manual detection and response, we cannot prevent breaches.

I suspect this will all blow over and NSO.2 or Pegasus.6 will be out amongst us. The journalists have their work cut out for them if they want to alter that trajectory.

 
