CYBERSECURITY:


NSO Group - so just how easy are mobile hacks?


__________________________


Project Counsel Media is a division of Luminative Media. We cover the areas of cyber security, digital technology, legal technology, media, and mobile technology.



About Luminative Media: our intention is to delve deeper into issues, at greater length and with more historical and social context, in order to illuminate pathways of thought that are not possible to pursue through the immediacy of daily media.

________________





The expertise, insights, systems, and methods of what the media calls “the NSO Group” have diffused. As a result, there are more choices than ever before when it comes to exploiting mobile devices.




BY:
Alexis Estes
Cybersecurity Analyst
Project Counsel Media


25 APRIL 2023 -- Coming hard on the heels of the International Cybersecurity Forum in Lille, France 2 weeks ago, I hopped a plane to attend the annual U.S. National Cyber Crime Conference, another "must attend" event for the cybersecurity industry. The event is actually restricted to actively employed law enforcement/prosecutorial agency investigators, forensic examiners, prosecutors and respective support personnel, and its sessions are a collective "Master Class" in using electronic evidence in (mostly) criminal cases. Which is why a few high-profile eDiscovery vendors have snagged tickets (everybody pays to get in; there are no freebies).



The event starts today but there was an interesting dinner kick-off last night and the primary topic of conversation was "What companies offer NSO-type mobile phone capabilities? That seems to be our biggest threat". Two well-known cyber experts who track NSO and its progeny had their thoughts and said "there are quite a few NSO types out there today".


But one of them noted "a far more interesting question is why is Israel-based NSO Group the pointy end of a three-meter stick aimed at mobile devices?" He suggested that to get some public information (his more private thoughts cost a lot of $$$$) about newly recognized NSO Group/Pegasus tricks, read "Triple Threat. NSO Group's Pegasus Spyware Returns in 2022 with a Trio of iOS 15 and iOS 16 Zero-Click Exploit Chains".


He pointed out that the article's reference to Access Now is interesting, and a crime analyst may find that a few minutes spent examining what the organization does, its “meetings,” and its hosting services is time well spent. And he said "now let’s consider the question regarding the productivity of the NSO technical team". He made a few points:



First, Israel’s defense establishment contains many bright people and a world-class training program. What happens when you take well-educated people, the threat of war without warning, and an outstanding in-service instructional setup? The answer is, “Ideas get converted into exercises. Exercises become test code. Test code gets revised. And the functional software becomes weaponized.”


Second, the “in our foxhole” mentality extends once trained military specialists leave the formal service and enter the commercial world. As a result, individuals who studied, worked, and in some cases, fought together set up companies. These individuals are a bit like beavers. Beavers do what beavers do. Some of these firms replicate functionality similar to that developed under the government’s watch and sell those products. Please note that NSO Group is an exception of sorts. Some of the “insights” originated when the founders were repairing mobile phones. The idea, however, is the same. Learning, testing, deploying, and the hiring of individuals with specialized training by the Israeli government. Top-shelf mobile hacking techniques.


Third, directly or indirectly, important firms in Israel or, in some cases, government-assisted development programs provide: [a] money, [b] meet-up opportunities like the multitude of “tech fests” in Tel Aviv (I attend at least one every year), and [c] suggestions about whom to hire, partner with, consult with ... or be aware of.


Do these conditions exist in other countries? In his experience, to some degree this approach to mobile technology exploits does exist in several countries, but he was not naming them. At least at our dinner. However, he did note "there are important differences in these other countries, and they cannot all replicate Israel's technological prowess".


But his major point was that the expertise, insights, systems, and methods of what the media calls “the NSO Group” have diffused across at least 14 other companies (he let that number slip out). As a result, there are more sophisticated choices than ever before when it comes to exploiting mobile devices, and cyber attackers know this.


So where’s Apple? Where’s Google? Where’s Samsung? He said "those firms are in reactive mode, and, in some cases, they really don’t know what they don’t know. They will continue to be easy targets. The mobile attack surface just keeps widening: the technology stack (mobile device technology stack), communication (mobile and local network protocol stacks), supply chain, and the greater mobile ecosystem".



* * * * * * * * * * * * * * * 

