Spyware

Bad traffic: New Citizen Lab report finds Sandvine’s PacketLogic devices used to deploy government spyware in Turkey and redirect Egyptian users to affiliate ads

noreen.rasbach — Fri, 09 Mar 2018 20:44:59 +0000

Bad traffic: New Citizen Lab report finds Sandvine’s PacketLogic devices used to deploy government spyware in Turkey and redirect Egyptian users to affiliate ads

noreen.rasbach Fri, 03/09/2018 - 15:44

Cutline

Map shows locations of the targets of spyware injection in Turkey, as well as the observed targets in Syria (map by Citizen Lab)

Topic

Global Lens

Citizen Lab

Munk School of Global Affairs & Public Policy

Research & Innovation

Spyware

A new report by the Citizen Lab at the University of Toronto’s Munk School of Global Affairs outlines an investigation into the apparent use of networking equipment, offered by a company based in Canada and the United States, to deliver malware in Turkey and indirectly into Syria.

Such equipment also appears to have been used to covertly raise money through affiliate ads and cryptocurrency mining in Egypt.

Through internet scanning, Citizen Lab researchers found Deep Packet Inspection (DPI) middleboxes on Türk Telekom’s network. The middleboxes were being used to redirect hundreds of users in Turkey and Syria to spyware when those users attempted to download certain legitimate Windows applications.

Additionally, researchers found similar middleboxes at a Telecom Egypt demarcation point. On a number of occasions, the middleboxes were apparently being used to hijack Egyptian internet users’ unencrypted web connections en masse and redirect the users to revenue-generating content such as affiliate ads and browser cryptocurrency mining scripts.

“Leaked documents have long indicated that a number of governments are targeting their opponents by surreptitiously injecting spyware into their internet connections,” said researcher Bill Marczak of Citizen Lab at the Munk School. “For the first time ever, we have the proof.”

After an extensive investigation, researchers matched characteristics of the network injection in Turkey and Egypt to Sandvine PacketLogic devices. The investigation involved researchers developing a fingerprint for the injection found in Turkey, Syria, and Egypt and matching that fingerprint to a second-hand PacketLogic device that they procured and measured in a lab setting. The report was peer reviewed by academic experts in the field.

Read the Citizen Lab report

The company that makes PacketLogic devices was formerly known as Procera Networks, but was recently renamed Sandvine after Procera’s owner, U.S.-based private equity firm Francisco Partners, acquired the Ontario-based networking equipment company Sandvine and combined the two companies in 2017. Francisco Partners has a number of investments in dual-use technology companies, including providers of internet surveillance and monitoring tools such as NSO Group, an Israeli company that develops and sells mobile spyware – the use of which was previously documented by Citizen Lab in several countries to target journalists, lawyers, and human rights defenders.

The apparent use of Sandvine devices to surreptitiously inject malicious and dubious redirects for users in Turkey, Syria, and Egypt raises significant human rights concerns, particularly in light of the “strong safeguards” that Sandvine asserts it maintains “regarding social responsibility, human rights, and privacy rights.”

“Sandvine’s PacketLogic Deep-Packet Inspection (DPI) system, as currently advertised, is classic ‘dual-use’ technology, marketed as benign-sounding ‘quality of service’ or ‘quality of experience’ functionality. But as our report shows, these types of DPI systems can also surreptitiously redirect users to sophisticated spyware, or permit the hijacking of their browsers to mine cryptocurrency for profit,” said Professor Ron Deibert, director of the Citzen Lab.

“The power of such systems is in the hands of the local operator – operators that answer to autocratic rulers like Turkey’s Erdogan or Egypt’s el-Sisi. Targeted injection of spyware at the nation-state level represents a major public safety risk, and technologies that facilitate such injection should be regulated accordingly.”

Lawyers for murdered Mexican women targeted with spyware: ��˾��ֱ��'s Citizen Lab

ullahnor — Thu, 03 Aug 2017 16:48:42 +0000

Lawyers for murdered Mexican women targeted with spyware: ��˾��ֱ��'s Citizen Lab

ullahnor Thu, 08/03/2017 - 12:48

Cutline

A woman places banners during a protest of the July 2015 murder of journalist Rubén Espinosa, government critic Nadia Vera and two other women in Mexico City (photo by Daniel Cardenas/Anadolu Agency/Getty Images)

Topic

Munk School of Global Affairs & Public Policy

Faculty of Arts & Science

Lawyers representing the victims of three Mexican women slain in suspicious execution-style killings were targeted by spyware developed by an Israeli company, says the University of Toronto's Citizen Lab.

The Internet watchdog group, based at ��˾��ֱ��'s Munk School of Global Affairs, says Karla Michelle Salas and David Peña were targeted with NSO Group’s Pegasus spyware in September and October 2015 as questions grew about government accounts of the killings, as well as the reported torture and sexual assault of the victims.

NSO's digital surveillance technology can infect and spy on mobile phones.

“In total, we have now publicly reported 21 cases in Mexico of abusive targeting with NSO’s spyware,” the lab says in its latest report. “A pattern has emerged in a subset of these cases: lawyers and investigators working on targeted killings in Mexico have been targeted with NSO Group’s spyware when their investigations questioned official accounts provided by the authorities.”

Read about the report at ABC News

While Citizen Lab cannot technically attribute the spyware's deployment to the Mexican government, researchers say in the latest report that there's “abundant evidence” to suggest NSO Group isn't doing enough to prevent misuse of its digital surveillance technology.

Researchers from Citizen Lab have also found that a human rights defender was targeted with NSO spyware in the United Arab Emirates. In addition, a former Panamanian president, who is being detained in the United States and facing extradition, is accused of diverting money to purchase NSO’s spyware to target his opponents.

“Clearly, there is a serious control problem around commercial spyware that needs to be urgently addressed lest such cases continue to mount,” Citizen Lab director and Faculty of Arts & Science Professor Ron Deibert writes on his blog. “One way to prevent such abuses is to encourage ownership groups to exercise greater due diligence over companies like NSO Group.”

Read the story at Forbes

Read the full report

��˾��ֱ��'s Citizen Lab uncovers spyware campaign against Mexican journalists and civil society

ullahnor — Mon, 19 Jun 2017 20:02:02 +0000

��˾��ֱ��'s Citizen Lab uncovers spyware campaign against Mexican journalists and civil society

ullahnor Mon, 06/19/2017 - 16:02

Cutline

Mexican President Enrique Peña Nieto has talked about taking steps to ensure the safety of journalists in Mexico (photo by Alfredo Estrella/AFP/Getty Images)

Topic

Munk School of Global Affairs & Public Policy

Faculty of Arts & Science

The New York Times reports that a new investigation by the University of Toronto's Citizen Lab has uncovered a spyware campaign targeting Mexican journalists, lawyers and anti-corruption investigators.

“The targets include lawyers looking into the mass disappearance of 43 students, a highly respected academic who helped write anti-corruption legislation, two of Mexico’s most influential journalists and an American representing victims of sexual abuse by the police,” The Times reports. “The spying even swept up family members, including a teenage boy.”

��˾��ֱ��'s Citizen Lab reports proponents of Mexico’s soda tax targeted by spyware

ullahnor — Mon, 13 Feb 2017 20:55:41 +0000

��˾��ֱ��'s Citizen Lab reports proponents of Mexico’s soda tax targeted by spyware

ullahnor Mon, 02/13/2017 - 15:55

Cutline

New Citizen Lab report looks into spyware targeting supporters of Mexico's soda tax (photo by Omar Bárcena via Flickr)

Topic

Global Lens

Munk School of Global Affairs & Public Policy

Citizen Lab

Spyware

Ron Deibert

Is an Israeli cyberarms dealer's spyware being used to tap into the phones of vocal proponents of Mexico's 2014 soda tax, the first national tax of its kind targeting consumption of sugary drinks in Mexico?

That's the question being raised by Citizen Lab at ��˾��ֱ��'s Munk School of Global Affairs in its latest report entitled, “Bitter Sweet: Supporters of Mexico’s Soda Tax Targeted With NSO Exploit Links.”

The report, authored by Citizen Lab researchers John Scott-Railton, Bill Marczak, Claudio Guarnieri and Masashi Crete-Nishihata, says links sent to activists, policy makers and government employees opposed to the Mexican soda industry were laced with an invasive form of spyware developed by NSO Group, which sells digital spy tools to governments and has contracts with multiple agencies inside Mexico.

Read the full story at the New York Times

Below, Faculty of Arts & Science professor Ron Deibert, director of Citizen Lab, explains the story behind the investigation.

In recent years, the research of the Citizen Lab and others has revealed numerous disturbing cases involving the abuse of commercial spyware: sophisticated products and services ostensibly restricted in their sales to government clients and used solely for legitimate law enforcement.

Contrary to what companies like Hacking Team, Gamma Group, NSO Group and others claim about proper industry self regulation, we have repeatedly uncovered examples where governments have used these powerfully invasive tools to target human rights defenders, journalists and legitimate political opposition.

To this list, we can now add research scientists and health advocates.

The “Bitter Sweet” case has its origins in a prior Citizen Lab investigation – our Million Dollar Dissident report, in which we found that a UAE-based human rights defender, Ahmed Mansoor, was targeted by UAE authorities using the sophisticated “Pegasus” spyware suite, sold by Israeli cyber warfare company, NSO Group.

As part of that report, we published technical indicators – essentially digital signatures associated with the NSO Group’s infrastructure and operations – and encouraged others to use them to find evidence of more targeting. When we published our report in August 2016, we knew there was at least one Mexican targeted – a journalist – and so suspected there might be some targeting there.

Shortly after the publication of our report, Citizen Lab was contacted by Access Now, which had received a request for assistance on its digital helpline from two Mexican NGOs working on digital rights and security, R3D and SocialTIC. Together, we worked to track down suspicious messages received by Mexicans, which led us to the Bitter Sweet case.

The title of our report refers to the fact that all of those whom we found targeted in this campaign were involved in a very high-profile “soda tax” campaign in Mexico. A soda tax is part of an anti obesity effort to add taxes to lower consumption of sugary drinks and sodas. Although many in Mexico are behind the campaign, some in the beverage industry and their stakeholders are obviously not.

In the midst of controversy around the soda tax campaign, at least three prominent research scientists and health advocates received similar (in some cases, identical) suspicious SMS messages that included telltale signs of NSO Group’s attack infrastructure. Had any of them clicked on the links, their iPhones would have been silently compromised, allowing the perpetrators to listen in on their calls, read their emails and messages, turn on their camera and track their movements – all without their knowledge.

What is most remarkable about the targeting are the steps the perpetrators took to try to trick the scientists and advocates to click on the links. For example, one of the targets, Dr. Simon Barquera, a well respected researcher at the Mexican Government’s Instituto Nacional de Salud Pública, received a series of increasingly inflammatory messages. The first SMSs concerned fake legal cases in which the scientist was supposedly involved. Those following got more personal: a funeral, allegations his wife was having an affair (with links to alleged photos), and then, most shocking, that his daughter, who was named in the SMS, had been in an accident, was in grave condition and that Dr. Barquera should click a link to see which hospital emergency room into which she was admitted.

While we can’t attribute this campaign to a particular company or government agency, it is obvious those behind the targeting have a stake in getting rid of the soda tax, and that points to the beverage industry and their investors and backers in the Mexican government. It is important to point out that Mexico is on record purchasing NSO Group’s services, and NSO Group itself asserts it only sells to legitimate government representatives. But clearly the NSO’s “lawful intercept” services are not being used in Mexico to fight crime or hunt terrorists, unless those who are advocating against obesity are considered criminal terrorists. We feel strongly that both the Mexican and the Israeli governments (the latter approves exports of NSO products) undertake urgent investigations.

Finally, our report shows the value of careful documentation of suspicious incidents and ongoing engagement between researchers, civil society organizations and those who are targeted by malicious actors who wish to do harm. The epidemic of targeted digital attacks facing civil society will require an all-of-society defence. The cooperation shown on this investigation by Citizen Lab researchers, Access, R3D, and SocialTIC is a model of how it can be done.

The above excerpt was reposted from Professor Ron Deibert's blog

Spyware

Bad traffic: New Citizen Lab report finds Sandvine’s PacketLogic devices used to deploy government spyware in Turkey and redirect Egyptian users to affiliate ads

Read the Citizen Lab report

Lawyers for murdered Mexican women targeted with spyware: ��˾��ֱ��'s Citizen Lab

Read more at the Guardian

Read about the report at ABC News

Read the story at Forbes

Read more at CBC News

Read the full report

��˾��ֱ��'s Citizen Lab uncovers spyware campaign against Mexican journalists and civil society

Read more at The New York Times

��˾��ֱ��'s Citizen Lab reports proponents of Mexico’s soda tax targeted by spyware

Read the full story at the New York Times