Pegasus Affair

One year of the Pegasus Project: Hacking Tools Multiplying Daily, Threat Growing — Sandrine Rigaud https://www.youtube.com/watch?v=j4x_A_jPYko&t=56s
 Jul 19, 2022 On July 18, 2021, revelations of the “Pegasus Project” shocked the world. The product of a collaborative investigation by multiple media organisations including The Wire in India, the Guardian in the UK and Washington Post, details of a chilling surveillance attack emerged. A zero click hacking tool called Pegasus had been developed by the Israel based NSO Group. Governments around the world had bought and were using Pegasus. In India, investigations revealed that several activists, academics, journalists, opposition members and lawyers were targeted using Pegasus by exploiting a vulnerability in the WhatsApp platform. The attack is invisible. Once “infected”, your phone becomes your worst enemy. From within your pocket, it instantly delivers your private conversations, personal photos, almost every detail about you. Amnesty International’s Security Lab used digital forensic tests to confirm evidence of targeting and infections on scores of phones around the world. Today a year has passed since the revelations. The Pegasus Project was a collaboration by journalists from 17 media organizations in 10 countries, coordinated by Forbidden Stories. Mitali Mukherjee spoke with Sandrine Rigaud editor in chief of Forbidden Stories and the one who coordinated the “Pegasus Project” on the threats and challenges that still remain.

Forget Pegasus, new spyware 'Hermit' now being used by governments Hermit is a modular spyware that hides its malicious capabilities in packages downloaded after it's deployed  https://www.deccanherald.com/international/world-news-politics/forget-pegasus-new-spyware-hermit-now-being-used-by-governments-1119178.html  Jun 18 2022

Cyber-security researchers have unearthed a new enterprise-grade Android spyware. "Based on our analysis, the spyware, which we named 'Hermit' is likely developed by Italian spyware vendor RCS Lab and Tykelab Srl, a telecommunications solutions company we suspect to be operating as a front company,"
RCS Lab, a known developer that has been active for over three decades, operates in the same market as Pegasus developer NSO Group Technologies and Gamma Group, which created FinFisher. RCS Lab has engaged with military and intelligence agencies in Pakistan, Chile, Mongolia, Bangladesh, Vietnam, Myanmar and Turkmenistan.

Collectively branded as "lawful intercept" companies, they claim to only sell to customers with legitimate use for surveillanceware, such as intelligence and law enforcement agencies. "In reality, such tools have often been abused under the guise of national security to spy on business executives, human rights activists, journalists, academics and government officials,"

Hermit is a modular spyware that hides its malicious capabilities in packages downloaded after it's deployed. These modules, along with the permissions the core apps have, enable Hermit to exploit a rooted device, record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages.

 Ronald Deibert from Citizen Lab on Cyber Surveillance, Digital Subversion, and Transnational Repression https://democracyparadox.com/2022/05/10/ronald-deibert-from-citizen-lab-on-cyber-surveillance-digital-subversion-and-transnational-repression/ 

Extracts...

a very famous piece in the Journal of Democracy called “Liberation Technology” by Larry Diamond that outlines this thesis and there’s a lot of merit to it. Actually, when you look on the face of it, many, many examples of people using digital technologies do hold governments and private companies accountable, do connect with each other to organize, to mobilize.

But what’s happened over time is the tables have turned. Part of it has to do with the fact that computers and networks, internet networks are two-way streets, if you will. We communicate out, but they also look at us and they are increasingly, especially with social media, designed to monitor us. And generally speaking, the entire ecosystem is insecure and that means that it has become a very convenient tool for those who want to do some sort of malfeasance to use the internet for that purpose. What’s happened is we’ve seen this real explosion of the spread of transnational repression practices tied to digital technologies, because of the way in which the architecture is constructed and how the devices that we carry around with us at all times are highly invasive, but insecure and poorly regulated.

There are a lot of wealthy people in the world. A lot of oligarchs that are flaunting their wealth and using that wealth to circumvent laws to operate in gray areas. Once that sort of becomes acceptable, you can understand how they would be led down a path of contracting out with private investigators.

So, that’s coming from the private sector and then governments, of course, have always had an appetite to spy on adversaries, each other, their own citizens, citizens abroad. It’s just that now they have so many more tools and capabilities and resources that enable them to do this. Like I said before, people are kind of set up to be spied on by default.

the concept of transnational repression 

the fact of the matter is governments can intimidate, harass, repressed people abroad. They have done it for centuries. You can think of many examples where governments have organized some kind of secret crew to go abroad undercover. Maybe murder somebody abroad. But it takes a lot of effort. It’s very risky. It can easily be exposed. It obviously requires physical proximity. With digital technologies, all of those constraints are removed.

So, digital transnational repression is not only very effective directly. It also has these indirect impacts on people’s psychological state and emotional wellbeing which happens to be the title of our recent report on this topic, “Psychological and Emotional War.” We did an extensive study of transnational repression in Canada and found that people fleeing from abroad to this country were experiencing this new type of control method that’s quite insidious and is transnational in nature.

Since you have access to somebody’s device, it’s not inconceivable that you could plant falsely incriminating information. It would be very difficult to disprove. So, if I hacked your phone and I put on your phone horrible images that are illegal and then called the cops and they grab your phone,o, you know, you can anticipate meetings of people, you can plant falsely incriminating information, you can find out where someone is going and kidnap them or murder them, all sorts of things. It’s very powerful. I think the fact that the market is mostly unregulated, it’s kind of Wild West right now. It’s really daunting to think about those two in combination: extremely powerful technologies in the hands of autocrats, despots, and even democracies as we’re finding out with a report on Spain that we just produced and then very poor regulation. That’s a dangerous combination.

The companies like NSO group claim they only sell it to governments. Let’s take them at their word for now. But even assuming it’s restricted just to governments, that doesn’t give me much solace because there are so many governments in the world that are nasty, brutal, despotic regimes, especially their security agencies in countries where there’s no oversight or whatever. But then on the less technologically sophisticated side of the spectrum, we’ve seen many, many examples of people succumbing to the same problems, but with very simple techniques that trick them.

Citizen Lab

Seymour Martin Lipset Lecture “Digital Subversion: The Threat to Democracy” by Ronald Deibert

“Subversion Inc: The Age of Private Espionage” by Ronald Deibert in Journal of Democracy

SC-Appointed Pegasus Probe Committee Seeks Responses from Public on 11 Queries  https://thewire.in/law/sc-appointed-pegasus-probe-committee-seeks-responses-from-public-on-11-queries  The queries pertain to the safeguards in place to check state surveillance, the extent to which state surveillance is justified and seek suggestions on how to strengthen cyber security and balance individual rights with national security interests. 

https://pegasus-india-investigation.in/invitation-to-comment/  Link to on-line form to be filed. Questions are

1.Whether the existing boundaries of State surveillance  for the purposes of national security, defence of India, maintenance of public order, and prevention and investigation of offences, are well defined and understood?  any other purposes? 

2.  Whether the procedures and rules .. surveillance  are sufficient to effectively prevent unwarranted excessive routine use/misuse;

3. What substantive and procedural safeguards – would you suggest? 

3b) How can existing procedures be improved? 

4. What should be the grievance redressal mechanism

5: Should there be special safeguards, in what form,  for certain categories of persons?

 6: contexts and  extent of State immunity/access for acts of hacking,  unauthorised access etc

6 b)  legal mandates to share data with (IT)  intermediaries. Data Protection? 

7 Should the State be obliged to record or disclose surveillance technology/access ? To whom? What form? 
Should these records be accessible ?

8. Practicality and Feaseability  under the Indian federal constitutional framework,

9. steps  to improve  cyber security of the Nation and its assets?
Is there a need for a separate authority or organisation to (i) investigate cyber security vulnerabilities for threat assessment relating to cyber-attacks and (ii) to ensure cybersecurity of public and private digital infrastructure?

10. What laws and safeguards should be put in place by the State to protect its citizens from targeted surveillance by non-State/private entities and foreign agencies?

11 Any other suggestion