Monday, July 19, 2021

CRIMINAL CAPITALI$M
Lordstown Motors acknowledges subpoenas, investigation

In this June 22, 2021, file photo, the Lordstown Motors Baja truck is displayed during a media tour to the Lordstown Motors complex in Lordstown, Ohio. Lordstown Motors, an Ohio company that has come under scrutiny over the number of orders it claimed it had for the electric trucks that it wants to produce, acknowledged that it has received two subpoenas from federal regulators and that prosecutors in New York have opened an investigation. The Securities and Exchange Commission asked in a pair of subpoenas for documents related to the company's merger with DiamondPeak, a special purpose acquisition company. Credit: AP Photo/David Dermer, File

Lordstown Motors, an Ohio company under scrutiny over the number of orders it claimed it had for the electric trucks that it wants to produce, acknowledged receiving two subpoenas from federal regulators and that prosecutors in New York have opened an investigation.

The Securities and Exchange Commission asked in a pair of subpoenas for documents related to the company's merger with DiamondPeak, a special purpose acquisition company.

Special purpose acquisition companies, or SPACs, have gained prominence this year as a quick route to becoming publicly traded and listing shares on an exchange.

SPACs can cut up to 75% off the time it takes for a company to get its stock trading on an exchange, versus the traditional process of an initial public offering. SPACs can also make it easier to get prospective buyers on board. Companies going the SPAC route often feel more license to highlight projections for big growth they're expecting in the future, for example. In a traditional IPO, the company is limited to listing its past performance, which may not be a great selling point for young startups that typically fail to put up big profits or revenue.

That dynamic is playing out as Lordstown's operations come under increasing scrutiny, which it was partially shielded from when it went public through a SPAC.

In this June 22, 2021, file photo, a mural is displayed on the wall outside the Lordstown Motors plant in Lordstown, Ohio. Lordstown Motors, an Ohio company that has come under scrutiny over the number of orders it claimed it had for the electric trucks that it wants to produce, acknowledged that it has received two subpoenas from federal regulators and that prosecutors in New York have opened an investigation. The Securities and Exchange Commission asked in a pair of subpoenas for documents related to the company's merger with DiamondPeak, a special purpose acquisition company. Credit: AP Photo/David Dermer, File

In this June 22, 2021, file photo, employees stand near Endurance truck beds during a media tour of the Lordstown Motors complex in Lordstown, Ohio. Lordstown Motors, an Ohio company that has come under scrutiny over the number of orders it claimed it had for the electric trucks that it wants to produce, acknowledged that it has received two subpoenas from federal regulators and that prosecutors in New York have opened an investigation. The Securities and Exchange Commission asked in a pair of subpoenas for documents related to the company's merger with DiamondPeak, a special purpose acquisition company. Credit: AP Photo/David Dermer, File

Last month, Lordstown acknowledged that it had no firm orders for its vehicles days after its president said the company had enough of them to maintain production through 2022.

The company's CEO and chief financial officer resigned the same week.

In its regulatory filing with the SEC, Lordstown said that the U.S. Attorney's Office for the Southern District of New York is "investigating these matters."

It said that it is cooperating with all investigations and inquiries.

Shares of Lordstown Motors Corp., which have been hammered in recent weeks, fell 2% Friday. The shares are down almost 60% since the start of the year.

There are now questions about whether Lordstown, which is named after a village just west of Youngstown, Ohio, has enough funding to continue operations. Last month Angela Strand, the company's new chairwoman, said that the developments won't interrupt the company's day-to-day operations or its plans to start making its electric truck called the Endurance

Lordstown Motors' rough road continues; CEO and CFO are out

© 2021 The Associated Press.

Consumer watchdog sues Amazon to push recall of 'potentially hazardous' products

by Brett Molina

The Consumer Product Safety Commission said it is suing Amazon to push the recall of several products they say are "potentially hazardous."

In a statement, the consumer agency said the tech giant is legally responsible for recalling the products, claiming many "are defective and pose a risk of serious injury or death to consumers."

Among the products cited by the CPSC include 24,000 faulty carbon monoxide detectors that fail to alert and children's sleepwear that violate the flammable fabric safety standard.

"We must grapple with how to deal with these massive third-party platforms more efficiently, and how best to protect the American consumers who rely on them," said Robert Adler, acting chairman of the CPSC, in a statement.

Amazon could not be immediately reached for comment. In a statement to CNN, Amazon said the company takes quick action when alerted to products with safety issues.

"We are unclear as to why the CPSC has rejected that offer or why they have filed a complaint seeking to force us to take actions almost entirely duplicative of those we've already taken," said Amazon in its statement to CNN.

This is not the first time this year the CPSC has clashed with a company over recalls. In April, Peloton initially resisted a push by the agency to recall some of its treadmills after the CPSC warned owners with small kids and pets to stop using them, citing serious risks including death. Roughly a month later, both the CPSC and Peloton jointly announced voluntary recalls, and the fitness company's CEO apologized for fighting back against regulators.

Peloton recalls treadmills following child's death, numerous injuries

Misconceptions plague security and privacy tools

by Daniel Tkacik, Carnegie Mellon University

As ransomware attacks continue to rise, tools to protect security and privacy are important. But if you think surfing the web via private browsing mode, virtual private networks (VPNs), or Tor browser protects you from security threats, you're wrong, but you're also not alone.

According to a new study out of Carnegie Mellon University CyLab, people hold a myriad of misconceptions about the security and privacy tools out there meant to help protect our privacy and online security. The study was presented at this week's Privacy Enhancing Technologies Symposium.

"There are certainly some people who know everything about these tools and can answer questions about them correctly, but that's far from the norm," says CyLab's Peter Story, a Ph.D. student in the Institute for Software Research (ISR) and the lead author of the study.

The researchers conducted a survey of 500 demographically representative U.S. participants to measure their use of and perceptions of five web-browsing-related tools: private browsing, VPNs, Tor Browser, ad blockers and antivirus software. Participants were asked how effective each tool would be in a variety of scenarios, such as preventing hackers from gaining access to their device, or preventing law enforcement from seeing the websites they visit.

For all but one scenario—whether different tools would prevent friends or family with physical access to your device from seeing the websites you visit in your browser history—participants answered more than half of the assessment questions incorrectly.

"People know some things about what these tools can do, but they often assume incorrectly that the tools can do other things as well," says Norman Sadeh, a professor in the ISR and the study's principal investigator. "People who are more familiar with these tools may be more likely to answer a question about them—either correctly or incorrectly—than recognize they are unsure."

For example, one participant said that private browsing can be effective at preventing their employer from seeing the browsing they do on the employer's network. But this is false.

"Private browsing does not keep your history," the participant explained.

This is true, Story says, but when you're connected to someone else's network, the administrator can see which websites you are talking to by nature of the company or organization being in control of it. Private browsing does nothing to shield that from your employer. However, Story says, using a VPN or Tor Browser can prevent your employer from seeing what websites you visit.

Perhaps the most concerning misconception participants had is that they often conflated privacy protections of tools with security protections.

"Some participants suggested that private browsing, VPNs, and Tor Browser would also protect them from security threats," Story says. "This misconception might lead risky behavior."

Given the vast array of misconceptions—as well as the feeling of resignation of many participants who felt that there was nothing they could really do to protect themselves—the researchers suggest some recommendations for designing "nudging" interventions. "Nudging" interventions might be used to promote security and privacy tools and to help people use them effectively.

"We think interventions should warn people not to assume tools do more than they actually do," says Story. "It seems especially important to remind people that privacy-focused tools like private browsing do not provide security protections, such as against malware."

The researchers also suggest reassuring users of the efficacy of the tools, emphasizing the lack of effectiveness of other tools and practices in preventing certain threats, and of course, interventions should debunk common misconceptions.

Private browsing: What it does – and doesn't do – to shield you from prying eyes on the web

Provided by Carnegie Mellon University

Cryptographic vulnerabilities on popular Telegram messaging platform

by Royal Holloway, University of London

Credit: CC0 Public Domain

Researchers from Royal Holloway, University of London are part of a team who have completed a substantial security analysis of the encryption protocol used by the popular messaging platform, Telegram, with over half a billion monthly active users.

Cryptography is the science protecting information from eavesdropping or tampering. We use it every day when we browse the web, make a bank transaction or chat on WhatsApp or Telegram. Cryptographers secure computer and information technology systems by creating and studying, for example, algorithms for encryption or for digital signatures.

As a result of their work, the researchers found several cryptographic weaknesses in the protocol that ranged from technically trivial and easy to exploit, to more advanced.

The team included Chair of Information Security and Director of the Cryptography Group, Professor Martin Albrecht and Ph.D. researcher, Lenka Mareková, from the Information Security Group (ISG) at Royal Holloway, along with Professor Kenneth G. Paterson and Dr. Igors Stepanovs, from the Applied Cryptography Group at ETH Zurich.

Talking about the findings, Professor Martin Albrecht, said: "The results from our analysis show that for most users, the immediate risk is low, but these vulnerabilities highlight that prior to our work, Telegram fell short of the cryptographic guarantees given by other deployed cryptographic protocols such as Transport Layer Security (TLS)."

TLS is a cryptographic protocol designed to provide communications security over a computer network and is widely used in applications such as web browsing, instant messaging and email.

He added: "Our work was motivated by other research we have recently done in the Information Security Group at Royal Holloway, which examined the use of technology by participants in large-scale protests such as those seen in 2019/2020 in Hong Kong. Our findings were that protesters critically relied on Telegram to coordinate their activities, but that Telegram had not received a security check from cryptographers."

Telegram uses its bespoke "MTProto' protocol to secure communication between its users and its servers as a replacement for the industry standard TLS protocol.

By default, Telegram only offers a basic level of protection by encrypting traffic between clients and servers. In contrast, end-to-end encryption, which would protect communication also from the prying eyes of Telegram employees or anyone who breaks into Telegram's servers, is only optional and not available for group chats. Since prior research indicated that many users in higher risk environments rely on these group chats, the research team focussed their efforts on the use of MTProto to secure communication between Telegram clients and servers.

For more information on the vulnerabilities that were discovered, click here.

However, the results also show that Telegram's MTProto can provide security comparable to TLS after the changes suggested by the research team were adopted and if special care is taken when implementing the protocol. The Telegram developers have told the research team that they have adopted these changes.

This good news comes with significant caveats:

Cryptographic protocols like MTProto are built from cryptographic building blocks such as hash functions, block ciphers and public-key encryption. In a formal security analysis, the security of the protocol is reduced to the security of its building blocks. This is no different to arguing that a car is road safe if its tires, brakes and indicator lights are fully functional. In the case of Telegram, the security requirements on the building blocks are unusual and because of this, these requirements have not been studied in previous research. Other cryptographic protocols such as TLS do not have to rely on these special assumptions.

The researchers only studied three official Telegram clients and no third-party clients. However, some of these third-party clients have substantial user bases. Here, the brittleness of the MTProto protocol is a cause for concern if the developers of these third-party clients are likely to make mistakes in implementing the protocol in a way that avoids, e.g. the timing leaks mentioned above. Alternative design choices for MTProto would have made the task significantly easier for the developers.

UPDATE (7/17/2021): These findings helped further improve the security of the protocol: the latest versions of official Telegram apps already contain the changes that make the four observations made by the researchers no longer relevant: telegra.ph/LoU-ETH-4a-proof-07-16

Telegram app raises $1 bn by selling bonds: founder

More information: The analysis is available online: mtpsym.github.io/

Provided by Royal Holloway, University of London

Probe: Journalists, activists among Israel firm's spyware targets

Frank Bajak
The Associated Press Staff
Published Sunday, July 18, 2021

In this July 3, 2020, file photo, Hatice Cengiz, the fiancee of slain Saudi journalist Jamal Khashoggi, talks to members of the media in Istanbul. (AP Photo/Emrah Gurel, File)

BOSTON -- An investigation by a global media consortium based on leaked targeting data provides further evidence that military-grade malware from Israel-based NSO Group, the world's most infamous hacker-for-hire outfit, is being used to spy on journalists, human rights activists and political dissidents.

From a list of more than 50,000 cellphone numbers obtained by the Paris-based journalism nonprofit Forbidden Stories and the human rights group Amnesty International and shared with 16 news organizations, journalists were able to identify more than 1,000 individuals in 50 countries who were allegedly selected by NSO clients for potential surveillance.

They include 189 journalists, more than 600 politicians and government officials, at least 65 business executives, 85 human rights activists and several heads of state, according to The Washington Post, a consortium member. The journalists work for organizations including The Associated Press, Reuters, CNN, The Wall Street Journal, Le Monde and The Financial Times.

Related Stories

Microsoft says it blocked spying on rights activists, others

Foreign interference by Saudi Arabia, China, Rwanda hurts democracy: report

NSO Group denied in an emailed response to AP questions that it has ever maintained "a list of potential, past or existing targets." In a separate statement, it called the Forbidden Stories report "full of wrong assumptions and uncorroborated theories."

The company reiterated its claims that it only sells to "vetted government agencies" for use against terrorists and major criminals and that it has no visibility into its customers' data. Critics call those claims dishonest -- and have provided evidence that NSO directly manages the high-tech spying. They say the repeated abuse of Pegasus spyware highlights the nearly complete lack of regulation of the private global surveillance industry.

The source of the leak -- and how it was authenticated -- was not disclosed. While a phone number's presence in the data does not mean an attempt was made to hack a device, the consortium said it believed the data indicated potential targets of NSO's government clients. The Post said it identified 37 hacked smartphones on the list. The Guardian, another consortium member, reported that Amnesty had found traces of Pegasus infections on the cellphones of 15 journalists who let their phones be examined after discovering their number was in the leaked data.

The most numbers on the list, 15,000, were for Mexican phones, with a large share in the Middle East. NSO Group's spyware has been implicated in targeted surveillance chiefly in the Middle East and Mexico. Saudi Arabia is reported to be among NSO clients. Also on the lists were phones in countries including France, Hungary, India, Azerbaijan, Kazakhstan and Pakistan.

"The number of journalists identified as targets vividly illustrates how Pegasus is used as a tool to intimidate critical media. It is about controlling public narrative, resisting scrutiny, and suppressing any dissenting voice," Amnesty quoted its secretary-general, Agnes Callamard, as saying.

In one case highlighted by the Guardian, Mexican reporter Cecilio Pineda Birto was assassinated in 2017 a few weeks after his cell phone number appeared on the leaked list.

AP's director of media relations, Lauren Easton, said the company is "deeply troubled to learn that two AP journalists, along with journalists from many news organizations" are on the list of the 1,000 potential targets for Pegasus infection. She said the AP was investigating to try to determine if its two staffers' devices were compromised by the spyware.

The consortium's findings build on extensive work by cybersecurity researchers, primarily from the University of Toronto-based watchdog Citizen Lab. NSO targets identified by researchers beginning in 2016 include dozens of Al-Jazeera journalists and executives, New York Times Beirut bureau chief Ben Hubbard, Moroccan journalist and activist Omar Radi and prominent Mexican anti-corruption reporter Carmen Aristegui. Her phone number was on the list, the Post reported. The Times said Hubbard and its former Mexico City bureau chief, Azam Ahmed, were on the list.

Two Hungarian investigative journalists, Andras Szabo and Szabolcs Panyi, were among journalists on the list whose phones were successfully infected with Pegasus, the Guardian reported.

Among more than two dozen previously documented Mexican targets are proponents of a soda tax, opposition politicians, human rights activists investigating a mass disappearance and the widow of a slain journalist. In the Middle East, the victims have mostly been journalists and dissidents, allegedly targeted by the Saudi and United Arab Emirates governments.

The consortium's "Pegasus Project" reporting bolsters accusations that not just autocratic regimes but democratic governments, including India and Mexico, have used NSO Group's Pegasus spyware for political ends. Its members, who include Le Monde and Sueddeutsche Zeitung of Germany, are promising a series of stories based on the leak.

Pegasus infiltrates phones to vacuum up personal and location data and surreptitiously control the smartphone's microphones and cameras. In the case of journalists, that lets hackers spy on reporters' communications with sources.

The program is designed to bypass detection and mask its activity. NSO Group's methods to infect its victims have grown so sophisticated that researchers say it can now do so without any user interaction, the so-called "zero-click" option.

In 2019, WhatsApp and its parent company Facebook sued NSO Group in U.S. federal court in San Francisco, accusing it of exploiting a flaw in the popular encrypted messaging service to target -- with missed calls alone -- some 1,400 users. NSO Group denies the accusations.

The Israeli company was sued the previous year in Israel and Cyprus, both countries from which it exports products. The plaintiffs include Al-Jazeera journalists, as well as other Qatari, Mexican and Saudi journalists and activists who say the company's spyware was used to hack them.

Several of the suits draw heavily on leaked material provided to Abdullah Al-Athbah, editor of the Qatari newspaper Al-Arab and one of the alleged victims. The material appears to show officials in the United Arab Emirates discussing whether to hack into the phones of senior figures in Saudi Arabia and Qatar, including members of the Qatari royal family.

NSO Group does not disclose its clients and says it sells its technology to Israeli-approved governments to help them target terrorists and break up pedophile rings and sex- and drug-trafficking rings. It claims its software has helped save thousands of lives and denies its technology was in any way associated with Khashoggi's murder.

NSO Group also denies involvement in elaborate undercover operations uncovered by The AP in 2019 in which shadowy operatives targeted NSO critics including a Citizen Lab researcher to try to discredit them.

Last year, an Israeli court dismissed an Amnesty International lawsuit seeking to strip NSO of its export license, citing insufficient evidence.

NSO Group is far from the only merchant of commercial spyware. But its behavior has drawn the most attention, and critics say that is with good reason.

Last month, it published its first transparency report, in which it says it has rejected "more than $300 million in sales opportunities as a result of its human rights review processes." Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation and a strident critic, tweeted: "If this report was printed, it would not be worth the paper it was printed on."

A new, interactive online data platform created by the group Forensic Architecture with support from Citizen Lab and Amnesty International catalogs NSO Group's activities by country and target. The group partnered with filmmaker Laura Poitras, best known for her 2014 documentary "Citzenfour" about NSA whistleblower Edward Snowden, who offers video narrations.

"Stop what you're doing and read this," Snowden tweeted Sunday, referencing the consortium's findings. "This leak is going to be the story of the year."

Since 2019, the U.K. private equity firm Novalpina Capital has controlled a majority stake in NSO Group. Earlier this year, Israeli media reported the company was considering an initial public offering, most likely on the Tel Aviv Stock Exchange.

Israeli Pegasus spyware used 'zero click-attack' to infect smartphones

An Israeli firm accused of supplying spyware to governments has been linked to a list of tens of thousands of smartphone numbers, including those of activists, journalists, business executives and politicians around the world, according to reports. FRANCE 24's Peter O'Brien tells us more.

1,000 journalists, politicians and activists targeted by Pegasus spyware

Activists, journalists and politicians around the world have been spied on using cellphone malware developed by a private Israeli firm, reports said Sunday, igniting fears of widespread privacy and rights abuses. The use of the software, called Pegasus and developed by Israel's NSO group, was reported on by the Washington Post, the Guardian, Le Monde and other news outlets who collaborated on an investigation into a data leak. The leak was of a list of up to 50,000 phone numbers believed to have been identified as people of interest by clients of NSO since 2016, the reports said. Journalist and Founder, Forbidden Stories, Laurent Richard tells us more.

50,000 phone numbers worldwide on list linked to Israeli spyware: reports

Pegasus activates a phone's camera and microphone, acting as a pocket spy.

The NSO Group and its Pegasus malware—capable of switching on a phone's camera or microphone, and harvesting its data—have been in the headlines since 2016, when researchers accused it of helping spy on a dissident in the United Arab Emirates.

Sunday's revelations—part of a collaborative investigation by The Washington Post, The Guardian, Le Monde and other media outlets—raise privacy concerns and reveal the far-reaching extent to which the private firm's software could be misused.

The leak consists of more than 50,000 smartphone numbers believed to have been identified as connected to people of interest by NSO clients since 2016, the news organizations said, although it was unclear how many devices were actually targeted or surveilled.

NSO has denied any wrongdoing, labelling the allegations "false."

On the list were 15,000 numbers in Mexico—among them reportedly a number linked to a murdered reporter—and 300 in India, including politicians and prominent journalists.

Last week, the Indian government—which in 2019 denied using the malware to spy on its citizens, following a lawsuit—reiterated that "allegations regarding government surveillance on specific people has no concrete basis or truth associated with it whatsoever."

The Post said a forensic analysis of 37 of the smartphones on the list showed there had been "attempted and successful" hacks of the devices, including those of two women close to Saudi journalist Jamal Khashoggi, who was murdered in 2018 by a Saudi hit squad.

Among the numbers on the list are those of journalists for Agence France-Presse, The Wall Street Journal, CNN, The New York Times, Al Jazeera, El Pais, the Associated Press, Le Monde, Bloomberg, The Economist, and Reuters, The Guardian said.

The use of the Pegasus software to hack the phones of Al Jazeera reporters and a Moroccan journalist has been reported previously by Citizen Lab, a research center at the University of Toronto, and Amnesty International.

Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty originally shared the leak with the newspapers.

Pocket spy

The Post said the numbers on the list were unattributed, but other media outlets participating in the project were able to identify more than 1,000 people in more than 50 countries.

They included several members of Arab royal families, at least 65 business executives, 85 human rights activists, 189 journalists and more than 600 politicians and government officials—including heads of state, prime ministers and cabinet ministers.

Many numbers on the list were clustered in 10 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates.

Pegasus is a highly invasive tool that can switch on a target's phone camera and microphone, as well as access data on the device, effectively turning a phone into a pocket spy. In some cases, it can be installed without the need to trick a user into initiating a download.

NSO issued a denial on Sunday that focused on the report by Forbidden Stories, calling it "full of wrong assumptions and uncorroborated theories," and threatening a defamation lawsuit.

"We firmly deny the false allegations made in their report," NSO said.

It said it was "not associated in any way" with the Khashoggi murder, adding that it sells "solely to law enforcement and intelligence agencies of vetted governments".

Roughly three dozen journalists at Qatar's Al-Jazeera network had their phones targeted by Pegasus malware, Citizen Lab reported in December, while Amnesty said in June the software was used by Moroccan authorities on the cellphone of Omar Radi, a journalist convicted over a social media post.

Founded in 2010 by Israelis Shalev Hulio and Omri Lavie, NSO Group is based in the Israeli hi-tech hub of Herzliya, near Tel Aviv.

Pegasus spyware affair 'completely unacceptable' if true: EU chief

European Commission chief Ursula von der Leyen said Monday the spyware scandal involving an Israeli software firm and up to 50,000 smartphone numbers was "completely unacceptable" if true.

"This has to be verified, but if it is the case, it is completely unacceptable," she told reporters in Prague.

Media outlets including The Washington Post, The Guardian and Le Monde drew links Sunday between the Israel-based NSO Group, accused of supplying spyware to governments, and a list of tens of thousands of smartphone numbers, including those of activists, journalists, business executives and politicians around the world.

Von der Leyen, who was in Prague to present a Czech post-COVID recovery plan worth 7 billion euros ($8.2 billion) approved by the EU, slammed the alleged attack on journalists' phones.

"Free press is one of the core values of the European Union," she said after meeting Czech Prime Minister Andrej Babis.

NSO has denied any wrongdoing.

Founded in 2010 by Israelis Shalev Hulio and Omri Lavie, NSO Group is based in the Israeli hi-tech hub of Herzliya, near Tel Aviv.

Pegasus spyware: how does it work?

by Katy Lee

More recent versions of Pegasus have exploited weak spots in software commonly installed on mobile phones.

Governments around the world are facing bombshell allegations that they used Israeli-made malware to spy on the phones of activists, journalists, corporate executives and politicians.

But how exactly does the Pegasus spyware work? How does it get onto people's phones—and what can it do once it's there?

How does Pegasus sneak its way onto a phone?

Researchers believe that early versions of the hacking software, first detected in 2016, used booby-trapped text messages to install itself onto the phones of targets.

The recipient would have to click on a link in the message in order for the spyware to download.

But this limited the chances of a successful installation—particularly as phone users have grown increasingly wary of clicking on suspicious links.

More recent versions of Pegasus, developed by the Israeli firm the NSO Group, have exploited weak spots in software commonly installed on mobiles.

In 2019 the messaging service WhatsApp sued NSO, saying it used one of these so-called "zero-day vulnerabilities" in its operating system to install the spyware on some 1,400 phones.

By simply calling the target through WhatsApp, Pegasus could secretly download itself onto their phone—even if they never answered the call.

More recently, Pegasus is reported to have exploited weaknesses in Apple's iMessage software.

That would potentially give it access to the one billion Apple iPhones currently in use—all without the owners needing to even click a button.

What does the malware do once it's installed?

"Pegasus is probably one of the most capable remote access tools there is," said Alan Woodward, cybersecurity professor at the University of Surrey in the UK.

"Think of it as if you've put your phone in someone else's hands."

It can be used to read the target's messages and emails, look through the photos they've taken, eavesdrop on their calls, track their location and even film them through their camera.

Pegasus' developers have got "better and better at hiding" all trace of the software, making it difficult to confirm whether a particular phone has been bugged or not, Woodward said.

That is why it remains unclear how many people have had their devices tapped, although new reports by international media say more than 50,000 phone numbers had been identified as being of interest to NSO clients.

However, Amnesty International's Security Lab, one of the organisations investigating Pegasus, said it had found traces of successful attacks on Apple iPhones as recently as this month

How did NSO develop such powerful spyware?

Multi-billion-dollar tech companies like Apple and Google invest vast amounts of cash each year in making sure they aren't vulnerable to hackers who could bring their systems crashing down.

They even offer "bug bounties" to hackers, paying handsome rewards if they warn the company about flaws in their software before they can be used to launch an attack.

Woodward said Apple, which prides itself on a reputation for security, had "made some fairly big efforts" to identify weak spots.

But "inevitably there will be one or two" flaws in such complex software.

Analysts also believe NSO, whose staff includes elite former members of the Israeli military, likely keeps a close eye on the dark web, where hackers frequently sell information about security flaws they have found.

"It's also worth saying that not everyone has an up-to-date phone with up-to-date software on it," Woodward added.

"Some of the old vulnerabilities that Apple has closed down, and which Google have closed down with Android—they can still be out there."

Is it possible to remove the spyware?

Since it's extremely difficult to know for sure if your phone is carrying the malware, it's also difficult to know definitively that it has been removed.

Woodward said Pegasus may install itself onto the phone's hardware or into its memory, depending on the version.

If it's stored in the memory, rebooting the phone could in theory wipe it off—so he recommended that people at risk of being targeted, such as business leaders and politicians, regularly switch their devices off and on again.

"It sounds like overkill to a lot of people, but there is anti-malware software out there for mobile devices," he added.

"If you're someone at risk, you probably want to have some anti-malware software installed on your phone."

Spyware campaign targeted journalists, activists: researchers

Researchers say a sophisticated spyware campaign was used to target activists, journalists and others.

A spyware campaign using tools from a secretive Israeli firm was used to attack and impersonate dozens of human rights activists, journalists, dissidents, politicians and others, researchers said Thursday.

Statements from Microsoft security researchers and the University of Toronto's Citizen Lab said powerful "cyberweapons" were being used in precision attacks targeting more than 100 victims around the world.

Microsoft said it patched this week the vulnerability exploited by the group, known by the names Candiru and Sourgum.

Citizen Lab said in a blog post that "Candiru is a secretive Israel-based company that sells spyware exclusively to governments," which can then use it to "infect and monitor iPhones, Androids, Macs, PCs, and cloud accounts."

"We found many domains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement, as well as media companies, and other civil-society themed entities," Citizen Lab said.

Microsoft observed at least 100 victims in the Palestinian territories, Israel, Iran, Lebanon, Yemen, Spain, Britain, Turkey, Armenia and Singapore.

The US tech firm said it moved to thwart the attacks with Windows software updates that prevent Candiru from delivering its malware.

"Microsoft has created and built protections into our products against this unique malware, which we are calling DevilsTongue," a Microsoft statement said.

"We have shared these protections with the security community so that we can collectively address and mitigate this threat."

According to Microsoft, DevilsTongue was able to infiltrate popular websites such as Facebook, Twitter, Gmail, Yahoo and others to collect information, read the victim's messages and retrieve photos.

"DevilsTongue can also send messages as the victim on some of these websites, appearing to any recipient that the victim had sent these messages," said the statement from Microsoft Threat Intelligence Center.

"The capability to send messages could be weaponized to send malicious links to more victims."

Citizen Lab researchers found evidence the spyware can exfiltrate private data from a number of apps and accounts, including Gmail, Skype, Telegram and Facebook.

It can also capture browsing history and passwords, as well as turn on the target's webcam and microphone, according to the findings.

Citizen Lab said the Israeli firm's current name is Saito Tech Ltd, and that it has some of the same investors and principals as NSO Group, another Israeli firm under scrutiny for surveillance software.

Trump hacker and friends on a mission to fix the internet

by Katy Lee

Victor Gevers describes himself and other ethical hackers as a 'volunteer fire brigade' for the internet.

When a massive cyberattack took out everything from Swedish supermarkets to New Zealand kindergartens this month, a group of Dutch ethical hackers breathed a collective sigh of frustration. They had been so close to stopping it.

If the Dutch Institute for Vulnerability Disclosure (DIVD) sounds obscure, that's in keeping with its discreet presence on the internet.

This volunteer army of unpaid tech geeks have quietly prevented hundreds of cyberattacks since 2019 by finding holes in websites and software that could be exploited by hackers.

"You can see us as a volunteer fire brigade," said DIVD chairman Victor Gevers in an interview from his home in The Hague, a dog yapping at his ankles.

"Your house is on fire, there's flames coming out of it, and then random people with a Dutch accent show up and start putting out the fire."

The bearded hacker declined to give his age, but he has been carrying out these "responsible disclosures" for the best part of two decades.

Most famously, he successfully accessed Donald Trump's Twitter account—not once, but twice.

'Oh God, why him?'

Just before the 2016 US election swept Trump to power, Gevers and two friends decided to make sure the then-candidate wasn't using a password that had previously been leaked online.

Gevers managed to access Trump's Twitter account twice, once using the password 'yourefired' and then the password 'maga2020!'

A huge hack of LinkedIn revealed that the password "yourefired"—Trump's catchphrase from his days on TV show The Apprentice—had been used for an account in his name on the business networking site.

And after trying the same password on Twitter alongside several different email addresses, the Dutch hackers were horrified to see Trump's personal page load up before their eyes.

They rushed to inform Trump's campaign and US authorities, stressing that if they could access his account, so might more malevolent hackers. But they never heard back.

So when Gevers succeeded in hacking Trump's Twitter again last year—this time, with the password "maga2020!"—his heart sank.

"Honestly, it was like, 'Oh God, why him?'," Gevers recalled. He knew that he would again have to make rigorous efforts to contact Trump, which would likely be ignored—all the while leaving his account open to attack.

That was an alarming prospect. Trump's febrile Twitter presence gave him a megaphone to directly address some 90 million people. And as the violence at the US Capitol showed a few months later, his posts were capable of fuelling an incendiary atmosphere.

There was a tweet that said something like, 'start throwing axes at police officers'," Gevers said. "There would be a lot of followers who blindly followed him."

This time, instead of being ignored, Gevers' hack sparked international headlines and a stressful criminal investigation.

The Kaseya ransomware attack forced Swedish supermarket chain Coop to shut hundreds of stores.

While the White House denied it had ever happened, Dutch prosecutors said in December that they were satisfied Gevers had indeed accessed Trump's account.

And fortunately for Gevers, they determined that he "met the criteria that have been developed in case law to go free as an ethical hacker".

Racing against 'the bad guys'

This law makes it easier for ethical hackers to operate in the Netherlands than countries like the US or UK, where forays into people's accounts—even when well-intentioned—run greater legal risks, says Gevers.

He has also founded the GDI, a similar "online fire brigade" working internationally, from India to Portugal.

"We do this volunteering work because we have to leave behind something that is good for the next generation," he said.

During the pandemic, the volunteers have grown increasingly worried about weak spots in VPNs and other tools that allow computers to be managed remotely—tools that are being used more and more, with no end in sight to the working-from-home trend.

Kaseya, the Miami-based IT company targeted in a spectacular cyberattack on July 3, had been in the DIVD's sights for months. Thousands of companies use its software to manage their networks of printers and computers.

Gevers has personally carried out more than 5,000 ethical disclosures, warning organisations that they are vulnerable to hackers.

Fellow DIVD researcher Wietse Boonstra had spotted a major problem with Kaseya's software in April, and the ethical hackers had been frantically helping the company develop a fix.

To their dismay, the Russian-speaking hacking outfit REvil got there first. They exploited the vulnerability to stage a massive ransomware attack, encrypting the data of hundreds of companies and demanding $70 million in bitcoin in exchange for its release.

"It sucks," Gevers said. "I don't mind that the bad guys are faster—what I mind is that there are victims."

The hack hit around 1,500 businesses worldwide and wiped out the cash registers of Swedish supermarket chain Coop. Gevers is still working with those affected.

"If the Red Cross can help victims worldwide, why not us?" Gevers said. "The only thing is that we do it from behind a keyboard."

Trump Twitter account hacked, no charges: Dutch prosecutors

High temperatures increase workers' injury risk, whether they're outdoors or inside

by Les Dunseith, University of California, Los Angeles

A UCLA study published today shows that hot weather significantly increases the risk of accidents and injuries on the job, regardless of whether the work takes place in an indoor or outdoor setting.The report is based on data from California's workers' compensation system, the nation's largest.

"The incidence of heat illnesses like heat exhaustion and heat stroke definitely go up on hotter days," said the study's lead researcher R. Jisung Park, an assistant professor of public policy at the UCLA Luskin School of Public Affairs. "But what we found is that ostensibly unrelated incidents—like falling off a ladder or being hit by a moving truck or getting your hand caught in a machine—tend to occur more frequently on hotter days, too."

By comparing records from more than 11 million California workers' compensation claims from 2001 to 2018 to high-frequency local weather data, Park and his co-authors isolated the impact of hotter days on the number of injury claims.

The study shows that on days with high temperature above 90 degrees Fahrenheit, workers have a 6% to 9% higher risk of injuries than they do on days with high temperatures in the 50s or 60s. When the thermometer tops 100, the risk of injuries increases by 10% to 15%.

Those findings are particularly alarming in the context of climate change, which is expected to produce more high-temperature days each year. The researchers estimate that high temperatures already cause about 15,000 injuries per year in California.

"Heat is sometimes described as a silent killer," said Nora Pankratz, a UCLA postdoctoral scholar. "But if you look into the data and do the statistical analysis, you find that heat has a significant impact on mortality and health outcomes."

It's not surprising that hot weather would lead to injuries and illness among workers in predominantly outdoor industries such as agriculture, utilities and construction. But the data consistently show that industries in which most people work indoors are affected as well. In manufacturing, for example, days with high temperatures above 95 degrees have an injury risk that is approximately 7% higher than days with high temperatures in the low 60s.

"A lot of manufacturing facilities are not air conditioned," said Stanford University postdoctoral scholar A. Patrick Behrer, the study's other co-author. "Because you're inside, you don't necessarily think about the temperature as being a major threat."

The reality is that overheated workers face numerous risks, regardless of where the work occurs.

"Heat affects your physiology," Park said. "It affects your cognition. It affects your body's ability to cope. It seems possible that what we're observing in the data for these workers is that they're more likely to make mistakes or errors in judgment."

The researchers found that heat-related workplace injuries are more likely to be suffered by men and lower-income workers. In addition, younger people suffer more heat-related injuries, possibly in part because they're more likely to hold jobs with greater physical risks on construction sites, in manufacturing plants or at warehouses.

For an office worker at a computer desk, nodding off on a hot summer afternoon is unlikely to cause an injury. "But if you have a huge chainsaw in your hand, you're not in a great situation," Park said.

Among the paper's other conclusions:

The number of heat-related injuries actually declined after 2005, when California became the first state to implement mandatory heat illness prevention measures for outdoor workplaces on days when temperatures exceed 95 degrees.
The financial costs of heat-related injuries may be between $750 million and $1.25 billion per year in California alone, considering health care expenditures, lost wages and productivity, and disability claims.
Inequalities in the labor market are exacerbated in part by the fact that low-income communities tend to be situated in hotter parts of the state. People in the state's lowest household income tier are approximately five times more likely to be affected by heat-related illness or injury on the job than those in the top income tier, the study found.As heatwaves become more extreme, which jobs are riskiest?
More information: R. Jisung Park et al, Temperature, workplace safety, and labor market inequality, IZA Institute of Labor Economics, July 2021. https://www.iza.org/publications/dp/14560/temperature-workplace-safety-and-labor-market-inequality
Provided by University of California, Los Angeles

ALIENATION

Word gap: When money's tight, parents talk less to kids

by Yasmin Anwar, University of California - Berkeley

Credit: Unsplash/CC0 Public Domain

Three decades ago, child development researchers found that low-income children heard tens of millions fewer words in their homes than their more affluent peers by the time they reached kindergarten. This "word gap" was and continues to be linked to a socioeconomic disparity in academic achievement.

While parenting deficiencies have long been blamed for the word gap, new UC Berkeley research implicates the economic context in which parenting takes place—in other words, the wealth gap.

The findings, published this month in the journal Developmental Science, provide the first evidence that parents may talk less to their kids when experiencing financial scarcity.

"We were interested in what happens when parents think about or experience financial scarcity and found evidence that such strain could suppress their speech to their children," said study senior author Mahesh Srinivasan, a professor of psychology at UC Berkeley.

"Our results suggest that parenting training may not be sufficient to close the academic achievement gap without addressing the broader issue of income inequality," Srinivasan added.

The study's preliminary results lend credence to the developmental and educational benefits of such poverty-cutting government programs as the federal American Rescue Plan's Child Tax Credit and other supplemental cash payouts for needy families.

"Existing interventions toward eliminating the word gap have often focused on improving parenting skills," Srinivasan said. "But our findings suggest that relieving parents of their financial burdens, such as through direct cash transfers, could also substantially change the ways they engage with their kids."

How they conducted the study

In the first experiment, researchers sought to observe how parents would interact with their children (in this case, 3-year-olds) after the parents were asked to describe times in which they had recently experienced scarcity. A control group of parents were instead asked to describe other recent activities.

Of the 84 parents in the study, those in the experimental group who described their experiences of financial scarcity spoke less to their 3-year-olds during laboratory observations than parents who reflected on other forms of scarcity (like not having enough fruit), or parents who had not been asked to recollect experiences of resource insecurity.

The second experiment used existing data collected via LENA technology, tiny "talk pedometer" devices worn by children that record their conversations and count the words they hear and say.

As the researchers predicted, analyses revealed that parents engaged in fewer conversational turns with their children at the month's end, a time that typically coincides with money being tight as parents await paychecks or other sources of income.

"Because we had recordings from the same parents at different times of the month, we could essentially use parents as their own controls," said study lead author Monica Ellwood-Lowe, a Ph.D. student in psychology at UC Berkeley. "This allowed us to really pinpoint differences in their speech patterns when they were more or less likely to be experiencing financial strain, independent of any of their own personal characteristics."

The term "word gap" was coined in the early 1990s when University of Kansas researchers Betty Hart and Todd Risley tracked verbal interactions in the homes of 42 families to study early language development in the children's first three years.

Each day, the researchers recorded an hour of conversation in each household, then counted all the words the children heard during those recording times.

The results were detailed in their 1995 book, Meaningful Differences in the Everyday Experience of Young American Children, and in a 2003 follow-up article, "The Early Catastrophe: The 30 Million Word Gap by Age 3."

While some have questioned Hart and Risley's methodology, their basic finding has been replicated many times, prompting calls for approaches to narrow the disparity. Enter Srinivasan and his research team:

"It struck us that what was missing from the conversation about the word gap was the possibility that poverty, and the many difficult experiences associated with it, could itself affect parents' speech," Srinivasan said.

Preliminary findings support the researchers' hypothesis but also call for a deeper dive into the relationship between money worries and parents' verbal engagement with their children, he said.

"This research doesn't mean that children whose parents are struggling financially are doomed to have smaller vocabularies," Ellwood-Lowe said. "The takeaway here is really just the importance of making sure parents have the resources they need to parent."

"If you are worried about putting food on the table tonight, or scraping together money for that medical bill, or figuring out where to enroll your child in school now that you have been evicted from your neighborhood, you may be less likely to narrate the color of the sky to your child as you ride together on the bus," the study concludes.

Explore further

New study finds that iconicity in parents' speech helps children learn new words

More information: Monica E Ellwood-Lowe et al, What causes the word gap? Financial concerns may systematically suppress child-directed speech, Developmental Science

(2020). DOI: 10.31234/osf.io/byp4k

Journal information: Developmental Science

Provided by University of California - Berkeley

LA REVUE GAUCHE - Left Comment