Hi folks, it’s another week of CS 6035 Intro to Information Security! I’m going to talk about a recent CVE and then rehash a post from Spring 23 about the NSO Group Pegasus malware used by governments to spy on journalists, among other things.
Chrome Zero-Day Announced Last Week
On Wednesday this came out:
A new Chrome 0-day is sending the Internet into a new chapter of Groundhog Day
The sub-headline: “If your software package involves VP8 video encoding, it’s likely vulnerable to attack.”
There’s not much of an explanation of what this vulnerability actually does:
… stem from buffer overflows that allow remote code execution with little or no interaction on the part of an end user other than to visit a malicious webpage.
OK, that’s bad, and it mirrors another CVE that was released on September 11. That one only identified Chrome as vulnerable; this new one identifies the libvpx library itself as vulnerable. That expands the area of concern quite a bit, because a plethora of software developers use libvpx. It’s apparently only a concern if they are using libvpx for VP8 encoding; decoding is not affected by this bug. So the fact that you use libvpx doesn’t by itself mean you have a problem on your hands. It’s how you use it, and “how you use it” is not always obvious: a browser that you think of as a video viewer also encodes VP8 when it sends video over WebRTC, which is why a malicious web page can reach the encoder at all.
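To make the encoding-only point concrete, here is an added toy model of the bug class the article describes (a heap buffer overflow in an encoder), written for this post and not taken from libvpx, Chrome, or the CVE write-up. It does not reproduce the real bug’s internals; it models one common way encoder buffer overflows arise: a working buffer is allocated for the initial frame size, the caller later reconfigures the encoder to a larger frame, and the old buffer is reused. The `toy_` names, `TOY_MAX_DIM`, and the luma-only frame layout are all hypothetical. The unsafe and hardened reconfiguration paths sit side by side so you can see exactly which check is missing.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical encoder model; not libvpx code. */
#define TOY_MAX_DIM 16384

typedef struct {
    int width;
    int height;
    size_t buf_len;   /* bytes actually allocated for buf */
    uint8_t *buf;     /* working buffer each frame is written into */
} toy_encoder;

/* 8-bit luma plane only; enough to show the sizing problem. */
static size_t toy_frame_bytes(int w, int h)
{
    return (size_t)w * (size_t)h;
}

toy_encoder *toy_encoder_init(int w, int h)
{
    if (w <= 0 || h <= 0 || w > TOY_MAX_DIM || h > TOY_MAX_DIM)
        return NULL;
    toy_encoder *e = calloc(1, sizeof *e);
    if (!e) return NULL;
    e->buf_len = toy_frame_bytes(w, h);
    e->buf = malloc(e->buf_len);
    if (!e->buf) { free(e); return NULL; }
    e->width = w;
    e->height = h;
    return e;
}

void toy_encoder_free(toy_encoder *e)
{
    if (!e) return;
    free(e->buf);
    free(e);
}

/* Bug class: the configured frame size changes, but the buffer that was
 * allocated for the old size is kept. Every later frame now "fits" on paper
 * and overflows in memory. */
void toy_change_config_unsafe(toy_encoder *e, int w, int h)
{
    e->width = w;
    e->height = h;
}

/* Hardened: validate the request and grow the buffer before accepting it.
 * Returns 0 on success, -1 if the request is rejected or memory runs out. */
int toy_change_config_safe(toy_encoder *e, int w, int h)
{
    if (w <= 0 || h <= 0 || w > TOY_MAX_DIM || h > TOY_MAX_DIM)
        return -1;
    size_t need = toy_frame_bytes(w, h);
    if (need > e->buf_len) {
        uint8_t *n = realloc(e->buf, need);
        if (!n) return -1;
        e->buf = n;
        e->buf_len = need;
    }
    e->width = w;
    e->height = h;
    return 0;
}

/* The invariant a fuzzer or ASan would see violated: the bytes the next
 * frame writes must fit in the buffer. Returns 1 if they do not. */
int toy_next_frame_overflows(const toy_encoder *e)
{
    return toy_frame_bytes(e->width, e->height) > e->buf_len;
}

/* Encode one frame (width*height bytes) into the working buffer. This
 * version refuses instead of overflowing; an encoder that trusts its own
 * width/height after an unchecked reconfiguration would just memcpy.
 * Returns bytes written, or -1. */
long toy_encode_frame(toy_encoder *e, const uint8_t *frame, size_t frame_len)
{
    size_t need = toy_frame_bytes(e->width, e->height);
    if (frame_len < need || need > e->buf_len)
        return -1;
    memcpy(e->buf, frame, need);
    return (long)need;
}

int main(void)
{
    uint8_t big[128 * 128];            /* constructed sample frame */
    memset(big, 0x80, sizeof big);

    toy_encoder *e = toy_encoder_init(64, 64);
    printf("64x64 frame: %ld bytes\n", toy_encode_frame(e, big, 64 * 64));
    toy_change_config_unsafe(e, 128, 128);
    printf("after unsafe reconfig, next frame overflows: %d\n",
           toy_next_frame_overflows(e));
    printf("safe reconfig: %d, overflows now: %d, 128x128 frame: %ld bytes\n",
           toy_change_config_safe(e, 128, 128), toy_next_frame_overflows(e),
           toy_encode_frame(e, big, sizeof big));
    toy_encoder_free(e);
    return 0;
}
```

The takeaway for triage is the one the article makes: only code that drives the encoder (init, reconfigure, encode) can hit this kind of path, so an application that links the library but only ever decodes never calls the vulnerable routine. The practical check is therefore not “do we link libvpx?” but “do we call its VP8 encoder, directly or through something like WebRTC?”, followed by updating the library wherever the answer is yes.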
When Our Friends are Making the Malware that Spies on Us
Did you know that Israel allows development of software that is illegal for the US government to use? There are two companies I’m aware of, NSO Group with the famous Pegasus software/malware, and QuaDream, makers of competing malware. Now I see that in August QuaDream shut down:
Offensive cyber company QuaDream shutting down amidst spyware accusation
Despite being banned in the US, these spyware companies did (and NSO Group continues to do) a thriving business out of Israel. Here’s an article by Haaretz about the Citizen Lab report on QuaDream.
I’m going to recycle a post I made at the end of the Spring 23 semester. The rest of this is from five months ago, when the use of NSO Group’s and QuaDream’s tools against journalists was in the news:
What does this mean to you? In theory, this state-actor hacking, to the extent they are not legitimately going after bad guys, is quite offensive to a free society. It may not affect you directly but you should find it offensive that it can happen to the supposedly free press.
The idea that governments exert influence on news and social media organizations is a hot topic right now. Yet there are many documented examples, involving NSO Group’s Pegasus spyware and now QuaDream’s Reign software, showing that this type of tool, in the hands of the wrong government(s), is subject to abuse.
The people in the latest Citizen Lab exposé who were hacked with QuaDream’s tools have not had their names made public yet. They are identified as “journalists, politicians and a civil society activist”: certainly not the people you would expect to be on a Pegasus- or QuaDream-using government’s list of surveillance targets.
If you find this subject interesting, I suggest you spend some time at the Citizen Lab site looking at the abuses committed with these state-directed malware tools:
You can just search for terms like Pegasus and see a good history, or check out some of these articles:
PEGASUS / NSO GROUP
- Peace through Pegasus – Jordanian Human Rights Defenders and Journalists Hacked with Pegasus Spyware
- The Washington Post — A UAE agency put Pegasus spyware on phone of Jamal Khashoggi’s wife months before his murder, new forensics show
- HIDE AND SEEK — Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries
REIGN / QUADREAM
- Israel-based Spyware Firm QuaDream Targets High-Risk iPhones with Zero-Click Exploit
- Microsoft — DEV-0196: QuaDream’s “KingsPawn” malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia
Featured image generated on Canva