American diplomats’ iPhones reportedly compromised by NSO Group intrusion software • The Register

Voice Of EU

Published

on

The Apple iPhones of at least nine US State Department officials were compromised by an unidentified entity using NSO Group’s Pegasus spyware, according to a report published Friday by Reuters.

NSO Group, in an email to The Register, said it has blocked an unnamed customer’s access to its system upon receiving an inquiry about the incident but has yet to confirm whether its software was involved.

“Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations,” an NSO spokesperson told The Register in an email. “To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case.”

The Israel-based company, recently sanctioned by the US for allegedly offering its intrusion software to repressive regimes and sued by both Apple and Meta’s (Facebook’s) WhatsApp for allegedly supporting the hacking of their customers, says that it will cooperate with any relevant government authority and pass on what it learns from its investigation of the incident.

The spyware company insisted it is unaware of the targets designated by customers using its software.

“To clarify, the installation of our software by the customer occurs via phone numbers. As stated before, NSO’s technologies are blocked from working on US (+1) numbers,” NSO’s spokesperson said. “Once the software is sold to the licensed customer, NSO has no way to know who the targets of the customers are, as such, we were not and could not have been aware of this case.”

According to Reuters, affected State Department personnel were based in Uganda or were focused on matters related to that country and so had phone numbers with a foreign country prefix rather than the US prefix.

On November 23rd, when Apple announced its lawsuit against the NSO Group, the iPhone maker also said that it will notify iPhone customers targeted by state-sponsored hacking. That same day, Norbert Mao, a lawyer and President of the Democratic Party in Uganda, posted on Twitter that he’d received an Apple threat notification.

In June, the Washington Post reported that NSO’s Pegasus software was implicated in the attempted or successful hacking of 37 phones belonging to journalists and rights advocates, including two women close to murdered Saudi journalist Jamal Khashoggi. The report said the findings undermined NSO Group’s claims that its software was only licensed for fighting terrorists and for law enforcement.

That same month, the NSO Group published its 2021 Transparency and Responsibility Report [PDF], in which the company insists its software is used exclusively against groups that have few allies, like terrorists, criminals, and pedophiles.

“Myth: Pegasus is a mass surveillance tool,” the report says. “Fact: Data is collected only from individual, pre-identified suspected criminals and terrorists.”

Numerous reports from cybersecurity research and human rights groups have contradicted that assertion, to say nothing of UN, EU, and US claims about the company.

A US State Department spokesperson declined The Register’s request to confirm the Reuters report but said the State Department takes its responsibility to safeguard its information seriously. We were also told that the Biden-Harris Administration is working to limit the use of digital tools of repression.

NSO Group maintains that it has turned away $300m in revenue to date based on unresolved human rights concerns and that, between May 2020 and April 2021, it rejected 15 per cent of new business opportunities for the same reason.

The company, which does not name its customers in its Transparency and Responsibility Report but includes numerous unattributed endorsement quotations about its products, has not yet published documents that allow its claims to be verified. ®



Facebook given EU go-ahead to pursue controversial Kustomer acquisition

The EU’s antitrust chief Margrethe Vestager said she was satisfied for the company now known as Meta to pursue its Kustomer acquisition after it struck a deal for rivals.

Meta, the company formerly known as Facebook, has secured antitrust approval from the EU to pursue its acquisition of US customer services software start-up Kustomer.

The social media giant’s decision to acquire the start-up attracted EU scrutiny last April, months before its rebrand. Then known as Facebook, the company planned to integrate Kustomer’s products, including a chatbot, into its service.

Now, Meta has assured the European Commission that it will provide rivals free access to its messaging channels for 10 years.

The EU was satisfied that this addressed competition concerns which previously arose from the company’s decision to acquire Kustomer.

“Our decision today will ensure that innovative rivals and new entrants in the customer relationship management software market can effectively compete,” EU antitrust chief Margrethe Vestager said in a statement.

Last December, Vestager’s Digital Markets Act was passed by EU lawmakers as part of the body’s plans to tighten the monopoly large multinationals hold in Europe’s digital space.

Facebook had initially announced its acquisition plan in November 2020. In February 2021, the Irish Council for Civil Liberties wrote to the European Commission outlining its concerns over data that Kustomer had gathered and what might happen to that data under Facebook’s watch. The Commission also received a referral request from Austria flagging concerns over the Kustomer deal.

Other Meta acquisitions have also attracted the scrutiny of competition regulators. Last November, the UK ordered Meta to sell Giphy after its acquisition of the GIF making company was found to have breached competition rules. In the US, it is facing an antitrust suit that could force the company to sell WhatsApp and Instagram.

The EU’s decision to allow Meta to pursue the acquisition of Kustomer comes following a recent vote in the European Parliament in favour of the Digital Services Act, a companion of the Digital Markets Act. The act represents the EU’s attempt to shift the balance of power away from Big Tech in favour of ordinary people.

The long-debated act was hailed by Facebook whistleblower Frances Haugen as a “gold standard”.

Now that I’ve finally played The Last of Us, who wants to talk about that ending? | Games

“OK, Dad, this is an incredible essay on the effects of grief and grey morality in a postapocalyptic society,” says the eldest child, AKA the millennial. “It’s got proper female characters, progressive takes on sexuality and tonnes of rain.”

“They’ve made a video game of The Handmaid’s Tale?”

“No, Dad. It’s The Last of Us. Don’t worry. It’s still a zombie shooter. And both games have the best ending ever.”

Now she has my interest. Video game endings fascinate me, because my generation started out with arcade games that didn’t have them. Pac-Man kept eating dots and chasing ghosts and the Space Invaders kept coming, wave after incessant wave. The first arcade game that had an actual ending was Dragon’s Lair and nobody actually saw that because it was so hard to complete.

I have a tough start with The Last of Us because I hate games where you search for stuff in every room of a house. I spend my normal life doing that with car keys and headphones. I want games where you walk into a room and all the objects get sucked into a magic pocket. But that isn’t realistic, I hear you cry. Well, neither is only being able to carry three shivs in a world where, despite the zombie apocalypse, cargo pants clearly still exist.

I also hate any form of crafting, because that was what my generation had to do for “fun” as kids before we had video games. Whether it’s smoke bombs from sugar and explosives or a set of Action Man drawers from matchboxes, it’s all boring to me.

“Keep going,” I tell myself. “The millennial says it’s got the best ending ever.”

Throughout the first chapter of Joel and Ellie’s jaunt across a post-infected US I keep trying to guess what this great ending will be. Maybe Ellie isn’t immune to infection after all? Maybe Joel is her real father? Maybe they’re both unwitting participants in some reality TV show, I’m Infected Get Me Out of Here?

As you will all know by now – and if you’ve yet to play The Last of Us then please stop reading – the ending has Joel murder a perfectly innocent and well-intentioned doctor who wants to cut Ellie open to find a cure that will save humanity. But Joel has no truck with utilitarian philosophy, because Ellie has now become a replacement for the daughter he lost. So, he disregards mankind’s future and, by stopping the operation, effectively murders the entire human race (alongside a whole hospital’s worth of doctors).

“Why does he do that?” I asked the millennial, in one of many fantastic discussions we had about the game.

“Because he’s a white male,” came the answer, because it’s 2022 and she’s in her 20s. And maybe she’s right. Either way it is a jaw-dropping, supremely brave ending and the terrific Left Behind side-story also brought the feels.

So, when it came to The Last of Us Part 2, I was beyond excited. Fifty million hours later I was beyond disappointed.

Don’t get me wrong, the millennial nailed it when she said it was a great exploration of the effects of grief and grey morality. But after spending the whole game switching between two strong female characters (literally, have you seen Abby’s arms?) and contrasting factional creeds, you have the final confrontation. They fight. And … they both live. And go their separate ways. The only real damage is Ellie losing a couple of fingers, and the game portrays the worst consequence of this as not being able to play guitar any more. Seriously? That’s the biggest drawback to being fingerless in a zombie apocalypse? The first game ended with Joel murdering an entire civilisation, the second ends with Ellie murdering one song on a guitar. It’s a scene you might have found in The Secret of Monkey Island. It’s hilarious.

The Last of Us Part 2 leaves us with exactly the same non-ending as those original arcade games. Ellie and Abby will go on killing to keep their respective postapocalyptic factions going, both driven by the grief of murdered loved ones. They are both trapped, endlessly chasing ghosts. Sounds familiar…

The millennial says this shows there are no winners when it comes to revenge. I say they want both protagonists alive for The Last of Us 3. It’s a cynical cop out. But then, The Last of Us Part 2 is a game that features the most cynical scene ever, where apropos of nothing, after genuinely bravura portrayals of women, transgender and gay characters, alpha female Abby suddenly gets rogered from behind by some guy. It happens out of nowhere. The game spends umpteen hours portraying progressive sexuality, and then it’s like some marketing man decided they needed to toss the incels a piece of red meat to stop them hate-bombing all over 4chan (which didn’t work). It is easily the most gratuitous bit of nudity I have ever seen in games, and I have played The Witcher 3. The rogerer in question even has a girlfriend. Who is pregnant. Way to shit on a sister, Abby.

“It’s basically Pac-Man with gratuitous boobs,” I say to my eldest, who sighs and pours herself a large cup of coffee. This will be another long discussion.

Texts from HMRC could show taxpayers’ location • The Register

Exclusive: Britain’s tax collection agency asked a contractor to use the SS7 mobile phone signalling protocol that would make available location data of alleged tax defaulters, a High Court lawsuit has revealed.

Her Majesty’s Revenue and Customs had the potential to use SS7 to silently request that tax debtors’ mobile phones give up location data over the past six years, according to papers filed in an obscure court case about a contract dispute.

SMS provider MMGRP Ltd, operators of HMRC’s former 60886 text messaging service, filed a suit against the tax agency after losing the contract to send text messages on its behalf. Court documents obtained by The Register show that the secret surveillance capability was baked into otherwise mundane bulk SMS sending carried out by MMGRP Ltd.

The tax collection agency, which has the power to retrospectively change laws, had been using SMS reminder messages as an enforcement tool.

We asked HMRC for comment, posing a series of questions, including how long it had used HLR look-up techniques against taxpayers; whether HMRC obtained the necessary warrants to carry out HLR lookups and, if so, under what legislation and from which courts; how many times it had used this technique; under what circumstances it was deployed; and whether the capability is present in a contract with its new supplier.

In response, the Brit tax collection agency admitted to using home location register (HLR) checks, although it maintained: “HLR checks were used solely to check if a customer’s phone number was still active before sending a SMS message.”

What the papers say

The since-settled lawsuit over an alleged breach of public procurement laws was filed by the company which operated HMRC’s former 60886 SMS sender number and brought the HMRC surveillance powers to light.

MMGRP sued the HMRC last summer alleging breach of public contract regulations after the tax authority awarded a multi-million pound deal to one of MMGRP’s rivals in March.

Particulars of claim filed in the High Court in July last year by the SMS provider said:

The document also said the agency had asked for the capability of doing more than merely verifying that tax demands sent by text had been delivered, quoting the contract between the pair as requiring, under “Existing Services”:

In its defence document filed a month later, on 19 August last year, HMRC’s legal team admitted that part of MMGRP’s case, meaning they did not contest its truth.

The Reg wonders why HMRC did not dispute this in the legal papers, and why the capability was baked into the contract if the tax collector was not going to use it.

Describing the contract outlined in the lawsuit as “slightly odd”, Professor Alan Woodward, the University of Surrey-based compsci expert, told The Register: “I can see how this might be required if HMRC must later prove that a letter was received and read in a specific jurisdiction. Someone they are taking to court might claim they never received it or that it had no effect where they were when they were served with some form of formal notice.”

He added: “As with other powers, provided there is suitable legislation, oversight and transparency then it may have a place in chasing some of the tax evaders.”

GSM security expert Tobias Engel told The Register this location-finding service looked like a natural bolt-on to the SMS systems MMGRP was providing to HMRC, characterising it as a fairly routine service feature.

“A few years back this was still very easy,” said Engel, “since getting SMS routing information (the infamous so-called ‘HLR lookup’) already revealed a coarse location of the phone, and that same routing information could then be used to query the network for a more precise location.”

How does it work?

Signalling System Number 7 (SS7) is the signalling protocol used by mobile phone networks to route Short Messaging Service (SMS) messages.

Using SS7 to detect where messages were received is relatively simple. In essence SS7 tells mobile networks where to send messages based on which mast a particular phone number was last connected to. A register of those connections is kept and can be queried.

Thus the technique is called Home Location Register (HLR) lookup. Commands exist for querying a network’s HLR for a particular Mobile Station Integrated Services Digital Network number (MSISDN, or “phone number” to you and me). If you know the location of a mast where that MSISDN was last connected, you’ve got a radius of where the phone could be located. Cross-referencing that radius with multiple masts helps triangulate a specific phone, and thus its user.

This is the data used by police forces and others to locate criminals by tracking their mobile phones.

Bitter contract dispute

MMGRP’s lawsuit came about after HMRC had repeatedly extended the contract following its original expiry date of July 2020.

HMRC leaned heavily on the SMS provider for those short-duration extensions, raising the spectre of “reputational damage to HMRC, to outer [sic] Government Departments who utilise the service and ultimately to [MMG] as a provider” if the company didn’t agree.

For its part, MMGRP admitted that director Daniel Layton, “in the heat of the moment” threatened to shut off HMRC’s SMS services altogether when the tax authority told him it was awarding the contract to another company instead of renewing at the end of its existing term in early 2021.

“Mr Layton rapidly withdrew that threat,” the company’s particulars of claim added.

Ultimately the service was awarded to rival business IMImobile after lots of short-term extensions with MMGRP.

MMGRP owns the old HMRC 60886 SMS shortcode, which is why taxpayers are no longer advised to look out for messages from that number.

The court case has since been settled. HMRC does not say on its website that it makes use of HLR technology to identify taxpayers’ locations – but does list a range of ways in which it might try to contact them. ®
