I. TECHNOLOGY
18 #‘Zero-Click’ hacks are growing in popularity. There’s practically no way to stop them
Once the preserve of a few intelligence agencies, the technology needed for zero-click hacks is now being sold to governments by a small number of companies, the most prominent of which is Israel’s NSO Group.
As a journalist working for the Arab news network Alaraby, Rania Dridi said she’s taken precautions to avoid being targeted by hackers, keeping an eye out for suspicious messages and avoiding clicking on links or opening attachments from people she doesn’t know.
Dridi’s phone got compromised anyway with what’s called a “zero-click” attack, which allows a hacker to break into a phone or computer even if its user doesn’t open a malicious link or attachment. Hackers instead exploit a series of security flaws in operating systems — such as Apple Inc.’s iOS or Google’s Android — to breach a device without having to dupe their victim into taking any action. Once inside, they can install spyware capable of stealing data, listening in on calls and tracking the user’s location.
With people more wary than ever about clicking on suspicious links in emails and text messages, zero-click hacks are being used more frequently by government agencies to spy on activists, journalists and others, according to more than a dozen surveillance company employees, security researchers and hackers interviewed by Bloomberg News.
Once the preserve of a few intelligence agencies, the technology needed for zero-click hacks is now being sold to governments by a small number of companies, the most prominent of which is Israel’s NSO Group. Bloomberg News has learned that at least three other Israeli companies — Paragon, Candiru and Cognyte Software Ltd. — have developed zero-click hacking tools or offered them to clients, according to former employees and partners of those companies, demonstrating that the technology is becoming more widespread in the surveillance industry.
There are certain steps that a potential victim can take that might reduce the chances of a successful zero-click attack, including keeping a device updated. But some of the more effective methods — including uninstalling certain messaging apps that hackers can use as gateways to breach a device — aren’t practical because people rely on them for communication, said Bill Marczak, a senior research fellow at Citizen Lab, a research group at the University of Toronto that focuses on abuses of surveillance technology.
Dridi, who is based in London, said the hack forced her to shut down some of her social media accounts and left her isolated and fearful for her safety.
“They ruined my life,” said Dridi, who suspects she was targeted because of her reporting on women’s rights in the Arab world or her connection to other journalists who are high-profile critics of Middle Eastern governments. “I tried to just go back to normal. But after that I suffered from depression, and I didn’t find any support.”
It’s not known how many people have been targeted with zero-click hacks, because they are done in secret and the victims are often unaware.
Human rights groups have tied zero-click technology from NSO Group to attacks by governments on individuals or small groups of activists. A 2019 lawsuit filed by Facebook accused NSO Group of using a zero-click hacking method to implant spyware on the devices of 1,400 people who used its WhatsApp service. NSO Group has disputed the allegations.
The attacks can be difficult for security experts to detect and pose new challenges for technology giants such as Apple and Google as they seek to plug the security holes that hackers exploit.
“With zero clicks, it’s possible for a phone to be hacked and no traces left behind whatsoever,” Marczak said. “You can break into phones belonging to people who have good security awareness. The target is out of the loop. You don’t have to convince them to do anything. It means even the most skeptical, scrupulous targets can be spied on.”
Sometimes a zero-click hack doesn’t go as planned and leaves traces that investigators can use to identify that a device has been compromised. In Dridi’s case, administrators at Alaraby noticed suspicious activity on their computer networks and followed a digital trail that led them to her phone, she said in an interview.
Attackers use zero-click hacks to gain access to a device and then can install spyware — such as NSO Group’s Pegasus — to secretly monitor the user. Pegasus can covertly record emails, phone calls and text messages, track location and record video and audio using the phone’s inbuilt camera and microphone.
Marczak and his colleagues at Citizen Lab analyzed Dridi’s iPhone XS Max and found evidence that it had been infected at least six times between October 2019 and July 2020 with NSO Group’s Pegasus. On two occasions in July 2020, Dridi’s phone was targeted in zero-click attacks, Citizen Lab concluded in a report, which attributed the hacks to the United Arab Emirates government.
Dridi is now pursuing a lawsuit against the UAE government. Her solicitor, Ida Aduwa, said she will be seeking permission from a High Court judge in London in the next few weeks to proceed with the case. “We want an acknowledgement that this is something that states cannot get away with,” Aduwa said.
A representative for the UAE Embassy in Washington didn’t respond to messages seeking comment.
Marczak, from Citizen Lab, said most of the documented cases of zero-click hacks have been traced back to NSO Group. The company began deploying the method more frequently around 2017, he said.
NSO Group, which was blacklisted by the U.S. in November for supplying spyware to governments that used it to maliciously target government officials, journalists, businesspeople, activists and others to silence dissent, has said it sells its technology exclusively to governments and law enforcement agencies as a tool to track down terrorists and criminals.
“The cyber intelligence field continues to grow and is much bigger than the NSO Group,” a spokesperson for the company said in a statement to Bloomberg News. “Yet an increasing number of ‘experts’ who claim to be ‘familiar’ with NSO Group are making allegations that are contractually and technologically impossible, straining their credibility.”
The spokesperson said that NSO Group has terminated customer relationships due to “human rights issues” and won’t sell cyber intelligence products to approximately 90 countries. “The misuse of cyber intelligence tools is a serious matter,” the spokesperson said.
In December, security researchers at Google analyzed a zero-click exploit they said was developed by NSO Group, which could be used to break into an iPhone by sending someone a fake GIF image through iMessage. The researchers described the zero-click as “one of the most technically sophisticated exploits we’ve ever seen,” and added that it showed NSO Group sold spy tools that “rival those previously thought to be accessible to only a handful of nation states.”
“The attacker doesn’t need to send phishing messages; the exploit just works silently in the background,” the Google researchers wrote.
[Source: indianexpress.com dated 19th February, 2022.]
19 #Google moves to make Android apps more private
Google’s plan to limit data tracking on its Chrome browser has been extended to cover apps on its Android-based smartphones. Its so-called Privacy Sandbox project aims to curb the amount of user data that advertisers can gather.
Rival Apple now forces app developers to ask permission from users before tracking them. The news will be a blow to firms like Meta, which rely on putting their code on apps to track consumer behaviour. Meta said this month that Apple’s changes would cost it $10bn (£7.3bn) this year. Google’s Android operating system is used by about 85% of smartphone owners worldwide.
Third-party cookies, which use people’s browsing history to target adverts, will be phased out on Google’s Chrome browser by 2023.
In a blog, Google said it was now extending what it calls its Privacy Sandbox to Android apps, and working on solutions that will limit sharing users’ data and “operate without cross app identifiers, including advertising ID”. These identifiers are tied to smartphones and are used by apps to collect information. Google said that it will keep them in place for at least two years, while it works “with the industry” on a new system.
“We’re also exploring technologies that reduce the potential for covert data collection, including safer ways for apps to integrate with advertising SDK (software developer kits),” it added. The tech giant did not detail how it plans to do this. Apple decided in April last year that app developers had to explicitly ask for permission from users to use IDFA (Identifier for Advertisers). Data from advertising company Flurry Analytics, and published by Apple, suggests that US users are choosing to opt out of tracking 96% of the time.
Google’s blog did not name Apple, but referred instead to “other platforms” which it said “have taken a different approach to ads privacy, bluntly restricting existing technologies used by developers and advertisers”. “We believe that – without first providing a privacy-preserving alternative path – such approaches can be ineffective,” it added.
Google, unlike Apple, relies on advertising revenue. Google’s attempts to create alternatives to third party cookies on its Chrome browser have not gone entirely smoothly. Its first proposal -a system called Federated Learning of Cohorts (Floc) – was disliked by privacy campaigners and advertisers alike. Floc aimed to disguise users’ individual identities by assigning them to a group with similar browsing histories.
[Source: www.bbc.com dated 17th February, 2022.]
II. SCIENCE AND ENVIRONMENT
20 #Amazon deforestation: Record high destruction of trees in January
The number of trees cut down in the Brazilian Amazon in January far exceeded deforestation for the same month last year, according to government satellite data.The area destroyed was five times larger than 2021, the highest January total since records began in 2015.
Environmentalists accuse Brazil’s President Jair Bolsonaro of allowing deforestation to accelerate.Protecting the Amazon is essential if we are to tackle climate change. Trees are felled for their wood as well as to clear spaces to plant crops to supply global food companies. At the climate change summit COP26 in Glasgow last year, more than 100 governments promised to stop and reverse deforestation by 2030.
The latest satellite data from Brazil’s space agency Inpe again calls into question the Brazilian government’s commitment to protecting its huge rainforest, say environmentalists. “The new data yet again exposes how the government’s actions contradict its greenwashing campaigns,” explains Cristiane Mazzetti of Greenpeace Brazil. Greenpeace are calling on supermarkets in the UK and elsewhere to drop suppliers who are involved in deforestation from their meat and dairy supply chains suppliers.
Deforestation totalled 430 square kilometres (166 square miles) in January – an area more than seven times the size of Manhattan, New York.
• Which countries are cutting down trees?
• The illegal Brazilian gold you may be wearing.
• An indigenous leader trying to protect the Amazon.
Felling large numbers of trees at the start of the year is unusual because the rainy season usually stops loggers from accessing dense forest. Brazil’s vast rainforest absorbs huge amounts of greenhouse gases from the atmosphere, acting as what’s known as a carbon sink. But the more trees cut down, the less the forest can soak up emissions. But the area is also home to communities who say they need to use the forest for mining and commercial farming in order to make a living.
At the same time, indigenous communities living in the Amazon fight to protect the rainforest and their ways of life. Mr Bolsonaro has weakened environmental protections for the region and argued that the government should exploit the area to reduce poverty. There are a number of factors driving this level of deforestation.
Strong global demand for agricultural commodities such as beef and soya beans is fuelling some of these illegal clearances – Another is the expectation that a new law will soon be passed in Brazil to legitimise and forgive land grabbing. The Brazilian government argues that in the period between August last year and January 2022, overall deforestation was lower compared to the same period twelve months ago.
Environmentalists say that they are not surprised by the record January felling, given that President Bolsonaro has significantly weakened legal protections since he took office in 2019. At the COP26 climate summit in Glasgow last year, Mr Bolsonaro was one of the world leaders who promised to halt and reverse deforestation by the end of this decade. Political observers argue that despite this change in tone, the policies on the ground remain the same.
[Source: www.bbc.com dated 11th February, 2022.]
21 #Sunlight helps clean up oil spills in the ocean more than previously thought
Sunlight may have helped remove as much as 17 percent of the oil slicking the surface of the Gulf of Mexico following the 2010 Deepwater Horizon spill. That means that sunlight plays a bigger role in cleaning up such spills than previously thought, researchers suggest February 16 in Science advances.
When sunlight shines on spilled oil in the sea, it can kick off a chain of chemical reactions, transforming the oil into new compounds (SN: 6/12/18). Some of these reactions can increase how easily the oil dissolves in water, called photo dissolution. But there has been little data on how much of the oil becomes water-soluble.
To assess this, environmental chemists Danielle Haas Freeman and Collin Ward, both of Woods Hole Oceanographic Institution in Massachusetts, placed samples of the Macondo oil from the Deepwater Horizon spill on glass disks and irradiated them with light using LEDs that emit wavelengths found in sunlight. The duo then chemically analyzed the irradiated oil to see how much was transformed into dissolved organic carbon.
The most important factors in photo dissolution, the researchers found, were the thickness of the slick and the wavelengths of light. Longer wavelengths (toward the red end of the spectrum) dissolved less oil, possibly because they are more easily scattered by water, than shorter wavelengths. How long the oil was exposed to light was not as important.
Though the team didn’t specifically test for seasonal or latitude differences, computer simulations based on the lab data suggested that those factors, as well as the oil’s chemical makeup, also matter.
The researchers estimate irradiation helped dissolve from 3 to 17 percent of surface oil from the Deepwater Horizon spill, comparable to processes such as evaporation and stranding on coastlines. What impact the sunlight-produced compounds might have on marine ecosystems, however, isn’t yet known.
[Source: www.sciencenews.org dated 15th February, 2022.]
