Journalist’s phone hacked by new ‘invisible’ technique: All he had to do was visit one website. Any website. | The Star


By Marco Chown Oved, Staff Reporter
Sun., June 21, 2020

The white iPhone with chipped paint that Moroccan journalist Omar Radi used to stay in contact with his sources also allowed his government to spy on him.

They could read every email, text and website visited; listen to every phone call and watch every video conference; download calendar entries, monitor GPS coordinates, and even turn on the camera and microphone to see and hear where the phone was at any moment.

Yet Radi was trained in encryption and cyber security. He hadn’t clicked on any suspicious links and didn’t have any missed calls on WhatsApp — both well-documented ways a cell phone can be hacked.

Instead, a report published Monday by Amnesty International shows Radi was targeted by a new and frighteningly stealthy technique. All he had to do was visit one website. Any website.

Forensic evidence gathered by Amnesty International on Radi’s phone shows that it was infected by “network injection,” a fully automated method where an attacker intercepts a cellular signal when it makes a request to visit a website. In milliseconds, the web browser is diverted to a malicious site and spyware code is downloaded that allows remote access to everything on the phone. The browser then redirects to the intended website and the user is none the wiser.

While Amnesty could not definitively state that the Moroccan authorities were behind the attack, the group was able to use forensic evidence to conclude this was very likely the case.

The episode reveals not that authoritarian governments are actively listening to the calls, monitoring the web traffic and reading the emails of journalists and human rights activists — but that they can do so undetected.

“I kind of suspected (I was hacked),” said Radi on an encrypted video chat from Rabat.
“The Moroccan authorities are buying every possible and imaginable surveillance and espionage product. They want to know everything.”

Radi is an investigative journalist who co-founded the local news site Le Desk, a partner with the Star in the International Consortium of Investigative Journalists. He specializes in the connections between politicians and business people as well as social movements and human rights. In other words, he’s a thorn in the government’s side and a prime target for surveillance, hacking and harassment.

In 2017, he was arrested while reporting on a security crackdown in the Rif region, and again this past December after one of his tweets described a local judge as an “executioner.”

“I was prosecuted for contempt of court, but that’s just the official charge. In fact, I was punished for my entire body of work. They pile things up and then they look for a pretext to arrest,” he told Forbidden Stories, an investigative journalism group that coordinated this report with the Star and 14 other outlets. Radi spent a week in pretrial detention, was later convicted and sentenced to four months and is currently out pending appeal.

Shortly after his release, he was approached by Amnesty International, which asked to look at his phone. The spyware they found — commonly known as “Pegasus” — can be traced back to the Israeli cyber surveillance company, NSO Group.

NSO Group, which was valued at $1 billion USD last year, sells surveillance software to governments and law enforcement agencies intended to combat terrorism. Over the last several years, however, reports from around the world have implicated NSO Group’s spyware in the targeting of journalists and human rights activists.

Radi is the third prominent Moroccan human rights figure to have been targeted using NSO Group’s network injection spyware. Last October, Amnesty International documented the cases of activist Maati Monjib and human rights lawyer Abdessadak El Bouchattaoui.
A recent report by The Citizen Lab at the University of Toronto’s Munk School identified 13 journalists, including a reporter for the New York Times, targeted by Pegasus software employed by the Mexican and Saudi Arabian governments.

But what makes Radi’s case unique is that he was infected last September, only three days after the Israeli company issued a policy that vowed the company would cut off clients if they were found to misuse the surveillance technology to target journalists and human rights activists.

“We fully understand the potential for our products to be misused by our customers, thereby resulting in adverse human rights impacts. Therefore, as responsible corporate citizens, we have committed ourselves to high ethical business standards, seeking to ensure that only vetted and legitimate government agencies will use our products and that we take all reasonable steps to prevent and mitigate the risks of adverse impact on human rights from their misuse,” the policy states.

“We include obligations to respect and protect human rights in our contractual agreements with our business partners and customers… We have an escalating set of remedies culminating in the termination of use of our products after a substantiated case of severe misuse, material breach of commitments or a refusal to co-operate in an investigation.”

Contacted for this story, NSO said due to client confidentiality it could not confirm if the Moroccan government was using its software.

In response to questions about what actions it took after learning that Monjib and El Bouchattaoui were targeted, NSO said it followed the steps outlined in its Human Rights Policy, which it described in a letter sent this month to UN Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression David Kaye.

“In recent instances in which NSO has received concerns or complaints regarding alleged misuse, it has immediately stopped the customer’s use of the system,” it stated in
the UN letter. “NSO has reinstated the system only after gaining comfort that the system was not misused.”

Amnesty’s new report notes that the NSO server used to hack Monjib and El Bouchattaoui was shut down shortly after the previous report was made public. Shortly afterward, a new server that operated in the same manner was set up and used to hack Radi’s phone, the report said.

NSO Group said it was “deeply troubled by the allegations” in the new report. “We are reviewing the information therein and will initiate an investigation if warranted,” the company said.

Bill Marczak, a research fellow at The Citizen Lab, says NSO has promoted its Human Rights Policy as groundbreaking but hasn’t backed it up with examples of cracking down on misuse of its spyware.

“There hasn’t been a whole lot of public evidence that NSO’s Human Rights Policy has helped human rights at all,” he said. “We’re still waiting for that evidence.”

Amnesty International found files and altered code on Radi’s phone that indicate he was hacked several times over the course of 2019 and most recently on January 29, 2020.

“I started to think: what could I have said on the phone that was sensitive? Do I have sources that might be in trouble if the people listening to me find out who I’m talking to?” Radi asked.

This month, an article on the Moroccan news website Chouftv reported that Radi was part of a group of journalists organizing a support campaign for an imprisoned colleague. Radi says the article contained details taken from conversations he had on the encrypted apps Signal and WhatsApp, and he suspects government intelligence officers leaked the information gleaned from his phone.

“It’s a way of saying: ‘You are being watched,’ ” he said.

Radi’s sources have grown more reluctant to talk as it has become evident that journalists’ phones are being tapped.
“I think the monitoring tool is working really well right now,” he said.

Unlike previous hacking methods, network injection leaves virtually no trace, according to the Amnesty report. There is no email with a malicious link. No missed call on WhatsApp. The malicious code even wipes crash logs, making it impossible to determine exactly what weaknesses were exploited to take over the phone, said Claudio Guarnieri, head of Amnesty International’s Security Lab, in an interview.

“The attackers took measures to eliminate traces that would reveal the vulnerability that they were using, which is useful to prevent (it) from being found and fixed,” he said.

Guarnieri said it is reasonable to conclude that the Moroccan government is behind the attack.

“The NSO, by their own admission, only sell to law enforcement and governments,” he said. “That coupled with the context… who would be interested in going after these individuals?” he said.

“And then, the way the network injection attacks are being conducted. They require some level of access to either the person itself — the ability to be in proximity in the case where the network injection is performed using tactical equipment. Think of (an IMSI catcher, also known as a Stingray) placed in a van that is parked in front of a house — or having access to the mobile operators themselves,” said Guarnieri.

Stingrays mimic cell phone towers and any phone within a certain distance will connect to the device automatically.
This will give the operator technical data about the phones, which can then be used to identify an individual’s cell phone number and figure out who they are talking to.

Amnesty International says that it cannot be sure a Stingray was used to hack Radi’s phone, but the only other way the group says the spyware could have been remotely injected was with access to the mobile network infrastructure, something only the phone company would have (and the Moroccan government could commandeer).

Either way, the attacker identifies the phone being targeted and waits for that phone to connect to a website over the cellular data network. The website must use “clear text,” which means the URL starts with “http” not “https.” When the phone makes a request to visit a clear text site, the attacker intercepts the request and redirects the phone to another website, where the Pegasus spyware is downloaded before the phone proceeds to the requested website.

“Amnesty asked me if there were URL redirects, if there were URLs that changed quickly and that’s when it rang a bell. I realized that indeed, this had happened. But I didn’t realize at the time that it was really an injection,” said Radi. “On the phone, there are a lot of things that can trigger a URL change or that kind of thing, so I didn’t think that was it at first.”

Normal people are unlikely to be targeted by NSO spyware, said The Citizen Lab’s Marczak, because it’s so expensive that states only use it to target a small number of people. “It’s a niche tool that is used on people who the government is interested in,” he said, adding that the more people are hacked, the greater the chance that the phone’s weakness will be found and fixed.

“Then NSO’s product is useless,” he said.

“The average user does not really need to worry,” he said.
“But certainly journalists, dissidents, civil society organizations and lawyers, these are targets that typically repressive governments that buy the spyware are interested in.”

Amnesty has advised Radi on what to do to avoid surveillance, including making sure everything on his phone is updated to the latest version and using a Virtual Private Network (VPN), but Radi says it’s a battle you can never win.

“We change phones. We try to protect ourselves. It’s David vs. Goliath. They still have a way of knowing what’s going on in our phones, in our computers. The goal is not to protect ourselves 100 per cent but to avoid it, to make it difficult for them, and to learn certain reflexes.”

He has started using friends’ phones and swapping SIM cards to change his number frequently. Amnesty says there is some evidence that turning off your phone and restarting it could sever the connection with the attacker.

Even if he’s able to protect his sources, Radi fears the surveillance will be used to develop a smear campaign against him.

“That’s how they operate. It’s destroying people’s image, digging up things about them and making them public,” he said.

Radi recounts the recent episode of journalist Hajar Raissouni, who was arrested on her way out of a gynecologist’s office with her fiancé. Along with the doctor, they were imprisoned for having had an abortion, which is illegal in Morocco.

“How did they know she was at her gynecologist’s office?” Radi asked. Radi says the government falsified documents to make it look like Raissouni had an abortion even though the medical expert hired by Raissouni reviewed her records and concluded it did not happen. Amid international outcry, she was pardoned in October.

“But all the press insulted Hajar because she (supposedly) had an abortion in addition to having sex outside of marriage. So defamation and discredit has already been thrown at her.”

“It’s gibberish that has no limits. There are no ethics, no morals.
It’s the height of immorality that governs the operation of these services,” he said. “It’s a state that protects itself, that protects its interests by denouncing, by discrediting people who point the finger.”

Forbidden Stories is an international consortium of 40 journalists publishing in 30 media organizations around the world, including the Toronto Star, that pursues the work of reporters who were threatened, jailed or assassinated.

Marco Chown Oved is a Toronto-based investigative reporter for the Star. Reach him at moved@thestar.ca. Follow him on Twitter: @marcooved
