Ron Deibert

Global

International

Spyware

Faculty of Arts & Science

The New York Times reports that a new investigation by the University of Toronto's Citizen Lab has uncovered a spyware campaign targeting Mexican journalists, lawyers and anti-corruption investigators.

“The targets include lawyers looking into the mass disappearance of 43 students, a highly respected academic who helped write anti-corruption legislation, two of Mexico’s most influential journalists and an American representing victims of sexual abuse by the police,” The Times reports. “The spying even swept up family members, including a teenage boy.”

Citizen Lab reveals cyber espionage, disinformation campaign with Russian connections

ullahnor — Thu, 25 May 2017 19:03:19 +0000

Citizen Lab reveals cyber espionage, disinformation campaign with Russian connections

ullahnor Thu, 05/25/2017 - 15:03

Cutline

Citizen Lab discovers a massive cyber espionage campaign with more than 200 targets in 39 countries, pointing to Russia (photo by Krystian Dobuszynski/NurPhoto via Getty Images)

Topic

��ֱ��'s Citizen Lab has uncovered an extensive disinformation and cyber espionage campaign with Russian ties, targeting high-profile individuals around the world. Researchers say they also found similarities to phishing links targeting the 2016 U.S. presidential election and the 2017 French presidential election.

The campaign targets at least 218 individuals, including a former Russian prime minister, ambassadors, members of cabinets from Europe, journalists, CEOs of energy companies and activists from at least 39 countries, as well as the United Nations and NATO. It plants false information within “leaks” of stolen official documents.

“We do not conclusively attribute the technical elements of this campaign to a particular sponsor, but there are numerous elements in common between the campaign we analyzed and that which has been publicly reported by industry groups as belonging to threat actors affiliated with Russia,” the report states.

Read the Financial Times story

Read the CBC story

Citizen Lab’s investigation began with a single targeted phishing operation against American journalist David Satter, whose personal information was stolen, laced with false information and then published in a tainted leaks campaign on a Russian-linked website, named CyberBerkut. Satter, who is known for his book Darkness at Dawn, has written extensively about the rise to power of Russian President Vladimir Putin.

The tainted leaks plant fake information in between largely accurate information “in an attempt to make them credible by association with genuine, stolen documents,” says John Scott-Railton, a senior researcher at Citizen Lab, located at the Munk School of Global Affairs.

Citizen Lab researchers were able to determine that Satter’s targeting was part of a larger campaign. In 2015, the Open Society Foundations (OSF) had also experienced a breach of confidential data, and materials from the breach then turned up on CyberBerkut and another leak-branded site. The tainted leaks were all designed to discredit prominent critics of the Russian government and falsely indicated that they received foreign funding.

“The motivations behind Russian cyber espionage are as much about securing Putin’s kleptocracy as they are geopolitical competition,” says Ron Deibert, director of the Citizen Lab. “This means journalists, activists and opposition figures – both domestically and abroad – bear a disproportionate burden of their targeting.”

Researchers also found similarities in domain naming and subdomain structures between the campaign and phishing operations linked to a “threat actor routinely associated with the Russian government.”

In France's recent presidential election, tainted leaks appear to have been used in an attempt to discredit Emmanuel Macron. Citizen Lab researchers cite earlier reports indicating that the same threat actor showed up with those leaks. And the link used to phish the emails of John Podesta, the former chairman of the 2016 Hillary Clinton presidential campaign, also shares “the distinct naming and subdomain similarities with domains linked to the phishing operation against Satter.”

“We identify marked similarities to a collection of phishing links now attributed to one of the most publicly visible information operations in recent history: the targeting of the 2016 US Presidential Campaign,” the report states. “The phishing URLs in this campaign were encoded with a distinct set of parameters....an identical approach to parameters and encoding has been seen before: in the March 2016 phishing campaign that targeted Hillary Clinton’s presidential campaign and the Democratic National Committee. This similarity suggests possible code re-use: the two operations may be using the same phishing ‘kit.’”

Read the full report

��ֱ��'s Citizen Lab reports proponents of Mexico’s soda tax targeted by spyware

ullahnor — Mon, 13 Feb 2017 20:55:41 +0000

��ֱ��'s Citizen Lab reports proponents of Mexico’s soda tax targeted by spyware

ullahnor Mon, 02/13/2017 - 15:55

Cutline

New Citizen Lab report looks into spyware targeting supporters of Mexico's soda tax (photo by Omar Bárcena via Flickr)

Topic

Spyware

Is an Israeli cyberarms dealer's spyware being used to tap into the phones of vocal proponents of Mexico's 2014 soda tax, the first national tax of its kind targeting consumption of sugary drinks in Mexico?

That's the question being raised by Citizen Lab at ��ֱ��'s Munk School of Global Affairs in its latest report entitled, “Bitter Sweet: Supporters of Mexico’s Soda Tax Targeted With NSO Exploit Links.”

The report, authored by Citizen Lab researchers John Scott-Railton, Bill Marczak, Claudio Guarnieri and Masashi Crete-Nishihata, says links sent to activists, policy makers and government employees opposed to the Mexican soda industry were laced with an invasive form of spyware developed by NSO Group, which sells digital spy tools to governments and has contracts with multiple agencies inside Mexico.

Read the full story at the New York Times

Below, Faculty of Arts & Science professor Ron Deibert, director of Citizen Lab, explains the story behind the investigation.

In recent years, the research of the Citizen Lab and others has revealed numerous disturbing cases involving the abuse of commercial spyware: sophisticated products and services ostensibly restricted in their sales to government clients and used solely for legitimate law enforcement.

Contrary to what companies like Hacking Team, Gamma Group, NSO Group and others claim about proper industry self regulation, we have repeatedly uncovered examples where governments have used these powerfully invasive tools to target human rights defenders, journalists and legitimate political opposition.

To this list, we can now add research scientists and health advocates.

The “Bitter Sweet” case has its origins in a prior Citizen Lab investigation – our Million Dollar Dissident report, in which we found that a UAE-based human rights defender, Ahmed Mansoor, was targeted by UAE authorities using the sophisticated “Pegasus” spyware suite, sold by Israeli cyber warfare company, NSO Group.

As part of that report, we published technical indicators – essentially digital signatures associated with the NSO Group’s infrastructure and operations – and encouraged others to use them to find evidence of more targeting. When we published our report in August 2016, we knew there was at least one Mexican targeted – a journalist – and so suspected there might be some targeting there.

Shortly after the publication of our report, Citizen Lab was contacted by Access Now, which had received a request for assistance on its digital helpline from two Mexican NGOs working on digital rights and security, R3D and SocialTIC. Together, we worked to track down suspicious messages received by Mexicans, which led us to the Bitter Sweet case.

The title of our report refers to the fact that all of those whom we found targeted in this campaign were involved in a very high-profile “soda tax” campaign in Mexico. A soda tax is part of an anti obesity effort to add taxes to lower consumption of sugary drinks and sodas. Although many in Mexico are behind the campaign, some in the beverage industry and their stakeholders are obviously not.

In the midst of controversy around the soda tax campaign, at least three prominent research scientists and health advocates received similar (in some cases, identical) suspicious SMS messages that included telltale signs of NSO Group’s attack infrastructure. Had any of them clicked on the links, their iPhones would have been silently compromised, allowing the perpetrators to listen in on their calls, read their emails and messages, turn on their camera and track their movements – all without their knowledge.

What is most remarkable about the targeting are the steps the perpetrators took to try to trick the scientists and advocates to click on the links. For example, one of the targets, Dr. Simon Barquera, a well respected researcher at the Mexican Government’s Instituto Nacional de Salud Pública, received a series of increasingly inflammatory messages. The first SMSs concerned fake legal cases in which the scientist was supposedly involved. Those following got more personal: a funeral, allegations his wife was having an affair (with links to alleged photos), and then, most shocking, that his daughter, who was named in the SMS, had been in an accident, was in grave condition and that Dr. Barquera should click a link to see which hospital emergency room into which she was admitted.

While we can’t attribute this campaign to a particular company or government agency, it is obvious those behind the targeting have a stake in getting rid of the soda tax, and that points to the beverage industry and their investors and backers in the Mexican government. It is important to point out that Mexico is on record purchasing NSO Group’s services, and NSO Group itself asserts it only sells to legitimate government representatives. But clearly the NSO’s “lawful intercept” services are not being used in Mexico to fight crime or hunt terrorists, unless those who are advocating against obesity are considered criminal terrorists. We feel strongly that both the Mexican and the Israeli governments (the latter approves exports of NSO products) undertake urgent investigations.

Finally, our report shows the value of careful documentation of suspicious incidents and ongoing engagement between researchers, civil society organizations and those who are targeted by malicious actors who wish to do harm. The epidemic of targeted digital attacks facing civil society will require an all-of-society defence. The cooperation shown on this investigation by Citizen Lab researchers, Access, R3D, and SocialTIC is a model of how it can be done.

The above excerpt was reposted from Professor Ron Deibert's blog

Watching the watchers: ��ֱ��’s Ron Deibert blazing new trails with the Citizen Lab

ullahnor — Sun, 04 Dec 2016 19:44:57 +0000

Watching the watchers: ��ֱ��’s Ron Deibert blazing new trails with the Citizen Lab

ullahnor Sun, 12/04/2016 - 14:44

Cutline

Ron Deibert heads the Citizen Lab at the Munk School of Global Affairs (photo by Riley Stewart)

Jennifer Robinson

Author legacy

Jennifer Robinson

Topic

Security

Faculty of Arts & Science

Political Science

Faculty of Arts & Science professor Ron Deibert is director of the Citizen Lab, a “hacktivist hothouse” that is internationally renowned for detecting abuses of power online.

Cybercrime is a serious problem, but governments deploying the tools of cybercrime for political repression and control are an existential threat. In 2009, Deibert and the Citizen Lab, located at ��ֱ��'s Munk School of Global Affairs, made headlines around the world for their role in exposing GhostNet, a massive espionage ring that had compromised the computer networks of civil rights organizations and the government agencies of dozens of countries.

Deibert’s team made global headlines again in August 2016, after human rights activist Ahmed Mansoor showed them a suspicious text message. They discovered an exploit designed to remotely jailbreak and spy on iPhones, prompting Apple to issue a rapid security update.

Read Deibert talking about China

Deibert was awarded a 2013 Queen Elizabeth II Diamond Jubilee Medal for recognizing and mitigating the “growing threats to communications rights, openness and security worldwide,” but he says there is still much more to do.

“Targeted digital attacks are a silent epidemic that threaten us all. We need to work together to protect cyberspace as an open and secure forum for free expression and access to information for all citizens.”

Deibert recently spoke with ��ֱ�� News reporter Jennifer Robinson about his journey in “lifting the lid” on the Internet, as well as what the future holds for the pioneering work of the Citizen Lab.

Professor Ron Deibert (left) and Citizen Lab researcher Adam Senft (photo by Riley Stewart)

What is the Citizen Lab and what kind of research does it do?

The Citizen Lab is a research lab that I found in 2001. Our mission is to document information control that impacts the openness and security of the Internet and threatens human rights.

We produce evidence-based research on cyber-security issues that are associated with human rights concerns like tracking Internet censorship, documenting cyber-espionage attacks against civil society networks and carefully analyzing privacy and security risks associated with widely used applications and services.

You’ve had some recent successes that have gotten a lot of attention. For example, I know there was a piece in The New York Times not too long ago. Can you tell us about some of the big successes that your lab and researchers have had?

We’ve been fortunate to have a lot of media interest in our reporting – something like 13 separate reports of ours over the last eight years have been featured on the front pages of either The New York Times, Washington Post, The Globe and Mail or Toronto Star, which I think is probably an unparalleled track record.

One recent one that I think you might be referring to concerned our research into a targeted digital attack on the human rights defender in the United Arab Emirates. We did a technical analysis of a link that was sent over SMS [text message] to this human rights defender who shared it with our researchers. They were able to determine he was being targeted by an Israeli company called the NSO Group, which had apparently been contracted for services by the United Arab Emirates security service.

When we analyzed the attack, we discovered it involved three separate, what are known as, zero day or unpatched vulnerabilities in his iPhone operating system. Those are extraordinarily rare, precious commodities worth millions of dollars each. When we discovered it, we reported it to Apple resulting in a patch of not only the iOS but OSX and Safari, as well, for probably close to a billion people worldwide. That was an unusually big impact from our research but like I said we’re fortunate to receive a lot of media attention for the work that we do.

We often hear that Canadians don’t care all that much about the privacy of their information. Why should people care about the work you do with the Citizen Lab?

Well, the aim of our research is, to put it metaphorically, to lift the lid on the Internet or cyberspace or the big data universe or whatever you want to call it that surrounds us and within which we communicate. It’s essentially the new environment in which we live and for most users there’s very little recognition of what goes on beneath the surface of this environment.

It is important to lift the lid on the Internet and see what goes on underneath the surface because often that’s where decisions are made and power is exercised, hidden from the view of the average Internet user. A simple analogy would be the terms of service that few people actually read may constrain what you can do online or with certain applications.

Then going further, when we reverse-engineer applications we sometimes find there’s hidden surveillance or content filtering that applications many hundreds of millions of people use affect and structure what they can do and this is sometimes being done at the request of government. For example, our work on Chinese live streaming and mobile browser application has found extensive Internet censorship and surveillance hidden in the application.

The Citizen Lab seems to involve collaborations among a wide variety of different faculties and people with expertise at ��ֱ��. Can you give us an example of some of the different groups you work with here?

Within ��ֱ��, we’ve had some pretty fruitful collaborations with students and researches from computer science ad electrical engineering and the Faculty of Information Studies.

Outside the University of Toronto, we have partnerships with researchers from most disciplines in universities ranging from Princeton, Berkeley, Harvard, Cambridge and others.

The importance of this type of mixed methods approach to the topic can’t be stressed enough. It’s one of those areas that requires being able to incorporate methods and techniques from not only computer science and engineering but also law and social sciences.

We also work a lot with groups in the developing world – sometimes advocacy groups, sometimes researchers – because a growing number of Internet users come from the global south and that’s where I think the most important challenges are.

Here in Canada, it may feel like we’re communicating using infrastructure developed here in North America, but the reality is now and into the future, we’re going to be communicating on terms largely determined elsewhere primarily within innovation centres in the global south. So we really need to understand the political context within which that technological development is occurring because it’s going to affect us down the road.

When you started the Citizen Lab in 2001 was there anything else like it? And are you starting to see similar operations set up at other universities in the world now?

When I started there were very few other centres that I can think of that were doing exactly what we aim to do.

Now, it certainly is a growing community of researchers of which we’re a part, and we try to help spearhead that through our collaborations, workshops and our annual summer institute, which was seeded by the Connaught Fund and now is self-sustaining thanks to our funders who recognize the importance of this event. We bring together researchers who are working on the information controls from the next methods perspective. We’ve had hundreds of researchers from dozens of universities attend this annual event and because of that we’re seeing now centres like the Citizen Lab sprouting up different universities.

You're a professor of political science at the Faculty of Arts & Science and the Munk School of Global Affairs. What made you in 2001 come up with this idea?

My area of expertise in political science has been international security with a special focus on information technology.

Early in my career, I was very much interested in how intelligence agencies operate and looking at the methods that they employ, especially signals intelligence. It dawned on me that there is no analogue in the civil society world. By that I mean, you know watching government, watching the watchers so to speak, wasn’t very well developed.

Meanwhile in academia, approaches to the Internet were really siloed. You had engineers and computer science experts working on technical issues, political scientists to social
scientists looking at policy issues and not understanding the technology.

I was lucky to receive a grant from the Ford Foundation in 2000. They asked me to put together a project proposal. I had this idea to build a lab where I would bring together or recruit researchers from computer science and engineering, take their tradecraft and skills to set up something like a civil society counter-intelligence capacity.

At the beginning this sounded like a lot of hubris – and it was – but now we’ve come close to building that sort of capacity. It’s really rewarding to see how it has evolved.

What comes next? What would you like the University of Toronto to do next with the Citizen Lab?

I think we’re very fortunate to have funders who recognize the work that we do and most of our grants are of the general support variety. In other words, we don’t have to put in project grants. We received a large endowment – a $1-million-dollar award – from the MacArthur Foundation in 2013 that we hope to build upon.

Of course, an issue for the Citizen Lab is sustainability and also succession because it really is a professor’s lab. It’s not a centre or an institute in the way we think about those terms in the university environment. If it’s going to sustain itself beyond my career then I have to start thinking about succession and putting in that foundation for long-term sustainability.

If anyone, say in the developing world, that’s involved in human rights work feels like they’re being watched, what’s the best way to get in touch with you guys?

We get a lot of outside contact from many people who read about our work or are worried about something they read in the news, like maybe the Snowden disclosures or some kind of surveillance happening. We’re overwhelmed with types of requests for a small research lab. We’re not a service organization. We can’t receive inquiries from the public and investigate every concern that comes our way. I wish we could but it’s just not within our capacity.

But there is a community of human rights groups, advocacy groups and technology groups of which we’re a part, and we can point people in the right direction so if anyone has concerns they can definitely contact us at info@citizenlab.ca. We’d hopefully steer them in the right direction.

Ron Deibert’s Citizen Lab at the Munk School of Global Affairs is just one example of extraordinary innovation and impact at ��ֱ��. Learn more at utoronto.ca/uoft-world.

��ֱ��'s Citizen Lab implicates Canadian company in Bahrain Internet censorship

lavende4 — Wed, 21 Sep 2016 14:19:48 +0000

��ֱ��'s Citizen Lab implicates Canadian company in Bahrain Internet censorship

lavende4 Wed, 09/21/2016 - 10:19

Cutline

Protest in Bahrain in June 2016 (photo by Sayed Baqer AlKamel/NurPhoto via Getty Images)

Topic

Faculty of Arts & Science

Researchers at the University of Toronto’s Citizen Lab found detailed evidence that the Kingdom of Bahrain is censoring access to the Internet using technology from Canadian company Netsweeper, Inc.

Internet censorship is growing globally, and many countries now block access to large swathes of Internet content for their entire populations. Some of these countries, like Bahrain, use Western technologies to filter the Internet, raising corporate social responsibility concerns about the provision of technology, such as that sold by Netsweeper, Inc.

“Bahrain is an autocratic regime, and one of the world’s worst offenders of human rights," said Ron Deibert, director of Citizen Lab at ��ֱ��'s Munk School of Global Affairs. "Provision of Internet censorship services to Bahrain helps aggravate the Kingdom’s poor human rights record, and runs counter to the Canadian government’s explicit support of human rights online.”

Bahrain has been in a period of extended political crisis since a stifled uprising in 2011, and the Bahraini government has engaged in a series of repressive tactics against oppositional political figures and human rights activists, including torture, arbitrary arrests and the revocation of oppositional figures’ citizenship. Internet censorship is another means by which the government limits access to information and stifles freedom of speech, not just for activists or human rights defenders, but to everyone else in the country.

Read the Vice story on Netsweeper

Citizen Lab, which has been uncovering Internet censorship practices around the world and identifying the products and services used to undertake them, spent several months conducting the research, including a variety of in-country and remote network measurement and technical interrogation techniques. The group's latest report, entitled “Tender Confirmed, Rights at Risk: Verifying Netsweeper in Bahrain,” provides evidence that Netsweeper installations are present on nine Internet Service Providers (ISPs) in Bahrain. Testing on one of these ISPs, Batelco, shows the Netsweeper installation is being used to filter political content, including content relating to human rights, oppositional political websites, Shiite websites, local and regional news sources, and content critical of religion.

“The sale of technology used to censor political speech and other forms of legitimate expression, to a state with a highly problematic human rights record, raises serious questions about the corporate social responsibility practices of Netsweeper, Inc,” the report says.

Read the Globe and Mail story about Citizen's Lab's latest findings on Internet censorship in Bahrain

The installations appear to have become active between May and July 2016, a few months after the release of a public tender by Bahrain’s Telecommunications Regulatory Authority in January 2016 indicating Netsweeper won a bid to provide a "national website filtering solution," according to the report.

Netsweeper has a track record of providing Internet censorship services to countries with poor human rights records. Prior research by the OpenNet Initiative (2003-2013), of which Citizen Lab was a part, identified the existence of Netsweeper’s filtering technology on ISPs operating in the Middle East, including Qatar, United Arab Emirates (UAE), Yemen, and Kuwait. Citizen Lab also outlined evidence of Netsweeper’s products on the networks of Pakistan’s leading ISP, Pakistan Telecommunication Company Limited (PTCL), in a report published in 2013, and subsequently published research showing Netsweeper products were being used by three ISPs based in Somalia, raising questions about the human rights implications of selling filtering technology in a failed state. In a report on information controls in Yemen in 2015, Citizen Lab examined the use of Netsweeper technology to filter critical political content, independent media websites, and all URLs belonging to the Israeli (.il) top-level domain.

Included in some of these reports were letters with questions that Citizen Lab sent to Netsweeper, which also offered to publish in full any response from the company. Aside from a defamation claim filed in January 2016, and then subsequently discontinued in its entirety on April 25, 2016, Netsweeper has not responded to the Citizen Lab. Citizen Lab’s letter to Netsweeper concerning the use of its technology in Bahrain is available here.

Canadian documentary "Black Code" based on the research of ��ֱ��'s Citizen Lab premiers at TIFF

ullahnor — Wed, 14 Sep 2016 15:25:21 +0000

Canadian documentary "Black Code" based on the research of ��ֱ��'s Citizen Lab premiers at TIFF

ullahnor Wed, 09/14/2016 - 11:25

Daviel Lazure Vieira

Author legacy

Daviel Lazure Vieira

Topic

City & Culture

TIFF

For over a decade, Citizen Lab at ��ֱ��'s Munk School of Global Affairs has been working to expose cyber espionage campaigns, major security flaws in our phones and the potential threats emerging from the intersection of digital technology, human rights and global security.

Now a film adaptation of Ron Deibert's 2013 book Black Code will draw people into a much-needed discussion about how the very same technologies that can accelerate democratic change can also be used to restrict individual liberties through censorship, surveillance and information warfare.

The Canadian documentary, also titled Black Code, is premiering this week at the Toronto International Film Festival, taking viewers to Tibetan exiles under Chinese surveillance in India, media activists in Brazil who share their views via online platforms and Syrian citizens tortured for opposing the regime through Facebook posts.

"I feel as though we are serving a kind of early warning function for civil society in the same way that state intelligence agencies are supposed to provide such a warning for governments," says Deibert, who heads Citizen Lab.

Read about Citizen Lab research on government's cellphone monitoring

Deibert was familiar with documentary films produced by Nicholas de Pencier and his wife Jennifer Baichwal, notably Manufactured Landscapes and Watermark. The idea to adapt Black Code for the big screen came after de Pencier read the book.

“I was pretty amazed by how much I didn’t know,” says de Pencier, who is the documentary's filmmaker and cinematographer. “There were things in Ron’s book that were revelatory about the exposure we face through our electronic communications. If I’m that impressed and shocked, I thought, presumably other people will be too.”

A few weeks after their initial meeting to discuss a collaboration, news of Edward Snowden’s leak of classified information from the National Security Agency broke, and the work of many researchers, including Citizen Lab drew international attention. It became yet another reason to increase public awareness.

“The experiences of these research efforts were the perfect vehicle to tell stories that would at the same time inform the public about what is going on ‘beneath the surface’ of the Internet, and which are having an adverse effect on human rights and the prospects for democracy,” Deibert says.

Read about Citizen Lab's research showing Syrian dissidents targeted by hackers and an iPhone attack on a prominent UAE activist.

He adds that society needs to encourage a culture of curiosity about technology, to encourage users to read terms of service and take apart their devices to understand what is happening beneath the hood.

"And to extend that same persistent curiosity to governments and corporations,” Deibert says. “It’s about encouraging a diligent attitude among the citizenry to digital technologies embodied by the original notion of ‘hacking’ as ‘taking things apart and experimenting with them.’ My entire career I have fought against that misappropriation of the term as ‘breaking the law.’ To be a hacker today is to be an informed and empowered digital citizen.”

See more about TIFF's premiere of the Black Code

Citizen Lab researchers discover attack on iPhone belonging to UAE activist

lavende4 — Thu, 25 Aug 2016 18:12:27 +0000

Citizen Lab researchers discover attack on iPhone belonging to UAE activist

lavende4 Thu, 08/25/2016 - 14:12

Cutline

(Photo by Carl Court/Getty Images)

Topic

Global