(Un)Ethical Hacking

The NSO Group is in the news again, and you’ll never guess why! Well, maybe you can. Yet again one of the NSO Group’s surveillance products – which it claims are only sold to governments for law enforcement purposes and

(Un)Ethical Hacking

The NSO Group is in the news again, and you’ll never guess why! Well, maybe you can. Yet again one of the NSO Group’s surveillance products – which it claims are only sold to governments for law enforcement purposes and are aimed at terrorists and criminals – was used against law-abiding citizens.

This time international investigators of GIEI were targeted, joining the ranks of the lawyers, politicians, journalists, anti-corruption activists, scientists, public health campaigners, government officials, and their family members, as victims of this targeted spying.

With all this attention, NSO Group has been trying out different branding and names to escape the bad PR, most recently using the Q Cyber Technologies trademark. Understandably, a history of enabling human rights abuses isn’t a good look. The NSO Group claims: “NSO’s mission is to make the world safer, by providing authorized governments with technology."

But apparently, once the deal is done, they have no control over how their spyware is actually used by these authorized governments.

Hijacking The .io TLD

Matthew Bryant recently evaluated the security of DNS infrastructure, taking note of a particular feature: a Top-Level Domain (TLD) that can have authoritative nameservers at arbitrary domain names. This opens the TLD up to attack by registering the name for an authoritative nameserver for a TLD out from under the legitimate owners, like nabbing the domain name of a site that didn’t renew in time.

But with a TLD, the attack could be massive, effecting every server under the .io TLD, instead of simply a few. Similar attacks have been carried out on smaller scales to deliver malware, though an attacker could more stealthily use this access to spy on what domains users were visiting, or intercept traffic to specific servers.

While DNSSEC can be used to mitigate this attack, DNSSEC support is still not widespread, and this specific instance had to be addressed by protecting access to the authoritative names themselves. This and other mitigations are discussed by Matthew in the conclusion of previous research into DNS hacking he’s done.

are aimed at terrorists and criminals – was used against law-abiding citizens.

 

This time international investigators of GIEI were targeted, joining the ranks of the lawyers, politicians, journalists, anti-corruption activists, scientists, public health campaigners, government officials, and their family members, as victims of this targeted spying.

With all this attention, NSO Group has been trying out different branding and names to escape the bad PR, most recently using the Q Cyber Technologies trademark. Understandably, a history of enabling human rights abuses isn’t a good look. The NSO Group claims: “NSO’s mission is to make the world safer, by providing authorized governments with technology."

But apparently, once the deal is done, they have no control over how their spyware is actually used by these authorized governments.

Hijacking The .io TLD

Matthew Bryant recently evaluated the security of DNS infrastructure, taking note of a particular feature: a Top-Level Domain (TLD) that can have authoritative nameservers at arbitrary domain names. This opens the TLD up to attack by registering the name for an authoritative nameserver for a TLD out from under the legitimate owners, like nabbing the domain name of a site that didn’t renew in time.

But with a TLD, the attack could be massive, effecting every server under the .io TLD, instead of simply a few. Similar attacks have been carried out on smaller scales to deliver malware, though an attacker could more stealthily use this access to spy on what domains users were visiting, or intercept traffic to specific servers.

While DNSSEC can be used to mitigate this attack, DNSSEC support is still not widespread, and this specific instance had to be addressed by protecting access to the authoritative names themselves. This and other mitigations are discussed by Matthew in the conclusion of previous research into DNS hacking he’s done.

About the Cylance Research and Intelligence Team

The Cylance Research and Intelligence team explores the boundaries of the information security field identifying emerging threats and remaining at the fore front of attacks. With insights gained from these endeavors, Cylance stays ahead of the threats.