Best Infosec-Related Long Reads for the Week, 10/7/23
How Intellexa sold spyware to Egypt, How phone phreakers created Apple, How one writer lost $31,000 in a pool-related BEC scam, The best password manager, PCLOB's view on Sec. 702
Metacurity is pleased to offer our free and paid subscribers this weekly digest of the best long-form infosec-related pieces we couldn’t properly fit into our daily crush of news. So tell us what you think, and feel free to share your favorite long reads via email at info@metacurity.com. We’ll gladly credit you with a hat tip. Happy reading!
Investigation: How Israeli Spyware Was Sold to Egypt and Pitched to Qatar and Saudi Arabia
Haaretz’s Omer Benjakob recaps the results of a bombshell investigation into spyware company Intellexa called the "Predator Files," which is based on documents and evidence obtained by French magazine Mediapart and Germany’s Der Spiegel and involved 15 media outlets led by the European Investigative Collaborations (EIC). The investigation found that Intellexa sold its spyware to Egypt, where it was used against regime critics, and pitched its capabilities to Saudi Arabia, Malaysia, Cameroon, Mauritius, Sierra Leone, and others.
The investigation is based on documents and communications linked to a firm called Nexa. The partnership between Intellexa and Nexa was signed in 2019 and continued at least until 2021. Nexa is a French firm that is de facto a rebranding of an older mass surveillance firm called Amesys whose first known client was Libyan dictator Muammar Gaddafi. Alongside Nexa, which is registered in France, a sister-firm in Dubai called Advanced Middle East Systems, or AMES, was set up to help market the alliance’s different technologies.
According to the investigation, there were a number of attempts to pitch the technology to Egypt over the years - and after Nexa and Intellexa joined together there were at least two attempts in 2020 to sell surveillance technologies to the regime of Egyptian President Abdel-Fattah al-Sissi. In 2021, it was discovered that exiled politician Ayman Nour was infected with the Predator spyware alongside another unnamed victim. This year, it was revealed that it was Egyptian lawmaker Ahmed Altantawy and that numerous attempts were made to hack his phone in recent months. Altantawy has announced he is running in the upcoming Egyptian election.
Per the investigation, in September 2020 plans were made for a demo meeting to be held in Cairo. To prepare the demo, a joint WhatsApp group was opened with senior representatives from both the French and Israeli sides - including Oz Liv, one of the group's founders, himself a former commander of a senior intelligence unit. This was despite past concerns at the country’s human rights record and that the tech would be used to target members of the LGBTQ community, per messages sent by the officials.
According to the communications, Israelis and perhaps even people based in Israel were to be involved in the sales pitch, which was to include a live demonstration of phone hacking capabilities. The group was also informed that the Egyptians were scared that the visit would be exposed - by a different Egyptian state agency - due to the VIP treatment for Nexa and Intellexa officials at the airport.
But the demonstration in Cairo was successful: At the end of 2020 a contract was signed. The French CEO reported this in the Nexa-Intellexa WhatsApp group - adding three champagne bottle emojis. "Amazing," Intellexa's VP of Sales replied, with Dilian adding: "Great!!! Happy New Year." The French official noted that he would soon request to see a signed copy of the contract: "You never know with the pharaohs".
How Phone Hackers Paved the Way for Apple
Mental Floss’ Jake Rossen profiles revered phone phreaker John Draper and his colorful cohort of 1960s and 1970s fellow hackers, two of whom ended up building Apple and one of whom, Draper, ended up in prison.
Draper is perhaps best known for weaponizing a cereal toy. In the late 1950s, a man named Joe Engressia discovered that he could whistle at 2600Hz, effectively mimicking the tones that were the language of the telephone system. By doing this, he was able to reset the phone line, which allowed calls to be made at no charge. It sounded bizarre, but it was effective. (Engressia, who was blind, grew obsessed with exploring the telephonic world. His high school photo showed him inside of a phone booth.)
Word of Engressia’s feat quickly spread, but there was a problem—few could whistle like that. Then, in the 1960s, Quaker Oats began including a prize in boxes of Cap’n Crunch: A whistle dubbed the Bo’sun after the boatswains that used them to signal mealtimes or commands on ships. A phone hacker named Sid Bernay may have been the first to discover that the Bo’sun’s frequency was 2600Hz, provided you covered one of the air holes on the trinket. That information was shared with others in the community, including Draper, a former U.S. Air Force electronics specialist turned radar technician. In an era of toll calls, this was a golden ticket. (Or whistle.)
“If I wanted to dial 234, I would just dial the numbers by repeatedly blowing the whistle that many times, and then that would make a free call,” Draper explained at a security conference. “You would do that by calling an information number or 800 toll-free number, and blow the whistle in, and you hear a little chirp sound, and that indicates to you that you are actually connected to an internal trunk line that is a raw trunk line. This trunk line is not the same kind of line you as a subscriber would use; this line is nothing more than an internal trunk line. It’s like getting root access to the phone system.”
Draper earned the nickname Captain Crunch as well as a good bit of infamy for his habit of using the cheap toy to avoid toll charges. The whistle was effective, but limited, so he and other hackers built so-called “blue boxes” that could get the phone system under their control. (Others called them “MFers,” for “multi-frequency.”) The handheld devices resembled dialing pads and emitted tones that mimicked the ones controlling long-distance connections that Bell Telephone once published in a technical journal. Some phreakers even phoned up Engressia so he could check their tones for accuracy.
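The mechanism the excerpt describes is in-band signaling: the trunk listened for a 2600 Hz supervisory tone on the same audio path that carried the caller's voice, so anything that could put that tone on the line could take control. The following Python snippet is an added illustration, not code from the Mental Floss piece or from any phone company: it runs a Goertzel detector over constructed 8 kHz audio and flags the frames that carry 2600 Hz. The sample rate, the 160 ms frame length, the amplitude threshold and the test signal (a 440 Hz stand-in for speech, then 2600 Hz, then an off-key 2650 Hz whistle) are all assumptions chosen for the example. It shows why a single tone detector was the system's only "authentication", and why a slightly mistuned whistle (the page's "cover one of the air holes" detail) would not trip it.

```python
import math

SAMPLE_RATE = 8000      # assumed: telephone-band audio sampled at 8 kHz
SUPERVISORY_HZ = 2600   # the single-frequency supervisory tone named in the article
FRAME = 1280            # assumed: 160 ms frames; 2600 Hz lands exactly on DFT bin 416


def synth_tone(freq_hz, seconds, amplitude=0.5):
    """Constructed audio: a pure sine at freq_hz, returned as a list of float samples."""
    n = round(seconds * SAMPLE_RATE)
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / SAMPLE_RATE) for i in range(n)]


def goertzel_amplitude(frame, target_hz):
    """Goertzel estimate of the amplitude of a sinusoid at target_hz within one frame.

    Evaluates a single DFT bin without computing the whole FFT, which is how
    tone detectors in telephony equipment were typically built.
    """
    n = len(frame)
    k = round(n * target_hz / SAMPLE_RATE)          # nearest DFT bin to the target
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2     # |X[k]|^2
    return 2.0 * math.sqrt(max(power, 0.0)) / n     # |X[k]| = A*n/2 for an on-bin sine


def detect_supervisory(samples, threshold=0.2):
    """Return (frame_index, amplitude) for every frame in which 2600 Hz is present.

    threshold is an assumed amplitude floor; real detectors also required the tone
    to persist for a minimum duration, which the frame length approximates here.
    """
    hits = []
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        amp = goertzel_amplitude(samples[start:start + FRAME], SUPERVISORY_HZ)
        if amp >= threshold:
            hits.append((start // FRAME, round(amp, 3)))
    return hits


def build_sample_call():
    """Constructed signal: 0.32 s of 440 Hz (speech stand-in), 0.32 s of 2600 Hz,
    then 0.32 s of a mistuned 2650 Hz whistle. Two frames per segment, six in total."""
    return synth_tone(440, 0.32) + synth_tone(2600, 0.32) + synth_tone(2650, 0.32)


if __name__ == "__main__":
    # Only frames 2 and 3 (the genuine 2600 Hz segment) should be reported.
    for frame_idx, amp in detect_supervisory(build_sample_call()):
        print(f"frame {frame_idx}: 2600 Hz tone, amplitude {amp}")
```

The off-key segment is rejected because the Goertzel bin for 2600 Hz is orthogonal to a 2650 Hz sine over a 160 ms frame; the detector is frequency-selective, not tone-shape-selective, which is exactly why any source of the right frequency worked. The durable fix was not a better detector but moving call control off the voice path entirely (out-of-band signaling), so that audio on the line can no longer issue commands.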
The Great Zelle Pool Scam
Writer Devlin Friedman recounts in Business Insider a painful personal story of how he and his wife got caught in a business email compromise scam when a criminal got hold of the email account of his pseudonymous pool builder “Gary Kruglitz” and stole $31,000 by asking for a series of payments via Zelle.
We were in the kitchen when we hung up with Gary. My wife and I exchanged a look, and in that look was contained a universe of knowledge: The scales fell and the gauze unwound and everything we for some reason couldn't see in the previous two weeks fell into a terrible, humiliating focus. The way we had been goaded every day for two weeks to send the max Zelle amount. The way the email messages from Gary were subliterate in a completely different way from the way a classic Gary email is subliterate. The receipt we'd made him email, which, when we opened it now in our kitchen, we realized didn't really look like the other receipts we'd gotten from Royal Palace Pools and Spas. The letterhead had typos on it.
And the email addresses. Jesus, the email addresses.
Now is when I need to make some confessions. When Gary Kruglitz told us to Zelle him, he didn't really tell us to Zelle him. He told us to Zelle two people we had never met before. What I'm confessing is that we sent $30,500 of our hard-earned money to sunshineyasmin48@gmail.com and personalbreezy@gmail.com. Yes, someone emailed us and said, "Hey, will you Zelle 30 grand to a perfect stranger who goes by the name Personal Breezy and has no identification except for a Gmail account?" And our response was: Done!
Sitting there in the kitchen, we instantly understood our role in this drama: In a world of marks and cons, we were … complete fucking idiots. We were the people who write $10,000 checks to Sri Lankan princes who'd been wrongly imprisoned in Amsterdam but were lucky enough to get your phone number from a friend of your son. We were our own clueless elderly parents whom we make fun of because they are such naive morons, and they were us.
The Best Password Managers to Secure Your Digital Life
Wired’s Scott Gilbertson walks through why users should rely on password managers and not rudimentary browser password features and reviews the top password managers, picking Bitwarden as the best.
Most web browsers offer at least a rudimentary password manager. (This is where your passwords are stored when Google Chrome or Mozilla Firefox ask if you’d like to save a password.) This is better than reusing the same password everywhere, but browser-based password managers are limited. In recent years, Google has improved the password manager built into Chrome, and it's better than the rest, but it's still not as full-featured or widely supported as a dedicated password manager like those below.
The reason security experts recommend using a dedicated password manager comes down to focus. Web browsers have other priorities that haven’t left much time for improving their password manager. For instance, most of them won’t generate strong passwords for you, leaving you right back at “123456.” Dedicated password managers have a singular goal and have been adding helpful features for years. Ideally, this leads to better security.
WIRED readers have also asked about Apple’s macOS password manager, which syncs through iCloud and has some nice integrations with Apple’s Safari web browser. There’s nothing wrong with Apple’s system. In fact, I have used Keychain Access on Macs in the past, and it works great. It doesn’t have some of the nice extras you get with dedicated services, but it handles securing your passwords and syncing them between Apple devices. The main problem is that if you have any non-Apple devices, you won’t be able to sync your passwords to them. All-in on Apple? Then this is a viable, free, built-in option worth considering.
A Look at the PCLOB Report on Section 702
In Lawfare, Steptoe & Johnson’s Stewart Baker delves into the long-expected, 300-page report from the Privacy and Civil Liberties Oversight Board (PCLOB) on Section 702 of the Foreign Intelligence Surveillance Act (FISA), and into what changes the board thinks should be made to the provision before its renewal later this year. Section 702 enables the National Security Agency to conduct targeted surveillance of foreign persons outside the US, which often sweeps up data on persons inside the US.
The question that divided the board was what changes should be made in the renewed law. All the board members supported reforms. Many of these centered on FBI searches of its database of 702 intercepts. The FBI database contains only a small portion (under 5 percent) of 702 intercept targets—essentially those already tied to an existing FBI investigation. In 2022, the FBI had access to data on “approximately 3.2 percent of the total number of Section 702 targets, or about 8,000 of them.” But the FBI has conducted millions of searches using the names or other identifiers (phone number, IP address) of U.S. persons.
Critics of the program (including the three Democrat-appointed PCLOB members) maintain that the FBI is exploiting the fact that many American communications have been incidentally collected without a court order, and adding to the problem by searching for the Americans’ conversations directly, again without going to court for approval. Defenders of the practice (including the two Republican-appointed members) argue that there is no reason to restrict the government’s ability to search data it has collected lawfully and already has in its files.
The split in the board over this issue is brought to a head in Recommendation 3: “Congress should require [Foreign Intelligence Surveillance Court (FISC)] authorization of U.S. person query terms.” Three of the members believe that 702 materials should not be searched for U.S. person identifiers unless the FISA court agrees that the search is justified. Two of the members, Edward Felten and Travis LeBlanc, think the search would be justified in most cases by showing that the search is “reasonably likely” to yield foreign intelligence.
Only one member, Board Chair Sharon Bradford Franklin, takes the position shared by left-leaning advocacy groups and some law professors, who argue that Congress should allow searches based only on probable cause.
The two dissenters, in contrast, see no reason to bring the FISA court into the picture at all. Instead, with a few tweaks, they would allow the FBI to continue to make queries of the 702 database under recently tightened Justice Department standards, supplemented by more active congressional oversight.