Here’s a first: Journalists and a U.S. citizen are suing NSO Group

It’s the latest salvo in a multi-front battle against foreign commercial spyware. That battle has been pursued in the executive branch, Congress, the courts and the tech industry. In fact, the lawsuit came the same day that Google called out a Spanish firm it says is a spyware vendor.

Wednesday’s lawsuit accuses NSO Group of violating the main federal anti-hacking law, as well as a computer access and fraud law in California, the location of the federal court where the plaintiffs filed their complaint. The plaintiffs are reporters and others who work for El Faro, a Salvadoran news organization, who allege they were targets of NSO Group’s Pegasus spyware.

The plaintiffs want a judge to declare that NSO Group has violated U.S. law. They also want a judge to order the company to disclose the client who spied on them, Carrie DeCell, senior staff attorney with the Knight First Amendment Institute, told me.

“We do view the use of spyware against members of the press in particular as one of the biggest threats to democracy and independent press freedom today,” said DeCell, whose organization is co-representing the plaintiffs with Columbia University. “We think an order requiring NSO Group to disclose its client would really deter future government actors from seeking to use NSO’s technology in their own efforts to repress journalism and stifle free speech.”

The lawsuit relies on research from the University of Toronto’s Citizen Lab, Access Now and Amnesty International. Researchers at those organizations determined that the El Faro employees were targets of Pegasus “zero-click” spyware that allows attackers to install it without human interaction.

NSO Group criticized those groups in a statement responding to the lawsuit. The three organizations “repeatedly recycle each other’s reports and knowingly release speculative, inaccurate and incomplete reports to the media,” according to the emailed statement from an NSO spokesperson.

Ronan Farrow of the New Yorker detailed the experience of U.S. citizen Roman Gressier, a case plaintiff and journalist working abroad. There have been U.S.-based lawsuits against NSO Group, most prominently the one filed by Meta, the parent company of Facebook and WhatsApp. 

• The Supreme Court is expected to decide soon on if it will hear a case on whether Meta can pursue its lawsuit, which alleges that NSO Group illegally targeted its users with spyware. NSO Group maintains that its work for foreign governments makes it immune to such lawsuits, but the Biden administration has a differing interpretation.

The plaintiffs in the latest case are especially interested in holding NSO Group to account in U.S. courts, DeCell said. The most important reason is because “the value of the spyware really derives from its ability to infect the most smartphones around the world,” and U.S. infrastructure and companies give them the best opportunity to do so, DeCell said.

NSO Group says “it is technologically impossible for Pegasus to operate on U.S. soil,” a claim some have rebutted.

“NSO is a software provider, the company does not operate the technology or is privy to the collected data,” its emailed statement reads. “The company does not and cannot know who the targets of its customers are, yet developed and implements rigorous and unique compliance policies, and has terminated contracts when misuse was found following its investigations.” The company argues that its spyware has been used to find criminals.

Like the Meta lawsuit, the El Faro lawsuit leans on the much-criticized Computer Fraud and Abuse Act (CFAA), the main federal anti-hacking statute enacted in 1986. That law’s past use against journalists and researchers is concerning, DeCell said.

“But this case is a clear, core violation of the CFAA,” she said. “This violates what the CFAA was originally intended to prohibit, which is classic computer hacking.” (Meta’s lawsuit also accused NSO of violating the CFAA.)

“We hope it really deters any investors around the world, but particularly U.S. investors, from continuing to fund spyware manufacturers, whether it’s in an advisory capacity or they’re in more direct control,” DeCell told the New Yorker, noting in an interview with The Cybersecurity 202 that that wasn’t the focus of the suit. American company L3Harris dropped a bid to acquire NSO Group amid concerns raised by the Biden administration.

NSO Group may be the most prominent spyware company, but Google’s Threat Analysis Group (TAG) believes it discovered another such company, which wasn’t previously known. Barcelona-based Variston IT has “likely ties” to a hacking tool known as “Heliconia,” which exploited vulnerabilities in the Chrome and Firefox browsers as well as a Windows security app, Google said.

Google says it patched the vulnerabilities. While researchers hadn’t “detected active exploitation,” the previously unknown bugs appear to have been used for hacks. The company found out about Heliconia after an anonymous tipster submitted three bug reports, the firm said.

“TAG’s research has shown the proliferation of commercial surveillance and the extent to which commercial spyware vendors have developed capabilities that were previously only available to governments with deep pockets and technical expertise,” Google’s blog post reads. “The growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups.”

Variston, which bills itself as a security company, did not respond to a request for comment Wednesday. A company official said it hadn’t been made aware of Google’s research but cast doubt on it, Carly Page reported for TechCrunch.

Major web browsers spurn TrustCor certificates

Mozilla’s Firefox and Microsoft’s Edge browsers won’t accept new certificates from TrustCor Systems that vouched for the legitimacy of websites, and other tech companies are also expected to take similar actions, Joseph Menn reports. The decisions came after technology experts, researchers and TrustCor — which said it doesn’t have ongoing ties of concern — argued online in the wake of a Post report on the company this month. 

“Certificate Authorities have highly trusted roles in the internet ecosystem, and it is unacceptable for a CA to be closely tied, through ownership and operation, to a company engaged in the distribution of malware,” Mozilla’s Kathleen Wilson wrote to a browser security mailing list. “TrustCor’s responses via their Vice President of CA operations further substantiates the factual basis for Mozilla’s concerns.”

The Post reported this month that TrustCor’s Panama registration records showed the same agents, officers and partners as a spyware firm identified as an affiliate of Packet Forensics, which has sold communication interception services to the U.S. government.

Packet Forensics has said it doesn’t have an ongoing business relationship with TrustCor. TrustCor executive Rachel McPherson told Mozilla that the same holding companies had invested in TrustCor and Packet Forensics, but TrustCor ownership was transferred to employees. 

Easterly deletes tweets recommending books

CISA Director Jen Easterly has deleted three tweets recommending books after the agency was asked about U.S. government ethics rules directing officials to not use their government positions or titles to endorse most products. Politico Playbook on Wednesday reported that Easterly’s account deleted a Twitter endorsement of a recent book after the outlet flagged it to the agency. After The Cybersecurity 202 requested comment on Easterly tweets from January and July that praised other nonfiction books, those tweets were deleted as well.

“Director Easterly is committed to strictly adhering to the ethics rules that apply to federal officials,” CISA spokesperson Michael Feldman said in a statement. “She has removed several tweets in order to ensure compliance with those rules and to avoid the appearance of any inconsistency.”

Australia boosts fines for data breaches in wake of high-profile hacks

Australia’s Parliament passed a bill increasing the penalties for companies that suffer repeated or serious data breaches dramatically, Bleeping Computer’s Bill Toulas reports. The bill increases the maximum penalties from 2.22 million Australian dollars ($1.5 million) to one of three penalties, whichever is largest:

• 50 million Australian dollars ($34 million).
• 30 percent of the firm’s adjusted turnover for 12 months or the breach’s duration, whichever is longer.
• Three times the value of what the firm has gained directly or indirectly “and that is reasonably attributable” to the breach.

The new rules come in the wake of breaches of telecommunications giant Optus and health-insurance firm Medibank, affecting millions of Australians. “Significant privacy breaches in recent months have shown existing safeguards are outdated and inadequate,” Australian Attorney General Mark Dreyfus said in a statement. “These reforms make clear to companies that the penalty for a major data breach can no longer be regarded as the cost of doing business.”

U.S. committee recommends that FCC deny application for Cuba cable, citing counterintelligence concerns

An interagency committee…