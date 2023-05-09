

Welcome to The Cybersecurity 202! Shout out to my colleagues who were Pulitzer Prize winners or finalists. Halfway decent newspaper, this one. Was this forwarded to you? Sign up here. Below: Apple loses a bid to revive its copyright lawsuit against Corellium, and the FBI seizes more DDoS-for-hire sites. First:

Regulations potentially on deck for E.U. following spyware report approval

A European Parliament committee on Monday finalized its report on the use of spyware on the continent, condemning multiple member countries’ handling of the technology and making recommendations for regulating it.

In Hungary, the use of spyware was “part of a calculated and strategic campaign to destroy media freedom and freedom of expression by the government,” the committee found. In Poland, its use was part of “a system for the surveillance of the opposition and critics of the government — designed to keep the ruling majority and the government in power,” according to the committee. The committee also faulted Cyprus, Greece and Spain to a lesser degree.


The report calls for stricter regulation of spyware, including rules for law enforcement, prohibition of surveillance of certain kinds of targets (such as doctors) absent criminal evidence and mandatory notifications in some instances to targets of surveillance.

Thirty members of the Parliament voted to advance the report to the full body, with three voting against it and four abstaining.

Its advancement comes after a lengthy probe in Europe, and not long after the Biden administration issued an executive order prohibiting U.S. agencies from purchasing commercial spyware for “operational” use when they find that it presents a counterintelligence or national security risk to the United States.

“Our inquiry has made it clear that spyware has been used to violate fundamental rights and endanger democracy in several E.U. member states, Poland and Hungary being the most blatant cases,” Committee Chair Jeroen Lenaers said. “Stricter E.U.-level scrutiny is needed to ensure that spyware use is the exception, to investigate serious crimes, and not the norm.”

A response

The report is the work of a panel formally known as “European Parliament’s Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware.” It’s a reference to the biggest name in spyware, the Pegasus product made by NSO Group.


The committee formed in March 2022 following reports by a consortium of newspapers, including The Washington Post, about governments using Pegasus to spy on politicians, journalists and activists. (NSO Group says that it terminates contracts with governments when there is abuse, and that its technology helps prevent crime and terrorism.)

Some of the committee’s recommendations are for specific countries:

The committee calls on “Hungary and Poland to comply with European Court of Human Rights judgements and restore judicial independence and oversight bodies,” according to a news release. “They should also ensure independent and specific judicial authorisation before the deployment of spyware and judicial review afterwards, launch credible investigations into abuse cases, and ensure citizens have access to proper legal redress.”

It called on Spain to fully investigate the use of spyware in that country, especially in 47 cases where it’s unclear who authorized its use.

The government of Greece should “urgently restore and strengthen the institutional and legal safeguards” on the use of spyware.

Cyprus, which the committee said had become a hub of spyware exports, should repeal export licenses “that are not in line with E.U. legislation.”

Others are for the E.U. in general:

Nations should only use spyware under certain circumstances, such as when there’s national legislation in place that’s in line with human rights law and when allegations of spyware abuse have been vigorously investigated.

Law enforcement should only use it “in exceptional cases for a pre-defined purpose and a limited time.”

Doctors, journalists, politicians and data that’s part of lawyer-client privilege should be off-limits unless there’s evidence of a crime.

Notifications to targets should also include potential legal remedies and standards for admissibility of evidence obtained by spyware.

Furthermore, the committee proposed an independent research institute to investigate surveillance, as well as a joint E.U.-U.S. strategy and talks with Israel — home to NSO Group and some other spyware firms — on rules for spyware exports.

Potential difficulties

One other recommendation could pose some issues: “a common legal definition of the use of national security as grounds for surveillance.” Rapporteur Sophie in 't Veld said that investigations in Europe had been “hampered by obstruction, intimidation and harassment” and argued that some governments had wrongly invoked "national security" to shield Pegasus use, Agence France Presse reported.


Nations invoking national security is an obstacle I reported on after an interview I did last year with Sandor Ronai, vice chair of the committee.

But In 't Veld said she’d continue the fight no matter what.

“Not one victim of spyware abuse has been awarded justice. Not one government has really been held accountable,” she said. “The member states and the European Commission should not sleep easy because I intend to keep on this case until justice is being done.”

The keys

Apple loses bid to revive iOS simulation copyright case against cybersecurity firm

Apple was unsuccessful in reviving a lawsuit against cybersecurity firm Corellium that alleged the company violated copyright law by simulating Apple’s iOS operating system to help security researchers find flaws, Isaiah Poritz reports for Bloomberg Law.


“The US Court of Appeals for the Eleventh Circuit on Monday ruled that Corellium’s CORSEC simulator is protected by copyright law’s fair use doctrine, which allows the duplication of copyrighted work under certain circumstances,” the report says.

A three-judge appeals panel added that CORSEC “furthers scientific progress by allowing security research into important operating systems.”

Apple claimed the simulator was a wholesale copy of its iOS system software and that it acted as a market substitute for its own security research products, while Corellium said the use of Apple code and icons was just for research purposes, Poritz writes.

The appeals panel sent the case back to a lower court to “reconsider Apple’s claims of contributory copyright infringement and infringement of the iOS icons and wallpaper,” the report says.

NextGen Healthcare says it was breached and hackers stole data on over 1 million patients

Electronic health records provider NextGen Healthcare said it was breached by hackers that pilfered data on over 1 million patients, Carly Page reports for TechCrunch.

“In a data breach notification filed with the Maine attorney general’s office, NextGen Healthcare confirmed that hackers accessed the personal data of 1.05 million patients, including approximately 4,000 Maine residents,” Page writes.

Patient names, dates of birth, addresses and Social Security numbers were stolen by the hackers. “Importantly, our investigation has revealed no evidence of any access or impact to any of your health or medical records or any health or medical data,” the company said.


NextGen said the hackers gained system access between March 29 and April 14.

“When we learned of the incident, we took steps to investigate and remediate, including working together with leading outside cybersecurity experts and notifying law enforcement,” NextGen spokesperson Tami Andrade told TechCrunch. “The individuals known to be impacted by this incident were notified on April 28, 2023, and we have offered them 24 months of free fraud detection and identity theft protection.”

The company was also hit in a ransomware attack in January, The Cybersecurity 202 previously reported.

FBI seizes 13 more DDoS-for-hire domains

The FBI announced yesterday it seized an additional 13 platforms linked to DDoS-for-hire campaigns, Sergiu Gatlan reports for Bleeping Computer.

The coordinated operation, titled Operation PowerOFF, was part of an international law enforcement effort against platforms that offer to launch distributed denial-of-service attacks against targets in exchange for money, also known as “booter” and “stresser” services, according to the report. Those cyberattacks aim to overload websites with malicious traffic.

“The seizures this week are the third wave of U.S. law enforcement actions against prominent booter services that allowed paying users to launch powerful distributed denial-of-service, or DDoS, attacks that flood targeted computers with information and prevent them from being able to access the internet,” the Justice Department said.

The Justice Department added that 10 of the 13 seized domains were “reincarnations” of past services that were taken down in a prior December operation.


“According to the affidavit, the FBI tested the booter services whose domains were seized by opening or renewing accounts with each of them and assessed the effects on target computers via DDoS attacks launched on computers controlled by the agency,” Gatlan writes.

Daybook

The Center for Strategic and International Studies holds an event on countering gender-based harassment and disinformation tomorrow at 11 a.m.

Technology officials from the Pentagon and Central Intelligence Agency speak at a CSIS event on AI technologies at 12:30 p.m.

CISA Director Jen Easterly speaks at Hack the Capitol 2023 tomorrow at 10 a.m.

Secure log off

A win is a win 🙏 https://t.co/8UGTgwTlYc — Rosslyn, Virginia (@RosslynVA) May 7, 2023

Thanks for reading. See you tomorrow.
