🔑 Key Takeaways
- Before making important career choices, it's vital to consider not only monetary gains but also personal morals and ethics. Soul-searching can lead to a fulfilling career path and prevent potentially harmful situations.
- To excel in a field, it's important to never give up and constantly find ways to improve. Self-motivation and being open to new opportunities can lead to success beyond limits.
- Before accepting job offers, thoroughly read and understand job responsibilities and contracts to avoid being misled or doing something outside of your comfort zone.
- The UAE government hired a group of ex-NSA agents and ex-military intelligence-trained individuals to conduct hacking and spying operations. The group used fake identities and Bitcoin to anonymously rent server space to avoid being traced back to the villa.
- Hacking is legal to learn and teach, but hacking into foreign government systems without permission is illegal. Default credentials and common passwords make it easier for hackers to get in, so change your passwords regularly.
- When selecting a managed service provider, organizations must ensure they are cautious and vigilant to protect their sensitive data and prevent potential cyber attacks, as MSPs can be a lucrative target for cyber espionage.
- Cybersecurity professionals need to consider the ethical implications of their work, especially when operating in foreign countries, and organizations must be transparent about their objectives while abiding by laws. It's essential to protect civil liberties while using off-the-shelf tools to prevent exploitation.
- Speak up against unethical practices, prioritize human rights, and strive for a positive change.
- Citizen Lab helps protect privacy and security of those targeted by government surveillance. It's crucial to condemn human rights abuses and safeguard the rights of journalists and activists.
- The UAE government employs tactics such as imprisonment, false charges, and surveillance to silence those who speak out against their policies, even respected human rights activists like Ahmed Mansoor.
- The UAE's Project Raven, with the help of DarkMatter, targeted journalists using the Karma tool which exploited Apple's iMessage flaws. The operation exemplifies the need for more accountability and transparency in government-led cyber espionage.
- Project Raven's offensive missions highlight a lack of oversight from Cyber Point, while DarkMatter faces consequences as major browsers revoke their certificate authority. Google's investigation sheds light on potential vulnerabilities.
- Think twice before accepting overseas contracting jobs. Do research on job responsibilities, location, and company background. Stay vigilant and disclose vulnerabilities to companies to prevent exploitation.
📝 Podcast Summary
The Internal Conflict of Mercenaries and the Importance of Self-Reflection
Mercenaries may work for monetary gains, but they have internal conflict and emotions that can affect their loyalty. David, a former Navy SEAL, rejected the idea of becoming a weapon expert and wanted to make a real difference in people's lives. He pursued a career as an offensive intelligence analyst to track foreign intelligence hacking in the United States. His morals and ethics from majoring in religion and philosophy were still important to him. The rigorous training he underwent made him realize the potential to become someone he didn't want to be. It's important to soul-search and consider the impact of our choices on ourselves and others.
Pushing Boundaries and Pursuing Passion: David's Story of Success in Hacking
To push beyond your own limits, you have to really want what you're working for. David's story shows the importance of not giving up and always trying to learn to excel in one's field. He built his own lab to practice and improve, and this quality got him recruited into the NSA. With the Navy teaching him formally and his home lab, David became good at hacking and his specialty was not just getting in but also pivoting around, moving laterally, and finding what else is in that network. His story teaches us the benefits of self-motivation, pushing boundaries, and being open to new opportunities.
The Importance of Understanding Job Responsibilities and Contracts.
David was recruited by CyberPoint, a hacking company contracted by the US government to conduct offensive work such as tracking terrorist organizations. He and his wife decided to move to Abu Dhabi for a two-year contract with CyberPoint's hacking unit called Project Raven. However, David soon realized that the details given about his duties were not entirely true. He was shown two folders, one for a cover story and the other for his actual offensive cyber operations. Despite the red flags that were present, David thought it was common to experience such fronts and covers for his official duties. This incident highlights the importance of thoroughly understanding job responsibilities and contracts before accepting job offers.
The secret hacking group hired by the UAE government.
The UAE government hired a group of mostly American ex-NSA agents and ex-military intelligence-trained individuals to conduct hacking and spying operations. This group, called Project Raven, worked from a villa with facilities like a server room, management office, conference room, operations center, data-processing room, and kitchens. They used fake identities and Bitcoin to anonymously rent server space to avoid being traced back to the villa and the targets included those planning terrorist activity or attacks on UAE infrastructure. It's unclear if Project Raven was legal as sharing classified information is illegal, but David and the mostly Emirati team worked on cyber-spying techniques together to train the Emirati team in hacking.
The Legalities and Consequences of Hacking
Hacking, including setting up phishing emails and using Metasploit, is legal to learn and teach as long as it does not involve proprietary tactics. However, hacking into foreign countries' systems without express written consent from the State Department is illegal. Project Raven, a group working under the UAE government, was collecting communications of potential terrorist threats with the necessary approvals. However, requests to access a foreign government country's network to check if they were funding terrorists and gaining access to the VPN using default credentials was beyond their sanctioned activities. Using easy-to-guess passwords for routers, firewalls, computers, phones, e-mails, and VPN servers makes it easier for hackers to break into the system and move laterally, so it is important to change passwords and not use common ones.
MSPs: A Target for Cyber Espionage
Managed service providers (MSP) are hired by organizations to manage, patch, oversee, and troubleshoot their network devices. Accessing an MSP can provide unauthorized access to numerous clients, making them a lucrative target for cyber espionage. In this case, David's team gained access to the MSP's network, which in turn provided them exposure into multiple government networks including Ministry of Foreign Affairs, their royal family heir line, and military infrastructure among others in the target country. Along with the UAE government, other organizations must be cautious and vigilant while choosing their MSP to ensure the protection of their sensitive data and avoid possible cyber attacks.
Ethical dilemmas faced by cyber-mercenaries and the need for accountability in cybersecurity.
The story highlights the ethical dilemma faced by David, a cyber-mercenary, who was hired to fight terrorism but was eventually asked to collect intelligence on journalists and human rights activists. The story highlights the need for cybersecurity professionals to consider ethical implications, even when working in a foreign country. David's questioning of his work and Lori's suspicion of the motives of UAE underline the need for organizations to clearly convey their objectives and abide by the laws of the land. The story also emphasizes the importance of using off-the-shelf tools to avoid exposing exploits to potential hackers and the need to protect First Amendment rights to protect the freedom of press and right to peaceably assemble.
Standing up against unethical orders in Project Raven and paving the way for human rights advocacy.
Project Raven was asked by the UAE to consider targeting US computers and collecting data on US citizens, which went against the laws set by FISA. David and Lori raised concerns and advised management to push back on this objective. The work done by Project Raven made some of its employees feel uneasy and hesitant. David and several other employees left for the United States. Project Raven continued operations and tasks. Rori Donaghy set up a human rights group that highlighted human rights abuses in the UAE, which gained attention from bigger journalists and changed the international image of the UAE.
UAE Government Targeting Journalists and Activists with Digital Surveillance
The UAE government is surveilling and targeting journalists and activists, including infiltrating their computers and phones to spy on them. The government uses common tactics like controlling social media accounts of arrested dissidents to lure in more activists. This is a frightening and effective way of surveillance that can happen silently and pervasively without the victim's knowledge. Citizen Lab helps those who suspect they're being targeted by spyware or malware from a government. The incident highlights the importance of protecting the privacy and security of journalists and activists, and the need to condemn such human rights abuses.
Human rights activist Ahmed Mansoor imprisoned and spied on by UAE government
The UAE government is capable of torturing and imprisoning people who speak up against their policies. Ahmed Mansoor, a respected human rights activist, was arrested and charged with a made-up crime of damaging the country's unity. He was sentenced to ten years in prison and his family is also spied on. His arrest was due to him being the lone light in covering human rights abuses in the UAE for many years and his growing stature as an international human rights defender. The government hired ex-NSA people to spy on him and was surveilled through a hacking tool called Karma which was purchased from an outside vendor.
Project Raven: The Secret Surveillance Operation Targeting Journalists
Project Raven, a secret surveillance operation carried out by the UAE and previously contracted by DarkMatter targeted journalists, including American citizens, through a tool called Karma that exploited flaws in Apple's iMessage. The FBI is investigating the operation and DarkMatter is still operating and working with the UAE government. Lori Stroud, a former employee of Project Raven, came forward with her story to Reuters earlier this year. The story sheds light on the extent of cyber-espionage carried out by governments through private contractors and highlights the need for greater transparency and accountability in such operations.
Controversial Hacking Unit and Company DarkMatter Come Under Fire
Project Raven, a hacking unit based in Baltimore, was set up to help the Emiratis defend their network but over time, the missions changed and it became offensive all on its own without proper oversight from Cyber Point. DarkMatter, a company denied any wrongdoing when Reuters published a report about Project Raven, was granted a sort of certificate authority in 2017. Now, certificates from DarkMatter will show up as untrusted sources after Firefox and Google revoked their root certificate from being trusted. Natalie Silvanovich from Google's Project Zero team took a deep dive to find vulnerabilities in software and tried to figure out how Karma could have worked, after hearing about Project Raven's activities.
Natalie Uncovers iPhone Vulnerabilities & Warns Against Foreign Contracting Jobs
Natalie, a researcher at Project Zero, found three vulnerabilities on iPhone due to which she warned Apple and waited for the company to patch their phones. She then published her report in Black Hat citing that by sending a zip file, an object file inside it could instruct the phone to open a URL that could give a rough idea of a person's location and execute a payload to perform malicious activities. This exploit could make Karma, a notorious spyware tool that uses such vulnerabilities, completely useless. The speaker also cautioned about taking foreign contracting jobs and advised creating a safety net before accepting such offers. One should be aware of the job responsibilities, location, and company's background before going overseas.