Gamma International markets a digital spying software called FinFisher, expressly made and marketed to hack your phone and computer. Marketed to governments.
Way back in 2006 I recognized the anti-value of running Windows (PC or Mac—Making a Sensible Choice): the security risks were unacceptable, and this remains the case today.
Apple OS X is certainly not immune from Trojans, but it seems that every security hack article I read has only Windows screenshots, as is the case here.
But since this report shows that iOS is susceptible (Android and all the others too), and since iOS and OS X increasingly share code, one has to assume that OS X does have weaknesses as well.
It also makes one wonder about the wisdom of iOS-ifying OS X, unpalatable to begin with as far as I’m concerned. Ultimately it’s a bad design if both one’s phone and one’s computer can be compromised by the same weakness, so let us hope things don’t go that far (become that well shared).
I would like to see Apple be much more proactive on security:
- Submitting to third-party security audits (apparently not done at present!),
- Using legal hammers: patents, cease-and-desist lawsuits using anti-hacking laws, lobbying for federal legislation blacklisting such nefarious companies, and so on. Get creative, Apple!
- A prominent “hacker award” program with large cash rewards for finding exploitable security holes.
- Apple becoming a customer of these nefarious commercial hacking companies and, with every new release, defeating the mechanisms involved.
The unscrupulous already sell zero-day security exploits, which are then kept hidden so that your favorite government agency (whatever the country) can use them to build internet surveillance tools.
These tools provide substantial surveillance functionality; however, we’d like to highlight that, without exploitation of the underlying platforms, all of the samples we’ve described require some form of interaction to install.
As with the previously analyzed FinSpy tool, this interaction might involve some form of socially engineered e-mail or other delivery, prompting unsuspecting users to execute the program. Or, it might involve covert or coercive physical installation of the tool, or use of a user’s credentials to perform a third-party installation.
The thing is, Illegitimi Carborundum in some countries. But here in the USA it is foolish to think one is secure given the international nature of the internet.
Schneier on Security
Bruce Schneier, an outspoken security expert, reports on the FinFisher software deployment among governments across the world:
- We have identified FinFisher Command & Control servers in 11 new countries: Hungary, Turkey, Romania, Panama, Lithuania, Macedonia, South Africa, Pakistan, Nigeria, Bulgaria, Austria.
- Taken together with our previous research, we can now assert that FinFisher Command & Control servers are currently active, or have been present, in 36 countries.
That means there are at least 36 governments that consider it just fine to hack phones and computers to monitor their citizens, or anyone else for that matter.