Jessica Lyons Hardcastle The document also revealed that Sherlock could breach Windows-based computers as well as iPhones and Androids. Until now, different companies have specialized in breaching...
Jessica Lyons Hardcastle
The document also revealed that Sherlock could breach Windows-based computers as well as iPhones and Androids. Until now, different companies have specialized in breaching different devices. Candiru focused on PCs, NSO could hack iPhones, and its competitors specialized in Androids. But with this system, as the documents show, every device could effectively be breached.
Israeli software maker Insanet has reportedly developed a commercial product called Sherlock that can infect devices via online adverts to snoop on targets and collect data about them for the biz's clients.
The newspaper's report claimed that the spyware system had been sold to a country that is not a democracy. We're told, marks the first time details of Insanet and its surveillanceware have been made public. Furthermore, Sherlock is capable of drilling its way into Microsoft Windows, Google Android, and Apple iOS devices, according to cited marketing bumf.
"According to the findings of the investigation, this is the first case in the world where a system of this sort is being sold as technology, as opposed to a service," journo Omer Benjakob wrote, adding Insanet received approval from Israel's Defense Ministry to sell Sherlock globally as a military product albeit under various tight restrictions, such as only selling to Western nations.
"Even to present it to a potential client in the West, a specific permit must be obtained from the Defense Ministry, and it’s not always given," Benjakob noted.
To market its snoopware, Insanet reportedly teamed up with Candiru, an Israel-based spyware maker that has been sanctioned in the US, to offer Sherlock along with Candiru's spyware – an infection of Sherlock will apparently set a client back six million euros ($6.7 million, £5.2 million), mind you.
Method
"This method of surveillance and targeting uses commercially available data that's very difficult to erase from the internet," Kelley told The Register. "Most people have no idea how much of their information has been compiled or shared by data brokers and ad tech companies, and have little ability to erase it."
It's an interesting twist. Sherlock seems designed to use legal data collection and digital advertising technologies — beloved by Big Tech and online media — to target people for government-level espionage. Other spyware, such as NSO Group's Pegasus or Cytrox's Predator and Alien, tends to be more precisely targeted.
Two staged
"In this case, however, it seems that this is a two-staged attack wherein users are first profiled using advertising intelligence (AdInt) and then they are served malicious payloads via advertisements. Unsuspecting users are definitely susceptible to such attacks."
Threat level is [probably] minimal
The good news for some, at least: it likely poses a minimal threat to most people, considering the multi-million-dollar price tag and other requirements for developing a surveillance campaign using Sherlock, Kelley noted.
Still, "it's just one more way that spyware companies can surveil and target activists, reporters, and government officials," he said.
Measures to avoid
There are some measures netizens can take to protect themselves from Sherlock and other data-harvesting technologies.
"Since these ads are being served using known advertisement networks, anti-adware technologies such as not loading JavaScript, using ad blockers or privacy-aware browsers, and not clicking on advertisements should act as a guardrail against this attack," Dani suggested.
And more broadly: "Pass consumer data privacy laws," Kelley said.
"Data finds its way to being used for surveillance, and worse, all the time," he continued. "Stop making the data collection profitable, and this goes away. If behavioral advertising were banned, the industry wouldn't exist."
So, I can tell my security manager I need adblock for National Security purposes and not look like a loon now? I mean, they know I'll just use it for YouTube either way but still.
So, I can tell my security manager I need adblock for National Security purposes and not look like a loon now?
I mean, they know I'll just use it for YouTube either way but still.
"Sherlock seems designed to use legal data collection and digital advertising technologies — beloved by Big Tech and online media — to target people for government-level espionage." So does this...
"Sherlock seems designed to use legal data collection and digital advertising technologies — beloved by Big Tech and online media — to target people for government-level espionage."
So does this mean something will finally be done about data collection, since it's affecting the military/government?
Also, why can't we just make it so people have copyright over the data they generate or something? I wish this would just finally be addressed.
National security is what funds these spyware companies. NSO and these other companies exist to sell their software/services to nations. But its sort of a double edged sword so maybe. As an...
National security is what funds these spyware companies. NSO and these other companies exist to sell their software/services to nations.
But its sort of a double edged sword so maybe. As an example, the NSA already gives out a bunch of good cyber security advice despite the fact that they're the NSA.
One of my favourite examples of that is when the NSA publicly hardened DES against an attack only they knew about, without mentioning it: https://en.m.wikipedia.org/wiki/Data_Encryption_Standard
Because the IDF is one of the leaders in cyber security and attacks. The same knowledge that's used to fight Hamas and Hezbollah can, unfortunately, be used against everyone else.
Because the IDF is one of the leaders in cyber security and attacks.
The same knowledge that's used to fight Hamas and Hezbollah can, unfortunately, be used against everyone else.
Jessica Lyons Hardcastle
The document also revealed that Sherlock could breach Windows-based computers as well as iPhones and Androids. Until now, different companies have specialized in breaching different devices. Candiru focused on PCs, NSO could hack iPhones, and its competitors specialized in Androids. But with this system, as the documents show, every device could effectively be breached.
Method
Two staged
Threat level is [probably] minimal
Measures to avoid
Am I meant to be okay with it when it's sold to an ostensibly democratic country? Because I'm not.
Spyware shouldn't exist. Full stop.
So, I can tell my security manager I need adblock for National Security purposes and not look like a loon now?
I mean, they know I'll just use it for YouTube either way but still.
"Sherlock seems designed to use legal data collection and digital advertising technologies — beloved by Big Tech and online media — to target people for government-level espionage."
So does this mean something will finally be done about data collection, since it's affecting the military/government?
Also, why can't we just make it so people have copyright over the data they generate or something? I wish this would just finally be addressed.
I doubt that copyright would be a workable mechanism, but it sounds like you’re looking for something similar to the GDPR right to erasure?
It won't happen, but it would be absolutely hilarious if NatSec espionage was the reason Big Data was taken down.
National security is what funds these spyware companies. NSO and these other companies exist to sell their software/services to nations.
But its sort of a double edged sword so maybe. As an example, the NSA already gives out a bunch of good cyber security advice despite the fact that they're the NSA.
One of my favourite examples of that is when the NSA publicly hardened DES against an attack only they knew about, without mentioning it: https://en.m.wikipedia.org/wiki/Data_Encryption_Standard
Why does it seem like Israel is the hub for military spyware companies?
Because the IDF is one of the leaders in cyber security and attacks.
The same knowledge that's used to fight Hamas and Hezbollah can, unfortunately, be used against everyone else.