John Scott-Railton
Nov 3, 14 tweets, 7 min read
Got a threat notification from Apple this week?

✅Take it seriously.

Devices that get warnings usually show signs of spyware infection (or an attempt).

✅Then take action.

If you're part of civil society, you should reach out to a digital security org for assistance.
Apple threat notifications are *clear & invaluable* signs something serious is going on.

They've triggered major investigations & uncovered widespread spyware abuses.

For example, #Pegasus hacking against activists & opposition figures in Thailand...
citizenlab.ca/2022/07/geckos…

Since Apple began delivering threat notifications we @citizenlab & others like @AmnestyTech have used them as a key indication that investigation is needed.

Another country where the threat notifications uncover likely-political hacking? #Poland.

Apple's threat notifications have also helped confirm + expand our understanding of cases we're already investigating, like #Pegasus infection clusters in #ElSalvador and #Mexico.

Apple's threat notifications turbocharged our research into mercenary spyware.

And they are a blinking red light that a government is likely trying to get up to something on your phone.

Which is why, since they started back in 2021, some actors pushed disinformation about them.
Another case where Apple's threat notifications led to a major investigation & string of hacking discoveries?

Extensive #Pegasus hacking #Armenia.

Report by @accessnow in collaboration with @CyberHubAm @citizenlab @amnestytech @RubenMuradyan accessnow.org/publication/ar…

The US took vigorous action against mercenary spyware proliferation. Including an executive order.

Key early sign something needed to be done?

Apple threat notifications in the inboxes of #US diplomats...

Many more cases were eventually found.
Apple threat notifications on spyware, key takeaways:

✅We researchers see all signal, no noise
✅Points to targeting & attempted targeting by a gov
✅Track record of major finds & accountability impacts

Take them with great seriousness. Patterns must be investigated.
If you or someone you know got an Apple threat notification, seek assistance.

At risk because of who you are or what you do?

Enable Lockdown Mode.

Our research throughout 2023 has *not* found cases of #Pegasus & #Predator infection when it's enabled.
If Apple, Meta, Google, Yahoo threat notifications are landing anywhere in your vicinity...

The canary in your coal mine has just passed out.

Seek out orgs with digital security expertise. There is no substitute for competent assistance when the threat is serious.
Apple has a world class threat intelligence team hunting mercenary spyware & other bad things.

The notifications come from their finds.

Like all the other companies that do notifications, they tend to read as a bit low on details of exactly who & what they found. Why?...
Threat notifications are a big deal for a recipient.

They're also *closely scrutinized by spyware operators*

So threat hunting teams try to balance what they share in warnings with not "burning" their investigative techniques so they can keep tracking spyware groups.
There's a vital conversation happening now about improving impact & value of notifications for victims and researchers while not burning investigations.

But if you're puzzled by why some find the current generation of warnings from Apple/Google/Meta 'vague' I hope this helps.
Personally, I'm on the side of rebalancing notifications to be more informative & impactful for recipients.

Also, evidence-based tuning of language & UX to make next steps clear & easy

Things getting better, but it's a slow road w/tricky problems & equities to balance.
