DeepSec 2021 Press Release: Surveillance as Organized Crime – DeepSec Conference Criticizes Pegasus Spy Software as a Legal Vacuum
The information published by the Pegasus Project consortium on the systematic abuse of this monitoring software for smartphones clearly shows that rampant surveillance can hardly be distinguished from organized crime. Security experts are increasingly warning against the hoarding of unknown security vulnerabilities by companies that develop espionage products. Information security for society, authorities and the economy is incompatible with the existence of such tools. In addition, they represent a threat to the national security of every country. We can only maintain a real locational advantage for Europe through consistent IT security.
Battle for Communication Content
Since the first discussions about the availability of strong encryption for private individuals and companies, the security of digital communication has been hotly contested. In the 1990s, the US government wanted to enshrine access to messages and calls from communication providers in law. This failed due to resistance from business and civil rights organizations. In the course of that discussion, projects such as Pretty Good Privacy (PGP) emerged, which strongly encrypt transmitted content. The efforts of the US government to ban encryption for private communications also failed. The increasing spread of portable computers and the explosion of messenger services have led to an enormous spread of encryption technologies in products, at least since the revelations of Edward Snowden. This gain in security is now at stake again. It is threatened by the introduction of back doors in the form of key escrow through new legislative initiatives, analogous to the push in the 1990s.
Rule of Law as a Threat
If encryption has no back doors or deliberate weaknesses, you can always try to copy messages on end devices before they can be encrypted. To do this, it is necessary to break the security of the end device in order to gain access. The compromised computers, smartphones and tablets are then read with the help of malware. The spy software Pegasus from NSO Group takes this route. The infection occurs with the help of supposedly genuine messages and by exploiting unknown security holes. The quality of Pegasus is very high. Finding traces on infected devices is very difficult. Such products exist because there is a demand for surveillance tools. Manufacturers of these applications give assurances that they only sell to authorities. This would theoretically create legal certainty, but considering the 193 states that are members of the United Nations (UN), that doesn’t say much. If you read the published list of 50,000 telephone numbers, you will find some plausible strategic targets for certain countries. Emmanuel Macron is a prominent example. Security experts and around 150 civil society organizations are therefore calling for such surveillance tools to be regulated or banned.
Governmental Security Department surrenders
The German Federal Office for Information Security (BSI) has published a warning about the Pegasus spy software. It describes the application as technically very advanced and says that it is very difficult to implement protective measures. The only remaining recommendations are to restrict the affected messaging channels and to switch to alternative forms of communication. In light of the legislative changes recently passed in Germany on the use of spy software by state authorities, this warning appears as a guide to the future. Security gaps in digital systems must be published and closed. There must be no leeway for retaining weak points for a specific use. IT security experts have been warning of the scenario of uncontrolled spyware for some time, a scenario that has long since occurred. It is the greatest threat not only to civil society but especially to every national economy and its companies. Industrial espionage attacks take place every day. They are often only discovered months or years later. We must combat this status quo.
To make matters worse, the Crypto Wars are not over yet. This year there was a virtual meeting of senior officials from the EU and the US. The slogan “Security despite encryption” was used. This refers to the kind of access to communication that the Clinton administration wanted to create in the USA in the 1990s. For the business people affected, the slogan can also mean “flood protection despite holes in dikes” or “fire protection through arson”. The Pegasus malware already shows the consequences of success through espionage by third parties. Secure communication must not be the privilege of a selected few and organized crime, because legal sanctions so far have only driven the black market – in this case the one for strong encryption.
Exchange of expertise
This year’s DeepSec and DeepINTEL conferences will again discuss current IT security issues in Vienna in November. This also includes legal attacks on secure communication, the keeping open of security gaps by authorities, and the defensive measures available to affected companies and organizations. The DeepSec conference is accompanied by several two-day training courses designed specifically to deepen participants' knowledge. The spectrum ranges from attacks on modern desktops, dangers in cellular networks (2G to 5G) and weak points in industrial control systems (ICS) to overcoming single sign-on solutions. Completely new to the program is the analysis of threats to your own IT infrastructure through practical business games.
Nothing is more important than having the right information at the right moment. The constant attacks on secure communication prove this thesis. Informal discussions with confidentiality clauses take place at DeepINTEL, where security intelligence and strategic IT security are discussed confidentially. Nation-state malware and related threats will also be scrutinized there.
Programs and booking
The DeepSec 2021 conference days are on November 18th and 19th. The DeepSec trainings will take place on the two preceding days, November 16th and 17th. All trainings (with a few exceptions) and lectures are intended as face-to-face events, but depending on future COVID-19 measures, they may take place partially or completely virtually.
The DeepINTEL Security Intelligence Conference will take place on November 17th. Since this is a closed event, we ask for direct inquiries about the program. We provide strong end-to-end encryption for communication: https://deepsec.net/contact.html
You can order tickets for the DeepSec conference and the trainings online at any time at https://deepsec.net/register.html. Sponsor discount codes are available. If you are interested, please contact deepsec@deepsec.net. Please note that we depend on timely ticket orders for planning certainty.