Pegasus spyware ramifications

As more people are being made aware of the dangers of personal information they may unwittingly have shared over social media platforms, now comes a bigger threat over technologies that are embedded in and run your electronic devices and gadgets.

It seems that researchers have long been warning users of iOS, Android, and Windows devices of a significant rise in attacks by hackers, largely believed amplified by a proliferation of hacking tools, many already being sold on the dark web.

A report by the MIT Technology Review spoke of 66 zero-days found this year, which would be about double what had been recorded annually in the previous five years.

Zero days is a term that refers to programming weaknesses discovered by other people or organizations before the actual program developers of an app or software catch it, thus giving them zero days to fix the problem. Normally, program bugs are detected way before others than the actual program developers are able to see them, thus giving time for the programmers to issue “fixes.”

Hacking, however, has become more sophisticated and many of the hackers are motivated by the monetary rewards. The recent most popular hacks involve ransomware, where “kidnapped” data is returned to the owner only after ransom has been paid. This has made voice and mail phishing seem like child’s play.

Rising zero day cases

How serious the rise of zero days has become is best illustrated in an article posted by techhq.com’s Dashveenjit Kaur. Four zero-day security vulnerabilities were just recently exposed, which hackers were able to exploit even in iOS devices that run Apple products. This shatters the long-held belief by Apple users of the impregnability of the company’s products to attacks.

The article first mentioned Chinese hackers who were able to exploit Microsoft Exchange to pilfer emails and plant ransomware. In another case, hackers were able to exploit a zero day in the software sold by IT management software supplier Kaseya, thus resulting in one of the biggest supply chain attacks in history.

The biggest story, though, is about the Israeli spyware company NSO Group, which is notoriously known for vending programs to governments that want to remotely take over people’s smartphones and computers. Apparently, as early as March, NSO has found a way to get its spyware Pegasus into Apple devices by sending a fake GIF through iMessage.

Pegasus is a distinct and superior spyware since it moves away from the “click-bait” formula, where formerly one had to click on a file to allow malwares to infiltrate an operating system. Just sitting on your phone is enough for Pegasus to capture users’ photos, emails, recorded messages, texts, calls, and even encrypted messages, and send them to government clients.

The recently exposed targets were a Saudi activist and members of the French Cabinet, although watchdog Citizen Lab had been for months racking attention to how Pegasus had been targeting activists and journalists in repressive government regimes.

While you and I, and millions of others, categorized as “faceless” citizens not likely to be on the Pegasus watch list, this kind of spyware that can report on everything that goes on through our smartphones can really turn on the creeps.

If there’s any consolation to this rise in zero day attacks, which hopefully can be comforting, is the equal swiftness that program vendors are responding to stop the problem from escalating further, and to find better and long-lasting fixes.

We look forward to the day when we can worry less about these potential aggressions on our privacy.

Bugged bug bounty system

While we’re on a tech news binge, also of interest to us mortals who use Apple devices is the exposé of a security consultant about the potential risk on finders of lost Apple AirTags. Bobby Rauch says that finders who respond to the appeal to find the owner of the lost tag (attached to something) must be wary lest they get exposed to a phony Apple iCloud login page.

The AirTag weakness story, however, is overshadowed by another: one that deals with the slow response of Apple on reports of bugs on its products, which is often dealt by the company through its bug bounty program.

Many IT companies, website owners or even software developers have a bug bounty system open to tech-savvy individuals who can ferret out weaknesses of their published software. A monetary reward is most often offered depending on the severity of the discovered flaw.

Among this elite community of bug hunters, the notoriety of Apple’s slow responses – which could take months – to such reported problems apparently tops the list. As irritation builds up among those who have reported problems, but have received no reply, the court of last resort had been to publicly expose the findings, either through blogs or other media channels.

Understandably, many of the red flags sent to Apple deal with simple and less critical problems that eclipse other bigger problems that the company has to work on, such as the Pegasus spyware. However, immediately acknowledging bug discovers’ reports and keeping them updated is a good way of keeping the pot from boiling over.

A better way is to get more researchers onboard to solve all of these little entanglements. When too many of such problems are exposed through media reports, Apple’s credibility stands to suffer the most.

Facebook and Twitter

We are actively using two social networking websites to reach out more often and even interact with and engage our readers, friends and colleagues in the various areas of interest that I tackle in my column. Please like us on www.facebook.com/ReyGamboa and follow us on www.twitter.com/ReyGamboa.

Should you wish to share any insights, write me at Link Edge, 25th Floor, 139 Corporate Center, Valero Street, Salcedo Village, 1227 Makati City. Or e-mail me at [email protected]. For a compilation of previous articles, visit www.BizlinksPhilippines.net.