
How to Defend Against NSO Spyware

Or at least try!

The NSO Group is the Israeli company that sells spyware to governments. Evidence suggests it also sells to all manner of unsavory customers, although the company denies that.

Evidence also says that they target journalists, activists, business executives and lawyers around the world.

But they come from the Wernher von Braun school of rocketry – once they go up, who cares where they come down. They say that how their customers use the software is not their business.

While iPhones are usually good at stopping malware, in this case they are about as secure as a screen door against NSO’s Pegasus software.

While there is no such thing as perfect security, that doesn’t mean that you should just give up and let the hackers in. The Pegasus software gives the operator effectively complete access to a target’s mobile device. It allows the operator, which may be a government, to:

  • Remotely and covertly collect information, including:
    – location
    – relationships
    – phone calls
    – plans
    – activities
  • Monitor voice and VoIP phone calls in real time
  • Siphon contacts, passwords, files and encrypted content from the phone
  • Monitor the room around the phone by turning on the microphone
  • Track the phone’s location
  • Monitor conversations in apps like WhatsApp, Facebook, Signal and others

All that being said, it is just an old-fashioned remote access trojan, delivered with very expensive exploits.

So, what can you do to even the odds?

  1. Avoid clickbait – text messages or WhatsApp messages that try to get you to tap on a link (which installs the malware). The messages may appear to come from your bank, for example.
  2. Separate sensitive work from non-sensitive work on different devices. I know that is a pain, but so is getting hacked.
  3. Use out-of-band verification (call the sender on a number you already have) if you get a link that you are not expecting.
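As an added example that is not from the original post or from The Intercept, the Python script below triages the links in an SMS or WhatsApp message for the red flags a one-click lure of the kind described above tends to show: plain HTTP, an IP address instead of a hostname, punycode, a link shortener, credentials smuggled into the URL, a real brand name parked under someone else’s domain, or a look-alike spelling of a domain you actually use. The bank domain, the shortener list and the sample messages are assumptions constructed for this example; the registrable-domain guess is deliberately crude (last two labels, no public-suffix list).

```python
"""Triage links in SMS/WhatsApp-style messages before anyone taps them.

Added example, not code from the original post or from The Intercept.
KNOWN_GOOD, SHORTENERS and SAMPLE_MESSAGES are constructed assumptions.
"""
import re
from urllib.parse import urlsplit

# Assumed allow-list: domains this recipient actually uses (e.g. their bank).
KNOWN_GOOD = {"example-bank.com", "login.example-bank.com"}

# Assumed list of link shorteners; lures use them to hide the real host.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def registrable(host):
    """Crude registrable-domain guess: the last two labels of the host."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


GOOD_REGISTRABLE = sorted({registrable(h) for h in KNOWN_GOOD})


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alikes such as examp1e-bank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def triage_url(url):
    """Return the list of red flags for one URL (empty list = nothing obvious)."""
    flags = []
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url          # bare "www.…" links are plain HTTP
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        flags.append("plain-http")
    if IPV4_RE.match(host):
        flags.append("ip-literal-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")
    if host in SHORTENERS:
        flags.append("link-shortener")
    if "@" in parts.netloc:
        flags.append("userinfo-in-url")   # http://example-bank.com@evil.example/

    if host not in KNOWN_GOOD:
        reg = registrable(host)
        for good_reg in GOOD_REGISTRABLE:
            if good_reg == reg:
                continue                 # an unlisted subdomain of a good domain
            brand = good_reg.split(".")[0]
            if brand in host:            # brand name under a foreign domain
                flags.append("brand-in-foreign-domain:" + good_reg)
                break
            if edit_distance(good_reg, reg) <= 2:
                flags.append("lookalike-of:" + good_reg)
                break
    return flags


def triage_message(text):
    """Map every URL found in a message to its red flags."""
    urls = [u.rstrip(".,)") for u in URL_RE.findall(text)]
    return {u: triage_url(u) for u in urls}


# Constructed sample messages for this example, not real lures.
SAMPLE_MESSAGES = [
    "Example Bank: unusual sign-in. Verify now: http://example-bank.com.verify-login.xyz/acct",
    "Your package is waiting. Track it: https://bit.ly/3abcxyz",
    "Your statement is ready at https://login.example-bank.com/statements",
    "Reset your password: https://examp1e-bank.com/reset",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for url, flags in triage_message(msg).items():
            verdict = "SUSPICIOUS" if flags else "no obvious flags"
            print(f"{verdict:18} {url}  {flags}")
```

Treat an empty flag list as "nothing obvious", not as "safe": a zero-click exploit needs no link at all, and a lure hosted on a compromised but legitimate domain will pass every check here, which is why the out-of-band verification step still applies.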

That is just one form of attack. Another is network injection: intercepting unencrypted (plain HTTP) web traffic and redirecting it to a malicious site. To help thwart this:

  1. Always type the HTTPS:// in front of the URL
  2. Bookmark known sites and only go there from the bookmarks
  3. Use a VPN

Unfortunately, there are also zero-click exploits, ones that you don’t have to interact with at all to get infected. A recent iMessage attack worked like that: the attacker sent you a malformed iMessage and you were infected. To reduce the odds of this working:

  1. UNINSTALL **ALL** apps that are not absolutely essential
  2. Regularly audit your apps to make sure there are none there that you don’t need
  3. Regularly install all patches to the OS and apps – but only do that when you are on a trusted network
  4. Keep the phone in a Faraday bag when you are not using it, so that it cannot communicate with its handler

Obviously, the simplest attack is physical access. To help thwart this:

  1. Keep your phone under your control at all times
  2. Do not believe the myth that hotel room safes are secure. They are not.
  3. Put your device in a tamper-evident bag if you need to leave it somewhere. At least that way you will know if someone attempted to get into it.
  4. Use burner phones and change them like underwear

I know that all of this is a pain in the rear. You have to decide what your level of paranoia is.

Remember: Security or convenience, pick one.

Credit: The Intercept