Imagine if you forgot to lock your front door. And now imagine that news of your forgetfulness got into the hands of local criminals. If so, your odds of becoming a crime victim just got a lot higher.
That’s what happens if you have unpatched software that is vulnerable to a “zero day attack.” That’s when hackers know about a flaw and exploit it before developers have a chance to fix it. Zero day refers to the fact that there are no days left to fix the flaw before a potential attack.
Unfortunately, zero day flaws are fairly common. In fact, some affecting Microsoft and Google products were revealed and fixed just this week, according to ZDNet. They include flaws in Microsoft Office and the Edge browser, along with other software. The good news is that Microsoft has already issued a fix for the problem, and if you have your Windows machine set to automatically apply new patches, you’re probably already protected. But to be sure, type “Update” in the search box in the lower left corner of your PC to see if it says “You’re up to date.” To be doubly sure, click on “Check for updates” to get an update on your updates. You’ll find more on updates, including links to instructions for Macs, iOS and Android, at ConnectSafely.org/updates.
Google is in the same boat. Google has issued an urgent update to its Chrome browser because, as the company reported in a blog post, it “is aware of reports that an exploit for (a recent vulnerability) exists in the wild.” The “wild” means that it’s out in the world where hackers can attack. Such flaws are unlike those that are discovered by security researchers and eradicated before they can be exploited.
Any software can be vulnerable to an attack, but operating systems like Windows, macOS, Android and iOS are particularly vulnerable, as are browsers like Google Chrome, Microsoft Edge and Apple Safari. Browsers are your front door to the World Wide Web, so it’s especially important for them to be secure.
To check for updates in both Chrome and Edge, click on the three dots in the upper right of the browser, select Settings and search for updates. You’ll find more at ConnectSafely.org/updates, including instructions for updating Apple Safari.
This won’t directly affect most people, but we should all be concerned about nation states and, potentially, private organizations or terrorist networks hacking activists, dissidents, and journalists, as is too often the case. In these situations, the organizations or governments don’t need to hire their own hackers. They can purchase or otherwise obtain software from NSO Group, an Israeli spyware company that sells tools for attacking Android and iOS devices. The company claims that it “only sells licenses for its most well-known software product, Pegasus, to select approved, verified and authorized states and state agencies, specifically to be used in national security and major law enforcement-driven investigation,” but Google’s Project Zero recently reported that another NSO product, FORCEDENTRY, had been used to target a Saudi activist.
The Google blog added, “For years, groups like Citizen Lab and Amnesty International have been tracking the use of NSO’s mobile spyware package ‘Pegasus.’ Despite NSO’s claims that they ‘[evaluate] the potential for adverse human rights impacts arising from the misuse of NSO products,’ Pegasus has been linked to the hacking of New York Times journalist Ben Hubbard by the Saudi regime, hacking of human rights defenders in Morocco and Bahrain, the targeting of Amnesty International staff and dozens of other cases.” The U.S. Commerce Department has added NSO Group and other foreign companies to its “entity list for malicious cyber activities.”
We’re all at risk
You don’t have to be an activist to be a victim of this type of attack. Security researchers warn that any technology designed to thwart security tools can get into the wrong hands, including those of criminals and rogue governments. And while it’s not clear what government was behind the attack, NSO’s software, according to Reuters (via The Guardian), was used to attack the “iPhones of at least nine US state department officials,” likely by a foreign government.
This is especially concerning at this point in history, with a rise in authoritarian regimes around the world along with authoritarian movements in numerous democratic countries, including the United States.
What you can do
There are things we can all do to protect our own systems and encourage public officials and companies to protect our vital national infrastructure from attacks. Battening down your own hatches is a good first step. That means not only updating your software but also making sure you have strong and unique passwords, taking advantage of other security tools like two-factor authentication, and avoiding links in email or social media that could lead you to a rogue website. You’ll find more advice at ConnectSafely.org/security.
Larry Magid is a tech journalist and internet safety activist.