cross-posted from: https://lemmy.ml/post/74540
Hello! I think it is a nice time to re-mention some 101 tips of IT security for folks here, that I also practice. Pegasus malware investigation will be big news for a good while, so the more awareness it helps spread, the better.
RULE 1
DO NOT CLICK ON RANDOM SMS AND EMAIL LINKS. Please, do not do this, ever. Just do not do it. Do not do it. Do not do it. Do not do it.
Yes, that is how many times I repeated that line. That is how important this rule is.
Also, do not download random email attachments.
Phishing is such a common tactic that one would think this problem has been solved by now, but it has not.
RULE 2
Keep OFF auto download of photos, videos, documents and so on on WhatsApp, Signal and such apps.
Drive by downloads being self executable surprise bombs is not a new thing. Basically, this rule is similar to keeping off AutoPlay for external USB sticks on Windows computers.
RULE 3
Avoid using popular software too much.
I get it, this is a hard rule to workaround considering how much we need to use WhatsApp, Signal, Telegram and so on, so it is a lot better to compartmentalise your activities among multiple messengers.
Pegasus and a lot of specialised malware uses zero-days to be able to design zero click deployment tricks, which is what these government surveillance tools are good at reserving. They use their millions of dollars of funding and R&D properly, so you have to be careful.
As an example, try to keep WhatsApp internet turned off most of the times via NetGuard, and turn it on only when needed, a good method I have earlier suggested as well in my smartphone hardening guide.
CONCLUSION
Those were some thoughts on the top of my head, before I go to sleep. Stay safe against surveillance! And feel free to ask whatever you want to!
Exactly, given imessage/facetime was used on iOS, virtually every iPhone is at risk. The same applies to Android depending on whether the exploit depends on something at the OS level or software like Whatsapp.
Diversity of OS is certainly a way to go, but ultimately, tying your identity to a device that communicates with a cell phone tower makes this needlessly hard. Your phone number easily identifies a device. For a firm as sophisticated as NSO, Linux is not an obstacle, as it is not free of potential exploits. It’s moreso identifying a device as belonging to you that puts you at risk.
Ultimately, if one is truly at risk of state intelligence, one should simply not use a device that relies on a cell phone network that can be easily traced to you.