Journalists targeted with Pegasus yet again

Martin Shelton

Principal Researcher

(Freedom of the Press Foundation)

It’s the Digital Security Training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone has shared this newsletter with you, please subscribe here.

In the news

Mercenary spyware firm NSO Group’s Pegasus spyware, designed to remotely access targeted smartphones, is marketed to governments around the world for the purposes of law enforcement and counterterrorism. But in the wild, we’ve seen governments repeatedly abuse this and similar spyware tools to infect journalists, spying on their most sensitive files, communications, and sources.

Access Now, as part of a joint analysis with the Citizen Lab at the University of Toronto, released a report examining traces of Pegasus spyware on the mobile devices of at least 30 Jordanian journalists, activists, lawyers, and civil society members. Further work included in the report by Human Rights Watch, Amnesty International, and the Organized Crime and Corruption Reporting Project highlights five individuals targeted with Pegasus malware, for a total of 35 victims. Of those, 16 were journalists. The report says, "We believe this is just the tip of the iceberg when it comes to the use of Pegasus spyware in Jordan, and that the true number of victims is likely much higher." Read the report here.

What you can do

  • According to the report, the researchers “observed that activating Lockdown Mode for the iPhone appears to have blocked some attempts to compromise Apple devices with Pegasus.” If you’re concerned you’re at elevated risk and have an iPhone, you can enable Apple’s Lockdown Mode for more restrictive security settings.
  • It may not catch absolutely everything, but iVerify for iOS can help scan for less sophisticated malware.
  • For Android users, it’s a little more involved. The Mobile Verification Toolkit may require some technical knowledge to set up. If you don’t feel comfortable trying out this approach on your own, Amnesty International’s Security Lab and Access Now’s digital security helpline may be of assistance to those involved in civil society work.
  • Advanced attacks may rely on vulnerabilities that have not yet been reported or patched in security updates, so downloading and installing updates for your apps and devices is still the best way to defend against most kinds of spyware. Read my colleague David Huerta’s write-up about the story behind your software updates.

Updates from my team

  • Next Thursday, Feb. 15, Davis Erin Anderson, one of our digital security trainers, and Adam Glenn, our deputy editor, will be holding it down at a summer internship fair hosted by the Craig Newmark Graduate School of Journalism. If you’re a Newmark student, stop by between noon and 2 p.m. EST for FPF swag and information about our to-be-announced summer internships. We’d love to meet you!
  • In case you missed it, last week my colleague Anastasia Kolobrodova wrote a post on some preliminary research she has conducted. She examines how practitioners can hone how we frame messaging when communicating the value of digital security to journalists. Check it out.

We are always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.

Best,
Martin

Donate to support press freedom

Your support is more important than ever.

Read more about Digital Security Digest

Mozilla breaks into the anti-data broker game

Hundreds of data brokers aggregate and sell access to personal data, such as phone numbers, emails, addresses, and even purchasing habits collected through loyalty card programs, social media sites, apps, trackers embedded in websites, and more. Mozilla has a new monthly subscription service which automatically scans for your personal data on data broker websites, but there are other ways to make your data less easily searchable. Read more from the Digital Security Team.

Moving from passwords to passkeys

Instead of traditional passwords, where you log into a website with credentials that you know or store in a manager, a passkey is a credential that you store on your device, registered with an online account. Read more in our newsletter.

Harden your iPhone against thieves

Thieves don’t just steal iPhones for the hardware — they may also want access to banking apps and Apple Pay to facilitate fraudulent transfers and purchases. One thing that works in thieves’ favor is that people often use short passwords that are easy to shoulder surf and to memorize — typically only six digits. To minimize this risk, instead of typing in passcodes, where possible and practical consider opting for Face ID or Touch ID when unlocking the phone in public spaces.