A newsletter briefing on cybersecurity news and policy.
with research by Aaron Schaffer
Welcome to The Cybersecurity 202! Whatever else 4/20 may signify, it's also the second birthday of this guy here. Happy birthday, Jet!
Below: European lawmakers on a committee investigating spyware get cracking, and a former eBay executive is pleading guilty in a bizarre cyberstalking scheme.
The most complex and time-consuming cyberattacks are still far too easy to pull off, according to a new report from Google’s Project Zero division.
These attacks, called zero days, are typically pulled off by extremely sophisticated hackers such as those employed by government intelligence agencies and top-end private companies like the controversial spyware vendor NSO Group. They’re more likely to give hackers long-lasting access to the technology they exploit and the ability to do far more damage.
Ideally, such hacks would take so much time, effort and expertise that only the cream of the crop could find and use them. But that’s rarely the case, Google found. The report underscores the way cyberattackers continue to have an advantage over defenders — even at the very top of the hacking food chain.
The annual report looks at cyberattacks conducted using “zero day” vulnerabilities. This is when highly sophisticated hackers are able to discover a vulnerability – and exploit it – before the developers are aware of the vulnerability (so they've had zero days to patch against it).
The report focuses specifically on zero days that researchers believe nefarious hackers have exploited rather than those that were merely discovered by the good guys. Because the zero day hacks are so comparatively easy to develop, hackers aren't as fearful of researchers discovering and protecting against them — so they use them more freely and cause more damage.
To be clear: Zero day hacks remain exceedingly rare compared with run-of-the-mill hacks, which use vulnerabilities that people and organizations know about but simply haven’t updated their technology to guard against.
But they get outsize attention from cyberthreat researchers and media because they’re used against some of the most high-profile targets.
“My mom and dad don’t need to worry about being attacked with zero days, but when politicians, journalists and human rights activists are targeted, that affects us in a very large way,” Stone told me. “We need to care about them because of the societal impact.”
No one's sure quite how bad the zero day problem is.
Researchers simply don't know about the zero day bugs that they haven't discovered yet. And the people who do know about them — nefarious hackers — aren't sharing information.
Stone estimated that the 58 zero days highlighted in this year’s Project Zero report represent less than 20 percent of the total number of zero days that were exploited in 2021, with the rest going undetected.
“I’d probably hedge closer to 10 percent,” she said. “There’s a huge number of zero days that no one is detecting.”
There were more exploited zero days detected last year than in any previous year — more than double the previous record of 28 exploited zero days detected in 2015.
But that probably is because more zero days are getting discovered and reported rather than that there are more being exploited, the report states.
More details from Project Zero via Recorded Future’s Allan Liska:
Great report from @maddiestone & the team at Project Zero, which confirms research @RecordedFuture has been reporting, the number of reported 0-Days increased dramatically in 2021. Maddie & team have unique insight, that make this a must read. https://t.co/gZfgBtaO2d pic.twitter.com/VaxGAAnjnG
One big difference in the number of zero day reports came from tech platforms that began specifying whether the previously undisclosed bugs they highlighted had been exploited by hackers or not. Such reports accounted for 12 of the 58 zero days reported — seven from Apple products and five from Google’s Android division.
And yet: It's likely that many software vendors are aware of zero days that have been exploited on their platforms that they haven't publicly disclosed. One policy change Project Zero is calling for is a pledge from vendors to publicly disclose such bugs.
Members of the European Parliament’s committee of inquiry want to investigate NSO CEO Shalev Hulio and national governments that have used the company’s Pegasus spyware, EUobserver’s Nikolaj Nielsen reports. The committee is looking into whether those governments’ use of the spyware broke European laws or violated citizens’ rights.
The committee's investigation could have major consequences for NSO because its tools are used across Europe. “Almost all governments in Europe are using our tools,” Hulio recently told the New Yorker. At least three E.U. member states have admitted to using Pegasus.
The committee began working hours after researchers revealed that dozens of politicians and activists from Spain’s autonomous northeastern Catalonia region were targeted with Pegasus. Even Catalan members of the European Parliament were targeted, Citizen Lab said, noting it suspected that Spain was behind the hacks.
Catalan politicians plan to fight back:
They won’t get investigations from the European Union's executive branch, EUobserver reported. The European Commission won’t separately investigate Pegasus misuse by European countries, a spokesperson for the commission told reporters. It’s “really something for the national authorities,” the spokesperson said.
Former eBay security director Jim Baugh plans to admit that he ran a bizarre 2019 cyberstalking campaign that targeted a couple critical of the e-commerce company, Bloomberg News’s Janelle Lawrence reports.
The plea comes after five other former employees have admitted to taking part in the campaign to intimidate bloggers Ina and David Steiner. Another ex-executive, former global resiliency director David Harville, is set to go on trial next month.
The couple drew the ire of top eBay executives after they wrote about litigation involving the company, the Justice Department said.
The harassment was intense: “At Baugh’s direction, the couple received anonymous deliveries including a preserved fetal pig, a bloody pig mask, a funeral wreath and a book on surviving the loss of a spouse,” Lawrence writes. “Baugh also secretly visited the couple’s suburban home with plans to install a GPS tracking device on their car, according to federal prosecutors.”
In the years leading up to Russia’s invasion of Ukraine, the Kremlin imposed an onslaught of laws, regulations and back-channel demands on major Russian tech companies, Joseph Menn reports. As a result, Russian anti-virus giant Kaspersky Lab, social network VKontakte and search engine Yandex have been reduced to shadows of what they could have been.
“This has been a total disaster for the Russian economy, and the tech industry was adding a lot of value,” said Esther Dyson, an early American investor in Yandex who left its board shortly after Russia invaded Ukraine. “Even before they started waging war on Ukraine, they were waging war on the truth.”
DC coalition urges hearing on bill to vote by phone (7News DC)
South Africa’s private surveillance machine is fueling a digital apartheid (MIT Technology Review)
How a former US Navy sailor became a Putin propagandist (Task and Purpose)
Cyberattack cripples Puerto Rico toll collection system (NBC News)
WATCH OUT THE PANDA-MIC IS IN THE HOUSE pic.twitter.com/0gSf0W0n9c
Thanks for reading. See you tomorrow.