by joemazerino 2006 days ago
Journalists can't seem to keep up with the latest threat model material. I'm wondering if a resource for journalist training is a good idea considering the resources stacked against them.
2 comments

Many journalists who are frequently engaging in conversations that would be deemed highly sensitive are keeping up with the latest threat model material and following best security practice. Moreover, the circumstances we know in this case make me question if any individual, outside of the most security paranoid, could have prevented being hacked in this way.

This was an iOS 0-day that appears to have targeted iMessage [1] and worked via zero-click, meaning user interaction wasn’t necessary. Citizen Lab says that in one case, the initial vector appears to be Apple’s own servers.

So you’ve got people with modern (if not the latest) phones running the latest software on what is considered to be the most secure mobile operating system and you have highly-targeted attacks that appear to be state-sponsored, with high precision, going after these individuals.

What could education do to help in this case? Literally every single person I know, and this includes some extremely sophisticated security experts, would have been victims here too.

In the abstract, I agree with more training — though I’ll offer that these resources are widely available already in many newsrooms — but in this case, it would have done nothing.

[1]: https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hac...

More of a failing of AJ's IT dept than anything else. Not sure if they were using AJ issued devices but they should be on managed devices that get updated on schedule, which may have mitigated this attack. Journos aren't necessarily deeply technical folks, that's really not their core competency.

Read the details on this attack. They were running the latest software. I wouldn’t be surprised if the devices were managed in some way too. It doesn’t matter. This highly-targeted attack couldn’t be mitigated and that’s exactly the point.

??? From TFA?

> Researchers at Citizen Lab said the apparent malicious code they discovered, which they claim is used by clients of Israel’s NSO Group, made “almost all” iPhone devices vulnerable if users were using an operating system that pre-dated Apple’s iOS 14 system, which appears to have fixed the vulnerability.

Edit: and that's almost not relevant to my point - what I'm saying is that journalists aren't inherently technical people, and that the work of reading reports on the latest exploits and vulnerabilities and developing countermeasures should probably go to someone else in their org

And my point is that with this attack, that wouldn’t matter. The exploit was state-sponsored and specifically targeted and was going after even up to date (at the time) devices. Citizen Lab was only able to glean as much information as it was in one case because the journalist reached out 7 months before he was hacked and they gave him a VPN they could use to monitor his traffic logs. The journalist was a key part of figuring this out, which goes against your entire point that the IT department would have caught this.

They wouldn’t have and they didn’t. This isn’t a scenario where you can blame lack of information or talk about who is or is not inherently technical. It was state-sponsored targeted hacking.

When you work in a sensitive environment such as the Middle East as a journalist, one really needs to go overboard and keep an insulated protection layer - separate devices, clean contacts, Tor and VPN, the whole gamut. It is the journalist's responsibility in such environments to ensure their survival and make sure that they don't engage in something stupid.

I presume AJ, just like the others, tends to use a lot of freelancers - in fact, they pay out some of the highest commissions to freelancers. Most freelancers are responsible for their own lives.

Everyone is.