Opinionista

Cybersecurity challenges: Neither President Ramaphosa nor Apple is safe from spyware

Shapshak is editor-in-chief of Stuff.co.za and executive director of Scrolla.Africa

A sophisticated tool has been used to infiltrate the smartphones of political and government officials as well as dissidents, activists, lawyers and journalists.

First published in the Daily Maverick 168 weekly newspaper.

Until 18 July, Pegasus usually referred to the fabled flying horse of Greek mythology. Now the name stands for arguably the most diabolical spyware the world has ever seen.

Startling revelations have emerged that the spyware tool called Pegasus – made by Israeli cybersecurity company NSO Group – could have been used to snoop on President Cyril Ramaphosa, French President Emmanuel Macron, Pakistani Prime Minister Imran Khan, as well as 11 other heads of state.

Once “infected with Pegasus, a client of NSO could, in effect, take control of a phone, enabling them to extract a person’s messages, calls, photos and emails, secretly activate cameras or microphones, and read the contents of encrypted messaging apps such as WhatsApp, Telegram and Signal”, The Guardian revealed.

The newspaper is one of 16 media organisations that have been investigating a data leak that contains “a list of more than 50,000 phone numbers that, it is believed, have been identified as those of people of interest by clients of NSO since 2016”.

NSO has denied that it was the source of the leaked database and argues it has “no relevance” to it. NSO also claimed Macron was not a “target” of any of its customers, which include Rwanda (for whom Ramaphosa was a person of interest in 2019), Morocco, Mexico, India and the United Arab Emirates.

Macron and World Health Organization chief Tedros Adhanom Ghebreyesus were persons of interest for Morocco in 2019.

The database contains phone numbers of more than 600 diplomats, military chiefs and senior politicians from 34 countries.

For years, it has been common cause that the most secure mobile operating system is Apple’s iOS, which runs on its one billion iPhones. But NSO has been able to infiltrate even Apple’s devices using Pegasus, including those, reportedly, of activists, lawyers and journalists.

“When an iPhone is compromised, it’s done in such a way that allows the attacker to obtain so-called root privileges, or administrative privileges, on the device,” Claudio Guarnieri, who runs Amnesty International’s Security Lab, told The Guardian.

“Pegasus can do more than what the owner of the device can do,” he said.

The reporting consortium – called Project Pegasus – has been exploring the data that was given to Amnesty International, which, in turn, asked media outlets to help to investigate.

Although a phone number’s presence on the list doesn’t necessarily mean the phone was infected, “forensics analysis of a small number of phones whose numbers appeared on the leaked list also showed more than half had traces of the Pegasus spyware”.

The people on the list include hundreds of business executives, religious figures, academics, NGO employees, union and government officials, including cabinet ministers, presidents and prime ministers.

The list also contains “the numbers of close family members of one country’s ruler, suggesting the ruler may have instructed their intelligence agencies to explore the possibility of monitoring their own relatives”.

Narendra Modi’s government in India has come under fire for its suspected use of Pegasus, after the data cache revealed details of hundreds of verified Indian phone numbers. This includes two numbers belonging to India’s most prominent political opposition figure, Rahul Gandhi, The Guardian reported.

Amnesty International secretary-general Agnès Callamard said: “The Pegasus Project lays bare how NSO’s spyware is a weapon of choice for repressive governments seeking to silence journalists, attack activists and crush dissent, placing countless lives in peril.”

It was suggested, although never proved, that NSO was behind a hack into Amazon founder and recently resigned CEO Jeff Bezos’s iPhone X in 2018.

Astonishingly, the hack came via a WhatsApp message, sent from an account belonging to Saudi Crown Prince Mohammed bin Salman, the heir apparent to the country, that implanted malicious software (malware).

Most worrying for legions of Apple fans and paranoid corporate security chiefs, Apple is not as impervious as is always imagined.

“Apple’s self-assured hubris is just unparalleled,” Patrick Wardle, a former NSA employee who now runs Apple security firm Objective-See, told The Guardian.

“They basically believe that their way is the best way. And to be fair … the iPhone has had incredible success,” Wardle said. “But you talk to any external security researcher, they’re probably not going to have a lot of great things to say about Apple.

“Whereas if you talk to security researchers in dealing with, say, Microsoft, they’ve said: ‘We’re gonna put our ego aside, and ultimately realise that the security researchers are reporting vulnerabilities that at the end of the day are benefiting our users, because we’re able to patch them.’ I don’t think Apple has that same mindset.”

Most worrying for the whole world is just how devious and determined nefarious governments and unscrupulous companies are in their sinister pursuits.

Most importantly, you can never be too paranoid about security. 

What to do to make sure you’re maintaining tight cybersecurity

Even if we mere mortals aren’t a Pegasus target, everybody should know about and practise good cybersecurity. 

  1. Install security software on your computer and Android smartphone. Right now. I use Kaspersky, which offers single- or multiple-device licences. Make sure you run daily scans and always keep it updated.
  2. Update Windows, Android, iOS or any apps as soon as software updates, often called patches, are available. Hackers use known gaps to crack people’s security, often with ransomware, which would not be possible if the patches were installed to close the vulnerability.
  3. Never use the same password for more than one app or website. Ever.
  4. Stop trying to remember passwords and get a password manager. Apps like LastPass, 1Password, Dashlane and others create randomised passwords with capitals, symbols and numbers and fill them in for you. I personally prefer LastPass ($36 a year for Premium, or $48 for a six-person family).
  5. Set up two-factor authentication (2FA). Don’t be put off by the phrase. Your password is the first “factor”; the second is an SMS or a code from an authenticator app. I recommend you use the latter, because SMSs can easily be intercepted with a SIM swap – which is one of the most common ways people commit internet banking fraud. Microsoft’s and Google’s authenticator apps are both great. LastPass also offers one.
  6. Make sure 2FA is set up on all your important accounts, please. Please. Email, social media, cloud services, and e-commerce sites must all require you to verify your identity. A password alone is no longer enough.
  7. Never use any unsecured public WiFi without a VPN. It’s common cause that “baddies” use WiFi services with no passwords to “sniff” your unsecured data. It’s very, very easy to steal your login details and passwords this way. Like all things Big Tech gives away for free, you ultimately get charged a lot more than you ever imagined. NordVPN is good, as is Kaspersky’s app.
  8. Don’t click on a dodgy link or open a document from a sender you don’t know. Social media is now the most likely place you’ll be phished. Any private or direct message with a link that says “look at what people are saying about you” is likely to be malware. Unless you’re Jacob Zuma. Then it’s all true. DM168
    This story first appeared in our weekly Daily Maverick 168 newspaper which is available for free to Pick n Pay Smart Shoppers at these Pick n Pay stores until 24 July 2021. From 31 July 2021, DM168 will be available for R25 at Pick n Pay, Exclusive Books and airport bookstores.