Bug Bounties Are Total Crap And We Are All Doomed Because Big Tech Companies Are Too Damn Cheap

Here’s our security landscape at the beginning of 2022:

There are still log4j vulnerabilities floating around unpatched, and new log4j vulnerabilities keep popping up.

Supply chain issues from 2021 are not getting any better. Organizations are keeping old hardware. In some cases, they can’t afford the inflated prices for a replacement. In others, their purchases are stuck on backorder for several months. Old hardware gets abandoned by its manufacturer, and thus does not get patched for new vulnerabilities.

There are companies like NSO Group which are out for profit, despite what they say. They sold their KISMET zero-click iMessage vulnerability recklessly, and it ended up in the hands of fascist governments across the globe. Pegasus is another, perhaps more relevant example because it was reported to Apple in 2021. This is a no-click vulnerability. All an attacker needs to be is a government organization (or a crime syndicate with a government organization wrapped around its finger) that pays a subscription to NSO Group to use this vulnerability. They can get root access to any iPhone, iPad, or MacOS device that remains unpatched. And in case you don’t grasp the impact, this means they have access to your emails, calls, text messages, microphone, camera, location, browsing history, user credentials, two-factor authentication, full interactive use of your device, and even your VPN for all the highly sensitive projects you are working on. There are still a lot of unpatched devices out there, and oppressive governments have been intimidating and tracking journalists and human rights activists with this exploit.

Companies like NSO Group exist because there is more profit to be made from crime and exploitation than from contributing to the information security community. Bug bounties from the technological pillars of our society (Apple, Google, Facebook, Paypal, Intel, and Microsoft) are pathetic. The largest bug bounty payout to date is $100,000. It was paid to an expert software developer who worked 3 years to find this horrific vulnerability, which allowed a hacker to sign in to Apple with any account they wished.

NSO Group sold the use of its exploits for millions of dollars, and they never would have gotten their dirty hands on these vulnerabilities if sufficient bug bounties allowed security researchers to make a decent living.

Why don’t big, multi-billion dollar global organizations like Google and Apple pay a respectable bug bounty? Because they don’t have to. There is no legal requirement to do so, and in our current culture bad news is forgotten and brushed away by worse news. It’s not a matter of forgiveness by consumers. It is more a matter of their short attention span.
