NCSC Outlines Tips to Mitigate Commercial Surveillance | Digital Guardian

by Chris Brook on Monday January 10, 2022

The National Counterintelligence and Security Center (NCSC) on Friday warned about the risks posed by commercial spyware to smartphones.

Recent revelations around commercial spyware like the NSO Group’s Pegasus, especially following news that it was used to hack the phones of several American diplomats, have prompted a government response over the last few months.

The US blacklisted the company in November, a move that forbids it from selling in the US and also bars US firms from selling technology to the company.

Now government agencies like the National Counterintelligence and Security Center (NCSC) are warning civilians about spyware like Pegasus and how to prevent their own devices from becoming compromised.

While Pegasus and NSO aren’t explicitly named, they’re certainly hinted at. A bulletin released on Friday discussed capabilities of “commercial surveillance software,” including its ability to record phone calls, track a user’s location, and access text messages, files, and browser activity.

“Companies and individuals have been selling commercial surveillance tools to governments and other entities that have used them for malicious purposes,” the bulletin reads. “Journalists, dissidents, and other persons around the world have been targeted and tracked using these tools, which allow malign actors to infect mobile and internet-connected devices with malware over both WiFi and cellular data connections.”

While it’s highly unlikely that an average citizen could find their phone infected by malware like Pegasus – the malware has mainly been used to spy on dissidents, journalists, and politicians – the guidance still contains some best practices designed to enhance cybersecurity awareness.

NCSC, which is part of the Office of the Director of National Intelligence, recommends users:

  • Regularly update their device operating systems and mobile apps.
  • Be suspicious of content from unfamiliar senders, especially those with links or attachments.
  • Don’t click on suspicious links or emails or attachments.
  • Check URLs before clicking links.
  • Regularly restart mobile devices – this can help remove mobile implants.
  • Encrypt and password protect your device.
  • Maintain physical control of your device whenever possible.
  • Use trusted Virtual Private Networks.
  • Disable geolocation options and cover camera on devices.

Not all of these recommendations may be necessary for every user; threat models vary, and some of these practices may be overkill for some users. As NCSC notes, even following the steps to a ‘T’ may not eliminate risk entirely. The last line of NCSC's guidance may only pertain to those in high-risk scenarios: "It's always safest to behave as if the device is compromised, so be mindful of sensitive content."

While commercial surveillance malware like Pegasus isn’t new, in the eyes of experts, the sophistication around the exploit used by the spyware is unrivaled.

In a deep dive published in December, Project Zero, Google’s crew of zero-day threat researchers, called FORCEDENTRY, the exploit that Pegasus uses, one of the most technically sophisticated exploits they’d ever seen. That’s largely because the spyware relies on a zero-click exploit, which, as the name suggests, doesn’t require human interaction to work. There is no way to prevent exploitation; there’s no phishing email or link to be wary of, and the exploit works in the background. All an attacker would need to target a user with Pegasus is their phone number or Apple ID username.

Tags: Mobile Security

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.