Best of the Checklist: April 21, 2022
A big year for 0-days
Google’s team of security research analysts, Project Zero, has just released its 2021 year-in-review report. It’s not good news. Here’s what the folks at Project Zero have to say:
2021 included the detection and disclosure of 58 in-the-wild 0-days, the most ever recorded since Project Zero began tracking in mid-2014. That’s more than double the previous maximum…
Project Zero said that they saw both iOS and macOS 0-days in their research. To learn more about the issue of 0-days, check out:
Checklist 229: Zero-Days and WebKit with August Trometer
Closing the gap
According to recent reports, the “cybersecurity skills gap” is still a major problem for the United States. To put it bluntly, there aren’t nearly enough qualified employees to fill all of the open jobs in cybersecurity. At the moment, the US has about 600,000 vacant positions in cybersecurity — and this is against the backdrop of new overseas hacking threats and an increased risk of nation-state attacks.
There are no easy answers here, but for an interesting look at what one high school teacher is doing to address the issue, have a listen to:
Checklist 219: Teaching Tomorrow’s Cybersecurity Pros with Robert Speciale
NSO Group exploits another iMessage flaw
Security researchers at Citizen Lab have published a report showing that NSO Group’s Pegasus spyware was used to surveil Catalan politicians, activists, and citizens. According to the researchers, the spyware campaign infected iPhones with a “zero-click [iMessage] exploit that has not been previously described”, which they call “HOMAGE”.
To learn more about Pegasus, and about NSO Group’s background, check out:
Checklist 240: Updating Apple Gear and Sizing Up Pegasus
Checklist 257: Suing to Stop Pegasus
Have a question or an idea for a show?
If you have a cybersecurity question — or a suggestion for a topic you’d like to see covered on a future edition of The Checklist — please write to us and let us know!