IT and cybersecurity professionals will tell you that keeping your devices up to date is one of the most important practices you can follow, because important vulnerabilities can be fixed before they become public through a process called “responsible vulnerability disclosure”.
Responsible vulnerability disclosure is a process by which a security researcher (a.k.a. a “white hat hacker”) finds a vulnerability and reports it to the appropriate authorities, or to the affected manufacturer or vendor, and does not immediately make it public. Some vendors will pay a “bug bounty” for this type of disclosure to incentivize security researchers to report vulnerabilities responsibly rather than make them public. This allows the vendor to fix the issue, update their products and deploy the fix before it’s made public and malicious actors learn about it and exploit it.
Most software developers take cybersecurity issues seriously enough to fix vulnerabilities when they’re made aware of them, or at least to treat them as bugs and fix them with some level of urgency. Larger vendors, such as Microsoft, Oracle, Amazon, and Google, take cybersecurity very seriously (though not necessarily for the right reasons) and will pay people, both on their own payroll and external, to find bugs for them. So when responsible vulnerability disclosure is used, and you update your software and firmware regularly, you may be applying patches for vulnerabilities that aren’t public yet.
Of course, some vulnerabilities are never disclosed to the vendors but are instead exploited by “black hat” hackers to build spyware, ransomware, and other malicious software – the stuff we used to refer to as viruses but now more generally call malware. The people who write malware depend on the same type of security research as the white hat hackers, but are generally less scrupulous about what they do with what they find.
People who write malware can be criminals, legitimate business people or government agents. The former and the latter categories speak for themselves, but the legitimate business people need some explaining. In that context, you may have heard of “Pegasus”, spyware developed by an Israeli firm for use by governments to spy on, presumably, legitimate targets. Pegasus was developed by a cyber-arms firm called NSO. This firm, and others like it, develop malware as weapons for cyber-warfare. Just like “IRL” arms dealers, cyber-arms dealers create and sell weapons that are then used to inflict harm on their targets. I don’t intend to go into the “is it the gun or the guy pulling the trigger that kills” debate, but it’s important to understand that these weapons work by exploiting the same types of vulnerabilities that so-called “white hat” hackers responsibly disclose. The ones that aren’t disclosed are called “zero-day” vulnerabilities, because the vendor has had zero days’ notice of their existence. Such vulnerabilities are worth a lot of money to these cyber-arms dealers.
They’re also worth a lot of money to criminals.
If you haven’t watched today’s episode of John Oliver’s Last Week Tonight, you really should. You can, of course, wait until it’s been uploaded to YouTube, but if you have any way of watching it before that, please do. In this particular episode, he talks about ransomware, how pervasive it has become, and how to avoid it. He mentions multi-factor authentication a number of times, and you should really set that up ASAP, but he also says a number of other things about ransomware, and he’s right about all of them! I can’t vouch for his bit on Lamborghinis and what the Russian license plates mean, of course, but is there any doubt?
States are not after your cute pictures of your cat. Nobody really cares what you watch on the internet except, perhaps, your SO and, if you’re a politician, whoever votes for you in the hopes that you have better judgement than them. However, criminals do care about getting money from you, and you generally do care about the contents of your devices. So update your software and firmware, use multi-factor authentication, and make sure you have offline backups.
You will get hacked. You will at some point be the victim of a cyber-attack, identity theft, or worse. Your personal information is already out there, and there’s nothing you can do about it now. What you can do is delay the inevitable. You might be able to delay it until you no longer care.