Category Archives: mobile devices

Survey Reveals 92 Percent of IT Professionals Concerned About Public Wi-Fi Security Risks on Corporate Devices

A new survey revealed that 92 percent of IT professionals are concerned about Wi-Fi security risks related to accessing public networks on corporate devices.

According to Spiceworks, most IT professionals believe organizations could do more to address these risks. Just 63 percent of respondents said they are confident that employees use a virtual private network (VPN) when accessing public Wi-Fi on a corporate device, and even fewer (55 percent) believe their organizations are protected against these threats overall.

IoT Sparks Wi-Fi Security Concerns

Their concerns are justified: 12 percent of respondents said their organization has suffered a security incident involving an employee connecting to public Wi-Fi. More troubling, 34 percent of IT professionals don’t know whether their employer has experienced such an incident, because these events are hard to detect.

But IT professionals aren’t just concerned about public Wi-Fi — they’re also worried about the security of devices that are connecting to corporate networks. Respondents to the Spiceworks survey attributed the greatest risk of Wi-Fi attacks to Internet of Things (IoT) devices, such as IP-enabled controllers (52 percent), appliances (49 percent), video equipment (42 percent) and electronic peripherals (40 percent). By contrast, 32 percent ranked Windows laptops as the greatest risk, while 18 percent cited iOS smartphones.

“While adoption of IoT devices is increasing in the workplace, many IT professionals are still wary of connecting these often unpatchable devices to corporate Wi-Fi networks,” said Peter Tsai, senior technology analyst at Spiceworks, in a press release. “As a result, some organizations are delaying the adoption of IoT devices and holding out hope that the forthcoming WPA3 protocol might improve Wi-Fi security.”

Don’t Wait for WPA3

But organizations don’t have to wait for WPA3 to begin addressing the persistent challenges of Wi-Fi security. In the meantime, they can use the current standard protocol (WPA2, with a strong passphrase or enterprise authentication) and isolate visitors on a separate guest Wi-Fi network. If they haven’t done so already, they can also set complex admin passwords on networking devices, choose service set identifier (SSID) names that don’t reveal the organization or the hardware model, and enable MAC address filtering. Bear in mind that SSID naming and MAC filtering only raise the attacker’s effort: MAC addresses are visible on the air and can be cloned, so they complement encryption and authentication rather than replace them.

The post Survey Reveals 92 Percent of IT Professionals Concerned About Public Wi-Fi Security Risks on Corporate Devices appeared first on Security Intelligence.

Read My Lips: Researchers Find Ways to Fool Speech Recognition Systems

In the four years since Amazon introduced the Echo, the popularity of speech recognition systems has exploded. One reason is that the quality of voice recognition technology has now reached parity with humans. An estimated 27 million Echo and Google Home devices have been sold, according to Computer Intelligence Research Partners (CIRP), and the Consumer Technology Association expected another 4.4 million were sold during this past holiday season.

This surge has made speech recognition a tempting new target for cybercriminals. Thanks to encryption and tunneling, voice-activated devices are believed to be reasonably secure against compromise at the software level, but what about the commands they accept? Recent research has shown that voice recognition itself can be compromised with unsettling ease.

Subverting the Human Ear

Last summer, a group of researchers at Zhejiang University published a paper describing how popular speech recognition systems, such as Apple’s Siri and Google Now, can be activated using audio at frequencies that are inaudible to humans but are still picked up by electronic microphones. This technique, which the researchers dubbed DolphinAttack, works even if the microphones are wired to ignore high-frequency audio, because the microphone circuitry is not perfectly linear: it reproduces the command at lower, audible frequencies, in effect demodulating the ultrasonic signal before any filtering takes place.

By boosting the power of those harmonics, researchers were able to command voice-activated assistants to do things such as visit a malicious website, initiate phone calls, send fake text messages and disable wireless communications. Their brief but unsettling demonstration video shows how this is possible.
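To make that mechanism concrete, here is an added numerical illustration (not from the DolphinAttack paper or this article): a 40 kHz carrier amplitude-modulated by a 1 kHz “voice” tone is passed through a toy microphone model with a small quadratic nonlinearity, and the amplitude at 1 kHz is measured before and after. The sample rate, modulation depth, nonlinearity coefficient and tone frequencies are all assumed values chosen for the demonstration.

```python
import math

SAMPLE_RATE = 192_000     # assumed ADC rate; must exceed twice the 40 kHz carrier
DURATION = 0.05           # seconds of constructed signal (9600 samples)


def am_ultrasound(carrier_hz, voice_hz, n, rate=SAMPLE_RATE, depth=0.8):
    """Constructed attack signal: an ultrasonic carrier amplitude-modulated by a
    low-frequency 'voice' tone. Its energy sits only at carrier_hz and at
    carrier_hz +/- voice_hz, all above human hearing."""
    return [
        (1.0 + depth * math.sin(2 * math.pi * voice_hz * t / rate))
        * math.sin(2 * math.pi * carrier_hz * t / rate)
        for t in range(n)
    ]


def microphone(signal, a2=0.5):
    """Toy microphone/pre-amplifier: linear response plus a small second-order
    (quadratic) term. Real hardware is only approximately linear, and that
    quadratic term is what DolphinAttack exploits (a2 is an assumed value)."""
    return [x + a2 * x * x for x in signal]


def band_amplitude(signal, freq_hz, rate=SAMPLE_RATE):
    """Amplitude of the sinusoidal component at freq_hz (a single DFT bin)."""
    n = len(signal)
    re = sum(x * math.cos(2 * math.pi * freq_hz * t / rate) for t, x in enumerate(signal))
    im = sum(x * math.sin(2 * math.pi * freq_hz * t / rate) for t, x in enumerate(signal))
    return 2.0 * math.hypot(re, im) / n


def demodulation_leak(carrier_hz=40_000, voice_hz=1_000):
    """Amplitude of the 'voice' tone before and after the microphone nonlinearity."""
    n = int(SAMPLE_RATE * DURATION)
    raw = am_ultrasound(carrier_hz, voice_hz, n)
    mic = microphone(raw)
    return {
        "voice_in_air": band_amplitude(raw, voice_hz),      # ~0: nothing audible is transmitted
        "voice_after_mic": band_amplitude(mic, voice_hz),   # 0.4: the tone has been demodulated
        "carrier_after_mic": band_amplitude(mic, carrier_hz),
    }


if __name__ == "__main__":
    for name, amp in demodulation_leak().items():
        print("%-18s %.4f" % (name, amp))
```

Before the microphone the 1 kHz bin is empty; after it the tone appears with amplitude a2 times the modulation depth (0.4 here), even though every transmitted component sits above 39 kHz. A low-pass filter applied after this stage, which is where a microphone’s anti-aliasing filter sits, removes the carrier but keeps the demodulated command, which is why filtering alone does not stop the attack.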

Hijacking Speech Recognition With Hidden Commands

More recently, two researchers at the University of California, Berkeley published a report detailing how they were able to embed commands into any kind of audio recognized by Mozilla’s DeepSpeech speech-to-text software. The authors claimed that they could produce a waveform 99.9 percent similar to any audio sample yet have it transcribed as any phrase they chose, at a rate of up to 50 characters per second, with a 100 percent success rate.

The Berkeley researchers posted samples of these “audio adversarial” clips to demonstrate how they embedded the hidden phrase, “OK Google, browse to” in the spoken passage “Without the dataset the article is useless.” It’s nearly impossible to tell the difference.

They did it with music too. The samples include a four-second clip from Verdi’s “Requiem” that masks the same command. The only difference between the two clips is a series of subtle chirps that the passive listener probably wouldn’t even notice.

The technique works because of the way machine learning models map speech to text, a harder problem than recognizing handwriting or images: the same sounds are pronounced in many ways, and the model does not know in advance which stretch of audio corresponds to which letter. Speech recognizers such as DeepSpeech therefore use connectionist temporal classification (CTC), which scores a transcription by summing over every possible alignment of letters to audio frames rather than committing to one. The researchers exploited that scoring function directly: they made slight changes to the waveform, nearly undetectable to the human ear, chosen to maximize the model’s score for the target phrase. In essence, they canceled out what the machine was supposed to hear in favor of what they wanted it to hear.
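The added example below (not the Berkeley researchers’ code, and not DeepSpeech) reduces the attack to its objective: a three-symbol vocabulary, a four-frame input whose values are used directly as the model’s logits, the CTC forward algorithm that scores a transcription by summing over all alignments, and gradient descent on the input that turns a clip decoding as “ko” into one decoding as “ok”. The vocabulary, the benign input, the learning rate and the 0.99 stopping threshold are assumptions for the toy; with only 12 input values the perturbation is not small the way it is when spread across thousands of audio samples, which is where the real attack gets its imperceptibility.

```python
import itertools
import math

BLANK = "-"
ALPHABET = [BLANK, "o", "k"]   # toy vocabulary (assumed); DeepSpeech uses letters, space and blank

def ctc_collapse(path):
    """Collapse one frame-level path to text: merge repeats, then drop blanks.
    Many paths ("ok--", "-ok-", "oo-k", ...) collapse to the same transcription."""
    out, prev = [], None
    for c in path:
        if c != prev and c != BLANK:
            out.append(c)
        prev = c
    return "".join(out)

def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]

def frame_probs(logits):
    """Toy acoustic model: the input vectors are used directly as per-frame logits,
    standing in for the network DeepSpeech evaluates on the audio."""
    return [softmax(frame) for frame in logits]

def greedy_decode(logits):
    """What a greedy CTC decoder emits: most likely symbol per frame, then collapse."""
    path = [ALPHABET[max(range(len(f)), key=f.__getitem__)] for f in frame_probs(logits)]
    return ctc_collapse(path)

def ctc_probability(logits, target):
    """P(target | input) by the CTC forward algorithm: the sum over every path that
    collapses to the (non-empty) target. -log of this value is the CTC loss."""
    probs = frame_probs(logits)
    idx = {c: i for i, c in enumerate(ALPHABET)}
    ext = [BLANK]
    for c in target:
        ext += [c, BLANK]                     # blank, t1, blank, t2, blank, ...
    S = len(ext)
    alpha = [0.0] * S
    alpha[0], alpha[1] = probs[0][idx[BLANK]], probs[0][idx[ext[1]]]
    for t in range(1, len(probs)):
        new = [0.0] * S
        for s in range(S):
            total = alpha[s] + (alpha[s - 1] if s > 0 else 0.0)
            if s > 1 and ext[s] != BLANK and ext[s] != ext[s - 2]:
                total += alpha[s - 2]         # the blank between two different labels is optional
            new[s] = total * probs[t][idx[ext[s]]]
        alpha = new
    return alpha[-1] + alpha[-2]

def alignment_posteriors(logits, target):
    """gamma[t][c] = P(frame t carries symbol c | output is target), computed here by
    brute-force enumeration of all 3**T paths (81 for four frames). Also returns
    P(target), which must agree with ctc_probability()."""
    probs = frame_probs(logits)
    idx = {c: i for i, c in enumerate(ALPHABET)}
    T = len(probs)
    gamma = [[0.0] * len(ALPHABET) for _ in range(T)]
    total = 0.0
    for path in itertools.product(ALPHABET, repeat=T):
        if ctc_collapse(path) != target:
            continue
        p = 1.0
        for t, c in enumerate(path):
            p *= probs[t][idx[c]]
        total += p
        for t, c in enumerate(path):
            gamma[t][idx[c]] += p
    return [[g / total for g in row] for row in gamma], total

def attack(logits, target, lr=1.0, max_steps=5000, confidence=0.99):
    """Targeted attack: gradient descent on the INPUT to minimise the CTC loss of
    `target`, the objective the Berkeley work optimises over raw audio samples.
    d(-log P)/d(logit) = softmax - gamma is the standard CTC gradient. Stops as soon
    as P(target) exceeds `confidence`. Returns (adversarial input, steps used)."""
    adv = [list(f) for f in logits]
    for step in range(max_steps):
        gamma, p_target = alignment_posteriors(adv, target)
        if p_target > confidence:
            return adv, step
        probs = frame_probs(adv)
        for t in range(len(adv)):
            for c in range(len(ALPHABET)):
                adv[t][c] -= lr * (probs[t][c] - gamma[t][c])
    return adv, max_steps

def perturbation_norm(a, b):
    return math.sqrt(sum((x - y) ** 2 for fa, fb in zip(a, b) for x, y in zip(fa, fb)))

# Constructed benign input: four frames whose best symbols are k, -, o, -  ->  "ko".
BENIGN = [[0.0, 0.0, 2.0], [2.0, 0.0, 0.0], [0.0, 2.0, 0.0], [2.0, 0.0, 0.0]]

if __name__ == "__main__":
    adv, steps = attack(BENIGN, "ok")
    print("benign input decodes to %r" % greedy_decode(BENIGN))
    print("after %d steps it decodes to %r (P = %.3f, perturbation L2 = %.2f)"
          % (steps, greedy_decode(adv), ctc_probability(adv, "ok"), perturbation_norm(BENIGN, adv)))
```

Once P(“ok”) exceeds 0.99 the greedy decode is guaranteed to read “ok”: with 81 possible paths, if the single most likely path did not collapse to “ok” every path would have probability below 1/81 and they could not sum to 1. The real attack swaps the finite-difference-free toy gradient for backpropagation through DeepSpeech and adds a penalty on the size of the perturbation, which is what keeps the audible change below the listener’s notice.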

Don’t Panic, But Use Caution

This doesn’t mean you should go home and unplug your Alexa. Both proofs of concept have significant limitations. In the case of DolphinAttack, the audio source had to be within six feet of the target device. It’s also reasonably easy for device owners to defend against hijacks by changing their wake phrases or restricting access to critical apps.

The Berkeley researchers only tested their technique on DeepSpeech, which isn’t used by any of the major voice recognition products. They had detailed knowledge of how DeepSpeech works and the benefit of a highly controlled laboratory environment. There was also quite a bit of computational power involved in refining the audio to embed the hidden commands.

Nevertheless, these academic experiments highlighted the way malicious actors can make these techniques work in the wild. The Berkeley researchers admitted as much, noting in their report that “further work will be able to produce audio adversarial examples that are effective over the air.”

These discoveries are unsettling because voice recognition is on its way to becoming ubiquitous, not just on smartphones, but also in appliances, control devices, sensors and other Internet of Things (IoT) devices. You can imagine the chaos that an attacker could cause by broadcasting hidden commands over a public address system or hijacked TV signal, or even from a boombox in a crowded subway car.

“South Park” and Burger King have already provided real-world examples of how this technique could disrupt both consumers and businesses. Their stunts were in good fun, but you can bet that cybercriminals are already thinking of ways to apply them to their own malicious schemes.

Listen to the podcast: The 5 Indisputable Facts About IoT Security

The post Read My Lips: Researchers Find Ways to Fool Speech Recognition Systems appeared first on Security Intelligence.

Smart Homes May Hide Crypto Mining Schemes

Loosely attended smart home appliances may become platforms for cryptocurrency mining schemes, a researcher with the firm IOActive warns. Is your smart refrigerator or connected dishwasher secretly mining Monero or Bitcoin? It’s a possibility that experts at IOActive say homeowners, regulators and device makers need to be...


Researchers uncover mobile, PC surveillance platform tied to different nation-state actors

The Electronic Frontier Foundation (EFF) and mobile security company Lookout have uncovered a new malware espionage campaign that has targeted activists, journalists, lawyers, military personnel, and enterprises in more than 20 countries in North America, Europe, the Middle East, and Asia. They have dubbed the threat Dark Caracal, and have traced its activities to as far back as 2012. The attackers went after information stored on targets’ Android devices …

Adult Themed Virtual Reality App spills Names, Emails of Thousands

Thousands of users of an adult virtual reality application risk having their personal information, including names and email addresses exposed, according to researchers in the UK. Thousands of Internet denizens who wanted to explore their virtual naughty side are in for an unpleasant surprise after a firm offering an adult virtual reality game,...


Sensor Shortfall: Mobile Application Security Could Put PINs at Risk

User personal identification numbers (PINs) are the ideal data for cybercriminals seeking to compromise mobile devices. While it’s tempting to consider PINs secure, especially if they’re changed regularly and don’t fall into the “1111” or “1234” category, researchers from Nanyang Technological University (NTU) in Singapore have discovered a shortfall in mobile application security: sensor data. What a device sees, hears and feels can now help cybercriminals gain total device access.

Listening In

As noted by Bleeping Computer, most modern mobile operating systems, including iOS and Android, don’t ask for user permission to collect sensor data. The result? Newly installed apps can easily access accelerometer, gyroscope, magnetometer, proximity sensor, barometer and ambient light data. Seems like a hodgepodge of useless information, right? Not quite.

Researchers created a custom Android app that included a sensor data-gathering algorithm. Once installed on test devices, the application gathered device tilt and ambient light data captured when users entered their PINs. Using that data, the algorithm then attempted to predict device PINs from a list of the 50 most common. The result was 99.5 percent accuracy on the first try. However, when using the list of all 10,000 possible four-digit PINs, success dropped to 83.7 percent over 20 tries.

This still marks a significant mobile application security risk. Using deep learning, the algorithm assigned specific weights to each sensor’s data and improved its accuracy over time by learning how different users enter their PINs.
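As an added illustration of the inference step (not the NTU researchers’ app or model), the Python below builds a toy tilt side channel: it assumes that pressing a key tilts the phone toward that key’s position on the keypad and that the readings carry Gaussian noise, generates readings for a PIN entry, and ranks candidate PINs by likelihood, first against a short “common PINs” list and then against all 10,000 four-digit PINs. The keypad geometry, the noise level, the common-PIN list and the random seed are all constructed for the example; the real study also used ambient light, which this toy omits.

```python
import random

# Phone keypad layout, digit -> (column, row); 0 sits below the 8.
KEYPAD = {"1": (0, 0), "2": (1, 0), "3": (2, 0),
          "4": (0, 1), "5": (1, 1), "6": (2, 1),
          "7": (0, 2), "8": (1, 2), "9": (2, 2),
                       "0": (1, 3)}
KEY_PITCH = 0.5   # assumed tilt change per key column/row (arbitrary units)
NOISE_STD = 0.05  # assumed sensor noise per reading, in the same units

def expected_tilt(digit):
    """Constructed side-channel model: pressing a key tilts the phone toward it."""
    col, row = KEYPAD[digit]
    return ((col - 1) * KEY_PITCH, (row - 1.5) * KEY_PITCH)      # (roll, pitch)

def simulate_entry(pin, rng):
    """Constructed accelerometer/gyroscope readings, one (roll, pitch) pair per keypress."""
    return [tuple(v + rng.gauss(0.0, NOISE_STD) for v in expected_tilt(d)) for d in pin]

def observed_readings(pin, seed=7):
    """Deterministic constructed capture of one PIN entry."""
    return simulate_entry(pin, random.Random(seed))

def log_likelihood(pin, readings):
    """Gaussian log-likelihood of the observed tilt sequence if `pin` was typed."""
    ll = 0.0
    for digit, (roll, pitch) in zip(pin, readings):
        er, ep = expected_tilt(digit)
        ll -= ((roll - er) ** 2 + (pitch - ep) ** 2) / (2 * NOISE_STD ** 2)
    return ll

def rank_candidates(readings, candidates):
    """Most likely candidate first. A prior such as a 'most common PINs' list is just
    a shorter candidate set, which is why the first-guess rate on that list is so high."""
    return sorted(candidates, key=lambda p: log_likelihood(p, readings), reverse=True)

def guesses_needed(readings, true_pin, candidates):
    """Position of the true PIN in the ranked list, or None if it is not a candidate."""
    ranked = rank_candidates(readings, candidates)
    return ranked.index(true_pin) + 1 if true_pin in ranked else None

# Constructed stand-in for the 50-most-common-PINs list used in the study.
COMMON_PINS = ["1234", "1111", "0000", "1212", "7777", "1004", "2000", "4444", "2222",
               "6969", "9999", "3333", "5555", "6666", "1122", "1313", "8888", "4321"]
ALL_PINS = ["%04d" % i for i in range(10_000)]

def demo(pin="4321", seed=7):
    """Guesses needed to recover `pin` from one constructed capture."""
    readings = observed_readings(pin, seed)
    return {"common_list": guesses_needed(readings, pin, COMMON_PINS),
            "all_pins": guesses_needed(readings, pin, ALL_PINS)}

if __name__ == "__main__":
    for pin in ("4321", "2580"):
        print(pin, demo(pin))
```

With noise an order of magnitude smaller than the key spacing, the ranking recovers the PIN on the first guess whether or not it is in the common list; the list only matters when the readings are noisier than this toy assumes, which is where the 99.5 percent versus 83.7 percent gap in the study comes from. Lengthening the PIN adds one more reading the attacker must get right and multiplies the candidate space by ten per digit.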

PIN Pushback

As the NTU research notes, current mobile application security makes it possible for attackers to use side-channel methods that subvert even strong device security. So how can users stay safe? Start with longer PINs, which increase the amount of data the algorithm needs to guess a passcode successfully. Dr. Shivam Bhasin of NTU suggested that, in addition to longer PINs, users should adopt other security methods such as two-factor authentication or biometric scans, which can’t be subverted by sensor data collection.

Enhancing Mobile Application Security

Ideally, mobile operating systems will begin regulating sensor permissions, either disabling access by default or giving users the ability to allow or block access on demand. Given the current security climate, however, such as the burgeoning Internet of Things (IoT) market, which values speed over security, users shouldn’t expect significant security changes in the near future.

The more likely scenario is grudging device-maker acknowledgment that sensor data could be an issue, coupled with dismissal of the test-app scenario as a viable real-world vector. But as evolving malware and network attacks demonstrate, cybercriminals often enjoy marked success by leveraging supposedly low-risk threat vectors such as air-gapped devices or SCADA systems. As a result, mobile sensor data could quickly roll up the attacker priority list.

Bottom line? Mobile application security has a blind spot. While per-app sensor control isn’t available (yet), users can reduce their risk with longer PINs and two-factor authentication.

The post Sensor Shortfall: Mobile Application Security Could Put PINs at Risk appeared first on Security Intelligence.

Cyber Security Predictions for 2017



2016 kicked off with more than 20 million new samples of malware detected and neutralised by PandaLabs – an average of 227,000 per day. This figure is slightly higher than that of 2015, which saw around 225,000 per day.

Throughout 2016, the number of new malware samples has been slightly lower than in 2015, about 200,000 per day on average; however, attacks have become more effective.

Cybercriminals are becoming more confident in their abilities, and, although figures have been lower than expected, there is still cause for concern. Hackers appear to be concentrating their efforts into the most profitable attacks, utilising sophisticated techniques that allow them to make quick and easy money in an efficient manner.

Black hats have essentially turned their focus to productivity, proliferating attacks on businesses that handle massive quantities of data and sensitive information. Once they’ve gained access to these businesses, they infect as many computers as possible with ransomware, putting themselves in a position to demand millions in ransom or to sell the data on the black market.

If there is one thing that hasn’t changed over the course of this year, it’s the popularity of trojans, with ransomware at the forefront, continuing to top the statistical charts for years.

Ranking the top attacks of 2016



We know that ransomware is a substantial business for cybercriminals, but it is incredibly tricky to measure the number of attacks reliably. What can be noted is the evolution of ransomware, which in some cases has become particularly aggressive, as with Petya. Instead of encrypting documents, Petya goes straight for the computer’s Master Boot Record (MBR) and renders the machine unbootable until a ransom is paid.

Abuse of PowerShell, the system tool installed by default in Windows 10, has risen this year; attackers use it frequently because activity carried out through a legitimate Windows component is harder for the security solutions on victims’ computers to detect.

In Q2 2016, one of the strangest ransomware cases involved a company in Slovenia. The company’s head of security received an email from Russia informing him that the network had been compromised and that the attackers were poised to launch ransomware on all of its computers unless the company paid around €9,000 in Bitcoin within three days. To prove that they did in fact have access to the organisation’s network, the attackers sent a file listing every device connected to the company’s internal network.

Ransomware as a Service (RaaS) is the latest development in the ransomware industry. In Q3 we witnessed a higher level of specialisation in the ransomware trade. The best example featured the creators of the ransomware Petya and Mischa, who specialised in developing the malware and its payment platform while leaving distribution in the hands of third parties. Once the creators have done their part, the distributors take charge of infecting victims. Much like in the legitimate economy, the distributors’ profit is a percentage of the money collected: the higher the sales, the higher the percentage they receive.

Malicious email

Attacks don’t only come in the form of malvertising or compromised websites. A large number of them still arrive through email in the form of false invoices or other notifications. An attack of this sort was carried out in at least two European countries, in which cybercriminals posed as their respective local electricity supply companies. The message contained no attachment, showing only the billing information in text and including a link that when clicked would take you to the invoice details. The hook was an exorbitantly high payment that would entice an emotional response so that the recipient would click through to consult the supposed bill without thinking. Upon clicking the link, the user was directed to a website that resembled the company’s real website, where a bill could be downloaded. If the client downloaded and opened the file, they became infected with ransomware.

Business Email Compromise Phishing

Attackers research how the company operates from the inside and harvest information about their victims from social networks to lend credibility to the con. They then pose as the CEO or financial director of the company and ask an employee to make a transfer. This kind of attack is rapidly gaining in popularity.

A notable case this year affected Mattel, the well-known maker of Barbie and Hot Wheels toys. A high-ranking executive received a message, apparently from the recently appointed CEO, requesting a transfer of $3 million to a bank account in China. After making the transfer, he confirmed with the CEO that it was done; the CEO was baffled, having given no such order. They got in touch with the American authorities and with the bank, but it was too late: the money had already been transferred.

In this case they were fortunate. It was a bank holiday in China and there was enough time to alert the Chinese authorities. The account was frozen, and Mattel was able to recover their money.


Mobile Devices

SNAP was one of the most notable vulnerabilities of the year, affecting LG G3 phones. The problem stemmed from a flaw in LG’s notifications app, Smart Notice, which allowed arbitrary JavaScript to run. Researchers at BugSec discovered the vulnerability and notified LG, which quickly published an update that resolved the problem.

Gugi, an Android trojan, managed to bypass the security barriers of Android 6 to steal banking credentials from apps installed on the phone. To do so, Gugi overlaid its own screen on top of the legitimate app’s screen, asking for information that was then sent straight to the criminals without the victims’ knowledge.

In August, Apple published an urgent update, iOS 9.3.5. This version fixed three zero-day vulnerabilities exploited by the Pegasus spyware, developed by NSO Group, an Israeli company with products similar to those offered by Hacking Team.

Internet of Things

Connected cars are at risk from cyber-attack: researchers at the University of Birmingham showed how they had compromised the remote door lock system of vehicles sold by the Volkswagen Group over the last twenty years. Researchers Charlie Miller and Chris Valasek, who in 2015 demonstrated how to hack a Jeep Cherokee, took it a step further this year, showing how they could manipulate the throttle, the brakes and even the steering wheel at will while the car was in gear.

Smart homes are just as vulnerable to attack: researchers Andrew Tierney and Ken Munro built a proof of concept to hijack a thermostat. After taking control of it (by inserting an SD card), they raised the temperature to 99 degrees Fahrenheit and required a PIN to deactivate it. The thermostat connected to an IRC channel, using each compromised device’s MAC address as its identifier, and demanded a bitcoin in exchange for a PIN that changed every 30 seconds.



2016 saw the United States go on the offensive and concede that it is launching cyber-attacks against Daesh targets. Robert Work, United States Deputy Secretary of Defense, made this clear in statements to CNN.

In February, South Korean officials discovered an attack originating from North Korea. The attack allegedly began more than a year earlier, targeting 140,000 computers belonging to organisations and government agencies as well as defence contractors. According to police statements, more than 42,000 documents were stolen, 95% of them defence-related, including plans and specifications for the F-15 fighter jet.

At the height of the United States presidential election, one of the most significant incidents that took place was the discovery of an attack on the DNC (Democratic National Committee) in which a stockpile of data was plundered, and was then leaked to the public.

On the subject of the elections, the FBI issued an alert after detecting two attacks on electoral websites; at least one of the attackers, identified as foreign, was able to make off with voter registration data.

In August, a group calling itself “The Shadow Brokers” announced that it had hacked the NSA and published some of the “cyber weapons” that it had stolen, promising to sell the rest to the highest bidder.


In June, a criminal dubbed “The Dark Overlord” put patient information from three US institutions up for sale on the black market. He had stolen information from over 650,000 patients and asked for around $700,000 for its return. Shortly thereafter, he put the personal information of 9.3 million clients of a medical insurance agency up for sale for 750 bitcoins.

In the last few months, Dropbox became another victim of cybercrime. It was recently revealed that the well-known file-sharing service suffered an attack in 2012. The outcome: the theft of account data belonging to 68 million users.

One of the biggest attacks to date affected Yahoo – despite having taken place in 2014 the attack only become known recently. A total of 500 million accounts were compromised, becoming the greatest theft in history.

In August 2016 we saw one of the greatest bitcoin thefts in history. Bitfinex, a company that deals in the commerce and exchange of cryptocurrency, was compromised and had an equivalent of 60 million dollars in bitcoins stolen from it, money which belonged to clients that had deposited their bitcoins in this “bank”. There is still no evidence pointing to the culprits, and the company has offered no information as to how it happened, as law enforcement agencies are still investigating the case.

DDoS Attacks

In September, Brian Krebs, the famed journalist specialising in security, blew the cover off vDOS, a “business” that offered DDoS attacks as a service. Shortly thereafter, the people responsible, who in two years had led 150,000 attacks and made a profit of $618,000, were arrested.

In retaliation, hackers took down Krebs’s website with a crippling DDoS attack. In the end, Google, through its Project Shield, was able to protect it and the site came back online.

In the last quarter of the year, a wave of large-scale attacks against the American DNS provider Dyn disrupted the websites of some major global corporations. The brutal attack affected major organisations and international communications tools, including Netflix, Twitter, Amazon and The New York Times. Service was interrupted for almost 11 hours, affecting more than a billion clients worldwide.


POS’s and Credit Cards

The popular American fast food chain Wendy’s saw the point-of-sale (POS) terminals at more than 1,000 of its establishments infected with malware that stole its customers’ credit card information. PandaLabs discovered an attack carried out with malware known as PunkeyPOS, which was used to infect more than 200 US restaurants.

Another such attack was discovered in 2016 by PandaLabs. Once again, the victims were US restaurants, a total of 300 establishments whose POS’s had been infected with the malware PosCardStealer.

Financial Institutions

This year, the Central Bank of Bangladesh suffered an attack in which fraudulent transfers totalling close to 1 billion US dollars were attempted. Fortunately, most of those transfers were blocked, although the thieves had already succeeded in making off with 81 million dollars.

Shortly after that we witnessed two similar cases: one against a bank in Vietnam, another against a bank in Ecuador.


Social Networks

The security of 117 million LinkedIn users was at risk after a list of email addresses and their respective passwords was published.

On Twitter, 32 million usernames and passwords were put up for sale for around $6,000. The social network denied that the account information had been acquired from its servers. In fact, the passwords were in plain text and most of them belonged to Russian users, hinting that they were obtained by means of phishing or trojans.

This year it came to light that MySpace was attacked. The intrusion happened in 2013, although up until May of this year it remained unknown. Usernames, passwords, and email addresses were taken, reaching up to 360 million affected accounts. A user may not have used MySpace in years, but if they are in the habit of reusing passwords, and aren’t using two-factor authentication they could be at risk.

Activating two-factor authentication, creating complex passwords and not reusing them for different websites is recommended to avoid these risks.

What cyber nightmares does 2017 have in store for us?


Having taken center stage in 2016, Ransomware will most likely do so again in 2017. In some ways, this kind of attack is cannibalising other more traditional ones that are based on information theft. Ransomware is a simpler and more direct way to make a profit, eliminating intermediaries and unnecessary risks.

Taking every idea into consideration


Attacks on companies will be more numerous and sophisticated. Companies are already the prime target of cybercriminals. Their information is more valuable than that of private users.

Cybercriminals are always on the lookout for weaknesses in corporate networks through which they can gain access. Once inside, they use lateral movements to access resources that contain the information they are looking for. They can also launch large-scale ransomware attacks (infecting with ransomware all available devices), in order to demand astronomical sums of money to recover the data of affected companies.

Internet of Things

The Internet of Things (IoT) is fast becoming the next cybersecurity nightmare. Any kind of device connected to a network can be used as an entry point into corporate and home networks. Most of these devices have not been designed with security in mind: they typically do not receive automatic security updates, ship with weak passwords, reuse the same credentials across thousands of devices, and carry other security flaws. All of this together makes them extremely vulnerable to outside attack.


The final months of 2016 witnessed the most powerful DDoS attacks in history. It began in September with an attack on Brian Krebs after he reported on the activities of an Israeli company that offered this kind of service. On the heels of that attack came another on the French company OVH (reaching 1 Tbps of traffic) and another on the American company Dyn that left several major tech giants without Internet service.

These attacks were carried out by bot networks that relied on thousands of affected IoT devices (IP cameras, routers). We can be certain that 2017 will see an increase in this kind of attack, which is typically used to blackmail companies or to harm their business.

Mobile Phones

The target is clear here as well — Android devices got the worst of it. Which makes sense, given that Android has the greatest market share. Focusing on one single OS makes it easier for cybercriminals to fix a target with maximal dissemination and profitability.

To complicate matters, updates do not depend only on Google’s Android releases, but also on each hardware manufacturer’s decision of when and how to incorporate them, if at all. Given the number of security issues that crop up every month, this situation only puts users at greater risk.


We are living in uncertain times with regards to international relations – threats of commercial warfare, espionage, tariffs with the potential to polarise the positions of the great powers. This can no doubt have vast and serious consequences in the field of cyber-security.

Governments will want access to more information at a time when encryption is becoming more popular, and intelligence agencies will become more interested in obtaining information that could benefit industry in their countries.

A global situation of this kind could hamper data sharing initiatives — data that large companies are already sharing in order to better protect themselves against cyber-crime, setting standards and international engagement protocols.

The post Cyber Security Predictions for 2017 appeared first on