Category Archives: Mobile Security

Android 9 in the Enterprise: Easy as Pie

It’s that time of year again, when Google releases its latest version of the Android OS. In keeping with the tradition of dessert-themed names, the newest edition is dubbed Android 9 Pie. Focusing on more efficient workflows, Pie brings an array of new features to get tasks done quickly. But the new release offers more than just productivity enhancements; it’s built around the user’s everyday life.

Aside from ease of use, Android is focusing on how users actually interact with their devices. With its new Dashboard feature, Android 9 shows users how much time they’ve spent in specific apps and on the device overall. This ties to a new feature that allows users to set daily app timers. Once an app’s limit has been reached, its icon grays out on the home screen to remind users of their daily goals.

Android 9 also assists users when it’s time to hit the hay by fading the screen to grayscale and offering the ability to activate Do Not Disturb at any time by turning their device over. These mindful features are aimed at helping users take a step back from their devices and focus on the world around them.

Register for the Sept. 6 webinar: Adopting Android 9 in the Enterprise — Easy as Pie

Fewer Taps and Swipes, More AI

Android 9 focuses on the user experience, which will change dramatically with new gesture controls to quickly navigate between apps. However, the main driving force will be its AI. Intuitive new technology learns how users go about their day — plugging in a pair of headphones will pull up a user’s most recent playlist, for example. Location detection can identify when users are at the office and prompt the device to surface apps they use at work.

Another piece of Android Pie AI is called Slices (pun intended). Slices pulls relevant information from apps the user searches. For instance, if a user searches for his or her preferred ride-sharing app, Slices brings up prices and pickup times automatically.

Enhanced Security and Productivity Features

Pie adds even more enterprise features to the library Android has developed over the years, and these should be of particular interest to IT and security leaders looking to enhance Android device management.

Now, users can access their work apps with a simple tap. Work apps can be organized into the work tab, which can be toggled on and off; with a quick gesture, users can hide their work apps when they’re not on the clock.

Android 9 also offers simpler multi-user support, so a single device can be shared for shift work or public kiosks. While this capability has been around for some time, IT and security leaders will welcome the improvements. Another heavily requested feature new to Android 9 lets IT admins control over-the-air (OTA) updates: system updates can be frozen for up to 90 days at a time (with at least 60 days between freeze periods), giving admins time to determine whether an update will affect their fleet.

Pie boasts new security features as well, including Android Protected Confirmation. An app asks the system to show the user a short statement (for instance the amount and recipient of a payment) in a trusted UI that the app itself cannot draw over or alter. If the user approves, the approval is signed by a key held in secure hardware, so the bank or other relying party can verify that the user saw and approved exactly that statement before completing the sensitive transaction.
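As an added illustration (example code written for this page, not code from the post or from Google), here is how an Android 9 (API 28) app would gate a payment on Protected Confirmation. The ConfirmationPrompt, ConfirmationCallback and setUserConfirmationRequired APIs are the real platform ones; the key alias, the prompt text, the server-issued nonce and the PaymentSink interface are assumptions made for the example.

```java
import android.content.Context;
import android.security.ConfirmationAlreadyPresentingException;
import android.security.ConfirmationCallback;
import android.security.ConfirmationNotAvailableException;
import android.security.ConfirmationPrompt;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.concurrent.Executor;

/** Added example: approve a payment through Android Protected Confirmation (API 28+). */
public final class ProtectedPayment {
    // Hypothetical key alias chosen for this example; any app-chosen name works.
    private static final String KEY_ALIAS = "payment_confirm_key";

    /**
     * One-time setup: an EC signing key in the hardware-backed keystore that will
     * only sign data the user has approved in the trusted confirmation UI.
     */
    static void generateConfirmationKey() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(KEY_ALIAS, KeyProperties.PURPOSE_SIGN)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setUserConfirmationRequired(true) // keystore refuses to sign anything else
                .build());
        kpg.generateKeyPair();
    }

    /**
     * Show the trusted prompt. `nonce` is a server-issued challenge (assumed) that is
     * bound into the approved message so a signed approval cannot be replayed.
     */
    static void confirmTransfer(Context ctx, Executor executor, byte[] nonce, PaymentSink sink) {
        if (!ConfirmationPrompt.isSupported(ctx)) {
            sink.onUnavailable(); // no trusted UI here: do not fall back to an app-drawn dialog
            return;
        }
        ConfirmationPrompt prompt = new ConfirmationPrompt.Builder(ctx)
                .setPromptText("Send 100.00 EUR to account 1234?") // rendered by the system, not the app
                .setExtraData(nonce)
                .build();
        try {
            prompt.presentPrompt(executor, new ConfirmationCallback() {
                @Override
                public void onConfirmed(byte[] dataThatWasConfirmed) {
                    // CBOR message containing the prompt text and extra data the user actually saw.
                    try {
                        sink.onApproved(dataThatWasConfirmed, sign(dataThatWasConfirmed));
                    } catch (Exception e) {
                        sink.onFailure(e);
                    }
                }
                @Override public void onDismissed() { sink.onFailure(new IllegalStateException("dismissed")); }
                @Override public void onCanceled()  { sink.onFailure(new IllegalStateException("canceled")); }
                @Override public void onError(Throwable e) { sink.onFailure(e); }
            });
        } catch (ConfirmationAlreadyPresentingException | ConfirmationNotAvailableException e) {
            sink.onFailure(e);
        }
    }

    /** Sign the confirmed message with the confirmation-bound key. */
    static byte[] sign(byte[] confirmedMessage) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(KEY_ALIAS, null);
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign(key);
        sig.update(confirmedMessage);
        return sig.sign();
    }

    /** Hypothetical app-side interface that ships the approval to the bank's server. */
    interface PaymentSink {
        void onApproved(byte[] confirmedMessage, byte[] signature);
        void onUnavailable();
        void onFailure(Throwable cause);
    }
}
```

The server verifies the signature with the key's public certificate (obtainable via the keystore, ideally with a key attestation chain), decodes the CBOR message and checks that the prompt text and nonce are the ones it expects. Because the key was created with setUserConfirmationRequired(true), malware that reaches the app's keystore cannot produce a valid signature for a message the user never saw.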

Android 9 also provides a unified biometric authentication dialog (BiometricPrompt) for enterprise apps. Because the system, not the app, renders the dialog, it has a consistent look, feel and placement, giving users more confidence that they are authenticating to a trusted biometric checker rather than to an app-drawn imitation.

One of the most important new developments in Android 9 is the deprecation of device admin; the feature will be removed and unavailable starting with Android 10 (Android Q). All organizations that use Android devices in their operations should move to Android Enterprise to improve their corporate device and data security.

Below are some additional baked-in security features.

  • Enhanced lockdown mode allows administrators to configure the screen and settings available when an app is locked to the launcher.
  • Native support for shared devices introduces the concept of an ephemeral user for dedicated devices, aka corporate-owned, single-user (COSU) devices. Ephemeral users are short-term users intended for cases in which multiple users share a single, dedicated device.
  • Additional user restrictions let admins override APN settings and prevent users from changing airplane mode, screen settings such as brightness and timeout, and the date, time and time zone.
  • Restrictions on sharing into a work profile can prevent users from sharing personal data into a work profile on their device.
  • Work profile lock screen challenges can require users to set a separate lock screen challenge for their work profile.
  • Streamlined QR code enrollment offers a built-in QR code library and provides additional configuration options.

Baking Android 9 Pie Into the Enterprise With UEM

So, what’s next? First things first: Make sure that your unified endpoint management (UEM) solution supports the latest Android 9 software version. And to ensure you’re adequately managing and securing Android devices at work, we have an upcoming learning opportunity. In our Sept. 6 webinar, we’ll discuss all the new Android 9 features and run a live demo.


The post Android 9 in the Enterprise: Easy as Pie appeared first on Security Intelligence.

A Black Hat Veteran Reflects on the Hot Topics at This Year’s Conference

An especially thick haze hung over the Las Vegas valley as the smoke from the California wildfires drifted eastward. Combined with the excessive heat warnings — which in Las Vegas means it’s really hot — most people decided that staying inside and walking around the vendor floor at the annual Black Hat security conference wasn’t such a bad idea after all.

Participants at this year’s event were treated to Elvis Presley and Marilyn Monroe impersonators, magicians and vendor-branded mohawks — all the traditional sights of a Black Hat conference. Hot topics from previous years, such as endpoint protection, threat intelligence, threat hunting, artificial intelligence (AI) and machine learning, were once again hotly discussed and debated at vendor booths and in the conference halls.

IoT Security Risks at a Municipal Scale

Among the biggest topics of discussion this year was the Internet of Things (IoT), not just at the consumer level but also at the industrial level, especially with the deployment of IoT devices in smart city environments. Devices such as traffic controllers, flood gauges, street lights, air quality monitors, municipal Wi-Fi and other technologies are being built and deployed quickly with little thought given to their security.

Interestingly, many of the vulnerabilities researchers are discovering in these devices are the same ones that plague consumer IoT, such as hardcoded passwords and non-updatable software. However, the risks are much greater when we consider devices that control entire cities.

The Vulnerability Management Conundrum

A somewhat less sexy topic that also got a lot of play at this year’s Black Hat is the evolving nature of vulnerability and threat management. Vulnerability management has been around for a while to help security teams scan their networks, rank vulnerabilities and remediate them with the resources they have.

More recently, the industry has come to discover that this approach tends to fail at scale when organizations have thousands of endpoints to scan, resulting in tens of thousands of vulnerabilities, many of which are rated as critical by their Common Vulnerability Scoring System (CVSS) scores. How do you know what to patch first?

Vulnerability management has wrestled with this conundrum for years. Fortunately, the industry finally seems to be developing ways to rank those flaws better. By looking at data beyond the CVSS score (whether a public exploit exists, whether the host is exposed, what the asset is worth to the business), security teams can estimate the likelihood of exploitation and the impact if a flaw is exploited. This will go a long way toward stretching the slim resources most organizations have for vulnerability management.

What Did We Learn at Black Hat 2018?

All in all, this year’s Black Hat was another one for the books. Sure, Elvis is still in the building, but the illuminating sessions and discussions that took place at this year’s conference demonstrated that we as security professionals are raising awareness in some areas, such as IoT security and smart cities, making progress in others, such as vulnerability and threat management, and continuously developing new techniques to help to secure everything around us.

Listen to the podcast: X-Force Red Team Lead Charles Henderson Announces X-Force Red Labs at Black Hat

The post A Black Hat Veteran Reflects on the Hot Topics at This Year’s Conference appeared first on Security Intelligence.

Back to School: Cybersecurity in the Classroom

It’s hard to believe that summer is coming to an end and that back-to-school time is around the corner. For some kids, that means cyberbullies are traded in for school bullies and social engagement will turn into in-person interactions. But for others — dubbed Extreme Internet Users — the screen stays. When it comes time to go back to the classroom, the six hours or more a day these kids spent online during summer may be curtailed in favor of educational screen time instead.

Every year around this time, I reflect on how much has changed for children, especially when it comes to mobile devices in the classroom. Their use has grown steadily as technology has improved, education has adapted to rapid change, and our world has become more interconnected. Either the school issues devices to kids or their classrooms, or parents are encouraged to buy one so their child can do internet research and digitize note-taking and homework.

Regardless of whether you’re a technophile or technophobe when it comes to leveraging screens in education, one thing is for sure – their presence in learning environments is here to stay. And with this shift, security is of the utmost importance.

Since January 2016, there have been 353 cybersecurity incidents in the United States involving K-12 public schools and districts. These incidents include phishing, ransomware, denial-of-service (DoS) attacks and breaches that exposed personal data. Why would cybercriminals target schools? The answer is complex, because what they exploit depends on what they want to accomplish: extorting school faculty, stealing private student data, disrupting school operations, and disabling, compromising or redirecting school technology assets are all regular tools of the trade when it comes to hacking schools.

You may not be able to control how your child’s school thinks about cybersecurity, but you can take matters into your own hands. There are steps you can take to make sure your child is ready to face the school year head-on, including protecting their devices and their data.

  • Start a cybersecurity conversation. Talk with school faculty about what is being done in terms of a comprehensive cybersecurity plan for your child’s school. It’s worth starting the conversation to understand where the gaps are and what is being done to patch them.
  • Install security software on all devices. Don’t stop at the laptop, all devices need to be protected with comprehensive security software, including mobile devices and tablets.
  • Make sure all device software is up-to-date. This is one of the easiest and best ways to secure your devices against threats.
  • Teach your child how to connect securely on public Wi-Fi networks. On an open Wi-Fi network, anyone nearby can observe or tamper with traffic that is not encrypted. If Wi-Fi is absolutely necessary, prefer a password-protected network, and for an encrypted connection regardless of the network, consider using a virtual private network (VPN).
  • Designate a specific date and time for regular data backups. If ransomware hits, you won’t have to pay to get your child’s information back. You can back up personal data to an external hard drive or use an online backup service such as Dropbox or Google Drive; keep at least one copy disconnected or versioned, since ransomware can also encrypt files in a synced folder. That way you can still access your files even if the device is compromised.
  • Understand your child’s school bring your own device (BYOD) policy. Each school is different when it comes to BYOD and understanding your child’s school policy will save you a headache down the road. Some schools buy devices for students to rent, with parents having to pay for any incidentals, and some ask parents to buy the devices outright. Take the time to understand your child’s school policy before accidents happen.


The post Back to School: Cybersecurity in the Classroom appeared first on McAfee Blogs.

How to Outsmart the Smart City

Today’s digital world has created new ways to keep us all informed and safe while automating our daily lives. Our phones send us alerts about weather hazards, traffic issues and lost children. We trust these systems since we have no reason not to — but that trust has been tested before.

For a tense 38 minutes in January 2018, residents of Hawaii saw the following civil alert message on their mobile devices: “BALLISTIC MISSILE THREAT INBOUND TO HAWAII. SEEK IMMEDIATE SHELTER. THIS IS NOT A DRILL.”

This false alarm was eventually attributed to human error, but what if someone intentionally caused panic using these types of systems?

Smart City View

This incident in Hawaii was part of what motivated our team of researchers from Threatcare and IBM X-Force Red to join forces and test several smart city devices, with the specific goal of investigating “supervillain-level” attacks from afar. We found 17 zero-day vulnerabilities in four smart city systems — eight of which are critical in severity. While we were prepared to dig deep to find vulnerabilities, our initial testing yielded some of the most common security issues, such as default passwords, authentication bypass and SQL injections, making us realize that smart cities are already exposed to old-school threats that should not be part of any smart environment.

So, what do smart city systems do? There are a number of different functions that smart city technology can perform — from detecting and attempting to mitigate traffic congestion to disaster detection and response to remote control of industry and public utilities.

The devices we tested fall into three categories: intelligent transportation systems, disaster management and the industrial Internet of Things (IoT). They communicate via Wi-Fi, 4G cellular, ZigBee and other communication protocols and platforms. Data generated by these systems and their sensors is fed into interfaces that tell us things about the state of our cities — like that the water level at the dam is getting too high, the radiation levels near the nuclear power plant are safe or the traffic on the highway is not too bad today.

Read the interactive white paper: The Dangers of Smart City Hacking

Smart City Vulnerable

Earlier this year, our team tested smart city systems from Libelium, Echelon and Battelle. Libelium is a manufacturer of hardware for wireless sensor networks. Echelon sells industrial IoT, embedded and building applications and manufacturing devices like networked lighting controls. Battelle is a nonprofit that develops and commercializes technology.

When we found vulnerabilities in the products these vendors produce, our team disclosed them to the vendors. All the vendors were responsive and have since issued patches and software updates to address the flaws we’ll detail here.

After we found the vulnerabilities and developed exploits to test their viability in an attack scenario, our team found dozens (and, in some cases, hundreds) of each vendor’s devices exposed to remote access on the internet. All we did was use common search engines like Shodan or Censys, which are accessible to anyone with a computer.

Once we located an exposed device using some standard internet searches, we were able to determine in some instances who purchased the devices and, most importantly, what they were using the devices for. We found a European country using vulnerable devices for radiation detection and a major U.S. city using them for traffic monitoring. Upon discovering these vulnerabilities, our team promptly alerted the proper authorities and agencies of these risks.

Smart City Scare

Now, here’s where “panic attacks” could become a real threat. According to our logical deductions, if someone, supervillain or not, were to abuse vulnerabilities like the ones we documented in smart city systems, the effects could range from inconvenient to catastrophic. While no evidence exists that such attacks have taken place, we have found vulnerable systems in major cities in the U.S., Europe and elsewhere.

Here are some examples we found disturbing:

  • Flood warnings (or lack thereof): Attackers could manipulate water level sensor responses to report flooding in an area where there is none — creating panic, evacuations and destabilization. Conversely, attackers could silence flood sensors to prevent warning of an actual flood event, whether caused by natural means or in combination with the destruction of a dam or water reservoir.
  • Radiation alarms: Similar to the flood scenario, attackers could trigger a radiation leak warning in the area surrounding a nuclear power plant without any actual imminent danger. The resulting panic among civilians would be heightened due to the relatively invisible nature of radiation and the difficulty in confirming danger.
  • General chaos (via traffic, gunshot reports, building alarms, emergency alarms, etc.): Pick your favorite crime action movie from the last few years, and there’s a good chance that some hacker magically controls traffic signals and reroutes vehicles. While they’re usually shown hacking into “metro traffic control” or similar systems, things in the real world can be even less complicated. If one could control a few square blocks’ worth of remote traffic sensors, one could create a gridlock effect similar to the movies. Those gridlocks typically show up when the criminals need a few extra minutes to evade the police or want to send them on a wild goose chase. Controlling additional systems could enable an attacker to set off a string of building alarms or trigger gunshot sounds on audio sensors across town, further fueling panic.

In summary, the effects of vulnerable smart city devices are no laughing matter, and security around these sensors and controls must be a lot more stringent to prevent scenarios like the few we described.

The Vulnerabilities

IBM X-Force Red and Threatcare have so far discovered and disclosed 17 vulnerabilities in four smart city systems from three different vendors. The vulnerabilities are listed below in order of criticality for each vendor we tested:

Meshlium by Libelium (wireless sensor networks)

  • (4) CRITICAL — pre-authentication shell injection flaw in Meshlium (four distinct instances)

i.LON 100/i.LON SmartServer and i.LON 600 by Echelon

  • CRITICAL — i.LON 100 default configuration allows authentication bypass – CVE-2018-10627
  • CRITICAL — i.LON 100 and i.LON 600 authentication bypass flaw – CVE-2018-8859
  • HIGH — i.LON 100 and i.LON 600 default credentials
  • MEDIUM — i.LON 100 and i.LON 600 unencrypted communications – CVE-2018-8855
  • LOW — i.LON 100 and i.LON 600 plaintext passwords – CVE-2018-8851

V2I (vehicle-to-infrastructure) Hub v2.5.1 by Battelle

V2I Hub v3.0 by Battelle

The Fixes

Smart city technology spending is anticipated to hit $80 billion this year and grow to $135 billion by 2021. As smart cities become more common, the industry needs to re-examine the frameworks for these systems to design and test them with security in mind from the start.

In light of our findings, here are some recommendations to help secure smart city systems:

  • Restrict which IP addresses can reach the management interfaces of smart city systems;
  • Leverage basic application scanning tools, which can help identify simple flaws such as the default passwords and injection bugs found here;
  • Enforce safer password and API key practices (no default or shared credentials, no keys hardcoded in firmware);
  • Take advantage of security information and event management (SIEM) tools to identify suspicious traffic; and
  • Hire “hackers” to test systems for software and hardware vulnerabilities. There are teams of security professionals — such as IBM X-Force Red — that are trained to “think like a hacker” and find the flaws in systems before the bad guys do.

Additionally, security researchers can continue to drive research and awareness in this space, which is what IBM X-Force Red and Threatcare intended to do with this project. Jen Savage, Mauro Paredes and I will be presenting these vulnerabilities at Black Hat 2018, and again at the DEF CON 26 Hacking Conference later this week, so check back soon for the video presentation.

For remediation and security patches, see the vendor pages listed below:

Echelon: https://www.echelon.com/company/security/security-advisories


The post How to Outsmart the Smart City appeared first on Security Intelligence.

Group Video Chat Now Available on WhatsApp

WhatsApp, the Facebook-owned voice, video and messaging app, recently announced that group video calling has finally arrived for its 1.5 billion users. The cross-platform app, which sees more than 60 billion messages sent per day, said that users can now make group video calls with up to four people in total per call. To add more participants, start a one-on-one voice or video call and then tap the “add participant” button in the top right corner of the screen. Even if the four participants are on four different continents, they will still be able to video chat with each other as long as they have installed the latest version of WhatsApp on Android or an Apple device and have a reliable internet connection. If one person drops, even the one who started the call, the remaining three stay connected.

The long-awaited group video calling option for WhatsApp does not come as a surprise: back in May, Facebook announced that group video calling would be added to WhatsApp’s list of features sooner rather than later. Observers expected it at some point in the fourth quarter of 2018, but WhatsApp rolled out the new feature less than three months after the tech summit. The feature was a needed move for the company, as WhatsApp was one of the last popular messaging platforms not to support group video chats. Rival messaging platforms such as Giant have been offering simultaneous group calls for up to 200 people for years.

What are the risks of WhatsApp’s new feature?

WhatsApp has enjoyed steady user growth since it was created in 2009. Sadly, the increased popularity attracted the wrong crowds too: online predators and scammers see the popular platform as yet another playground for phishing and scam campaigns. Whether it is a fake retail coupon or an invitation to an “unbelievable deal” that leads to a malicious website, criminals have been trying to lure WhatsApp users into trouble for years. With the introduction of group video calling, they have one more tool to get creative with their phishing techniques.

WhatsApp is particularly popular among vulnerable groups of people, as it is considered very user-friendly and does not require setting up a password (an account is tied to a phone number), so the app is easily accessible to youngsters and the elderly. If you want to be on the safe side, the devices used by all members of your family should have security software with parental control capabilities, and keeping an eye on the online activity of your loved ones should be a priority.


The post Group Video Chat Now Available on WhatsApp appeared first on Panda Security Mediacenter.

Too Much Tech: 4 Steps to Get Your Child to Chill on Excessive Snapchatting

We were in the midst of what I believed to be an important conversation.

“Just a sec mom,” she said promptly after a Snapchat notification popped up on her iPhone.

She stopped me mid-sentence, puckered her lips, rolled her eyes, typed a few lines of copy, and within three seconds, my teenage daughter Snapchatted a few dozen friends.

“Sorry, mom, what were you saying?” she turned back toward me her face void of any trace of remorse.

It was clear: Snapchat had far more influence than I, the parent, and it was time to make some serious changes.

Imbalance of Power

The power apps hold over our lives is obvious. In fact, in an attempt to encourage responsible app use, Facebook and Instagram recently announced they would implement tools allowing users to track how much time they spend on the apps. This mom is hoping Snapchat will follow suit.

Since its inception in 2011, Snapchat has become one of the most popular apps, with an estimated 187 million daily active users. A 2017 study reported by Science Daily found that 75 percent of teens use Snapchat. But it’s not the only app winning our kids’ affections:

  • 76 percent of American teens age 13-17 use Instagram.
  • 75 percent of teens use Snapchat.
  • 66 percent of teens use Facebook.
  • 47 percent of teens use Twitter.
  • Fewer than 30 percent of American teens use Tumblr, Twitch, or LinkedIn.

If you have a teen, you understand the dilemma. We know that social ties are essential to a teen’s psychological well-being. We also know that excessive time online can erode self-esteem and cause depression. We can’t just yank our child’s favorite app, but we also can’t let it run in the background of our lives 24/7, right?

What we can do is take some intentional steps to help kids understand their responsibility to use apps in healthy, resilient ways. In our house, taking that step meant addressing — and taming — the elephant in the room: Snapchat. Here are a few things that worked for us you may find helpful.

4 Steps to Help Curb Excessive Snapchatting

  1. Strive for quality relationships. With so much more information available on the downside of excessive social media use, it’s time to be candid with our kids. Excessive “liking,” carefully-curated photos, and disingenuous interactions online are not meaningful interactions. Stress to kids that nothing compares to genuine, face-to-face relationships with others.
  2. Zero phone zones. This is a rule we established after one too many snaps hijacked our family time. We agreed that when in the company of others — be it at home, in the car, in a restaurant, at church, at a relative’s house — all digital devices get turned facedown or put in a pocket. By doing this, we immediately increased opportunities for personal connection and decreased opportunities for distraction. This simple but proven strategy has cut my daughter’s Snapchat time considerably.
  3. Establish a Snapchat curfew. Given the opportunity, teens will Snapchat until the sun comes up. Don’t believe me? Ask them. If not for the body’s physical need for sleep, they’d happily Snapchat through the night. Consider a curfew for devices. This rule will immediately begin to wean your child’s need to Snapchat around the clock.
  4. Track Snapchat time. Investing in software such as McAfee® Safe Family is an option when trying to strike a healthy tech balance. The software will help with time limits, website filtering, and app blocking. There are also helpful time-tracking apps: for the iPhone there’s Moment, and for Android there’s Breakfree. Both apps track how much time you spend on your phone. Seeing this number, in hours, can be a real eye-opener for both adults and kids.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post Too Much Tech: 4 Steps to Get Your Child to Chill on Excessive Snapchatting appeared first on McAfee Blogs.

The Best and Safest Phones for Kids of All Ages | Avast Blog

Some kids take their first steps into the digital world at the tender age of one, when they discover Elmo apps on the family iPad. By the time we give them their first cell phones, they’re already familiar with the web, basic internet etiquette, and the way mobile devices work — let’s face it, they’re a savvy generation.




Fake Android Banking Apps Leak Credit Card Details Online

Three fake Android banking apps phished for users’ credit card details and then leaked them online by transferring them to an exposed server.

On July 26, 2018, Slovakian security firm ESET reported that it notified Google about the three fake banking apps that were uploaded to the Google Play Store in June and July 2018. Each of the impostor programs promised to increase users’ credit card limits at one of three Indian banks and presented users with a form to supposedly collect their credit card information.

Upon completing the forms, the apps directed users to a final screen indicating that a “customer service executive” would be in touch soon. Instead, the applications sent users’ information in plaintext to a server where anyone with a link — not just the attackers — could access the saved data.

Fake Android Banking Apps Exploit Common Mobile Security Weaknesses

This campaign highlights attackers’ ongoing interest in mobile banking, which has given rise to a host of new security threats. First, fraudsters now target users with fake mobile banking apps, and users often can’t distinguish real programs from malicious ones: according to Avast, 36 percent of users have mistaken fraudulent banking applications for legitimate ones.

At the same time, banks’ legitimate mobile applications often suffer from security weaknesses of their own. For instance, researchers at the University of Birmingham in the U.K. found in December 2017 that even some “high-security” banking, stock trading, cryptocurrency and virtual private network (VPN) apps were susceptible to man-in-the-middle (MitM) attacks because they failed to verify the hostname: the apps checked that the server’s certificate chained to a trusted (or pinned) CA but never checked that the certificate was actually issued for the bank’s domain, so an attacker holding any certificate from that CA could impersonate the server.
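To make that finding concrete, here is an added example in Java (written for this page; not code from the post, from ESET, or from any of the apps the Birmingham researchers studied). The first method is the pattern that produces the flaw; certMatchesHost and strictVerifier show the check that was missing. The host name api.bank.example and the single-label wildcard handling are assumptions for the example.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;

/** Added example: the missing hostname check behind the MitM flaw described above. */
public final class BankHostnameCheck {

    /**
     * VULNERABLE: every certificate that passes chain validation (or pinning) is
     * accepted for every host, so a valid certificate for attacker.example issued by
     * the same CA impersonates the bank. Do not ship this.
     */
    static void installInsecureVerifier() {
        HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true);
    }

    /**
     * HARDENED: does the leaf certificate actually name expectedHost?
     * Accepts an exact dNSName SAN match or a single leftmost wildcard label
     * ("*.bank.example" matches "api.bank.example" but not "bank.example" or
     * "a.b.bank.example"). A deliberate subset of RFC 6125, assumed sufficient for
     * an app that talks to one fixed bank host.
     */
    static boolean certMatchesHost(X509Certificate leaf, String expectedHost)
            throws CertificateParsingException {
        String host = expectedHost.toLowerCase(Locale.ROOT);
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans == null) {
            return false; // no SAN extension: refuse rather than fall back to the CN
        }
        for (List<?> san : sans) {
            if (!Integer.valueOf(2).equals(san.get(0))) {
                continue; // GeneralName type 2 is dNSName
            }
            String name = ((String) san.get(1)).toLowerCase(Locale.ROOT);
            if (name.equals(host)) {
                return true;
            }
            if (name.startsWith("*.")) {
                String suffix = name.substring(1);   // ".bank.example"
                int dot = host.indexOf('.');
                if (dot > 0 && host.substring(dot).equals(suffix)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * A HostnameVerifier that binds the TLS session to one expected host. Install it
     * with conn.setHostnameVerifier(strictVerifier("api.bank.example")) on the
     * HttpsURLConnection used to reach the bank.
     */
    static HostnameVerifier strictVerifier(String expectedHost) {
        return (hostname, session) -> {
            try {
                Certificate[] chain = session.getPeerCertificates();
                return hostname.equalsIgnoreCase(expectedHost)
                        && chain.length > 0
                        && chain[0] instanceof X509Certificate
                        && certMatchesHost((X509Certificate) chain[0], expectedHost);
            } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
                return false;
            }
        };
    }
}
```

The platform’s default verifier (and OkHttp’s) already performs this check; the flaw appears when developers replace it, usually while adding certificate pinning. Pinning should be added on top of hostname verification, never instead of it, and on Android 7 and later it is better expressed in the app’s network security configuration than in hand-written verifiers.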

How Can Organizations Stave Off Mobile Banking Threats?

Security professionals should adopt a multipronged approach to defend their organizations against the threat of fake mobile banking apps. IBM experts recommend investing in mobile threat prevention (MTP) solutions, as well as a mobile device management (MDM) platform that allows access to only certain approved applications.

Security leaders can also protect Android devices from fraudulent apps by implementing unified endpoint management (UEM) with over-the-air (OTA) configuration and app distribution, so that only approved apps are pushed to and permitted on managed devices.

Sources: WeLiveSecurity, Avast, University of Birmingham

The post Fake Android Banking Apps Leak Credit Card Details Online appeared first on Security Intelligence.

An AI Chatbot and Voice Assistant for the Mobile Employee

Have a look around, and you might notice that chatbots and voice assistants have permeated our lives — bringing an air of excitement and efficiency to manual tasks and chores. Considering the amount of time and effort we expend at the office, it’s about time that assistants make their way to the workplace.

Although IT and security leaders are making ongoing strides to ensure their workers are enabled with the most cutting-edge technology, the employees they support continue to dedicate countless hours to basic tasks that could otherwise be delegated to an artificial intelligence (AI)-powered sidekick.

It can also be a struggle for workers to overcome learning curve challenges or get on-the-go help with support-related issues. Think about the number of requests and tickets that could be avoided if users had the ability to get this level of support from an AI voice assistant.

Why Mobile Employees Could Use Some Assistance

It can be frustrating trying to find a specific email or attachment when on a mobile device, oftentimes leading to multiple searches and dead ends. Think of how many times you’ve said things like, “Sure, I’ll pull that up and send it over when I get back to my laptop.”

It’s even more frustrating attempting to schedule a meeting when the organizer is forced to look up the availability of all the participants, type out the title and define an agenda. Something that is seemingly simple is anything but when put into practice.

Smartphones and tablets are designed to provide everything you need in the palm of your hand, but sometimes there’s too much in front of you to know how to prioritize. Imagine the headaches that could be avoided if employees had a helper that could constantly query their emails, calendars and contacts for them and notify them when they’ve let an email response to an important person — such as their boss — slip a bit too long.

There also can be times when devices just don’t work the way they’re supposed to. Perhaps you’re having trouble figuring out how to do something, like how to reset your passcode or turn on notifications, for example. In times like these, employees want on-demand support, but without a viable alternative, they turn to their IT helpdesk team to answer the call.

Join the Aug. 23 webinar: Help is on its way! A Sidekick For Your Mobile Workforce

Say Hello to an AI-Enabled Voice Assistant

IBM MaaS360, an industry leader in unified endpoint management (UEM), is pleased to introduce MaaS360 Assistant, the latest addition to its unique assortment of AI offerings. Enabled by chat and voice, MaaS360 Assistant is available for use by mobile employees today through open beta.

Programmed to improve productivity and deliver the best possible user experience, MaaS360 Assistant is now at the ready to respond to common questions across email, corporate contacts and calendar using natural language processing (NLP) capabilities.

An Even Better MaaS360 Assistant Tomorrow

Assistant was developed with AI capabilities that enable it to learn, evolve and become more accurate over time. In fact, it’s already begun learning.

Soon, this intelligent voice assistant will deliver notifications and insights that improve user awareness and prioritization surrounding their everyday activities, making it possible to follow up with the click of a button. For example, if your boss emailed you a week ago and you haven’t responded, you’ll get a nudge.

It’ll also be able to provide expert support and guidance, eliminating the user’s need to depend on the support team to resolve common issues.

Finally, the solution will integrate with third-party enterprise apps (e.g., human resources, customer relationship management and content management). Instead of swapping between enterprise apps, users can now rely on AI and NLP capabilities to perform tasks and get information.

Get Acquainted With Assistant

MaaS360 customers with Secure Mail are all set to enable their mobile employees. Just check in with your account manager to learn how to take full advantage.

To see MaaS360 Assistant in action and learn more about what it has to offer, register for the live webinar, “Help Is On Its Way! A Sidekick for Your Mobile Workforce,” on Aug. 23 at 11 a.m. EST.

The post An AI Chatbot and Voice Assistant for the Mobile Employee appeared first on Security Intelligence.

Malware Attacks Exploit Open Source MDM Software to Compromise iPhones and Apps

Thirteen iPhone users in India fell victim to malware attacks that exploited open source mobile device management (MDM) software to break into corporate devices.

In July 2018, security researchers from Cisco’s Talos security division discovered a campaign that has been running since 2015, using at least five applications. Two of these apps conducted phony tests on the devices, while others sent SMS messages back to the attackers and extracted location data and other information.

Why MDM Deployments May Be at Risk

The attackers were able to change passwords, revoke certificates and replace apps like WhatsApp and Telegram with malicious versions either by gaining physical access to the iPhones or by using social-engineering tactics.

These attacks come at a time when large enterprises are working harder than ever to provide a safe way for employees to access corporate networks via their mobile devices. Most organizations use MDM tools to do just that, but the threat actors behind the malware attacks exploited these systems to trick users into accepting malicious certificates.

Similar to opening a phishing email, this essentially gave remote management access to the attackers. While the researchers reported no immediate financial repercussions, they noted that switching out various mobile apps would enable cybercriminals to gather priority data from users or their employer.

Establish Security Policies to Limit Malware Attacks

While some data may be stored locally on a mobile device, IBM Security experts emphasize that security professionals can limit the impact of these malware attacks by establishing strong security policies to lock down access to the corporate network. According to a January 2018 IBM white paper, such policies could include setting up specific windows of availability for certain applications and data, as well as a passcode to protect the MDM app itself.

Source: Talos

The post Malware Attacks Exploit Open Source MDM Software to Compromise iPhones and Apps appeared first on Security Intelligence.

Family Matters: How to Help Kids Avoid Cyberbullies this Summer

The summer months can be tough on kids. There’s more time during the day, and much of that extra time gets spent online scrolling, surfing, liking and Snapchatting with peers. Unfortunately, with more time comes more opportunity for interactions between peers to become strained, even to the point of bullying.

Can parents stop their kids from being cyberbullied completely? Not likely. However, if our sensors are up, we may be able to help our kids minimize both conflicts online and instances of cyberbullying should they arise.

Be Aware

Summer can be a time when a child is more prone to feelings of exclusion and depression relative to the amount of time he or she spends online. Watching friends take trips together, go to parties and hang out at the pool can weigh heavily on a child’s emotions. As much as you can, try to stay aware of your child’s demeanor and attitude over the summer months. If you need help balancing their online time, you’ve come to the right place.

Steer Clear of Summer Cyberbullies 

  1. Avoid risky apps. Apps like ask.fm that allow outsiders to ask a user any question anonymously should be off limits to kids. Kik Messenger and Yik Yak are also risky apps. Users have a degree of anonymity with these kinds of apps because they have usernames instead of real names and they can easily connect with profiles that could be (and often are) fake. Officials have linked all of these apps to multiple cyberbullying and even suicide cases.
  2. Monitor gaming communities. Gaming time can skyrocket during the summer and in a competitive environment, so can cyberbullying. Listen in on the tone of the conversations, the language, and keep tabs on your child’s demeanor. For your child’s physical and emotional health, make every effort to help him or her balance summer gaming time.
  3. Make profiles and photos private. By refusing to use privacy settings (and some kids do resist), a child’s profile is open to anyone and everyone, which increases the chances of being bullied or personal photos being downloaded and manipulated. Require kids under 18 to make all social profiles private. By doing this, you limit online circles to known friends and reduce the possibility of cyberbullying.
  4. Don’t ask peers for a “rank” or a “like.” The online culture for teens is very different than that of adults. Kids will be straightforward in asking people to “like” or “rank” a photo of them and attach the hashtag #TBH (to be honest) in hopes of affirmation. Talk to your kids about the risk in doing this and the negative comments that may follow. Remind them often of how much they mean to you and the people who truly know them and love them.
  5. Balance = health. Summer means getting intentional about balance with devices. Stepping away from devices for a set time can help that goal. Establish ground rules for the summer months, which might include additional monitoring and a device curfew.

Know the signs of cyberbullying. And, if your child is being bullied, remember these things:

  1. Never tell a child to ignore the bullying.
  2. Never blame a child for being bullied. Even if he or she made poor decisions or aggravated the bullying, no one ever deserves to be bullied.
  3. As angry as you may be that someone is bullying your child, do not encourage your child to physically fight back.
  4. If you can identify the bully, consider talking with the child’s parents.

Technology has catapulted parents into arenas — like cyberbullying — few of us could have anticipated. So, the challenge remains: Stay informed and keep talking to your kids, parents, because they need you more than ever as their digital landscape evolves.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post Family Matters: How to Help Kids Avoid Cyberbullies this Summer appeared first on McAfee Blogs.

Managing Enterprise Security Risk on Vacation

Enterprise security hardships await wherever we travel — especially during summer vacation. Connecting to an organization’s software while on vacation is different from doing so on a business trip. Employees’ mindsets are different; they’re not supposed to be working, but they’re bound to check their email or access that document that just needs a little more attention. In this increasingly digital world, it’s getting tougher for us to disconnect no matter where we are or what we’re doing. This predicament represents a huge security risk for the enterprise.

Guarding Enterprise Data

With the abundance of hacking tactics available to threat actors, it’s easier than ever to launch an attack, especially on public Wi-Fi. For example, pen testing tools like Cain and Abel and WiFi Pineapple can be used nefariously to steal passwords and enable theft of the data protected by them. If employees learn just one thing before enabling the good old out of office message, let it be this: Steer clear of public Wi-Fi unless they’re using a VPN.

Although Wi-Fi vulnerabilities tend to garner more attention, it’s also important to remember how easy it is to wreak havoc with Bluetooth. When the average Bluetooth device has a range of 100 meters (over 300 feet), a hacker gets plenty of room to be stealthy. The BlueBorne tool, for example, can attack your phone without touching it. What makes Bluetooth so vulnerable, according to Jerry Irvine, CIO and partner of Prescient Solutions and member of the National Cyber Security Task Force, is the inherent insecurity of the technology.

“For many devices, the passwords are either 0000 or 11,” he said, “so people can get to your device [through Bluetooth] and connect as a keyboard or a mouse or an entry device.” Once connected, threat actors can intercept or download information from your device. Irvine recommends turning off any services you’re not using on your phone until you need them.

Wireless concerns aside, there are many other security pitfalls to consider while on vacation, and employees should exert caution before invoking their extended out of office rule. For instance, at this time of year, there are a lot of travel-related emails and social media links that look legitimate but are anything but. Getting a message offering a chance to save 50 percent off airfare or one free night in a hotel is enticing. But according to Irvine, seven out of 10 of those are phishing scams that could take you to a malicious site that may install ransomware.

“Users need to be very cautious while clicking on the embedded links or attachments,” he said. Instead, he suggested, they should take the extra step to go directly to the airline, hotel or travel site. Even clicking on a link from a search engine results page may lead to an infected website.

And what about when employees are at the coffee shop and nature calls? It’s only going to take two minutes, right? Those two minutes are more than enough time for a well-dressed thief to sit down at the table as if he or she belongs there, pack up a laptop and exit stage left. It’s far too easy, and Irvine hears about it all too often. “It’s simple: Don’t leave your devices alone,” he advised.

A Robust Fail-Safe for Security Risks

One critical security measure for the enterprise is to ensure your employees have — or are correctly using — a mobile device management (MDM) solution. MDM allows companies to manage and enforce security policies as well as detect when a device has been compromised. Security teams can remotely initiate a wipe of the device, ensure employees don’t launch specific apps without a secure connection or disable or remove unapproved applications.

These quick tips only begin to secure the shallows of this deep ocean of potential pratfalls plaguing the enterprise with a lax-minded workforce this summer. Vacation brain is a powerful force, and in this state, security doesn’t receive the mindfulness it requires for success. Humans are and always will be the weakest link in the security chain, and summertime only reinforces the credo. The enterprise must do all it can to take security into its own hands and accept that most employees aren’t putting security first.

Sure, some of the onus is on the employees, but it’s best to err on the side of caution.

The post Managing Enterprise Security Risk on Vacation appeared first on Security Intelligence.

Gartner Releases First-Ever Magic Quadrant for Unified Endpoint Management (UEM)

Over the past decade, mobile security platforms have existed under a variety of classifications. First came mobile device management (MDM), followed by enterprise mobility management (EMM), and today we’ve arrived at an entirely new term: unified endpoint management (UEM).

In its 2018 Magic Quadrant for Unified Endpoint Management Tools, Gartner has evaluated UEM vendors across a variety of criteria, including:

  • EMM capabilities, spanning from provisioning and reporting to data protection;
  • Modern management of PCs and Macs;
  • Client- and agent-based management techniques, such as imaging and patching; and
  • Proven ability to manage Internet of Things (IoT) devices and gateways.

To learn more, read the report: 2018 Magic Quadrant for Unified Endpoint Management Tools

MDM and EMM in the Rearview — Why the Sudden Change?

For years, IT and security leaders have needed a way to enroll, manage and enforce compliance on smartphones and tablets, which MDM was able to accomplish. These needs were just the beginning — the devices became more capable, and their apps, content and data became integral to everyday business operations. Hence the need for EMM solutions, which enabled a more holistic management approach.

Over time, the variety and differentiation across device types — smartphones, tablets, laptops, desktops, wearables and IoT — has increased, as have their everyday applications and use cases. Traditional MDM and EMM tools that organizations have relied upon to manage these endpoints do not provide consistent workflows for management, nor do they enable an over-the-air, out-of-the-box experience for all devices.

UEM accounts for vast industry-specific innovations that have taken place and supports modern-day use cases for endpoint and mobile, including:

  • One window and consistent workflows for securing disparate devices;
  • Migration from legacy laptop platforms to Microsoft Windows 10;
  • Identity and access management (IAM) for mobile devices; and
  • Low-touch, no-touch deployments for PC and Mac.

Laptop Management Meets Modern-Day APIs

With the introduction of Windows 10, everything changed. Unlike its laptop ancestors, this particular laptop operating system (OS) was not reliant on an agent to administer enterprise-grade management and security. Much like its iPhone and Android cousins, it could be managed using MDM application programming interfaces (APIs), as can macOS.

In the past, organizations were reliant on MDM and EMM separate from client management tools (CMTs). Now, this can be accomplished through UEM. For the first time, a single tool can manage laptops alongside mobile devices.

With the end of life (EOL) of Windows 7 scheduled for 2020, organizations are setting their sights on deploying the latest laptop platforms throughout the enterprise, primarily macOS and Windows 10. The most effective way to accomplish this is not through the traditional approach with one solution for PCs, Macs and servers and a separate solution for mobile devices.

Now that modern PCs and Macs can be managed alongside iPhones, iPads and Androids, IT teams are prioritizing consolidation to reduce costs and improve IT efficiency. As modern platforms, such as Chrome OS, become more prevalent in the enterprise, the ability to manage endpoints with APIs will become an even higher area of focus and importance.

Expanding Into Wearables and IoT

What else is UEM doing, aside from incorporating laptops into the mix? As organizations have increased their dependency on endpoints and mobile devices to transform their operations, the complexity of their use cases has increased.

Mixed-reality devices, such as Microsoft HoloLens, offer a great example of how unique device types are coming into the fold — and need to be managed just like any other device. As IT and security leaders broaden their deployments of IoT devices and sensors, the need to blanket the management of every “thing” will only continue to expand.

IBM Named a Leader in Unified Endpoint Management

IBM was named a Leader in the 2018 Gartner Magic Quadrant for Unified Endpoint Management Tools due to its completeness of vision and ability to execute.

Unlike all other vendors featured on the Magic Quadrant for UEM, we believe IBM MaaS360 is the only solution that offers artificial intelligence (AI) capabilities delivered by Watson, helping IT and security leaders make informed decisions about their end users and endpoints, in addition to their apps, content and data. Aiming to provide the best possible outcomes for administrators and users, MaaS360 is committed to making AI a native component of the UEM experience.

To learn more, read the report: 2018 Magic Quadrant for Unified Endpoint Management Tools

To learn more about MaaS360 and Gartner’s assessment of the UEM industry, download your complimentary copy of the 2018 Gartner Magic Quadrant for Unified Endpoint Management Tools.

Disclaimer: Gartner Magic Quadrant for Unified Endpoint Management Tools, Chris Silva, Rich Doheny, Bryan Taylor, Rob Smith and Manjunath Bhat, 23 July 2018. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post Gartner Releases First-Ever Magic Quadrant for Unified Endpoint Management (UEM) appeared first on Security Intelligence.

A study of car sharing apps

The growing popularity of car sharing services has led some experts to predict an end to private car ownership in big cities. The statistics appear to back up this claim: for example, in 2017 Moscow saw the car sharing fleet, the number of active users and the number of trips they made almost double. This is great news, but information security specialists have started raising some pertinent questions: how are the users of these services protected and what potential risks do they face in the event of unauthorized access to their accounts?

Why is car sharing of interest to criminals?

The simple answer would be because they want to drive a nice car at somebody else’s expense. However, doing so more than once is likely to be problematic – once the account’s owner finds out they have been charged for a car they never rented, they’ll most likely contact the service’s support line, the service provider will check the trip details, and may eventually end up reporting the matter to the police. It means anyone trying it a second time will be tracked and caught red-handed. This is obvious and makes this particular scenario the least likely reason for hijacking somebody’s account.

The selling of hijacked accounts appears to be a more viable reason. There is bound to be demand from those who don’t have a driving license or those who were refused registration by the car sharing service’s security team. Indeed, offers of this nature already exist on the market.

Criminals offer hijacked accounts from a wide range of car sharing services…

…and explain why you are better off using somebody else’s account

In addition, someone who knows the details of a user’s car sharing account can track all their trips and steal things that are left behind in the car. And, of course, a car that is fraudulently rented in somebody else’s name can always be driven to some remote place and cannibalized for spare parts.

Application security

So, we know there is potential interest among criminal elements; now let’s see if the developers of car sharing apps have reacted to it. Have they thought about user security and protected their software from unauthorized access? We tested 13 mobile apps and (spoiler alert!) the results were not very encouraging.

We started by checking the apps’ ability to prevent launches on Android devices with root privileges, and assessed how well the apps’ code is obfuscated. This was done for two reasons:

  • the vast majority of Android applications can be decompiled, their code modified (e.g. so that user credentials are sent to a C&C), then re-assembled, signed with a new certificate and uploaded again to an app store;
  • an attacker on a rooted device can infiltrate the process of the necessary application and gain access to authentication data.

Another important security element is the ability to choose a username and password when using a service. Many services use a person’s phone number as their username. This is quite easy for cybercriminals to obtain as users often forget to hide it on social media, while car sharing users can be identified on social media by their hashtags and photos.

An example of how a social media post can give you away

We then looked at how the apps work with certificates and if cybercriminals have any chance of launching successful MITM attacks. We also checked how easy it is to overlay an application’s interface with a fake authorization window.

Reverse engineering and superuser privileges

Of all the applications we analyzed, only one was capable of countering reverse engineering. It was protected with the help of DexGuard, a solution whose developers also promise that protected software will not launch on a device where the owner has gained root privileges or that has been modified (patched).

File names in the installation package indicate the use of DexGuard

However, while that application is well protected against reverse engineering, there’s nothing to stop it from launching on an Android device with superuser privileges. When tested that way, the app launches successfully and goes through the server authorization process. An attacker could obtain the data located in protected storage. However, in this particular app the data was encrypted quite reliably.

Example of user’s encrypted credentials

Password strength

Half the applications we tested do not allow the user to create their own credentials; instead they force the user to use their phone number and a PIN code sent in a text message. On the one hand, this means the user can’t set a weak password like ‘1234’; on the other hand, it presents an opportunity for an attacker to obtain the password (by intercepting it using the SS7 vulnerability, or by getting the phone’s SIM card reissued). We decided to use our own accounts to see how easy it is to find out the ‘password’.

If an attacker finds a person’s phone number on social media and tries to use it to log in to the app, the owner will receive an SMS with a validation code:

As we can see, the validation code is just four digits long, which means it only takes 10,000 attempts to guess it – not such a large number. Ideally, such codes should be at least six digits long and contain upper and lower case characters as well as numbers.

Another car sharing service sends stronger passwords to users; however, there is a drawback to that as well. Its codes are created following a single template: they always have numbers in first and last place and four lower-case Latin characters in the middle:

That means there are 45 million possible combinations to search through; if the positioning of the numbers were not restricted, the number of combinations would rise to two billion. Of course, 45,000,000 is also a large amount, but the app doesn’t have a timeout for entering the next combination, so there are no obstacles to prevent brute forcing.

Now, let’s return to the PIN codes of the first application. The app gives users a minute to enter the PIN; if that isn’t enough time, users have to request a new code. It turned out that the combination lifetime is a little over two minutes. We wrote a small brute force utility, reproduced part of the app/server communication protocol and started the brute force. We have to admit that we were unable to brute force the code, and there are two possible reasons for that. Firstly, our internet line may have been inadequate, or secondly, the car sharing operator set an appropriate two-minute timeout for the PIN code, so it couldn’t be brute forced within two minutes even with an excellent internet connection. We decided not to continue, confirming only that the service remained responsive and an attack could be continued after several attempts at sending 10,000 requests at a time.

While doing so, we deliberately started the brute force in a single thread from a single IP address, thereby giving the service a chance to detect and block the attack, contact the potential victim and, as a last resort, deactivate the account. But none of these things happened. We decided to leave it at that and moved on to testing the next application.

We tried all the above procedures on the second app, with the sole exception that we didn’t register a successful brute force of the password. We decided that if the server allows 1,000 combinations to be checked, it would probably also allow 45 million combinations to be checked, so it is just a matter of time.

The server continues to respond after 1,000 attempts to brute force the password

This is a long process with a predictable result. This application also stores the username and password locally in an encrypted format, but if the attacker knows their format, brute forcing will only take a couple of minutes – most of this time will be spent on generating the password/MD5 hash pair (the password is hashed with MD5 and written in a file on the device).
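The server-side controls this section finds missing (a code lifetime, a cap on guesses per code, account lockout and an event trail so the operator can notice an attack and warn the user), written as an added Python example; this is not code from any of the tested services or from Securelist, and the class and function names, thresholds and the phone-number placeholder are assumptions. A small `search_space` helper also reproduces the 10,000 and 45 million figures quoted above from the code templates.

```python
"""Defensive one-time-code verification for a phone-number login flow.

Added example (hypothetical names and thresholds). It implements the
controls the car sharing study found absent: a short code lifetime, a hard
cap on guesses per code, account lockout after repeated failures, and an
audit event for every decision so detection tooling can alert and the user
can be notified.
"""
import hmac
import secrets
import string
from dataclasses import dataclass, field
from math import prod
from typing import Dict, List, Optional, Sequence, Tuple

CODE_TTL_SECONDS = 120        # ~2 minutes, the lifetime observed in the study
MAX_ATTEMPTS_PER_CODE = 5     # a 4-digit PIN then survives 5 of 10,000 guesses
LOCKOUT_FAILURES = 15         # failures across codes before the account locks
LOCKOUT_SECONDS = 900
CODE_LENGTH = 6               # six mixed-case alphanumerics, as recommended
CODE_ALPHABET = string.ascii_letters + string.digits


def search_space(sizes: Sequence[int]) -> int:
    """Number of candidate codes for a template given per-position alphabet sizes.

    [10]*4 -> 10,000 (4-digit PIN); [10, 26, 26, 26, 26, 10] -> 45,697,600
    (digit, four lowercase letters, digit), the ~45 million quoted above.
    """
    return prod(sizes)


def brute_force_success_probability(sizes: Sequence[int], guesses: int) -> float:
    """Chance that `guesses` uniformly random guesses hit one live code."""
    return min(1.0, guesses / search_space(sizes))


@dataclass
class Challenge:
    code: str
    issued_at: float
    attempts: int = 0


@dataclass
class Account:
    challenge: Optional[Challenge] = None
    failures: int = 0            # consecutive failures, reset on success
    locked_until: float = 0.0


@dataclass
class OtpService:
    accounts: Dict[str, Account] = field(default_factory=dict)
    events: List[Tuple[str, str]] = field(default_factory=list)  # (phone, event)

    def _account(self, phone: str) -> Account:
        return self.accounts.setdefault(phone, Account())

    def issue(self, phone: str, now: float) -> Optional[str]:
        """Create a fresh code; returns None while the account is locked."""
        acct = self._account(phone)
        if now < acct.locked_until:
            self.events.append((phone, "issue_refused_locked"))
            return None
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        acct.challenge = Challenge(code=code, issued_at=now)
        # In production the code goes out via push/SMS; it is returned here only
        # so the example can be exercised without a messaging backend.
        return code

    def verify(self, phone: str, guess: str, now: float) -> bool:
        """Check one guess; every outcome is recorded in `events`."""
        acct = self._account(phone)
        if now < acct.locked_until:
            self.events.append((phone, "verify_refused_locked"))
            return False
        ch = acct.challenge
        if ch is None:
            self.events.append((phone, "no_live_code"))
            return False
        if now - ch.issued_at > CODE_TTL_SECONDS:
            acct.challenge = None
            self.events.append((phone, "code_expired"))
            return False
        ch.attempts += 1
        if hmac.compare_digest(ch.code, guess):     # constant-time comparison
            acct.challenge = None                   # single use
            acct.failures = 0
            self.events.append((phone, "login_ok"))  # hook: notify user of new device
            return True
        acct.failures += 1
        self.events.append((phone, "code_mismatch"))
        if ch.attempts >= MAX_ATTEMPTS_PER_CODE:
            acct.challenge = None   # burn the code; a new one must be requested
            self.events.append((phone, "code_burned"))
        if acct.failures >= LOCKOUT_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            self.events.append((phone, "account_locked"))  # hook: alert SOC + user
        return False
```

With these limits a single code can absorb at most five guesses and the account locks after three burned codes, so the "10,000 requests at a time" pattern described above is stopped and logged rather than silently served.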

MITM attack

It’s worth noting that the applications use HTTPS to communicate data to and from their control centers, so it may take quite a while to figure out the communication protocol. To make our ‘attack’ faster, we resorted to an MITM attack, aided by another global security flaw: none of the tested applications checks the server’s certificate. We were able to obtain the dump of the entire session.

Screenshot of a successful MITM attack. HTTPS traffic dump was obtained

Protection from overlaying

Of course, it’s much faster and more effective (from the attacker’s point of view) if an Android device can be infected, i.e., the authorization SMS can be intercepted, so the attacker can instantly log in on another device. If there’s a complex password, then the attacker can hijack the app’s launch by showing a fake window with entry fields for login details that covers the genuine app’s interface. None of the applications we analyzed could counter this sort of activity. If the operating system version is old enough, privileges can be escalated and, in some cases, the required data can be extracted.

Outcome

The situation is very similar to what we found surrounding Connected Car applications. It appears that app developers don’t fully understand the current threats to mobile platforms – that goes for both the design stage and when creating the infrastructure. A good first step would be to expand the functionality for notifying users of suspicious activities – only one service currently sends notifications to users about attempts to log in to their account from a different device. The majority of the applications we analyzed are poorly designed from a security standpoint and need to be improved. Moreover, many of the programs are not just very similar to each other but are actually based on the same code.

Russian car sharing operators could learn a thing or two from their colleagues in other countries. For example, a major player in the market of short-term car rental only allows clients to access a car with a special card – this may make the service less convenient, but dramatically improves security.

Advice for users

  • Don’t make your phone number publicly available (the same goes for your email address).
  • Use a separate bank card for online payments, including car sharing (a virtual card also works) and don’t put more money on it than you need.
  • If your car sharing service sends you an SMS with a PIN code for your account, contact the security service and disconnect your bank card from that account.
  • Do not use rooted devices.
  • Use a security solution that will protect you from cybercriminals who steal SMSs. This will make life harder not only for free riders but also for those interested in intercepting SMSs from your bank.

Recommendations to car sharing services

  • Use commercially available packers and obfuscators to complicate reverse engineering. Pay special attention to integrity control, so the app can’t be modified.
  • Use mechanisms to detect operations on rooted devices.
  • Allow the user to create their own credentials; ensure all passwords are strong.
  • Notify users about successful logons from other devices.
  • Switch to PUSH notifications: it’s still rare for malware to monitor the Notification bar in Android.
  • Protect your application interface from being overlaid by another app.
  • Add a server certificate check.

Securelist – Kaspersky Lab’s cyberthreat research and reports: A study of car sharing apps
  • an attacker on a rooted device can infiltrate the process of the necessary application and gain access to authentication data.

Another important security element is the ability to choose a username and password when using a service. Many services use a person’s phone number as their username. This is quite easy for cybercriminals to obtain as users often forget to hide it on social media, while car sharing users can be identified on social media by their hashtags and photos.

An example of how a social media post can give you away

We then looked at how the apps work with certificates and if cybercriminals have any chance of launching successful MITM attacks. We also checked how easy it is to overlay an application’s interface with a fake authorization window.

Reverse engineering and superuser privileges

Of all the applications we analyzed, only one was capable of countering reverse engineering. It was protected with the help of DexGuard, a solution whose developers also promise that protected software will not launch on a device where the owner has gained root privileges or that has been modified (patched).

File names in the installation package indicate the use of DexGuard

However, while that application is well protected against reverse engineering, there’s nothing to stop it from launching on an Android device with superuser privileges. When tested that way, the app launches successfully and goes through the server authorization process. An attacker could obtain the data located in protected storage. However, in this particular app the data was encrypted quite reliably.

Example of user’s encrypted credentials

Password strength

Half the applications we tested do not allow the user to create their own credentials; instead they force the user to use their phone number and a PIN code sent in a text message. On the one hand, this means the user can’t set a weak password like ‘1234’; on the other hand, it presents an opportunity for an attacker to obtain the password (by intercepting it using the SS7 vulnerability, or by getting the phone’s SIM card reissued). We decided to use our own accounts to see how easy it is to find out the ‘password’.

If an attacker finds a person’s phone number on social media and tries to use it to log in to the app, the owner will receive an SMS with a validation code:

As we can see, the validation code is just four digits long, which means it only takes 10,000 attempts to guess it – not such a large number. Ideally, such codes should be at least six digits long and contain upper and lower case characters as well as numbers.

Another car sharing service sends stronger passwords to users; however, there is a drawback to that as well. Its codes are created following a single template: they always have numbers in first and last place and four lower-case Latin characters in the middle:

That means there are 45 million possible combinations to search through; if the positioning of the numbers were not restricted, the number of combinations would rise to two billion. Of course, 45,000,000 is also a large number, but the app imposes no timeout before the next combination can be entered, so there is nothing to prevent brute forcing.

Now, let’s return to the PIN codes of the first application. The app gives users a minute to enter the PIN; if that isn’t enough time, users have to request a new code. It turned out that the combination lifetime is a little over two minutes. We wrote a small brute force utility, reproduced part of the app/server communication protocol and started the brute force. We have to admit that we were unable to brute force the code, and there are two possible reasons for that. Firstly, our internet line may have been inadequate, or secondly, the car sharing operator set an appropriate two-minute timeout for the PIN code, so it couldn’t be brute forced within two minutes even with an excellent internet connection. We decided not to continue, confirming only that the service remained responsive and an attack could be continued after several attempts at sending 10,000 requests at a time.

While doing so, we deliberately started the brute force in a single thread from a single IP address, thereby giving the service a chance to detect and block the attack, contact the potential victim and, as a last resort, deactivate the account. But none of these things happened. We decided to leave it at that and moved on to testing the next application.

We tried all the above procedures on the second app, with the sole exception that we didn’t register a successful brute force of the password. We decided that if the server allows 1,000 combinations to be checked, it would probably also allow 45 million combinations to be checked, so it is just a matter of time.

The server continues to respond after 1,000 attempts to brute force the password
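The code spaces quoted above and the server-side limits the study found missing, as an added example that is not code from the Securelist study or from any car sharing app; the verifier's 120-second lifetime, its cap of five failed guesses and all function names are assumptions:

```python
"""Added example, not code from the Securelist study: the size of the code
spaces described above, and a server-side verifier that limits guessing by
code lifetime and failed-attempt count. Limits and names are assumptions."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SYMBOLS = {"d": 10, "a": 26, "x": 36}  # digit, lower-case Latin letter, either


def search_space(template: str) -> int:
    """Number of codes matching a template such as 'dddd' or 'daaaad'."""
    total = 1
    for ch in template:
        total *= SYMBOLS[ch]
    return total


@dataclass
class IssuedCode:
    code: str
    issued_at: float
    failures: int = 0
    locked: bool = False


@dataclass
class OtpVerifier:
    """Assumed policy: a code is accepted only within lifetime_s seconds of
    issue and only while fewer than max_failures wrong guesses were made;
    exceeding the limit locks the account and records an alert for review."""
    lifetime_s: float = 120.0
    max_failures: int = 5
    alerts: List[str] = field(default_factory=list)
    codes: Dict[str, IssuedCode] = field(default_factory=dict)

    def issue(self, account: str, code: str, now: float) -> None:
        self.codes[account] = IssuedCode(code=code, issued_at=now)

    def is_locked(self, account: str) -> bool:
        entry = self.codes.get(account)
        return entry is not None and entry.locked

    def verify(self, account: str, guess: str, now: float) -> bool:
        entry = self.codes.get(account)
        if entry is None or entry.locked:
            return False
        if now - entry.issued_at > self.lifetime_s:
            del self.codes[account]  # expired: never accepted, even if correct
            return False
        if hmac.compare_digest(entry.code, guess):  # constant-time comparison
            del self.codes[account]  # single use
            return True
        entry.failures += 1
        if entry.failures >= self.max_failures:
            entry.locked = True
            self.alerts.append(f"{account}: {entry.failures} failed codes, account locked")
        return False


def simulate_enumeration(verifier: OtpVerifier, account: str, now: float) -> Tuple[bool, int]:
    """Submit every four-digit code in order (as the study's brute-force utility
    did against the live service) and report whether the code was found and how
    many guesses the verifier accepted for checking before it stopped."""
    attempts = 0
    for i in range(search_space("dddd")):
        attempts += 1
        if verifier.verify(account, f"{i:04d}", now):
            return True, attempts
        if verifier.is_locked(account):
            return False, attempts
    return False, attempts


if __name__ == "__main__":
    print("4-digit PIN space:", search_space("dddd"))
    print("digit + 4 letters + digit:", search_space("daaaad"))
    print("6 unrestricted digits/letters:", search_space("xxxxxx"))
    strict = OtpVerifier()
    strict.issue("user@example.test", "9876", now=0.0)  # constructed account and code
    print("with attempt cap:", simulate_enumeration(strict, "user@example.test", now=0.0))
    lax = OtpVerifier(max_failures=10**9)
    lax.issue("user@example.test", "9876", now=0.0)
    print("without cap:", simulate_enumeration(lax, "user@example.test", now=0.0))
```

With the cap in place the enumeration is stopped after five guesses and an alert is recorded; with the cap removed, which is what the study observed, the same loop reaches the code on the 9,877th guess. The lifetime check alone does not help here, because all guesses arrive within the two-minute window.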

This is a long process with a predictable result. This application also stores the username and password locally in an encrypted format, but if the attacker knows their format, brute forcing will only take a couple of minutes – most of this time will be spent on generating the password/MD5 hash pair (the password is hashed with MD5 and written in a file on the device).
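The local storage scheme described in the preceding paragraph (the password hashed with unsalted MD5 and written to a file) beside a salted, iterated alternative, as an added example rather than code from the article or from the tested apps; the function names, the PBKDF2 parameters and the storage string format are assumptions:

```python
"""Added example, not the article's or any app's code: unsalted MD5 storage
as the article describes it, next to salted PBKDF2-HMAC-SHA256. Names and
parameters are assumptions."""
import hashlib
import hmac
import os
from typing import Optional


def store_weak(secret: str) -> str:
    """Scheme found in the app: hex MD5 of the secret, no salt. Every user
    with the same PIN gets the same value, so one precomputed table of all
    10,000 four-digit hashes recovers any of them."""
    return hashlib.md5(secret.encode()).hexdigest()


def verify_weak(secret: str, stored: str) -> bool:
    return hmac.compare_digest(store_weak(secret), stored)


ITERATIONS = 200_000  # assumed work factor for PBKDF2


def store_strong(secret: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Random 16-byte salt plus PBKDF2-HMAC-SHA256; the stored string carries
    the parameters needed to verify it. Format is an assumption."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_strong(secret: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def offline_guess_work(pin_length: int, iterations: int) -> int:
    """Hash computations needed to exhaust every PIN of pin_length digits once
    the stored value is in hand: one per guess for plain MD5, `iterations`
    per guess for PBKDF2 with that work factor."""
    return 10 ** pin_length * iterations


if __name__ == "__main__":
    pin = "1234"  # constructed sample PIN
    print("MD5 store :", store_weak(pin))
    print("PBKDF2    :", store_strong(pin))
    print("work, MD5 :", offline_guess_work(4, 1))
    print("work, KDF :", offline_guess_work(4, ITERATIONS))
```

The salt defeats the shared table (two users with the same PIN get different stored values) and the iteration count multiplies the cost of each offline guess; neither changes how small a four-digit space is, which is why the article's earlier point about letting users choose real credentials still stands.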

MITM attack

It’s worth noting that the applications use HTTPS to communicate data to and from their control centers, so it may take quite a while to figure out the communication protocol. To make our ‘attack’ faster, we resorted to an MITM attack, aided by another global security flaw: none of the tested applications checks the server’s certificate. We were able to obtain the dump of the entire session.


Screenshot of a successful MITM attack. HTTPS traffic dump was obtained

Protection from overlaying

Of course, it’s much faster and more effective (from the attacker’s point of view) if an Android device can be infected, i.e., the authorization SMS can be intercepted, so the attacker can instantly log in on another device. If there’s a complex password, then the attacker can hijack the app’s launch by showing a fake window with entry fields for login details that covers the genuine app’s interface. None of the applications we analyzed could counter this sort of activity. If the operating system version is old enough, privileges can be escalated and, in some cases, the required data can be extracted.

Outcome

The situation is very similar to what we found surrounding Connected Car applications. It appears that app developers don’t fully understand the current threats to mobile platforms – that goes for both the design stage and when creating the infrastructure. A good first step would be to expand the functionality for notifying users of suspicious activities – only one service currently sends notifications to users about attempts to log in to their account from a different device. The majority of the applications we analyzed are poorly designed from a security standpoint and need to be improved. Moreover, many of the programs are not just very similar to each other but are actually based on the same code.

Russian car sharing operators could learn a thing or two from their colleagues in other countries. For example, a major player in the market of short-term car rental only allows clients to access a car with a special card – this may make the service less convenient, but dramatically improves security.

Advice for users

  • Don’t make your phone number publicly available (the same goes for your email address)
  • Use a separate bank card for online payments, including car sharing (a virtual card also works) and don’t put more money on it than you need.
  • If your car sharing service sends you an SMS with a PIN code for your account, contact the security service and disconnect your bank card from that account.
  • Do not use rooted devices.
  • Use a security solution that will protect you from cybercriminals who steal SMSs. This will make life harder not only for free riders but also for those interested in intercepting SMSs from your bank.

Recommendations to car sharing services

  • Use commercially available packers and obfuscators to complicate reverse engineering. Pay special attention to integrity control, so the app can’t be modified.
  • Use mechanisms to detect operations on rooted devices.
  • Allow the user to create their own credentials; ensure all passwords are strong.
  • Notify users about successful logons from other devices.
  • Switch to PUSH notifications: it’s still rare for malware to monitor the Notification bar in Android.
  • Protect your application interface from being overlaid by another app.
  • Add a server certificate check.


Securelist - Kaspersky Lab’s cyberthreat research and reports

Are Fake Apps Taking Over Your Phone?

It seems some malicious app developers have taken the phrase “fake it ‘til you make it” to heart, as fake apps have become a rampant problem for Android and iPhone users alike. Even legitimate sources, such as Google Play and Apple’s App Store, have been infiltrated with illegitimate applications, despite their own due diligence in combating this phenomenon.

After a fake app is downloaded, cybercriminals use it to run ransomware or ad-delivered malware in the background of your device, making it difficult to notice something’s off. But while you’re minding your own business, your personal data – such as usernames, photos, passwords, and credit card information – can be compromised.

Malicious apps have become more challenging to detect, and even more difficult to delete from a device without causing further damage. The trend of fake apps shows no sign of slowing down either, as bad actors have become more brazen with the apps they work to imitate. From Nordstrom to Fortnite to WhatsApp, it seems no business or industry is off limits.

Luckily, cybercriminals have yet to figure out a sure-fire way to get their fake apps onto our devices. By paying extra attention to detail, you can learn to identify a fake app before downloading it. Here’s how:

  • Check for typos and poor grammar. Double check the app developer name, product title, and description for typos and grammatical errors. Malicious developers often spoof real developer IDs, even just by a single letter, to seem legitimate. If there are promises of discounts, or the description just feels off, those signals should be taken as red flags.
  • Look at the download statistics. If you’re attempting to download a popular app like WhatsApp, but it has an inexplicably low number of downloads, that’s a fairly good indicator that an app is most likely fraudulent.
  • Read what others are saying. When it comes to fake apps, user reviews are your ally. Breezing through a few can provide vital information as to whether an app is authentic or not, so don’t be afraid to crowdsource those insights when you can.

If you do find yourself having accidentally downloaded a fake app, there are steps you can take to rid your phone of it. Here’s what to do:

  • Delete the app immediately or as soon as you notice anything suspicious. If you can’t find it, but you’re still having issues, the app could still be on your device. That’s because, in the interest of self-preservation, fake apps can try and protect themselves from disposal by making their icon and title disappear. If that happens, go to your installed apps page(s) and look for blank spaces, as it may be hiding there.
  • Check the permissions. After installation, check the app’s permissions. Fake apps usually give long lists of frivolous requests in an effort to get access to more data.
  • Clear the app’s cache and data. If you do find the app you want to delete, this is the first step you must take in order to get the app completely off your phone.
  • Take it into your provider. If you’re still having issues after you’ve deleted an app, consider taking your device into your provider to run a diagnostic test.
  • Factory reset. As a last resort, if you can’t find the app because it has “disappeared,” or traces of the app and malware linger, the best way to ensure it is completely gone is to wipe the data, factory reset your device, and start over. This is why it is vital to have backups of your devices.

Even as this ever-growing trend of malicious developers spoofing legitimate applications to gain access to victims’ personal information continues, we can deter their advances simply by paying closer attention to detail. Remember to be vigilant about being aware of the signs to avoid fake apps at all costs.

Interested in learning more about IoT and mobile security tips and trends? Stop by ProtectWhatMatters.online, follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post Are Fake Apps Taking Over Your Phone? appeared first on McAfee Blogs.

BYOD: Are Thousands of Rogue Devices Lurking on Your Network?

Once upon a time, workplaces struggled over the now-quaint idea that an employee might occasionally use his or her own laptop or personal smartphone to perform work-related tasks.

When this trend first began, IT workers often knew all the BYOD users by name — those were the days.

Of all the disconnects that exist today between IT teams and other departments, perhaps the widest chasm is over bring-your-own-device (BYOD) practices. And if it’s difficult to secure the wide variety of known employee gadgets on your network, then it likely feels downright impossible to manage all of the uninvited guests.

The Evolution of Bring-Your-Own-Device

Today, employees bring a cornucopia of gadgets with them to the workplace — and use them all over the world to connect with work networks. A Fitbit, an Amazon Alexa, a smart TV and even a connected refrigerator or microwave could be a potential menace to a company now, according to the May 2018 report from security firm Infoblox.

Why would someone connect a kitchen appliance to an office network? While the answer to this question may never be fully clear, this practice is happening.

All of the aforementioned gadgets have their own applications, and these applications are used by employees who may or may not be well-versed in the risks they entail. The confluence of the Internet of Things (IoT), BYOD and “shadow IT” creates security headaches the likes of which no one has seen before.

Securing desktops was once a security team’s primary job. Now, each employee might have access to dozens of endpoints — each one bringing unique threats.

An Increase in Rogue Cyber Risks

Sure, you can remotely wipe a lost smartphone (and trust the worker to report it promptly). But can you really trust that your employee’s 6-year-old son will never download a rogue application onto his dad’s tablet during a family road trip?

The risks are growing fast: According to the Infoblox report, one-third of large organizations say there are at least 5,000 non-business devices connected to their networks. Predictably, these devices are used for all manner of non-business tasks, like using social networking sites.

“Due to the poor security levels of many consumer devices, there is a very real threat posed by those connected devices operating under the radar of many organizations’ traditional security policies,” said Gary Cox, technology director at Infoblox, in the report. “These devices present a weak entry point for cybercriminals into the network and a serious security risk to the company.”

Infoblox asked workers what they do with their personal devices while accessing the enterprise network. Thirty-nine percent said they access social media, but workers also download applications (24 percent), games (13 percent) and films (7 percent) — not a great use of network resources.

What Security Problem? Denial Runs Deep

Some IT departments seem to be in denial about the problem: While 88 percent of IT leaders who responded to Infoblox’s survey said their security policy for connected devices is effective, nearly one-quarter of U.S. and U.K. employees said they didn’t even know if their organization had a policy at all.

The risks from all of these connected devices aren’t theoretical — they’re real. The U.S. government created “Weeping Angel,” software which was capable of turning smart TVs into surveillance microphones. (This is just one way hackers could use an insecure gadget to steal company secrets.) The more significant threat, however, might be the use of devices as part of a botnet.

In 2017, Verizon discovered that 5,000 devices at a university — including vending machines and lightbulbs — were used in an attack that caused the entire school’s network to slow down. And then there’s Mirai, an IoT-based botnet attack that managed to slow down whole portions of the internet back in 2016, primarily by deploying a network of hijacked closed circuit television (CCTV) cameras.

How to Effectively Manage BYOD Practices

Neither BYOD nor IoT is going anywhere. So, what should IT departments do? The solutions aren’t easy — and they’re going to have to evolve alongside every new gadget and application that connects to the company network.

Here are a few practices to consider:

  • Implement policies and software solutions that restrict access to specific content categories, such as social networking sites.
  • Establish training to ensure that all employees are aware of policies around BYOD devices, including specific training around IoT devices.
  • Ensure constant monitoring of approved hardware and software. (Just because your team decides a particular tablet or application is safe today doesn’t mean it will still be safe tomorrow.)
  • Consider cost-benefit analysis. Sure, employees are happier with their own devices — and the company saves money on hardware costs and training — but is it worth the risk?

The combination of BYOD and the IoT will continue to dramatically increase the number of gadgets that security professionals have to worry about. Securing these devices and all their associated applications while enabling employees to work efficiently will be one of the toughest tasks of our time.

Don’t make the task any harder than it has to be: Start by keeping out the uninvited guests.

Read the white paper: The Ten Commandments of BYOD

The post BYOD: Are Thousands of Rogue Devices Lurking on Your Network? appeared first on Security Intelligence.

SecurityWeek RSS Feed: Bluetooth Vulnerability Allows Traffic Monitoring, Manipulation

A high severity vulnerability affecting some Bluetooth implementations can allow an attacker in physical proximity of two targeted devices to monitor and manipulate the traffic they exchange. Some of the impacted vendors have already released patches.


How mobile threats impact today’s BYOD landscape

Bring-your-own-device (BYOD) has been a revolutionary concept for years now, even before it was recognized by enterprise policy. However, now that business executives and IT leaders have realized the benefits of this type of strategy for their organizations, BYOD is becoming an increasingly powerful way to support efficient access and productivity.

At the same time, however, a worker who uses his or her device to connect with sensitive, enterprise applications and data could very easily put the business at risk. Without the right secure workflow processes and associated security protections, a single employee’s smartphone could be all that hackers need to breach the entire organization.

In the current environment, though, there’s no turning back when it comes to BYOD. Prohibiting use of personal devices in the interest of data security can quickly lead to shadow IT, which can expose the organization, its systems and assets to an even wider array of threats.

For these reasons, it’s imperative that executives, IT leaders and individual staff members alike are aware of the risks that BYOD can pose, and are trained on the best ways to leverage this strategy with secure operations.

The state of BYOD: Too widespread to repeal

The very nature of mobile device use within today’s society would make it nearly impossible to prevent their use within the business world. Even mobile devices provided by enterprises can lead to security risks. This approach is also typically cost-prohibitive and a main reason why many businesses have embraced BYOD.

  • Pew Research found that 95 percent of all Americans own a mobile phone, 77 percent of which are smartphones.
  • Mobile devices now represent the primary way users access the internet, even surpassing desktop access, Dynamic Signal reported.
  • Sixty percent of all employees use apps to complete work pursuits, and 90 percent of these users note that this activity has created a change in their professional behavior, according to Dynamic Signal.
  • Seventy-one percent of employees spend two hours a week or more accessing enterprise information and assets via their mobile device, Dynamic Signal noted.

Despite attempts at rules to the contrary, even when businesses don’t provide adequate resources for employees to leverage their mobile devices in meaningful ways, workers will seek out apps and other tools on their own. This can create dangerous shadow IT processes that heighten the enterprise’s risk of attack, infection and data breach.

The optimal way forward in the current enterprise landscape is for leaders to fully accept and support BYOD within the business, and to provide the necessary platforms, solutions, awareness and training to enable this strategy.

Trend Micro blocked millions of mobile threats from affecting businesses and consumers alike in 2017.

The current mobile threat landscape

First and foremost, it’s imperative that business and IT leaders understand what they’re up against when it comes to the current mobile threat environment. Awareness and identification of current threats will help decision-makers and IT teams craft protection deployments and usage policies that can thwart these issues specifically and better protect the organization’s systems and assets.

According to Trend Micro’s recent research included in its 2017 Mobile Threat Landscape report, there are a few specific threats – including historically dangerous issues yet to be addressed by many enterprises, and emerging strategies growing in usage with cyber hackers – that business and IT leaders should be aware of.

Mobile ransomware

By now, most companies and users are aware of ransomware – robust attacks that involve encryption to lock users out of their operating systems, applications and data. These instances also include a ransom request which notes that users will be provided the decryption key and returned access to their data and systems upon payment. In many instances, organizations have paid attackers only to be met with a second ransom request or without ever being re-granted access to their system.

When it first emerged, ransomware traditionally impacted desktops and spread throughout the network from there. Now, however, attackers have made the jump to mobile devices. In 2017 alone, mobile ransomware increased a whopping 415 percent compared to the previous year. Overall Trend Micro researchers identified more than 468,000 unique mobile ransomware samples last year.

Security vulnerabilities and exploits

Hackers are also leveraging identified security weaknesses in order to breach devices and provide a springboard for larger attacks.

“While operating systems are designed with security mechanisms in place, no platform is impervious – and mobile devices are no different,” Trend Micro researchers explained in the 2017 Mobile Threat Landscape report. “Added mobile device features expose them to bigger security gaps with potentially greater impact.”

Last year also saw an increase in the number of these vulnerabilities and exploits, including the likes of BlueBorne, Key Reinstallation Attack (KRACK), Toast Overlay and Janus. BlueBorne alone – a combination of security flaws affecting Bluetooth systems – impacted 5.3 billion devices.

Targeted attacks

Cyber attackers are also in the business of pinpointing and infecting or attacking a certain mobile device or group of devices specifically in order to further the goal of the hacking campaign they are a part of. For instance, Trend Micro’s report noted that these activities can center around politicians or other government officials, members of the military, journalists, celebrities and other high-profile individuals. This can also include targeting the mobile devices of company leaders, which can then provide an opening for attacking the business itself.

“These campaigns focus on stealing messages, contact lists, photos, audio and video files, as well as spying on calls, camera, and their target’s social media,” Trend Micro’s report stated.

Attacks of this nature increased considerably last year, particularly due to political tensions. Any type of targeted attack – including specifically those carried out through mobile platforms – poses a considerable danger to today’s enterprises.

Security in the age of BYOD

While there is surely no turning back the page on BYOD, there are certain steps and strategies enterprises can use to bolster security surrounding the use of mobile devices for corporate purposes:

  • Embrace it with a robust BYOD policy: Organizational and IT leaders should craft a strong BYOD policy that explains users’ responsibilities, the protections that must be in place and the standards they must observe in order to ensure security. Companies that are more visible and supportive when it comes to BYOD can better reduce the chances of shadow IT, which can cause more threats and damage.
  • Understand the threat environment: As Trend Micro’s report shows, hackers are taking advantage of identified and unpatched security vulnerabilities within mobile devices to support their attacks. When business and IT leaders are aware of these potential weaknesses, they can work to specifically guard against their malicious use within their own infrastructures.
  • Leverage strong security solutions: This includes protections at both the network and the device level.

Trend Micro successfully blocked more than 58 million mobile threats in 2017 alone. Connect with us today to find out how we can help you safeguard your business’s BYOD activity.

The post How mobile threats impact today’s BYOD landscape appeared first on .

It’s time to relook at, rethink and then restructure our fragmented IT security landscape

GDPR and the NIS Directive present the perfect opportunity to eliminate tool bloat at your organisation. The run-up to Brexit has led to a boost in wages for professionals of

The post It’s time to relook at, rethink and then restructure our fragmented IT security landscape appeared first on The Cyber Security Place.

iPhone Users: This Mobile Malware Could Allow Cybercriminals to Track Your Location

The iPhone and many of the apps designed to live on the device have the ability to track our location. Whenever they set up these apps, however, users get the option to opt in or out of location tracking services. But what happens when a malicious campaign doesn’t give users the option to opt out of having their location tracked by cybercriminals? In fact, just this week, it has been discovered that iPhone users may be faced with that very possibility, as a sophisticated mobile malware campaign is gaining access to devices by tricking users into downloading an open-source mobile device management (MDM) software package.

First, let’s back up – how does a mobile device management software package work, exactly? Well, according to Continuum, mobile device management (MDM) is a type of software used by an IT department to monitor, manage, and secure employees’ mobile devices. Therefore, once hijacked by hackers, this software could be used to gain almost complete access to a mobile device.

So, with this malicious MDM campaign, cybercriminals can gain access to a device and steal various forms of sensitive information, including the phone number, serial number, location, contact details, user’s photos, SMS messages, and Telegram and WhatsApp chat messages.

As of now, it’s not entirely clear how this campaign is being spread – though many signs point to social engineering. So, given the information we do know – the next question is what should iPhone users do next to stay secure? Start by following these tips:

  • Keep up-to-date on the latest social engineering scams. It’s important you stay in the loop so you know what scams to look out for. This means reading up the latest security news and knowing what’s real and what’s fake when it comes to random emails, phone calls, and text messages.
  • Turn off location services. It’s one thing for a cybercriminal to have ahold of your data, but it’s another thing entirely if they have the ability to track your location. This hack could not only impact your digital security but your physical security as well. So, turn off the location services immediately on your phone – that way if they gain access to your device, they won’t be able to track you.
  • Use a mobile security solution. As schemes like this MDM campaign continue to impact mobile users, make sure your devices are prepared for any threat coming their way. To do just that, cover these devices with a mobile security solution, such as McAfee Mobile Security.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post iPhone Users: This Mobile Malware Could Allow Cybercriminals to Track Your Location appeared first on McAfee Blogs.

Protecting a Mobile Workforce with Hybrid DNS Security

It is expected that half of the UK’s workforce will be working remotely by 2020, accessing the corporate network via mobile devices and the cloud. If true, this prediction is likely to

The post Protecting a Mobile Workforce with Hybrid DNS Security appeared first on The Cyber Security Place.

New Protocol Promises to Improve Wi-Fi Security — Eventually

A new wireless protocol promises to improve Wi-Fi security significantly, but the changes won’t be immediate.

The Wi-Fi Alliance released the Wi-Fi Protected Access (WPA3) security protocol in June 2018, an update to the 14-year-old WPA2, in an effort to improve defenses in personal and enterprise networks.

But some experts expect the rollout of WPA3 to take years because the organization will need to certify routers to work with the new protocol.

Just How Long Will It Take to Roll Out WPA3?

When WPA2 became mandatory in March 2006, it took the agency about a year and a half to certify devices, according to Nick Bilogorskiy, cybersecurity strategist at Juniper Networks.

“I expect adoption of WPA3 to take many months — even years,” Bilogorskiy said.

In some cases, current routers will be able to run WPA3 through software updates, meaning some organizations won’t need to buy new hardware. Bilogorskiy advised organizations and individual users to update their software as soon as possible and use a virtual private network (VPN) connection in addition to Wi-Fi in the meantime.

Consumer routers are less likely to accept the software update than enterprise routers. According to Sean Newman, director of product management at Corero Network Security, that means many old routers running WPA2 could continue to operate for years.

“The challenge is the long-tail of wireless devices which don’t support the new standard, which will likely propagate significant use of the current standard for three, four, five or even more years before organizations can even consider turning off access for that,” Newman explained.

Improving Wi-Fi Security for Individuals and Businesses

WPA3’s new features promise to help both individual users and enterprises improve Wi-Fi security. For example, WPA3-Personal uses the Simultaneous Authentication of Equals (SAE) protocol to establish secure keys between devices, which helps protect individual users regardless of the strength of their Wi-Fi password. WPA3 also implements forward secrecy, a privacy feature that limits exposure in the event that a threat actor guesses the password.

“If an attacker steals an encrypted Wi-Fi transmission and then guesses the password, they will only be able to see information currently running through the network, not any older data,” Bilogorskiy explained.
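To make Bilogorskiy’s point concrete, here is an added Python illustration (not code from the article, the Wi-Fi Alliance or any vendor). The WPA2-Personal passphrase-to-PMK derivation (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt) is real; the session-key expansion, the SAE-style exchange and its group parameters are simplified stand-ins for the 802.11 PRF and the Dragonfly handshake, chosen only to show which inputs an observer of old traffic does and does not have.

```python
import hashlib
import hmac
import secrets

# ---- WPA2-Personal: every key is a deterministic function of the passphrase ----

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK Pairwise Master Key: PBKDF2-HMAC-SHA1, 4096 iterations, 256 bits, SSID as salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa2_session_key(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Simplified stand-in for the 802.11 PRF that expands the PMK into the session (PTK) key.
    The point: besides the PMK, every input is sent in the clear during the 4-way handshake."""
    msg = (b"Pairwise key expansion" + min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
           + min(anonce, snonce) + max(anonce, snonce))
    return hmac.new(pmk, msg, hashlib.sha256).digest()


def wpa2_handshake(passphrase: str, ssid: str, ap_mac: bytes, sta_mac: bytes):
    """Simulate one WPA2 association; return (session_key, what an on-air observer sees)."""
    anonce, snonce = secrets.token_bytes(32), secrets.token_bytes(32)
    key = wpa2_session_key(wpa2_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    transcript = {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce, "snonce": snonce}
    return key, transcript


def wpa2_key_from_transcript(transcript: dict, passphrase: str) -> bytes:
    """Given a recorded handshake and the (later learned) passphrase, the old session key is fully determined."""
    pmk = wpa2_pmk(passphrase, transcript["ssid"])
    return wpa2_session_key(pmk, transcript["ap_mac"], transcript["sta_mac"],
                            transcript["anonce"], transcript["snonce"])


# ---- SAE-style: a fresh exchange per session (simplified model, toy group) ----

P = 2**127 - 1  # toy prime for illustration; SAE uses standardised finite-field or elliptic-curve groups


def password_element(passphrase: str, ssid: str) -> int:
    """Map the passphrase to a group element (simplified; real SAE uses hunting-and-pecking / hash-to-element)."""
    h = int.from_bytes(hashlib.sha256(passphrase.encode() + ssid.encode()).digest(), "big")
    return h % (P - 3) + 2


def _derive(shared: int, commit_a: int, commit_b: int) -> bytes:
    lo, hi = sorted((commit_a, commit_b))
    return hashlib.sha256(shared.to_bytes(16, "big") + lo.to_bytes(16, "big") + hi.to_bytes(16, "big")).digest()


def sae_like_handshake(passphrase: str, ssid: str):
    """Each side raises the password element to a private, never-transmitted exponent."""
    pe = password_element(passphrase, ssid)
    r_ap, r_sta = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    commit_ap, commit_sta = pow(pe, r_ap, P), pow(pe, r_sta, P)  # these go on the air
    shared_ap, shared_sta = pow(commit_sta, r_ap, P), pow(commit_ap, r_sta, P)
    assert shared_ap == shared_sta  # both sides agree on pe^(r_ap * r_sta)
    key = _derive(shared_ap, commit_ap, commit_sta)
    transcript = {"ssid": ssid, "commit_ap": commit_ap, "commit_sta": commit_sta}
    return key, transcript


def sae_like_key_from_transcript(transcript: dict, passphrase: str) -> bytes:
    """Observer knows the passphrase and saw both commits, but neither private exponent.
    The only group element it can compute is the password element itself; feeding that in
    yields a value that does not match the real session key."""
    pe = password_element(passphrase, transcript["ssid"])
    return _derive(pe, transcript["commit_ap"], transcript["commit_sta"])


def forward_secrecy_demo(passphrase: str = "correct horse battery", ssid: str = "CoffeeNet") -> dict:
    """Constructed scenario: traffic recorded yesterday, passphrase learned today."""
    ap, sta = bytes.fromhex("0a1b2c3d4e5f"), bytes.fromhex("a1b2c3d4e5f6")  # constructed MACs
    old_wpa2_key, wpa2_capture = wpa2_handshake(passphrase, ssid, ap, sta)
    old_sae_key, sae_capture = sae_like_handshake(passphrase, ssid)
    return {
        "wpa2_old_traffic_exposed": wpa2_key_from_transcript(wpa2_capture, passphrase) == old_wpa2_key,
        "sae_old_traffic_exposed": sae_like_key_from_transcript(sae_capture, passphrase) == old_sae_key,
    }


if __name__ == "__main__":
    print(forward_secrecy_demo())
```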

For businesses, WPA3-Enterprise enables 192-bit encryption, while older versions used a 64-bit or 128-bit key. In addition, the new protocol offers simplified, secure connections for devices without screens, including smart speakers and other Internet of Things (IoT) devices.

But WPA3 won’t solve all of the IoT’s security problems. According to Newman, the simplified connection scheme will not protect individuals or enterprises from threats originating from compromised IoT devices, such as distributed denial of service (DDoS) attacks.

“The security of the devices themselves will also need to be improved significantly, not just the security of their Wi-Fi connection,” Newman said.

What’s Holding Up WPA3 Adoption?

Despite the security benefits of WPA3, some experts believe there is little urgency to make the switch because WPA2 is still a fairly robust security protocol.

Ian Sherlock, Wi-Fi product manager at Texas Instruments, noted that while WPA3 reflects “an industry desire to be proactive in enhancing Wi-Fi security,” many wireless users will likely wait for the release of the 802.11ax physical layer standard to adopt WPA3. The 802.11ax standard is designed to alleviate congestion and deliver faster Wi-Fi speeds on public networks and to other high-bandwidth users, and many new routers will integrate support for both this standard and WPA3.

“WPA3 is expected to be a prerequisite for products supporting 802.11ax, and so that will provide a seamless migration point,” he said.

Wi-Fi operators can take other steps to protect their networks, including investing in security solutions and regularly checking the technology infrastructure for misconfigurations.

“I don’t think anyone needs to be rushing out to buy WPA3-enabled routers just yet,” said Craig Young, computer security researcher at Tripwire. “Anyone looking to improve their wireless security would be better off spending the time to install firmware updates and review configurations.”

Why You Should Adopt WPA3 Sooner Rather Than Later

Bilogorskiy noted that car manufacturers and IoT device makers should be the first companies to move to WPA3, since attacks against these technologies could result in particularly serious consequences. Think of what might happen, for example, if threat actors managed to take control of connected medical devices. Government and defense organizations should also move quickly given the criticality of their systems, Newman said.

“It makes sense to upgrade as soon as possible to benefit from WPA3 improvements,” Newman said, “but, as its use also depends on the connecting devices supporting it, it will likely be months — or even years — before there is a significant enough proportion of those devices for the benefits to be realized.”

Still, organizations should consider adopting the standard sooner rather than later.

“As with all network security, the hackers are constantly innovating and enhancing their abilities to compromise or bypass existing protections,” Newman said. “Combine this with their access to ever-increasing processor power, and the likelihood of hackers being able to readily crack the encryption and other security measures of older standards increases correspondingly.”

The post New Protocol Promises to Improve Wi-Fi Security — Eventually appeared first on Security Intelligence.

SecurityWeek RSS Feed: US Lifts Export Ban on Suppliers to China’s ZTE

The United States on Friday formally lifted a crippling ban on exports to China's ZTE, rescuing the smartphone maker from the brink of collapse after it was denied key components.

The US Commerce Department said it would continue to monitor the company to prevent further violations of US sanctions on Iran and North Korea.


Google Play Users Risk a Yellow Card With Android/FoulGoal.A

English soccer fans have enthusiastically enjoyed the team’s current run in the World Cup, as the tune “Three Lions” plays in their heads, while hoping to end 52 years of hurt. Meanwhile a recent spyware campaign distributed on Google Play has hurt fans of the beautiful game for some time. Using major events as social engineering is nothing new, as phishing emails have often taken advantage of disasters and sporting events to lure victims.

“Golden Cup” is the malicious app that installs spyware on victims’ devices. It was distributed via Google Play, and “offered” the opportunity to stream games and search for records from the current and past World Cups. McAfee Mobile Security identifies this threat as Android/FoulGoal.A; Google has removed the malicious applications from Google Play.

Once Golden Cup is installed it appears to be a typical sporting app, with multimedia content and general information about the event. Most of this data comes from a web service without malicious activity. However, in the background and without user consent the app silently transfers information to another server.

Data captured

Golden Cup captures a considerable amount of encrypted data from the victim’s device:

  • Phone number
  • Installed packages
  • Device model, manufacturer, serial number
  • Available internal storage capacity
  • Device ID
  • Android version
  • IMEI, IMSI

This spyware may be just the first stage of a greater infection due to its capability to load dex files from remote sources. The app connects to its control server and tries to download, unzip, and decrypt a second stage.

Android/FoulGoal.A detects when the screen is on or off and records this in its internal file scrn.txt, with the strings “on” or “off”, to track when users are looking at their screens.

The Message Queuing Telemetry Transport protocol serves as the communication channel between the device and the malicious server to send and receive commands.

Data encryption

User data is encrypted with AES before it is sent to the control server. The Cryptor class provides the encryption and decryption functionality. The doCrypto function is defined as a common function; its first parameter selects the mode, with “1” for encryption and “2” for decryption.

The encryption key is generated dynamically using the SecureRandom function, which generates a unique value on the device to obfuscate the data. The addKey function embeds the encryption key into the encryption data. The data with the key is uploaded to the control server.

We believe the malware author uses this AES encryption technique for any information to be uploaded to escape the detection by Google Bouncer and network inspection products.

Our initial analysis suggests there were at least 300 infections, which we suspect occurred between June 8‒12, before the first World Cup matches began.

The second round

The second phase of the attack leverages an encrypted dex file. The file has a .data extension and is downloaded and dynamically loaded by the first-stage malware; it is extracted with the same mechanism used to upload the encrypted files. The location of the decryption key can be identified from the size of the contents and a fixed number in the first-stage malware.

After decryption, we can see out.dex in zipped format. The dex file has spy functions to steal SMS messages, contacts, multimedia files, and device location from infected devices.

The control server in second stage is different from the first stage’s. The encryption methodology and the server folder structures on the remote server are identical to the first stage.

We found one victim’s GPS location information and recorded audio files (.3gp) among the encrypted data on the control server.

Variants

We have also discovered two other variants of this threat created by the same authors and published to Google Play as dating apps. Although all the apps have been removed from Google Play, we still see indications of infections from our telemetry data, so we know these apps are active on some users’ devices.

Our telemetry data indicates that although users around the world have downloaded the app, the majority of downloads took place in the Middle East, most likely as a result of a World Cup–themed Twitter post in Hebrew directing people to download the app for a breakdown of the latest events.

McAfee Mobile Security users are protected against all the variants of this threat, detected as Android/FoulGoal.A.

The post Google Play Users Risk a Yellow Card With Android/FoulGoal.A appeared first on McAfee Blogs.

Time to Take a Good, Hard Look at Your Cybersecurity Health

What happens when your livelihood is at stake, thanks to someone stealing your identity or draining your account? The real-life possibilities are nerve-wracking, to say the least. The constant barrage of cyberthreats we face as consumers today is exhausting. Just this month, two major situations were revealed. A Florida marketing firm, Exactis, left its database on a publicly accessible server. The information exposed ranged from phone numbers, home, and email addresses to the number, age, and gender of a customer’s children. As of now, social security numbers and credit card data have not been leaked. However, what makes this breach particularly anxiety-inducing is that cybercriminals now have the ability to improve the success rate of socially engineered attacks. For example, phishing attacks could become rampant through social media and email.

To add insult to injury, last week, researchers found a way to discover everything you type and read on your phone simply by studying the differing power levels of a smart battery. By implanting a micro-controller into a phone’s battery, they could record the power flowing in and out of the device. Then, with the use of AI, power flows were matched with specific keystrokes. Using this technique, the researchers proved that cybercriminals could record passwords, monitor website activity, access call records, and know the last time the camera was used. Smart batteries are attractive targets because they are not as secure as your phone. In fact, they expose all personal data. While the possibilities are stressful, the good news is that this attack remains theoretical.

The seemingly endless string of security events and the stress they cause can take a serious toll on our well-being. While we can’t prevent breaches from occurring, it’s important to remember that we can be prepared to take the right steps to minimize any damage when one hits. Whether we’re dealing with the repercussions of a data breach, or adapting to new vulnerabilities, developing positive security habits can help improve and maintain your digital health. Taking care of your mobile devices to ensure they remain secure – and therefore optimally functional – is like taking care of your own well-being; to maintain cybersecurity health, you have to perform basic upkeep.

To help you prepare in advance for the next data breach and ensure your device remains in good cybersecurity health, here are some habits you should consider picking up, stat:

  • Be aware of your surroundings. Mindfulness is a habit that can be developed; it provides almost instant results and can support longevity, general awareness and well-being. We can learn a lot from mindfulness when it comes to cybersecurity. By taking a little bit of time to be aware of our surroundings, we can prevent vulnerabilities and potential threats simply by paying attention.
  • Set up alerts. Just like going to a doctor regularly for check-ups, you should “check-up” on your accounts. Not all data breaches expose financial data, but personal data that is leaked can still be used to access your financial accounts. Talk with your bank or financial planner about setting up a fraud alert on your cards to maintain control of your accounts.
  • Stay away from untrustworthy emails or messages. The mantra “no bad vibes” is surprisingly full of wisdom. Ridding your life of energy suckers and toxic people supports health – and the same goes for malicious messages. If you see a suspect item from an unknown source in your inbox or via a direct message or comment on social media, do not click on the message. If you do open it, be sure not to click on any links. To be safe, delete the email or message altogether.
  • Avoid public Wi-Fi when possible. Just as sleep is a panacea of sorts that helps to fight off bugs, giving your phone a break from public Wi-Fi is one of the best things you can do to ensure your cybersafety. The use of public Wi-Fi can offer cybercriminals a backdoor into your phone. By spoofing a legitimate website, they can gain access to your sensitive information. Give your device a much-needed break until you can use Wi-Fi you trust; you’ll save yourself a serious headache.
  • Switch up your passwords. It’s been said that variety is the spice of life, the secret to a happy relationship, and a way to stay engaged and aware in old age. The same is true when it comes to your passwords. When you mix it up, you keep cybercriminals guessing. Passwords are your data’s first defense against cybercriminals. Be sure to change them every so often and never use “1234” or “password.” If remembering a difficult password or remembering a multitude of them is hard, consider using a password manager.
  • Consider investing in identity theft protection. Vitamins are excellent supplements to a healthy diet, adding in additional nutrition when and where you need it — but not meant to be taken as the sole way to maintain health. Identity theft protection can be a supplement of sorts to your already positive security habits. With McAfee Identity Theft Protection, users can take proactive steps toward protecting their identities with personal and financial monitoring and recovery tools.

The power of habit actually dictates 40% of our day. As with your body and mind, the more you create healthy, positive habits, the easier it is to maintain health. The same is true for your security “health.” The more you express safe habits, the easier it will become and the safer you will be – both in the short and long term.

Interested in learning more about IoT and mobile security tips and trends? Stop by ProtectWhatMatters.online, follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post Time to Take a Good, Hard Look at Your Cybersecurity Health appeared first on McAfee Blogs.

Anubis Strikes Again: Mobile Malware Continues to Plague Users in Official App Stores

IBM X-Force mobile malware researchers have observed several developers actively uploading Android malware downloaders to the Google Play Store.

Following ongoing campaigns against Google Play, our research team has been monitoring banking malware activity in official app stores. The team recently reported that downloader apps in the store are being used as the first step in an infection routine that fetches the Marcher (aka Marcher ExoBot) and BankBot Anubis mobile banking Trojans. Users who unknowingly install the app on their devices are subsequently infected. Cybercriminals use these banking Trojans to facilitate financial fraud by stealing login credentials to banking apps, e-wallets and payment cards.

Starting in June, our team discovered a number of new malware downloader samples that infect users with BankBot Anubis (aka Go_P00t). The campaign features at least 10 malicious downloaders disguised as various applications, all of which fetch mobile banking Trojans that run on Android-based devices. While the number of downloaders may seem modest, each of those apps can fetch more than 1,000 samples from the criminal’s command-and-control (C&C) servers.

Finding new downloaders in the app store in connection with the BankBot Anubis malware could suggest that:

  • A given malware distributor/cybercrime faction has shifted from using Marcher to distributing BankBot Anubis; or
  • The threat actors distributing the malware on Google Play are offering their “expertise” as a service, spreading malware downloaders for different cybercrime factions that use mobile Trojans to facilitate financial fraud — aka “downloader-as-a-service.”

Such cybercrime services are common in the fraud and malware black markets. They entail a proven ability to infiltrate Google Play and plant malicious downloaders under the guise of benign-looking apps. These services can likely maintain the downloader’s C&C servers long enough to generate a steady stream of new infections, suggesting the thought-out operational security and know-how characteristic of organized cybercrime groups.

Read the white paper: Worried about mobile security? You should be

An Era of Mobile Malware Downloaders

As app store operators layer security to stymie the efforts of malicious developers, black-hat app distributors find ways to sidestep them. To circumvent ever-evolving app store defenses, mobile malware distributors rely on a strategy from the PC malware realms: Instead of uploading the actual malware to the store, which can result in sampling and detection at a very early stage in the distribution chain, they upload a downloader that may seem rather innocuous compared to actual malware.

In general, a downloader app is more likely to survive security checks and recurring scans, and once it lands on a user’s device, it can fetch the intended malware app. As the Chinese general Sun Tzu wrote in “The Art of War,” “The greatest victory is that which requires no battle.”

Sample Downloader Campaign From Current Analyses

In the current campaign, according to X-Force researchers, the downloader apps target Turkish-speaking users. They differ in type and visual style — from online shopping to financial services and even an automotive app — and are designed to look legitimate and enticing to users.

Figure 1: Examples of malware downloader apps found on Google Play.

The variety of apps and styles indicates a large investment of resources on the part of the campaign’s operators, suggesting that a cybercrime service, rather than a single cybercrime faction, is likely responsible.

The downloaders themselves are rather stealthy: all but one of the samples were absent from VirusTotal, and the one that had been submitted had zero detections by antivirus engines.

Figure 2: No detection rates on malicious downloaders.

In this campaign, the malicious downloader apps X-Force detected have the same code base as three apps that ThreatFabric reported in January 2018. The following characteristics show the similarity:

Figure 3: Code from sample downloader reported by ThreatFabric in January 2018.

Figure 4: Code from sample downloader discovered by X-Force in June 2018.

The resemblance is even more striking in the figure below. By removing all the key instances (**pE2**) from the string, we produced the same string from the January sample:

Figure 5: The code bases are very similar, suggesting that the same developer produced both apps.

With 10 downloaders at this point, the campaign appears to be scaling up.

Over time, we’ve seen the code evolve. As time went by between downloader versions, the developers added a simple obfuscation and expanded the downloader capabilities. The code was also altered slightly to avoid detection by Google Play’s security controls.

According to X-Force’s analysis, these changes suggest that the downloader app is being maintained on an ongoing basis — another sign that it is a commodity offered to cybercriminals or a specific group that’s focused on defrauding Turkish mobile banking users.

Anubis Masquerades as Google Protect

After a successful installation of the malicious downloader, the app fetches BankBot Anubis from one of its C&C servers. The BankBot Anubis malware then masquerades as an app called “Google Protect” and prompts the user to grant it accessibility rights.

Figure 6: App name in Turkish.

Figure 7: Malware asking for accessibility to keylog user credentials.

Why ask for accessibility? BankBot Anubis uses Android’s Accessibility services to perform keylogging as a way to obtain the infected user’s credentials when he or she accesses a targeted mobile banking app. In most Android banking Trojans, the malware launches a fake overlay screen when the user accesses a target app. The user then taps his or her account credentials into the fake overlay, which allows the malware to steal the data. BankBot Anubis streamlines this process.

By keylogging the user’s login information, the attacker can steal credentials from any app while avoiding the need to create custom overlays for each target. This malware is also able to take screen captures of the user’s screen, which it likely uses to steal credentials since the keyboard strokes are visible. These features are staples of PC banking malware and are evolving in Android malware as well.

The downloader apps in this particular campaign were designed to address Turkish users. With different botnets and configurations, BankBot Anubis itself also targets users in the following countries:

  • Australia
  • Austria
  • Azerbaijan
  • Belarus
  • Brazil
  • Canada
  • China
  • Czech Republic
  • France
  • Georgia
  • Germany
  • Hong Kong
  • India
  • Ireland
  • Israel
  • Japan
  • Kazakhstan
  • Luxembourg
  • Morocco
  • Netherlands
  • New Zealand
  • Oman
  • Poland
  • Russia
  • Scotland
  • Slovakia
  • Spain
  • Taiwan
  • Turkey
  • U.K.
  • U.S.

While there were 10 downloader apps in the Google Play Store at the time of this writing, the campaign is rather hefty. X-Force estimated the magnitude of campaigns on Google Play by the number of downloads, as well as the number and variety of payloads found. In one case, the researchers fetched more than 1,000 new samples of BankBot Anubis from just one C&C server. Each sample has a different MD5 signature, few of which were documented by any antivirus engine when tested against VirusTotal.

Official App Stores: A Fraudster’s Holy Grail

When it comes to maximizing the results of infection campaigns, mobile malware operators consider official app stores to be the holy grail. Getting a malicious app into an official store yields greater exposure to more potential victims, a cheap distribution channel and user trust. Moreover, malware apps that have already made it into an official store are more likely to fly under the radar of security controls for longer than those hosted on hijacked sites or rogue servers. IBM X-Force reports malicious apps to the official stores to have them removed before more users can be affected.

Malicious apps are a blight that both store operators and developers work hard to limit. Still, it is a recurring problem: In 2017, X-Force mobile researchers reported numerous occasions on which financial malware had sneaked into the Google Play Store, with the BankBot Android malware family leading the pack. The trend continues to escalate.

X-Force researchers suspect that the cybercrime services spreading mobile Trojans have mastered Google Play as a malware campaign channel and may be monetizing it. While such cybercrime services are rather popular with PC malware distributors, their rise in the mobile malware realm is an escalating risk factor users and organizations should be aware of.

To learn more about keeping devices safe from mobile malware, read our mobile malware mitigation tips.

The post Anubis Strikes Again: Mobile Malware Continues to Plague Users in Official App Stores appeared first on Security Intelligence.

How to save data

Our smartphones are latched to us at all times and we constantly spend time online. From using applications to searching the web, we spend at least a few hours a day connected to the internet. But at what cost? While wifi becomes more and more accessible, using data is still the go-to for many people on the go.

While some data plans are unlimited, many are restricted to 3-20 GB of data. When it comes to saving data, there are a few things to take into account. We’ll show you which apps are killing your data plan, how much data you really need and tips to keep your data usage down.

Now that you are an expert on how to save data, take a few minutes to update your settings and reflect on what apps you can cut down on. Remember to use safe, private wifi when you can, and to toggle off cellular data for apps that are rarely used. These tips can save you money on your cellular bill and battery life for your devices.

The post How to save data appeared first on Panda Security Mediacenter.

A Brief History of iOS: The Evolution of MDM and Enterprise Mobility

As organizations have gradually embraced mobile technology over the years to boost productivity, the task of protecting enterprise networks has become increasingly difficult for IT and security professionals. Each device represents a potentially vulnerable endpoint, and cybercriminals have mastered the art of exploiting these weaknesses to infiltrate corporate networks.

Fortunately, each iteration of Apple’s iOS has made security teams’ jobs easier by introducing new features that can be applied to mobile device management (MDM).

Below is a brief history to show how each release marked another crucial step in the evolution of enterprise mobility.

Apple and the Dawn of Mobile Device Management

In 2010, Apple released iOS 4, which opened the door to the enterprise with MDM capabilities. IT and security leaders gained the ability to enroll iOS devices over the air (OTA) to perform basic MDM functions. These functions included locate, lock and wipe. As an added benefit, iOS 4 also introduced mobile application management (MAM) capabilities, enabling security teams to push apps down to devices and set compliance rules.

The following year, iOS 5 introduced Siri, iCloud and OTA operating system (OS) updates, which could also be managed by an MDM solution. By this point, enrolled devices were subject to more customization from an IT security standpoint, such as disabling Siri and determining what could be synced and backed up to iCloud.

Enterprise Containment and the BYOD Model

The release of iOS 6 in 2012 brought a new facet to MDM capabilities by providing application programming interfaces (APIs) to private developers. At that time, MDM solutions aimed to capitalize on a then-rising enterprise need: containment.

By this point, iOS devices had gained popularity for personal use, and businesses were just catching on to their versatility. The APIs released in this version allowed IT teams to containerize and separate their enterprise information within the user’s device, which brought about the bring-your-own-device (BYOD) model. During this time, organizations frequently used a corporate-owned device model as their standard practice for mobile productivity.

However, the option of containing enterprise data on a user’s personal device — as opposed to purchasing, setting up and deploying a new device — proved to be the more cost-effective business model.

Aside from the BYOD aspect, iOS 6 introduced a supervised mode, making it easier for IT teams to manage corporate-owned devices. Supervised mode gave IT full administrative rights to the device and set restrictions to prevent the user from falling out of compliance.

New Look, New Management Capabilities

In 2013, iOS 7 packed a punch with a completely new OS redesign, upgraded security features and better management capabilities. One of the most noticeable and innovative features of iOS 7 was TouchID. This new security measure was the first of its kind within the Apple product line to use biometric data instead of a passcode for device access. It also provided APIs through which MDM solutions could enable or disable it, allowing IT teams to use TouchID for access to the enterprise container, as well as the device itself.

With iOS 7, Apple included another feature that has saved many an administrator from endless headaches: disabling Activation Lock. The idea behind this feature was that if a device were lost or stolen, it could not be wiped without entering the associated Apple ID.

This feature was a major pain point for IT teams because users often enabled Activation Lock while setting up their device and, when their employment ended, IT teams were left with devices they could not wipe. Since the release of iOS 7, IT teams have been able to toggle the feature on and off and remotely wipe devices (as needed) without having to wait days or weeks to complete the task.

From 2014 through 2016, subsequent releases of iOS 8, 9 and 10 added more capabilities for the supervised mode, such as the Device Enrollment Program (DEP) and an advanced kiosk mode. DEP enabled IT teams to curate their devices, settings, apps and content before they were sent out to users. Once a device was turned on, the user would go through the enrollment process and everything he or she needed would be pushed down over the air. Apple has since expanded on DEP by allowing for retroactive purchases and retailers that are not Apple partners.

The kiosk mode enhancements allowed administrators to control which apps were shown to the user, helping them boost productivity and reduce the risk of users falling out of compliance or downloading malicious apps. These improvements also enabled administrators to control users’ wallpapers and standardize how apps were arranged on their devices.

As superficial as this seems, it was a big win for administrators because it allowed them to establish continuity across all enterprise devices for more granular visibility.

Watch the on-demand webinar: SOS! Remote Support for iOS & Android With UEM

Facing Forward With Biometric Authentication

iOS 11 was released in the fall of 2017 alongside Apple’s 10th-anniversary edition iPhone, which included a new feature called FaceID. Much like TouchID is used for identity and access management (IAM) within the device itself, FaceID performs a quick scan of the user’s face to provide more secure biometric authentication than the traditional fingerprint method. As far as MDM capabilities go, FaceID falls under the same APIs as TouchID.

Aside from the new hardware features, iOS 11 introduced a new classroom feature, which administrators of educational institutions can use to limit what students have access to on their iOS devices while still providing a rich experience that coincides with their lesson plan. Teachers can now turn off screens, push out apps and deliver presentations from a central device to all their students at once.

Since iOS entered the enterprise, IT teams have needed some form of remote support. Users might be miles away from their IT representative and need fast, effective help. For years, the only method of delivering remote support was through AirPlay, which required both the IT representative and user to be on the same Wi-Fi network. With iOS 11, remote assistance is available with software such as TeamViewer to provide a live look at a user’s device. This feature also integrates with the organization’s MDM solution.

Notable iOS MDM Enterprise Features by Version

  • iOS 4: Apple enters the MDM and MAM field for easy device management for the enterprise.
  • iOS 5: Siri, iCloud and OTA OS updates are introduced — thus bringing granular controls and automatic actions via MDM compliance rules.
  • iOS 6: Apple releases APIs that MDM solutions use to separate work and personal data and a supervised mode, which gives the organization full admin rights over the device.
  • iOS 7: With a full OS redesign, Apple introduces its biometric security feature, TouchID, which can be enabled and disabled via an MDM solution. iOS 7 also brings about the much-desired ability to disable Activation Lock, allowing administrators to remotely wipe a device without an Apple ID.
  • iOS 8: Apple Configurator becomes an OTA solution with DEP, so IT teams can configure and deploy their devices without touching each one.
  • iOS 9: Supervised mode with enhanced kiosk mode, including app lock and app compliance, enables IT administrators to dictate which apps are visible to users for a more customized device.
  • iOS 10: Small enhancements to the supervised mode, such as enabling dictation and spellcheck, are introduced.
  • iOS 11: Apple introduces FaceID, Apple Classroom settings can be managed via MDM and remote support like TeamViewer directly integrates with MDM solutions.

What’s Next for iOS and MDM?

Each iteration of iOS introduces more features that can be applied to MDM capabilities, making the jobs of IT and security leaders easier. Over the years, iOS device management has grown from basic commands to in-depth, complex and customized solutions that fit organizations perfectly. With iOS 12 coming in the fall of 2018, we can only speculate as to what capabilities IT administrators will be able to manage through an MDM solution.


The post A Brief History of iOS: The Evolution of MDM and Enterprise Mobility appeared first on Security Intelligence.

What Parents Need to Know About the Popular App Mappen

Kids love their apps but in their excitement to download the new ones, app safety often falls straight off their radar. One of those new, fun, not-so-safe apps is Mappen.

Kids, pre-teens specifically, are jumping on Mappen to connect with friends nearby and, as the app’s tagline encourages, “Make Things Happen.” The location-based app allows friends to see each other’s location, what they are doing, and make it easy to meet up. Sounds like fun except for the fact that the app is brimming with potential security flaws.

How It Works

Anyone who downloads the Mappen app can send a friend request to anyone else and begin sharing his or her location (and data) immediately. While on Mappen, friends can share updates and photos much like any other social network. Personal data that can be shared: names, birthdates, location, likes, dislikes, photos, and friend lists.

Once a user installs the app, he or she is asked to turn on location services, which must remain on to share location, see others, and post content updates. The app also asks to access a user’s full contact list before it can be used.

The Risks

While many location-based apps exist now, Mappen specifically targets tweens. Mappen’s privacy policy states clearly that it collects and shares data, which presents a privacy risk to minors who use the app.

Likewise, the location requirement to use the app poses a safety risk. This feature means anyone on your child’s friend list can see your child’s location at any time. As your child’s Mappen circle grows, so too might the chance of your child sharing his or her location and personal information with an unsafe “friend.”

Tips to Help Boost App Safety

Stay connected with your kids. The greatest risk to your child’s online safety is a strained relationship. Every family dynamic and circumstance varies, but consider doing all you can to make your relationship with your child a priority. When communication and trust are strong with your child, you will better know what’s going on in his or her life, who his or her friends are, and whether there’s a situation in which he or she might need help.

Monitor apps! The best way to know which apps your kids use and how they use them is to routinely monitor their phones. How do you do this? You do this physically and with technology. About once a week, look at your child’s phone and laptop or tablet (preferably with your son or daughter next to you), look at the display screen, examine the app icons, and ask questions. If you don’t recognize an app, click it open, or ask questions. Also, if there’s an app icon you click that asks for a password, it may be a vault app that requires a few more clicks or a conversation. Another way to monitor apps is using technology such as filtering software that will help you filter and track the content that comes into your home via your child’s devices.

Do your research, stay aware. Stay on top of trends in apps by reading this and other technology or family blogs. New apps come out all the time, and word-of-mouth among teens quickly spreads. One of the best ways to keep your kids safe online is to understand where they connect online and what risks those digital spaces may present. Potential risks that some apps may carry include privacy infringements, cyberbullying, pornography, phishing scams, malware, predators, and sex-related crimes.

Turn off location. Mappen, as well as other apps such as Facebook, Kik, and Snapchat, access a user’s location while using the app and even when the app is not in use. To ensure your location isn’t shared randomly, turn off location when apps are not in use. Depending on the age of your child, you may consider not allowing the use of location-based apps at all.

Say NO to random friend requests. It’s easy for criminals to create a fake profile and gain access into your child’s life. An attractive peer from a nearby town who wants to “connect” may be a catfish using another person’s identity or a predator looking to groom a vulnerable tween or teen.

Guard your child’s privacy. When your child shares personal information through an unsafe app, it opens up your child, and your entire family, to risk. Often kids get comfortable online and forget — or don’t fully understand — the problem with sharing personal details. Review the importance of keeping details such as full name, school, birthdates, address, personal photos, and other family information private.

The post What Parents Need to Know About the Popular App Mappen appeared first on McAfee Blogs.

Android Users Hit With Mobile Billing Fraud Due to Sonvpay Malware

Ever hear “Despacito” on the radio? Of course you did! It was the song of 2017 – taking over radios, dance clubs, and even ringtones on our cell phones. Take Android users for instance – many even downloaded the “Despacito for Ringtone” so they could enjoy the tune anytime they received a phone call. But what they didn’t know is that they could be involved in a cyberattack, rather than just listening to their favorite song. As a matter of fact, our McAfee Mobile Research team has found a new malicious campaign, named Sonvpay, that’s impacted at least 15 apps published on Google Play – including that Despacito app.

How it works

You know how with some of your apps you can adjust the push notifications? Sometimes these notifications pop up on your screen, and other times you won’t receive any – depending on your settings. To enact its malicious scheme, Sonvpay listens for incoming push notifications that contain the data they need in order to perform mobile billing fraud – which is when extra charges get added to a user’s phone bill and can potentially line a cybercriminal’s pocket.

Once it receives the data, the crooks can perform this mobile billing fraud (either WAP or SMS fraud) by displaying a fake update notification to the user. This fake notification has only one red flag – if the user scrolls to the end, the phrase “Click Skip is to agree” appears, as seen below.

If the user clicks the only button (Skip), Sonvpay will complete its mission – and will fraudulently subscribe the user to a WAP or SMS billing service, depending on the victim’s country.

What it affects

So which Android applications contain Sonvpay? The McAfee Mobile Research team initially found that Qrcode Scanner, Cut Ringtones 2018, and Despacito Ringtone were carrying Sonvpay, and Google promptly took them down once notified. But then more emerged, totaling up to 15 applications out there that contain Sonvpay, some of which have been installed over 50,000 times. These applications include:

  • Wifi-Hostpot
  • Cut Ringtones 2018
  • Reccoder-Call
  • Qrcode Scanner
  • QRCodeBar Scanner APK
  • Despacito Ringtone
  • Let me love you ringtone
  • Beauty camera-Photo editor
  • Flashlight-bright
  • Night light
  • Caculator-2018
  • Shape of you ringtone
  • Despacito for Ringtone
  • Iphone Ringtone
  • CaroGame2018

So now the next question is – what do I do if I was one of the Android users who downloaded an application with Sonvpay? How can I avoid becoming a victim of this scam? Start by following these tips:

  • Only give your apps permission to what they need. When downloading one of these applications, one user reported they noticed that the app asked for access to SMS messages. This should’ve been a red flag – why would a ringtone app need access to your texts? Whenever you download an app, always double check what it’s requesting access to, and only provide access to areas it absolutely needs in order to provide its service.
  • Always read the fine print. Before you update or download anything, always make sure you scroll through all the information provided and read through it line by line. This may feel tedious, but it could be the difference between being compromised and remaining secure.
  • Use a mobile security solution. As schemes like Sonvpay continue to impact mobile applications and users, make sure your devices are prepared for any threat coming their way. To do just that, cover these devices with a mobile security solution, such as McAfee Mobile Security.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Android Users Hit With Mobile Billing Fraud Due to Sonvpay Malware appeared first on McAfee Blogs.

AsiaHitGroup Returns With New Billing-Fraud Campaign

Are you tired yet of the music track “Despacito”? If you downloaded this ringtone app from Google Play, chances are your answer is a resounding Yes. But it gets worse: The McAfee Mobile Research team recently found 15 apps on Google Play that were uploaded by the AsiaHitGroup Gang and designed to steal money from their victims. The ringtone app, downloaded 50,000 times from the official app store, was one of them. The AsiaHitGroup Gang has been active since at least 2016, attempting to charge 20,000 victims for the download of popular mobile applications containing the fake-installer app Sonvpay.A. For more analysis, see the Mobile Research team’s post.

Ordinarily we advise users to review the requested permissions before installing a mobile app, and normally this is enough. In this case, the only permission requested was access to SMS messages, and once installed the app behaved as expected. In the background, however, Sonvpay silently used the push notification service to subscribe users to premium-rate services.

This campaign displays a significant level of customization. The criminals can tailor their fraud to the country of their choosing. In our analysis we looked at mobile billing fraud targeting users in Kazakhstan, Malaysia, and Russia. In Kazakhstan victims are subscribed to a premium-rate service whereas in Malaysia and Russia they are connected to a WAP billing service. Further, the criminals recognize that in Malaysia the mobile operator sends a PIN code, so the attackers include functionality to intercept the SMS. Once intercepted, the app communicates with the mobile operator to subscribe to the service.

This group began targeting users in Asia, but the move to Russia shows its increasing ambition. The goal of the AsiaHitGroup Gang remains the same, but the manner in which they attempt to achieve their ends differs per campaign, and their techniques are improving. Although the security industry focuses much attention on “loud” and destructive attacks, many campaigns quietly steal funds from unsuspecting victims or those who have little visibility into what is happening.

The post AsiaHitGroup Returns With New Billing-Fraud Campaign appeared first on McAfee Blogs.

AsiaHitGroup Gang Again Sneaks Billing-Fraud Apps Onto Google Play

The McAfee Mobile Research team has found a new billing-fraud campaign of at least 15 apps published in 2018 on Google Play. Toll fraud (which includes WAP billing fraud) is a leading category of potentially harmful apps on Google Play, according to the report Android Security 2017 Year in Review. This new campaign demonstrates that cybercriminals keep finding new ways to steal money from victims using apps on official stores such as Google Play.

The AsiaHitGroup Gang has been active since at least late 2016 with the distribution of the fake-installer applications Sonvpay.A, which attempted to charge at least 20,000 victims, primarily in Thailand and Malaysia, for the download of copies of popular applications. One year later, in November 2017, a new campaign, Sonvpay.B, was discovered on Google Play; it used IP address geolocation to confirm the country of the victim and added Russian victims to the WAP billing fraud to increase its potential to steal money from unsuspecting users.

In January 2018, the AsiaHitGroup Gang returned to Google Play with the repackaged app, Sonvpay.C, which uses silent background push notifications to trigger a fake update dialog. When victims start the “update” they instead subscribe to a premium-rate service. The subscription operates primarily via WAP billing, which does not require sending SMS messages to premium-rate numbers. Instead it requires only that users employ the mobile network to access a specific website and automatically click on a button to initiate the subscription process. Based on the approximate number of installations from Google Play, the cost of the premium-service subscription, and the days that these apps were available, we estimate that the AsiaHitGroup Gang could have potentially earned between $60,500–$145,000 since January.

Sonvpay on Google Play

The McAfee Mobile Research team initially found the following applications repackaged with Sonvpay on Google Play, all of them published this year:

Figure 1. Sonvpay apps found on Google Play.

We notified Google about these apps on April 10 and they were promptly removed. A couple of days later the app “Despacito for Ringtone” was found again on the store and was quickly removed. In total we found 15 apps that were installed at least 50,000 times since the first one, Cut Ringtones 2018, was released on Google Play in January 2018. The following table lists the 15 malicious apps:

At the time of download, the only red flag that a user could notice is that the app needs access to SMS messages. Once installed and executed, the app behaves as expected (QR code reader, ring tones, etc.). However, in the background and without the user’s knowledge, Sonvpay listens for incoming push notifications that contain the data to perform mobile billing fraud.

Background Push Notification and Fake Update Screen

Sonvpay employs the OneSignal push notification service to get the information to subscribe users to premium-rate services. To receive the data in the background without displaying a notification, Sonvpay implements the method “onNotificationProcessing” and returns “true” to make the notification silent:

Figure 2. Silent background notification.

The received data contains the parameters to perform WAP and SMS fraud, along with the information necessary to display a fake update notification to the user after some time of using the repackaged application. This fake notification has only one bogus button. If the user scrolls to the end, the misleading phrase “Click Skip is to agree” appears:

Figure 3. Fake update notification.

If the user clicks the only button, Sonvpay will do its job. However, even if there is no interaction with this window, Sonvpay will still proceed to subscribe to a premium-rate service when the “price” value in the push notification data is empty:

Figure 4. Starting mobile billing fraud if “price” value is empty.

Downloading the Dynamic Payload from a Remote Server

One of the parameters obtained from the silent push notification is a URL to request the location of functionality to perform mobile billing fraud. Once the fake update notification is displayed, Sonvpay requests the download of the library from another remote server:

Figure 5. Sonvpay requesting library with additional functionality.

The new APK file is downloaded and stored in the path /sdcard/Android/<package_name>/cache/ so that it can be dynamically loaded and executed at runtime. The library we obtained for performing mobile billing fraud targeted only Kazakhstan and Malaysia but, because the library is present in a remote server and can be dynamically loaded, it can likely be updated at any time to target more countries or mobile operators.

WAP Billing and SMS Fraud

In the case of Kazakhstan, Sonvpay loads a specific URL delivered through the silent push notification and uses JavaScript to click on a button and on the element “activate” to fraudulently subscribe the user to a premium-rate service:

Figure 6. WAP billing fraud in Kazakhstan.

For Malaysia, the malware creates a new WebView to send the “Shortcode” and “Keyword” parameters to a specific URL to subscribe the user to a WAP billing service:

Figure 7. WAP billing fraud in Malaysia.

However, for Malaysia the app needs to intercept a confirmation code (PIN) sent by the mobile operator via SMS. Sonvpay has this SMS interception functionality implemented in the original repackaged application:

Figure 8. Processing an intercepted SMS message to get the confirmation PIN.

Once the PIN is obtained, it is sent to the mobile operator via a web request to automatically confirm the subscription. If the parameters for Kazakhstan or Malaysia do not match, Sonvpay still tries to perform mobile billing fraud by attempting to send an SMS message to a premium-rate number provided via the silent push notification:

Figure 9. Functionality to send an SMS message to a premium-rate number.

Closer Look at Previous Campaigns

While looking for patterns in the 2018 campaign, we found the app DJ Mixer–Music Mixer. As soon as this application executes, it checks if the device has an Internet connection. If the device is offline, the app shows the error message “You connect to internet to continue” and ends its execution. If the device is online, the app executes a web request to a specific URL:

Figure 10. Web request to the AsiaHitGroup Gang URL.

We learned the apps created by the developer SHINY Team 2017 were available on Google Play in September 2017; earlier Sonvpay variants were discovered in November 2017. The primary behavior of the two variants is almost the same—including the changing of the main icon and the app’s name to Download Manager to hide its presence from the user. However, with DJ Mixer, the geolocation of the IP address identifies the country of the infected device and aids the execution of the mobile billing fraud:

Figure 11. Using IP geolocation to target specific countries.

In this case only three countries are targeted via the geolocation service: Russia (RU), Thailand (TH), and Malaysia (MY). If the IP address of the infected device is not from any of these countries, a dialog claims the app is not active and that the user needs to uninstall it and update to the latest version.

If the country is Thailand or Malaysia, the malicious app randomly selects a keyword, which determines the image used to offer users premium-rate services. For Malaysia the image includes English text with terms of service and a “Subscribe” button to accept the randomly selected premium-rate service:

Figure 12. Screens displayed when the country of the IP address is Malaysia.

In the case of Thailand, the text is in Thai and includes a small version of terms of service along with instructions to unsubscribe and stop the charges:

Figure 13. Screens shown when the country of the IP address is Thailand.

Finally, with Russia no image is shown to the user. The app fraudulently charges the user via WAP billing while enabling 3G and disabling Wi-Fi:

Figure 14. Forcing the use of 3G to start WAP billing fraud.

We also found similar apps from late 2016 that performed SMS fraud by pretending to be legitimate popular applications and asking the user to pay for them. The text is similar to that shown as an update in the 2018 campaign, but here it is labeled “Term of user”:

Figure 15. Fake-installer behavior asking the user to pay for a popular legitimate app.

If the user clicks “No,” the app executes as expected. However, if the user clicks “Yes,” the app subscribes the user to a premium-rate service by sending an SMS message with a specific keyword to a short number. Next the mobile operator sends the device a PIN via SMS; the malware intercepts the PIN and returns it via web request to confirm the subscription.

Once the user is fraudulently subscribed to a premium-rate service to download a copy of a free app on official app stores, the malware shows the dialog “Downloading game…” and proceeds with the download of another APK stored on a third-party server. Although the APK file that we downloaded from the remote server is a copy of the legitimate popular app, the file can be changed at any point to deliver additional malware.

Unlike in previous campaigns, we did not find evidence that these fake-installer apps were distributed via Google Play. We believe that they were distributed via fake third-party markets, from which users looking for popular apps are tricked into downloading APK files from unknown sources. In June 2018 ESET and Sophos found a new version of this variant pretending to be the popular game Fortnite. The fake game was distributed via a YouTube video asking the user to download the fake app from a specific URL. This recent campaign shows that the cybercriminals behind this threat are still actively tricking users into installing these fake applications.

Connections Among Campaigns

All of these campaigns rely on billing-fraud apps targeting users in Southeast and Central Asia and share similarities in behavior, such as the use of almost the same text and images to trick users into subscribing to premium-rate services. Other potential connections among the three campaigns suggest that all the apps are likely from the same actor group. For example, apps from all campaigns use the same string as a debug log tag:

Figure 16. The “SonLv” string used as a log tag occurs in all campaigns.

There is also a notable similarity in package and class names and in the use of a common framework (telpoo.frame) to perform typical tasks such as database, networking, and interface support:

Figure 17. Common package and class names in all campaigns.

Finally, apps from the Google Play campaigns use the domain vilandsoft[.]com to check for updates. The same domain is also used by apps from the fake-installer campaign to deliver remote-execution commands, for example, action_sendsms:

Figure 18. A fake-installer app checking for the command action_sendsms.
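The indicators described in the analysis above (SMS access and an SMS receiver, the silent push handler, dynamic loading from the cache path, WebView scripting) and in this section (the SonLv log tag, the telpoo.frame framework, the vilandsoft domain) can be turned into a simple static triage score for a decoded APK. The script below is an added defender-side example, not McAfee's tooling; the weights, the threshold, the sample manifests, package names and class names are constructed assumptions, while the indicator strings come from the write-up.

```python
# Static triage heuristics for the Sonvpay-style indicators described above. Added example,
# not McAfee's tooling: indicator strings come from the write-up, weights are our assumption.
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permissions. The write-up notes SMS access was the only visible red flag
# for apps (QR scanner, ringtones) that have no business reading or sending SMS.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": ("sms_receive_permission", 2),
    "android.permission.READ_SMS": ("sms_read_permission", 2),
    "android.permission.SEND_SMS": ("sms_send_permission", 2),
}
# Real broadcast action a receiver registers for to see incoming SMS (PIN interception).
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# (indicator, weight, pattern) matched against strings pulled from classes.dex.
STRING_INDICATORS = [
    ("silent_push_handler", 3, re.compile(r"onNotificationProcessing")),
    ("dynamic_code_loading", 3,
     re.compile(r"dalvik[/.]system[/.]DexClassLoader|/Android/[^/\s]+/cache/")),
    ("webview_javascript", 2, re.compile(r"setJavaScriptEnabled|^javascript:")),
    ("sms_send_api", 2, re.compile(r"sendTextMessage")),
    ("sonvpay_log_tag", 4, re.compile(r"\bSonLv\b")),
    ("telpoo_framework", 4, re.compile(r"\btelpoo\.frame\b|Ltelpoo/frame/")),
    ("vilandsoft_domain", 5, re.compile(r"vilandsoft\.com")),
]

@dataclass
class TriageResult:
    package: str
    indicators: list = field(default_factory=list)  # (name, weight, evidence)

    @property
    def score(self) -> int:
        return sum(weight for _, weight, _ in self.indicators)

    def verdict(self, threshold: int = 6) -> str:
        """Threshold is an assumption: one SMS permission alone should not trip it."""
        return "suspicious" if self.score >= threshold else "low"

def parse_manifest(xml_text: str):
    """Return (package, requested permissions, receiver intent actions) from a decoded manifest."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    permissions = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    receiver_actions = {a.get(ANDROID_NS + "name")
                        for r in root.iter("receiver") for a in r.iter("action")}
    return package, permissions, receiver_actions

def triage(manifest_xml: str, dex_strings) -> TriageResult:
    """Score one decoded APK: manifest facts plus the first dex string matching each pattern."""
    package, permissions, receiver_actions = parse_manifest(manifest_xml)
    result = TriageResult(package)
    for perm, (name, weight) in SMS_PERMISSIONS.items():
        if perm in permissions:
            result.indicators.append((name, weight, perm))
    if SMS_RECEIVED_ACTION in receiver_actions:
        result.indicators.append(("sms_received_receiver", 3, SMS_RECEIVED_ACTION))
    for name, weight, pattern in STRING_INDICATORS:
        hit = next((s for s in dex_strings if pattern.search(s)), None)
        if hit is not None:
            result.indicators.append((name, weight, hit))
    return result

# Constructed sample: a QR scanner that asks only for what it needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.qrscanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""
BENIGN_STRINGS = ["Lcom/example/qrscanner/MainActivity;", "Scan a QR code"]

# Constructed sample modelled on the behaviour described above: SMS access, an SMS
# receiver, a silent push handler, dynamic loading from the cache path, WebView scripting
# and the artifacts shared across the campaigns. Package and class names are made up.
REPACKAGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.ringtones2018">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><receiver android:name=".SmsReceiver"><intent-filter>
    <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
  </intent-filter></receiver></application>
</manifest>"""
REPACKAGED_STRINGS = [
    "onNotificationProcessing", "Ldalvik/system/DexClassLoader;",
    "/sdcard/Android/com.example.ringtones2018/cache/", "setJavaScriptEnabled",
    "SonLv", "telpoo.frame", "vilandsoft.com",
]

if __name__ == "__main__":
    for manifest, strings in ((BENIGN_MANIFEST, BENIGN_STRINGS), (REPACKAGED_MANIFEST, REPACKAGED_STRINGS)):
        r = triage(manifest, strings)
        print(f"{r.package}: score={r.score} verdict={r.verdict()}")
        for name, weight, evidence in r.indicators:
            print(f"  [{weight}] {name}: {evidence}")
```

Run on a real sample, the manifest comes from the decoded AndroidManifest.xml and the strings from the app's classes.dex; a hit on the shared artifacts alone is a strong signal, while a single SMS permission stays below the threshold and only contributes to the score.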

The following timeline identifies the campaigns we have found from this group, strategies to trick users into installing the apps, distribution methods, main payload, and targeted countries:


Figure 19. A timeline of Sonvpay campaigns.

Conclusion

Sonvpay campaigns are one example of how cybercriminals like the AsiaHitGroup Gang constantly adapt their tactics to trick users into subscribing to premium-rate services and boost their profits. The campaigns started in late 2016 with very simple fake installers that charged users for copies of popular apps. In late 2017, Google Play apps abused WAP-billing services and used IP address geolocation to target specific countries. In 2018, Google Play apps used silent background push notifications to trigger the display of a fake update message and to gather data for mobile billing fraud. We expect that cybercriminals will continue to develop and distribute new billing fraud campaigns to target more countries and affect more users around the world.

Cybercriminals always follow the money, and one of the most effective ways to steal money from users is via billing fraud. A victim will likely not notice a fraudulent charge, for example, until it appears on the mobile bill at the end of the month. Even when the payment is detected early, most of the time the charge is for a subscription rather than a one-time payment. Thus victims will need to find a way to unsubscribe from the premium-rate service, which may not be easy if the subscription occurred silently or if the app does not provide that information. Also, the fact that WAP-billing fraud does not require sending an SMS message to a premium-rate number makes it easier to commit. Cybercriminals need to only silently subscribe users by forcing them to load the WAP-billing service page and click on buttons. For these reasons we expect that mobile billing fraud will continue to target Android users.

McAfee Mobile Security detects this threat as Android/Sonvpay. To protect yourself from this and similar threats, employ security software on your mobile devices, check user reviews for apps on Google Play, and do not accept or trust apps that ask for payment functionality via SMS messages as soon as the app is opened or without any interaction.

The post AsiaHitGroup Gang Again Sneaks Billing-Fraud Apps Onto Google Play appeared first on McAfee Blogs.

How a 40-Year-Old Mobile Security Flaw Puts Consumers at Risk

It’s the mobile vulnerability that won’t go away: Security concerns about Signaling System 7 (SS7), a set of four-decade-old telephony signaling protocols, have flared up in recent weeks after a U.S. senator reported that an unnamed mobile carrier had been breached.

Mobile security experts have long recognized vulnerabilities in the SS7 protocol, which can enable cybercriminals to gain access to smartphones’ data, locations, calls and texts.

On May 29, 2018, Sen. Ron Wyden wrote in a letter to the Federal Communications Commission (FCC) that SS7 is “riddled with long-standing cybersecurity vulnerabilities that pose a major national security threat.” Criminals and foreign governments can use SS7 vulnerabilities to “prey on unsuspecting consumers,” Wyden wrote.

Wyden had previously raised his concerns with Christopher Krebs, the president’s nominee for Undersecretary of the National Protection and Programs Directorate (NPPD) within the Department of Homeland Security (DHS). In a May 22, 2018 letter to Wyden, Krebs acknowledged that threat actors might have exploited SS7 to target U.S. residents’ communications.

Government and Industry Players Address the SS7 Flaw

According to Ian Eyberg, CEO of virtual machine vendor NanoVMs, cybercriminals have been targeting SS7 for 25 years.

“There are companies that sell cell tracking packages based on SS7 flaws — that’s how bad it has gotten,” Eyberg said. “What’s disturbing is that year after year, security researchers find more and more things wrong with the protocol.”

While Wyden is pushing the FCC and DHS to address SS7 flaws, some influential players in the mobile industry have already moved to protect against smartphone attacks. CTIA, a U.S. trade group representing carriers, worked with the FCC on SS7 vulnerabilities following a 2016 “60 Minutes” special that detailed how cybercriminals can track phone owners and intercept calls and text messages.

U.S. mobile operators have endorsed several FCC recommendations, including monitoring and filtering signaling interconnections.

“The wireless industry is committed to safeguarding consumer security and privacy and collaborates closely with the DHS, FCC and other stakeholders to combat evolving threats that could impact communications networks,” a CTIA spokesman said.

Attacks Persist Despite Better Mobile Security Tools

Many mobile security experts still see avenues of attack, however. Positive Technologies, a security monitoring firm, found that a whopping 100 percent of SS7-based SMS interception attacks that took place on European and Middle Eastern mobile phone networks during 2016 and 2017 were successful.

“Virtually every network allowed eavesdropping on conversations and reading incoming text messages,” the company asserted in a March 2018 press release accompanying the report. “Use of SMS for two-factor authentication means that if a hacker is able to access a subscriber’s text messages, they can go on to compromise accounts for online banks, stores, government services and much more.”

The researchers noted a decrease in successful SS7-based attacks between an earlier study in 2015 and 2017. This drop could be due to the proliferation of ready-made mobile security solutions in the market, they suggested. Still, all of the mobile networks studied in 2017 were susceptible to SS7-based attacks looking for subscriber information, subscriber traffic interception and subscriber denial-of-service (DoS) attacks.

How Can Consumers Protect Themselves?

According to Dan Tara, executive vice president of Positive Technologies, there are no significant actions mobile customers can take.

“Attacks on the SS7 network are conducted from the outside and are aimed at extracting or modifying data in the network devices of the operator infrastructure,” Tara said. “Subscribers cannot resist these attacks in any way because they’re outside of the SS7 network perimeter.” Instead, carriers must embrace comprehensive security protections, including SS7 firewalls, he said.

Eyberg agreed that the problem is largely within the purview of mobile carriers, but customers can also help by embracing encryption, he said.

“Short of [carriers] adopting new protocols, consumers can use encrypted chat and encrypted voice applications,” Eyberg added. “However, that is not always an option for things like one-time passwords from your bank.”

Eyberg also noted that customers should pay attention when their carriers are compromised.

“I think the best individuals can do is map out the irresponsible carriers and vote with their pockets,” he said.

The post How a 40-Year-Old Mobile Security Flaw Puts Consumers at Risk appeared first on Security Intelligence.

A Traveler’s Guide to International Cybersecurity

When you think of the most valuable thing you could lose while traveling, what comes to mind? Your suitcase, wallet, passport? What comes to my mind is my mobile device. Especially while traveling abroad, my mobile device is my lifeline and is essentially the remote control to my digital life.

What many international travelers do not realize is that their devices are often more vulnerable when taking a long-distance trip. Because they store and transmit our personal information – from website logins to banking information – these devices are much more valuable than the contents of your wallet or suitcase. Especially while you’re abroad and not used to your surroundings, pickpockets and cybercriminals can prey on your vulnerability to steal or infect your devices. Luckily, there are cybersecurity precautions you can take before, during and after international travel to ensure your information stays safe.

Before Travel

First and foremost, you have to get your device security in order before you hit the skies or hit the road. Now is the time to be proactive, not reactive, when it comes to protecting your information. The best thing to do would be to leave your devices at home where you know they will be safe. However, that’s unrealistic for most people, since we’re tethered to our mobile gadgets. So at the very least, before you head on your trip, make sure to:

  • Clean up your device. Clear your browser history and delete cookies.
  • Consider deleting apps that you don’t use altogether to avoid unnecessary vulnerability.
  • Encrypt any personal data to ensure that information stays protected. Back up your files to an external hard drive or desktop in case your encryption fails.

During Travel

Whether you’re home or abroad, it’s important to always be vigilant and aware of your surroundings, both online and in-person. While device theft is uncontrollable, you can control how and where you use your devices. When you’re traveling internationally, public, free Wi-Fi is sometimes the only option for service. Unfortunately, it can be exploited by cybercriminals as a gateway to your devices. By spoofing legitimate Wi-Fi networks, these nefarious folks could gain access to sensitive data and private accounts and potentially request money for the return of your information, making public Wi-Fi the biggest threat to your cybersecurity. To avoid being compromised, be sure to:

  • Mitigate risk and avoid making online purchases or accessing bank accounts while using public Wi-Fi.
  • Use your smartphone to create a personal hotspot, if you are in dire need of an internet connection.
  • Use a Virtual Private Network (VPN) to encrypt any data you may receive while on your trip.

After Travel

Arriving home after travel is already an exhausting experience – don’t exhaust your device by bringing any malware back with you. Remember that if you connected to local networks abroad, your mobile devices may have been exposed to malware. So, to help your device be ready for its return home, follow these tips:

  • Update your software. By updating your apps when prompted, you’ll ensure you have the latest patch and avoid any vulnerabilities that may have surfaced while you were away.
  • Delete travel apps you needed for your trip but no longer use. These can store personal information that can be accessed if they are not regularly used or updated.
  • Reset your passwords, PINs and other credentials you may have used while abroad, regardless of whether you think you were compromised. Changing them will render any stolen credentials useless.

Interested in learning more about IoT and mobile security tips and trends? Stop by ProtectWhatMatters.online, follow @McAfee_Home on Twitter, and “Like” us on Facebook.

The post A Traveler’s Guide to International Cybersecurity appeared first on McAfee Blogs.

Listen to Hackable? on Google Podcasts

Android users and podcast lovers are in luck! Google just rolled out an easier-than-ever podcast platform so you can binge all your favorite shows, like our original podcast, Hackable?

Haven’t heard it yet? Our award-winning show gives a behind-the-scenes look into real cyber attacks in action. We take hacks as seen on TV, in movies, and throughout pop culture and see how they measure up in the real world. Season One featured Geoff and his band of good-guy hackers who put these cyber attacks to the test. In Season Two, they came back to deliver even more eye-opening excitement. The crew found out just how easy it is to digitally break into cars, passwords, an automated car wash, a smart baby onesie, and so much more! The team is here to answer the question, “Is it Hackable?”

If you’re an Android user, you can now listen to podcasts directly in Google Podcasts. Binge listen to all Hackable? episodes, or catch up where you left off now!

The post Listen to Hackable? on Google Podcasts appeared first on McAfee Blogs.

Internet Safety Month: 5 Tips to Keep You Secure

The internet is infinitely expansive, but that’s often easy to forget as we now have immediate access to it in the palm of our hands. We feel safe scouring the digital world from the comfort of our homes, offices, or local coffee shops, but there is real danger lurking behind those virtual walls. Cybercriminals using the internet to infiltrate the Internet of Things (IoT) and our mobile devices is no longer the stuff of science fiction movies. Hacks, phishing scams, malicious sites, and malware, just to name a few — this world of hyper-connectivity has left us exposed to far greater threats than we could have ever imagined. To combat these looming threats and highlight the importance of staying safe online, June was dubbed Internet Safety Month. Seeing as the internet gives us the opportunity to learn, explore, create, and socialize, we should be doing so safely and securely.

According to a recent Pew Research Center survey, 77% of American adults own a smartphone, up from 35% just six years ago. Whether we’re traveling, working, or just having fun, our mobile devices — tablet, smartphone, or laptop — are within reach at all times. Our gadgets make it easier to connect with the world, but they also store tons of sensitive information about our lives. Yes, we may use our devices to talk and text, but we also use applications on those devices to access banking information, share our location, and check emails. This wealth of personal information on an easily hackable device should galvanize us to ensure that data stays out of the hands of cybercriminals. From ransomware to phishing scams, the numerous threats that can infect our IoT and mobile devices through the internet are ever-evolving menaces.

With the rise of IoT, the probability of a debilitating attack increases. Just like everything else online, IoT devices are one part of a massively distributed network. The billions of extra entry points that IoT devices create make them a greater target for cybercriminals. In 2016, this was demonstrated by the Mirai botnet, a malware strain that remotely enslaved IoT objects for use in large-scale attacks designed to knock websites and entire networks offline. The authors of Mirai discovered previously unknown vulnerabilities in IoT devices that could be used to strengthen their botnet, which at its height infected 300,000 devices. While this is an extreme example, it is very much a reality that could happen again — only this time worse. These ever-present threats make it crucial to maintain proper cyber hygiene while using the internet.

Internet Safety Month emphasizes the importance of staying safe while surfing the web, not just in June but all 365 days of the year. With new threats appearing every day, the time to be proactive about your online safety is now. Don’t find yourself on the wrong side of the most recent internet threat; follow these tips to stay protected:

  • Secure your devices. Strong passwords or touch ID features are your first line of defense against cybercriminals stealing your sensitive information. With security measures in place, your data is protected in the case of your device being lost or stolen. And reset those default passwords — many of today’s exploits come from leveraging devices where the default settings were never changed.
  • Only use apps you trust. Information about you is collected through the apps you use. Think about who is getting that data and if you’re comfortable with how it could be used.
  • Be picky about what Wi-Fi you’re using. Hotspots and public Wi-Fi networks are often unsecured, meaning anyone can see what you’re doing on your device. Limit your activity and avoid logging into accounts that hold sensitive information. Consider using a virtual private network (VPN) or a personal/mobile hotspot.
  • Disable Wi-Fi and Bluetooth when not in use. Stores and other locations use these signals to track your movements when you are in range. Both Bluetooth and Wi-Fi can also act as digital entrances into your phone. When they’re not absolutely necessary, consider turning them off.
  • Keep your devices and apps up-to-date. Having the most up-to-date software and applications is the best defense against threats. If an app is no longer in use, just delete it to keep your devices clutter-free and free of unsupported or outdated apps.

Interested in learning more about IoT and mobile security tips and trends? Stop by ProtectWhatMatters.online, follow @McAfee_Home on Twitter, and “Like” us on Facebook.

The post Internet Safety Month: 5 Tips to Keep You Secure appeared first on McAfee Blogs.

What the Mobile-Born Mean for IoT and Cybersecurity

Since before they knew how to walk, Gen Z – or the mobile-born generation – has had a wealth of information, quite literally, at their fingertips. Their lives are exponentially hyper-connected with social media, music, ride sharing, shopping, and more, all through their mobile devices. But Gen Z’s haste to be on the cutting edge of technology and trends can often leave them ignorant of the security implications. They prioritize personalization over privacy and willingly share personal data so they can have a more predictive and personalized experience, without the same sense of security awareness as previous generations. Through increased data sharing and the modern-day usage of social media, the mobile-born could be naively exposing themselves, and loved ones, to security issues they don’t fully realize or understand.

Social Media

Apps such as Snapchat and Facebook constantly know where consumers are located through default location settings, geotagged photos and videos, and “checking in” to reap promotional rewards or just to show off their latest experiences. This may not seem pressing, but in actuality, it tells people where you are at any given moment and, depending on your privacy settings, this information could get out to audiences it wasn’t intended for. If you posted a picture while at home, you likely took a GPS location snapshot and potentially let your home address get into the wrong hands. The metadata within your photo can then be used by cybercriminals to track where you live, opening up your home and devices to a slew of cybersecurity concerns. Geotagging can be fun and beneficial, but issues arise when user data is distributed unknowingly.

Furthermore, past generations have learned the hard way that once something is on the internet, it’s nearly impossible to get it back. We’ve gotten into the habit of oversharing our experiences online – whether mere photos of friends, our pets, birthday celebrations or the address of your favorite spot to hang out on the weekends – and in doing so you may be giving away the keys to all of your data. How does this seemingly harmless series of posts affect personal security? The information shared on these social media sites can be combined and used to crack common passwords.

Passwords

Another common theme among Gen Z is poor password hygiene. There is more importance placed on ease and convenience rather than data security. Passwords are often the weakest entry point for hackers and, according to a recent McAfee survey, nearly a quarter of people currently use passwords that are 10 or more years old. While Post-Millennials may not have passwords that old, they still display poor password hygiene by reusing the same credentials among multiple online sites and granting login access to third-party applications through networking platforms like Facebook.

If a cybercriminal cracks one password, they now have the skeleton key to the rest of your digital life. Passwords are our data’s first defense when it comes to cybercriminals, so by differentiating passwords across several accounts or using a password manager, Gen Z-ers can make sure the proper precautions are in place and better defend against unwanted access.

Public Wi-Fi

The mobile-born generation has a totally new outlook on digital experiences and their connection to the online world. They expect to have free, authentic, and secure Internet provided to them at all times, without having to take the necessary security precautions themselves. The internet isn’t just a tool for these digital natives, but rather a way of life and with that expectation, they will connect to public Wi-Fi networks without a second thought toward who’s hosting it and if it’s secure.

If they head to the library or a coffee shop to do homework or stream a video while out to lunch, they’re likely connecting to an unsecured public Wi-Fi network. Connecting to public Wi-Fi can be an easy data/money-saving trick for those on a family shared data plan, but it may be one that puts your data at risk. Much like all individuals have a social security number, all devices have a unique Internet Protocol (IP) address being tracked by Internet Service Providers (ISPs). This allows a device to communicate with the network, but if it’s doing so insecurely, it can act as a watering hole for cybercriminals to eavesdrop, steal personal information, and potentially infect devices with malware.

Educating the Next Generation

Whether it’s ignorant use of social media, poor password protection or careless connection to the internet, the iGeneration does not show the same level of security knowledge or experience as previous generations. Maybe they just don’t know about the various threats out there, or they don’t have the proper education to be using their devices and the internet safely, but it’s our duty to educate our kids about the implications of cybercriminals, privacy breaches, and data exploits to ensure proper cyber hygiene for years to come.

Consider these tips when setting ground rules for keeping you and your family safe:

  • Parental Controls. While these may be a nuisance sometimes, they are also a necessity in keeping you and your children safe from malicious sites. Consider using McAfee Secure Home Platform to ensure your family’s security while in the home.
  • Turn off geolocation. In ‘Settings’ on your device, you can select which apps are allowed to use your location. Make sure only the ones you know you can trust are selected.
  • Restrict access to your information. If you go into your browser, you can adjust your privacy settings to delete information from your browsing history (i.e. cookies, history, saved passwords, or banking information).
  • Install a Virtual Private Network (VPN). A personal VPN extends a private network across a public Wi-Fi network to help secure and encrypt your data and keep your connections safe. Software like McAfee Safe Connect can help protect your data at home and on the go.
  • Talk with your children. Understanding that their personal information is invaluable is the first step towards creating and maintaining safe online habits.

Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and “Like” us on Facebook.

The post What the Mobile-Born Mean for IoT and Cybersecurity appeared first on McAfee Blogs.

America’s Dirty Little Secrets: Opening the Door to Protected Data

It’s 2018. Digital assistants have started taking over our homes, with adoption growing tenfold. These smart speakers know everything about us, from our shopping habits to our music tastes — they likely know more about our daily lives than we do. This ever-growing, ever-changing relationship between humans and devices highlights the importance of protecting data – verbal or otherwise – in the home. With connected devices using our personal data to be the most comprehensive in-home assistants possible, we need to prioritize Internet of Things (IoT) security, awareness and the implications of using such devices.

It’s estimated that by 2022, over half of U.S. households will have at least one smart speaker in their home — that’s over 70 million households, topping 175 million installed devices. These devices are aimed at making our lives easier and more convenient than ever before, but to do so they require that we willingly share access to our personal and private information. Whether it’s banking details and a home address stored directly on the device, or learnings it’s picked up from our conversations, the amount of private data that these devices carry opens up a new array of threats. New research from McAfee reveals that 60% of Americans have considered that their digital assistants could be recording or listening to them. If so, what are the security implications of using a digital assistant?

From answering a quick question to ordering items online, controlling the lights, or changing thermostat temperature, digital assistants have become a pseudo-family member in many households, connecting to more IoT things than ever before. But if one of these devices is breached, it can open up an entire home Wi-Fi network and our valuable information could get into the wrong hands. Beyond this, many Americans have developed a very personal relationship with their devices, with 50% admitting to being embarrassed if friends or family knew what questions they asked their digital assistants. Now imagine if any of that information fell into the hands of cybercriminals — it could open the door to your personal data and threaten your family’s security.

In addition to the sensitive data that our smart speakers have stored, and the conversations they may or may not be recording, there are other security risks associated with this technology in the home. In 2016, it was determined that music or TV dialogue could take control of our digital assistants with commands undetectable to human ears. Known as the “Dolphin Attack,” this technique essentially hides commands in high-frequency sounds that our assistant-enabled gadgets can detect, but we are unable to hear. Instances of TV commercials activating digital assistants have already been reported, so we can see how this technique could be quite easy for cybercriminals to imitate if they wanted to access our smart homes’ network.

The growing trend of connecting these always-listening assistants to our home appliances and smart home gadgets is only exacerbating these concerns. Aside from digital assistants, other IoT devices such as game consoles, home security systems, thermostats, and smartphones may be at risk and must be secured to avoid becoming targets for cybercriminals. We must proceed with caution and be aware of who, or what could be listening in order to protect ourselves accordingly. Whenever bringing any kind of new, connected device into the home, prioritize safety and privacy.

Here are some top tips to securely manage the connected devices in your home:

  • Vary your passwords. Create passwords that are difficult to crack to ensure accounts are secure and update your passwords on a regular basis. Use multi-factor authentication whenever possible. Simplify password management by using a password manager.
  • Consider setting up a PIN code, particularly for voice-command purchases. Help keep cybercriminals away from your data by setting up an extra layer of security.
  • Invest in a router that delivers security for all your connected devices. It’s important to secure your entire connected home network. And the launch of McAfee Secure Home Platform skill for Alexa is set to make this easier and more convenient than ever before.

Technology is changing our everyday lives but being aware of the security concerns is the key to becoming an empowered consumer.

Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and “Like” us on Facebook.

The post America’s Dirty Little Secrets: Opening the Door to Protected Data appeared first on McAfee Blogs.

It’s a Zoo Out There! Data Analysis of Alleged ZooPark Dump

In early May, researchers disclosed a mobile malware campaign by a group focused on Middle Eastern targets. This actor was found to be an evolving and sophisticated group using fake Android apps, notably a fake Telegram, to trick users into installing malicious software. They have been active since 2015 and evolved over several campaigns into 2018. On May 14, a Reddit post linked to LamePT, claiming to have leaked their infrastructure, including a database containing victim information.

Figure 1 – Screenshot of the site hosting the leaked data

The current leaked assets include:

  • MYSQL database
  • Audio recordings
  • The old C2 server and assets
  • AppData folder (presumably of the C2 server)
  • Current C2 server and control panel

Further leaked documents are behind a paywall payable to a fresh bitcoin address. The first payment was made on May 13th, 2018, leaving a balance of $1,110.87. It’s difficult to verify whether someone paid to have the first dataset released or the actor paid themselves to appear more authentic. With that said, the authenticity of the data is still in question, as we have some significant doubts about at least a portion of the data. For example, the following SMS caught our attention:

“Wife.how she knew the time of murder exactly”.

This text can be found in an SMS spam dataset used for training spam engines. Many other English-based SMS messages can also be found there. “will be office around 4 pm. Now I am going hospital” is another example. Universities tend to use these datasets to teach computer science concepts; in this case, the concept is likely related to machine learning techniques for categorizing messages as spam. One university came up often when searching for these messages, based on its Computer Science I: Fundamentals homework postings. Other messages could be found in cached websites.

“Credit shuma ka mast jahat ezdiad credit ba hesab tan shumarai 222 ra dair namoda w aba taqeeb aan code 14 raqami ra dakhel nomaed .”

This translates to “Credit card is not available for sale at 222 days or less than 142 days.” and was found cached in a language translation site. This particular phrase was being translated from Turkish to Urdu. Not all of the messages were found publicly online. Most of the messages were in Middle Eastern languages, which presents its own challenges. Other sources were found, such as Facebook posts; however, sources for the vast majority of the SMS messages have not yet been located. For these reasons, we remain skeptical of the authenticity of the data.

Figure 2 – Facebook post with the same text as an SMS message

Other data, such as the recordings, do not appear to be publicly available. After sampling 100 of these files we’ve found them to sound like authentic recordings. The majority are 7-minute-59-second .3gpp files. Most appear to be ambient conversations and daily activities, not phone calls as was expected. Searching for public audio is difficult, but we can verify that neither the hashes of the 100 files nor the file names themselves are publicly indexed by major search engines.

Until we know for certain whether the data is authentic, we cannot guarantee that this data dump represents ZooPark and its capabilities, but we can look at what they could be up to. After reviewing the leaked MySQL database we’ve learned much about ZooPark’s potential operations.

Tables Included:

  • Appinfotracking
  • Audiotracking
  • Calltracking
  • Emailtracking
  • geolog
  • gpslocation
  • phonebookaccess
  • phototracking
  • recordcall
  • registration
  • sales_user_info
  • settings
  • smstracking
  • urltracking

From the table names alone, we can infer a lot about the access ZooPark had to user devices and the data they were after. Call tracking, phonebook access, and SMS tracking are unfortunately very common collection targets amongst malicious app developers. However, audio tracking caught our attention. While we are still analyzing the dataset, the database records indicate over 102,571 recordings were uploaded to their C2 server between 2015 and 2018. The dump contains approximately 3,887 of these, jeopardizing private and potentially highly sensitive conversations. Our sampling of these files indicates that the audio was recorded in roughly 8-minute blocks. Most, though not all, of the audio files have time gaps between them. There was at least one group conversation that continued for at least 3 recorded blocks. A surprisingly low number of phone numbers generated these recordings: only eight phone numbers are associated with the recordings available through this data dump.

Other conversations were also captured, such as SMS texts, although portions of these have been found publicly in open datasets. Conceivably, these could have been generated by researchers investigating the malicious Android apps, but it’s more likely they were generated by the data leaker to sell the dump. The SMS texts contain much of what you would expect, such as general chat and advertisements. However, the set is also riddled with embarrassing or explicit texts which could be used against the users should they prove legitimate. Additionally, we’ve found cleartext two-factor authentication messages from major services such as Google and LinkedIn, and popular chat apps such as Telegram. ZooPark could have used these to gain access to additional services unbeknownst to the victims. After attempting and failing to rebuild several English-based conversations, we have little confidence that the entire data set came from ZooPark. However, it does exemplify the real danger of sensitive conversations being collected by ZooPark and made available for their operations.
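The two checks the analysis above relies on, matching leaked SMS bodies against public SMS corpora to gauge authenticity and flagging cleartext 2FA messages so the exposed accounts can be prioritized, as an added example that is not McAfee's tooling. The table rows, the reference corpus and the phone numbers are constructed for the example; only the two quoted messages come from the post.

```python
"""Triage helpers for a leaked spyware database dump (constructed example).

Rows are shaped like the dump's ``smstracking`` table: (victim phone, body).
The reference corpus stands in for public SMS spam/ham datasets; a high overlap
between "victim" messages and such corpora suggests the dump may be fabricated.
"""
import re
import unicodedata
from collections import Counter


def normalize(text: str) -> str:
    """Case-fold, drop punctuation and collapse whitespace so that small edits
    (trailing periods, spacing, capitalization) do not hide a corpus match."""
    text = unicodedata.normalize("NFKC", text).casefold()
    text = re.sub(r"[^\w\s]", " ", text)
    return " ".join(text.split())


# Constructed stand-in for a public SMS dataset (the two quoted lines are the
# ones the post found in such a dataset; the third is made up).
PUBLIC_SMS_CORPUS = {
    normalize(m)
    for m in [
        "Wife.how she knew the time of murder exactly",
        "will be office around 4 pm. Now I am going hospital",
        "Free entry in 2 a wkly comp to win FA Cup final tkts",
    ]
}

# Constructed rows; phone numbers are placeholders, not real victims.
SMS_ROWS = [
    ("+200000000001", "Wife.how she knew the time of murder exactly"),
    ("+200000000001", "Will be office around 4 PM. Now I am going hospital."),
    ("+200000000002", "G-123456 is your Google verification code."),
    ("+200000000003", "Your Telegram code 98765"),
    ("+200000000002", "Dinner at 8?"),
]

# Keywords typical of one-time-code SMS; hypothetical, tune per language/service.
OTP_PATTERN = re.compile(r"\b(verification|code|passcode|otp)\b", re.IGNORECASE)


def public_overlap(rows, corpus=PUBLIC_SMS_CORPUS):
    """Return (matched, total, fraction): how many bodies exist verbatim in
    public corpora after normalization."""
    matched = sum(1 for _, body in rows if normalize(body) in corpus)
    total = len(rows)
    return matched, total, (matched / total if total else 0.0)


def flag_otp_messages(rows):
    """Rows that look like cleartext 2FA codes: these victims' accounts are the
    ones to reset and notify first."""
    return [(phone, body) for phone, body in rows if OTP_PATTERN.search(body)]


def unique_victims(rows):
    """Count records per victim phone number (the post reports 169 unique numbers)."""
    return Counter(phone for phone, _ in rows)


if __name__ == "__main__":
    matched, total, frac = public_overlap(SMS_ROWS)
    print(f"{matched}/{total} SMS bodies found in public corpora ({frac:.0%})")
    for phone, body in flag_otp_messages(SMS_ROWS):
        print("2FA exposure:", phone, "->", body)
    print("unique victim numbers:", len(unique_victims(SMS_ROWS)))
```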

Another surprising find is in the Appinfotracking table, where there are 1541 unique apps listed, indicating a very large campaign. Here are a few notable ones:

  • Youtube
  • Wikipedia
  • WhatsApp
  • WinZip
  • Weather
  • VLC
  • Twitter
  • Telegram
  • TrueCaller
  • Tango
  • Pinterest
  • ICQ
  • Flashlight
  • Facebook
  • DUO
  • Dropbox
  • Crunchyroll

There were relatively few games listed compared to other social and utility apps, perhaps suggesting a more utilitarian or professional target. Approximately 92 phone numbers are listed in relation to the apps. Of the GPS coordinates we’ve checked, the Middle East is still the main focus, with a significant footprint in Egypt.

While the data leaker’s request is for Bitcoin payment, we believe they are primarily interested in acquiring Monero. Once payments are made, the actors use a popular tool called ShapeShift to turn the Bitcoin into Monero (XMR). ShapeShift allows the actors to pay in with one cryptocurrency and receive a payout in another without creating an account for the service. Monero’s added features enable them to maintain greater anonymity during the transfer, and it is anonymity that usually motivates cybercriminals to move to Monero. Monero coins are of interest due to their anonymity and privacy-related improvements, making them difficult for law enforcement and security researchers to trace.

ShapeShift transaction from Bitcoin (BTC) to Monero (XMR)

The actor who leaked this data is obviously motivated by money, as evidenced by the requested payment for further data leaks. Fake datasets, especially those that contain credit card information, email addresses and passwords, have been known to be sold to scam other cybercriminals. It’s a distinct possibility that this could be the case with the current data dump, but it has yet to be determined. However, competition can also be a primary motivator: many times competing bad actors will attempt to sabotage others in the space. Altruism can play a role as well; some vigilante actors may believe that their motivations are for the greater good regardless of the laws they break and the collateral damage. Whatever the motivations, data leaks like these can be embarrassing, damaging and in some cases dangerous for the victims whose information they may contain.

Other points of interest:

  • There is a surprisingly low number of unique victim numbers in the database: only 169.
  • The latest URL record is as recent as May 12, 2018.
  • The latest SMS record is as recent as May 8, 2018.
  • 81 unique numbers had 47,784 records of GPS data stored.

Bitcoin Address:

  • 1AUMs2ieZ7qN4d3M1oUPCuP3CH9WGQxpbd

The post It’s a Zoo Out There! Data Analysis of Alleged ZooPark Dump appeared first on McAfee Blogs.

Malware on Google Play Targets North Korean Defectors

Earlier this year, McAfee researchers predicted in the McAfee Mobile Threat Report that we expect the number of targeted attacks on mobile devices to increase due to their ubiquitous growth combined with the sophisticated tactics used by malware authors. Last year we posted the first public blog about the Lazarus group operating in the mobile landscape. Our recent discovery of the campaign we have named RedDawn on Google Play just a few weeks after the release of our report proves that targeted attacks on mobile devices are here to stay.

RedDawn is the second campaign we have seen this year from the “Sun Team” hacking group. In January, the McAfee Mobile Research Team wrote about Android malware targeting North Korean defectors and journalists. McAfee researchers recently found new malware developed by the same actors that was uploaded on Google Play as “unreleased” versions. We notified both Google, which has removed the malware from Google Play, and the Korea Internet & Security Agency.

Our findings indicate that the Sun Team is still actively trying to implant spyware on Korean victims’ devices. (The number of North Korean defectors who came to South Korea exceeded 30,000 in 2016, according to Radio Free Asia.) Once the malware is installed, it copies sensitive information, including personal photos, contacts, and SMS messages, and sends it to the threat actors. We have seen no public reports of infections. We identified this malware at an early stage; the number of infections is quite low compared with previous campaigns, about 100 infections from Google Play.

Malware on Google Play

Malware uploaded on Google Play (now deleted).

We found three apps uploaded by the actor we named Sun Team, based on email accounts and Android devices used in the previous attack. The first app in this attack, 음식궁합 (Food Ingredients Info), offers information about food; the other two apps, Fast AppLock and AppLockFree, are security related. 음식궁합 and Fast AppLock secretly steal device information and receive commands and additional executable (.dex) files from a cloud control server. We believe that these apps are multi-staged, with several components. Unlike the other two apps, AppLockFree is, we believe, part of the reconnaissance stage, setting the foundation for the next stage. The malware was spread through a Facebook account with a fake profile that promoted 음식궁합 to friends, asking them to install the apps and offer feedback.

Links to Previous Operations

After infecting a device, the malware uses Dropbox and Yandex to upload data and issue commands, including additional plug-in dex files; this is a similar tactic to earlier Sun Team attacks. From these cloud storage sites, we found information logs from the same test Android devices that Sun Team used for the malware campaign we reported in January. The logs had a similar format and used the same abbreviations for fields as in other Sun Team logs. Further, the email addresses of the new malware’s developer are identical to the earlier email addresses associated with the Sun Team. The relationship among email addresses and test devices is explained in the following diagram.

The use of identical email addresses ties the two malware campaigns to the same attacker.

About the Actors

After tracking Sun Team’s operations, we were able to uncover different versions of their malware. The following diagram shows the timeline of the versions.

Timeline of different malware versions of Sun Team.

The timeline shows us that the malware became active in 2017. Sun Team’s only purpose is to extract information from devices, as all of the malware is spyware. The malware on Google Play stayed online for about 2 months before being deleted.

In our post on the earlier attack by this actor, we observed that some of the Korean words found on the malware’s control server are not in the South Korean vocabulary and that an exposed IP address points to North Korea. Also, the Dropbox account names were taken from South Korean dramas or celebrities.

In the new malware on Google Play, we again see that the Korean writing in the description is awkward. As in the previous operation, the Dropbox account name follows a similar pattern of using names of celebrities, such as Jack Black, who appeared on Korean TV. These features are strong evidence that the actors behind these campaigns are not native South Koreans but are familiar with the culture and language. These elements are suggestive though not a confirmation of the nationality of the actors behind these malware campaigns.

Sun Team’s test devices originate from various countries.

Moreover, we uncovered information about the attacker’s Android test devices and the exploits they tried to use. The devices are manufactured in several countries and carry installed Korean apps, another clue that the threat actors can read Korean. The exploit code was found uploaded on one of the cloud storage accounts used by Sun Team; it consists of modified versions of publicly available sandbox escape, privilege escalation, and code execution exploits, with added functions to drop their own Trojans on victims’ devices. The modified exploits suggest that the attackers are not skillful enough to find zero days and write their own exploits. However, it is likely just a matter of time before they start to exploit vulnerabilities.

Modified exploits installing the Sun Team’s Trojan.

The most concerning thing about this Sun Team operation is that they use photos uploaded on social network services and identities of South Koreans to create fake accounts. We have found evidence that some people have had their identities stolen; more could follow. They are using texting and calling services to generate virtual phone numbers so they can sign up for South Korean online services.

Conclusion

This malware campaign used Facebook to distribute links to malicious apps that were labeled as unreleased versions. From our analysis, we conclude that the actor behind both campaigns is Sun Team. Be cautious when installing unreleased or beta versions of any app. Also, check the number of downloads to see if an app is widely installed; avoid obscure apps.

McAfee Mobile Security detects this malware as Android/RedDawn.A, B. Always keep your mobile security application updated to the latest version.

The post Malware on Google Play Targets North Korean Defectors appeared first on McAfee Blogs.

You, Your Company, and BYOD: A Love Triangle

BYOD, or bring your own device, has become the new normal in the corporate workplace. But with this convenience come pressing security concerns. Although BYOD costs companies less, mobile devices are often used without proper security measures in place. This makes it difficult for employers to determine how much access employees should receive to company networks. The more access an employee has to company networks, the more opportunities there are for not only their personal information but also company data to become vulnerable. With BYOD becoming more prevalent in the workplace, it is vital that companies and employees understand the perks and security concerns associated with BYOD and take the necessary steps to ensure personal devices and company information are protected.

BYOD can offer some really great perks: 1) employers spend less on technology and providing devices to employees, thus saving the company money, and 2) you get to use your own device(s), to which you are already accustomed. Your company may already allow BYOD in your office, but do you know the associated security risks? They are complicated. Three looming concerns of BYOD that companies and employees should be addressing are accessibility to company data, lost or stolen devices, and overall maintenance. Let’s delve into why these concerns are the most pressing.

  1. Accessibility. The overarching question of BYOD is who gets access to company data on their personal devices, when and where? For example, if you are at a meeting outside of the office and you are on a limited-access BYOD policy with your employer, you would only be able to access work email and contacts but nothing stored on the company servers. If your client asks to see a specific document hosted on your company server during the meeting, you won’t be able to access it because it is sensitive and lives on the private servers. This is where BYOD backfires for the employee.
  2. Lost or stolen devices. A personal device that contains confidential company information poses a huge security threat if it is lost or stolen, and begs the question: who is responsible for retrieving the device and/or data? What is the proper response to this sort of breach? It is your personal device, with both personal and company data, so should it be locked, tracked and retrieved, or completely wiped immediately? There is no clear or correct answer, which is why companies need a clear BYOD policy and culture of security that fits both parties’ needs.
  3. Maintenance and malware. Infrequent device maintenance, delayed software updates and uninformed app downloads can open the door to a slew of security vulnerabilities. Organizations have a hard enough time implementing their own software across the corporate network, let alone ensuring all employees are adhering to the required software updates from device operating systems and applications. With the breadth of different phones and tablets being used around the globe, it can be nearly impossible to keep track of employees’ security posture on their personal devices.

Without the right security measures in place, there is the possibility of malware being downloaded through sketchy apps or unpatched versions of software, which could be transferred onto corporate servers depending on the employee’s access level. McAfee Labs detected over 16 million mobile malware infestations in the third quarter of 2017 alone, nearly double the number of one year earlier. This uptick in cyberattacks on mobile devices illustrates the importance of comprehensive cybersecurity policies across the board.

So how do you protect yourself when it comes to using your smartphone or tablet for both business and pleasure? Here are a few tips:

  • Practice discretion when alternating between personal and business tasks on your mobile device. Separate the two by using different, verified apps for company and personal uses to maintain safety.
  • Avoid downloading apps from third-party vendors that could make your device prone to malware, and always check the permissions of any app before downloading, particularly those that ask for access to your device’s data.
  • Regularly update your devices to ensure they are equipped with vital patches that protect against flaws and bugs that cybercriminals can exploit.
  • Avoid accessing data-sensitive apps on your device over public Wi-Fi. Cybercriminals could use this as an opportunity to take a look at your mobile data.
  • Keep your personal and work information secure with comprehensive mobile security, such as McAfee® Mobile Security, that will not only scan your device for viruses and threats but also help you identify apps that are accessing too much of your valuable personal information.

McAfee is the device-to-cloud cybersecurity company helping to secure data at all levels, on all devices. We’re helping you stop threats and protect your data wherever it resides, from your fingertips to the skies, enabling you to protect what matters on your digital journey.

Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post You, Your Company, and BYOD: A Love Triangle appeared first on McAfee Blogs.

Securing Your Devices from Mobile Malware

As the world has gone mobile, so too have the cybercriminals. With users now spending an average of four hours a day on multiple mobile devices that store mountains of sensitive information, it’s no wonder that mobile malware has become one of the most effective ways to capture our money and data.

That’s probably why mobile malware increased by 46% in the last year, with new mobile threats like ransomware and ad click malware making our digital lives even more complicated.

Of course, risky apps remain the persistent threat. These days, even official app stores aren’t completely safe. For instance, McAfee noted a 30% increase in threat families found in the Google Play Store over the last year alone. These included fake versions of legitimate apps designed to steal personal information, and apps that signed users up for premium services without their consent, leaving them with hefty bills.

But one of the biggest threats we saw was the rise of cryptocurrency miners. They can hide in the background of seemingly harmless apps, and use your device’s computing power to mine for Bitcoin and other digital currencies. This type of mobile malware can even cause your phone to overheat and stop functioning altogether.

In addition to risky apps, dangers lurk when you connect your mobile devices to public Wi-Fi networks, which are often unsecured. Public networks, like those in hotels and airports, have become hunting grounds for cybercriminals who can set up fake Wi-Fi hotspots and use them to deliver malware. They can also potentially eavesdrop on your private data, including passwords and credit card numbers, as they are sent from your device to the router.

Finally, the explosion of devices known as the Internet of Things (IoT), which include IP cameras, interactive speakers, and smart appliances, offers another avenue of attack for cybercriminals. Since these devices usually come with few security features, they can easily be hacked and used to spread malware to other, more data-rich devices connected on the same network.

Given these escalating risks, it’s essential for mobile users to learn how to secure their mobile devices, and all the valuable information that they hold.

Tips for avoiding mobile malware: 

  1. Use Mobile Security—Make sure all your devices are protected from malware and other emerging mobile threats by using security software that can warn you about risky apps and dangerous links, as well as help you locate and lock down a missing device.
  2. Avoid Risky Apps—Stick to downloading highly-rated apps from official app stores. You should also check the app’s permissions to see how much of your private information the app is trying to access. Limit access to only what the app needs to function properly. For instance, a calculator app shouldn’t need your location or contact details.
  3. Choose Strong Passwords—A complicated, hard-to-guess password is your first line of defense when it comes to protecting your online accounts and information. You may want to consider using a password manager that generates strong passwords and keeps them in a secure vault so you don’t have to remember them all. Look into comprehensive security software that includes a password manager.
  4. Keep your IoT devices separate—Since many IoT devices have very low security, you may want to consider keeping them on a separate network from your smartphones, tablets, and computers, since these usually contain private information. Read your router’s user manual to learn how to set up a second “guest” network. Or, you can invest in a router with built-in security that protects all the devices on the network.
  5. Stay Informed—Given our reliance on mobile devices, mobile malware is unlikely to go away anytime soon. Make sure you stay up-to-date on emerging threats and the steps you need to take to protect yourself.

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

The post Securing Your Devices from Mobile Malware appeared first on McAfee Blogs.

Security Calling: Celebrate National Telephone Day by Securing Your Mobile Devices

April 25 – otherwise known as National Telephone Day – rolls around once a year to remind us of the sheer technological prowess and influence of the phone. What first started as an industrial revolution invention from Alexander Graham Bell, the phone has undergone quite a remarkable evolution over its nearly 150 years of existence. When people say the word ‘phone’ today, the device they’re talking about is wildly different. The phone of the past has become the gateway into our digital identities and now holds the keys to all the connected things in our homes. As dependency on our mobile devices continues to grow, so do potential cyberthreats and the need for mobile security.

Consumers have been quick to adopt mobile phones, more so than at any point in the telephone’s storied history. It’s estimated that 95% of Americans own a cell phone today. This goes to show that the phone has not only become an instrumental device in today’s society, but it also speaks to how it has evolved beyond its initial capabilities to serve as a device that contains our digital persona. A phone is no longer a convenient piece of equipment but a fundamental element of many people’s lifestyles, so much so that many can’t even unplug while on vacation—only 27% say they’re unwilling to leave their smartphones at home when on vacation. As today’s world becomes more digital and interconnected, our mobile phones are at the heart of this transformation.

Of course, with any device that contains this much power and influence, the mobile phone has also become the target of cybercriminals and hackers, making mobile security a cause for much concern. McAfee Labs detected over 16 million mobile malware infestations in the third quarter of 2017, and new threats continue to emerge around the world, most of which target a consumer’s money. However, according to a recent CES Survey, 52% of respondents are either unsure of or have no idea how to check to see if their mobile devices and apps are secure against these kinds of threats—which is worrisome considering these latest mobile trends:

  • More targeted attacks – Following the money, a global spike in banking Trojans has occurred, targeting large multinationals and small regional banks.
  • Virtual bank robberies – With the growing interest in cryptocurrencies, cybercriminals are attempting virtual bank robberies by distributing fake mobile wallets and targeting the cryptocurrency industry.
  • States using malware – North Korean dissidents and journalists using the popular South Korean chat app KakaoTalk were recently targeted in a State-instigated malware attack, with the aim of implanting spyware on the victim’s device.
  • Persistent threats – The increasing proliferation of Internet of Things (IoT) devices is significantly heightening the threat landscape, increasing the number of possible points of attack.

In order to feel safe and secure when you shout “Call me, maybe!”, take some time out of whatever festivities you may have planned for National Telephone Day to consider these tips on how to keep your mobile phones and devices secure:

  • Update regularly – Regularly updating your devices helps ensure they are armed with critical patches that protect against bugs or flaws in their operating systems that cybercriminals can leverage. Though it’s very tempting to skip out on these updates, taking a few minutes to download them means you aren’t recklessly leaving your devices open to hackers. This applies to the apps on your phone as well.
  • Use a complex password – A complex password is a secure password, so there’s no excuse to skate by with your own birthdate or a “1234” code for your mobile devices anymore. It’s good practice to have distinct passwords for every device, even though it’s a bit more burdensome on you. Still, choosing a safe and secure password is always the priority. Be sure to throw in a mix of numbers and symbols to avoid making it easy for potential hackers.
  • Turn off geolocation – When it comes to geolocation or sharing your location with apps and other services on your phone, approach with caution. It’s a good rule of thumb to only activate geolocation permissions when it’s crucial for an app’s ability to work (i.e. Uber, Google Maps, etc.). Otherwise, hackers can start to uncover your exact whereabouts and understand your movement patterns.
  • Use security software – Finally, I can’t stress enough how important it is to use comprehensive security software to protect your mobile phones and devices from the inside out.

Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post Security Calling: Celebrate National Telephone Day by Securing Your Mobile Devices appeared first on McAfee Blogs.

Seven Android Apps Infected With Adware, Downloaded Over 500,000 Times

The amount we use our apps and the number of apps we use have shown no signs of slowing. And as the McAfee Labs Threats Report: March 2018 tells us, mobile malware has shown no signs of slowing either. Now, a tricky Android malware dubbed Andr/HiddnAd-AJ is adding to the plethora of mobile strains out there. The malware managed to sneak onto the Google Play Store disguised as seven different apps – which have collectively been downloaded over 500,000 times.

Slipping onto the Google Play store via six QR reader apps and one smart compass app, the malware manages to sneak past security checks through a combination of unique code and no initial malicious activity. Following installation, Andr/HiddnAd-AJ waits for six hours before it serves up adware. When it does, it floods a user’s screen with full-screen ads, opens ads on web pages, and sends various notifications containing ad-related links, all with the goal of generating click-based revenue for the attackers.

Google has since taken these apps down; however, it’s still crucial that Android users are on the lookout for Andr/HiddnAd-AJ malware and other adware schemes like it. Start by following these security tips:

  • Do your homework. Before you download an app, make sure you head to the reviews section of the app store first. Be sure to thoroughly sift through the reviews and read through the comments section; Andr/HiddnAd-AJ might have been avoided if a user had read one of the comments and seen that the app was full of unnecessary advertisements. When in doubt, don’t download any app that is remotely questionable.
  • Limit the number of apps. Only install apps you think you need and will use regularly. And if you no longer use an app, uninstall it. This will help you save memory and reduce your exposure to threats such as Andr/HiddnAd-AJ.
  • Don’t click. This may go without saying, but since this is a click-generated revenue scheme, do whatever you can to avoid clicking pop-ups and unwarranted advertisements. The less you click, the less cybercriminals will profit.
  • Use a mobile security solution. As malware and adware campaigns continue to infect mobile applications, make sure your mobile devices are prepared for any threat coming their way. To do just that, cover these devices with a mobile security solution, such as McAfee Mobile Security.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Seven Android Apps Infected With Adware, Downloaded Over 500,000 Times appeared first on McAfee Blogs.

Kick Off Your Digital Spring Cleaning Efforts During World Backup Day

As spring blossoms into full force, millions of people will start to shed the heavy baggage and gear that kept them warm during winter by partaking in a tried and true practice: spring cleaning. While whipping yourself into a cleaning frenzy around your home, take a moment to extend your spring cleaning efforts into your digital environments as well. And there’s no better time to kick off a digital spring cleaning than during World Backup Day.

What exactly is World Backup Day? I’m glad you asked.

In today’s day and age, data is basically digital gold. It’s imperative to ensure your information is organized and backed up—not just for peace-of-mind, but to protect yourself against potential malware and ransomware threats. Still, a large number of people have never backed up their files, leaving themselves vulnerable to losing everything. In fact, this has become such a systemic problem that a whole day has been devoted to reversing this trend: World Backup Day. One of the main goals of the World Backup Day initiative is to reach people who have never backed their data up or people who aren’t even aware that data backups are a thing, let alone a crucial security measure.

For those who may not know, a backup is a second copy of all your important files and information, everything from photos and documents to emails and passwords. Storing all of that data in one place, like a personal computer or smartphone, is a woefully unsafe practice. Creating another copy of that data through a backup will ensure that it’s stored and kept safe somewhere else should catastrophe befall your personal mobile devices, or if they’re lost or stolen.

Data loss isn’t something that only happens to huge conglomerates or to unsuspecting victims in spy movies. Every individual is susceptible to data loss or theft, and backing up that data is an easy, relatively painless step to protect all of your personal information and prevent pesky hackers from truly swiping your stuff.

Think about it—if you’re targeted by a nasty piece of ransomware but have successfully performed a data backup, there’s absolutely no need for you to pay the ransom because you have a second, secure copy of all that data. It’s a simple preventative measure that can pay off big time should worse come to worst. Even the STOP. THINK. CONNECT. campaign, dedicated to increasing awareness around cybersecurity and providing information to help digital citizens protect against malware, lists regular data backups as an important security action to safeguard yourself against cybercrime.

There are two main approaches to backing up your data: either in the cloud or on an external hard drive. A cloud-based backup solution is great for people who don’t want to actively back up their devices and data or worry about the space constraints that come with most external hard drives. Simply subscribing to one of these cloud solutions will do the trick—your device’s files and data will automatically be backed up and protected without you having to lift more than a finger. Cloud-based services typically come with a monthly fee, and you’ll need a good internet connection to access them. If your connection is wonky or the site is undergoing maintenance, it can be difficult to access your backed-up data.

With an external hard drive, you can manually back up all your data and files yourself onto a physical device that you have access to anytime, anywhere. These drives are extremely reliable and a great way to achieve data redundancy. An external hard drive doesn’t hinge on internet access like cloud-based services and is an easy fix when transferring data to a new device. However, using external hard drives requires a more hands-on approach when it comes to actually backing up your data. The responsibility falls upon you to regularly perform these backups yourself. Storage space can also pose a problem. Look for an external drive with at least a terabyte of space to accommodate all of your data, which tends to accumulate quickly.

Here are some other digital spring cleaning tips to consider this World Backup Day:

  • Play it extra safe and go both routes for a thorough backup by using an external drive and subscribing to a cloud-based solution. After all, it’s better safe than sorry when it comes to your personal data.
  • Back up data from your mobile devices onto a central laptop or personal computer for an added layer of security and protection. Then work on backing up these devices with one (or both) of the methods laid out above.
  • Have at least one backup of your initial backup as a fail-safe measure.
  • Test your ability to restore data from backups regularly to ensure your backups have been performed correctly and that they haven’t been compromised.
  • Back up your data with a process and system that’s simple and works best for you—there’s no need to overcomplicate it!
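One way to act on the tip about regularly testing restores: the script below (an added example, not McAfee’s or any product’s code) records a SHA-256 manifest when the backup is taken and checks a restored copy against it, reporting files that are missing, altered, or not part of the original backup. The directory layout, file names and contents are constructed sample data.

```python
"""Backup manifest and restore verification (added example, not McAfee's code)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large photos and videos fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(source, dest):
    """Copy the source tree to dest and record a manifest next to the copy.

    The manifest is what makes a later restore checkable: a backup you
    cannot verify is not much better than no backup at all.
    """
    shutil.copytree(source, dest, dirs_exist_ok=True)
    manifest = build_manifest(source)
    manifest_path = Path(dest).with_name(Path(dest).name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_restore(restored, manifest):
    """Compare a restored tree against the manifest recorded at backup time.

    Returns the files that are missing, whose contents changed, or that were
    not part of the original backup; each is a sign that the backup was
    incomplete, corrupted, or tampered with.
    """
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def demo():
    """Back up a constructed tree, restore it, verify it, then verify a damaged restore.

    Returns (problems_for_clean_restore, problems_for_damaged_restore).
    Everything is created in a temporary directory and removed afterwards.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "phone"  # constructed stand-in for a device's data
        (src / "photos").mkdir(parents=True)
        (src / "photos" / "cat.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg bytes")
        (src / "notes.txt").write_text("grocery list: milk, eggs\n")

        manifest = backup(src, tmp / "backup")

        # Restore into a fresh location and check it against the manifest.
        restore = tmp / "restore"
        shutil.copytree(tmp / "backup", restore)
        clean = verify_restore(restore, manifest)

        # Simulate a damaged copy: one file altered, one lost, one stray file added.
        (restore / "notes.txt").write_text("grocery list: milk, eggs, bread\n")
        (restore / "photos" / "cat.jpg").unlink()
        (restore / "README_RESTORE.txt").write_text("constructed stray file\n")
        damaged = verify_restore(restore, manifest)

    return clean, damaged


if __name__ == "__main__":
    clean_result, damaged_result = demo()
    print("clean restore:", clean_result)
    print("damaged restore:", damaged_result)
```

Keep the manifest somewhere other than the backup media itself; a copy that travels with the backup can be altered along with it.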

Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post Kick Off Your Digital Spring Cleaning Efforts During World Backup Day appeared first on McAfee Blogs.

McAfee Safe Connect, Two Gold Award Winners of 2018 Info Security PG’s Global Excellence Awards®

On February 28th, Info Security Products Guide Global Excellence Awards presented their 2018 award winners. We are humbled to have received two golds in the Product or Service Excellence of the Year — Security Information and Website & Web Application Security for McAfee Safe Connect.

Product Overview:

McAfee Safe Connect is a VPN (Virtual Private Network) that helps users create secure online connections while using the internet. Doing so helps our customers minimize their individual security risks and helps keep their data private – especially when connecting to a public or open Wi-Fi network. Unlike home Wi-Fi, many public Wi-Fi networks (commonly offered at cafés, airports and hotels) aren’t password-protected and don’t encrypt the user data transmitted through them. Therefore, when you connect to a hotspot, your online activities, from your social media activity to your online purchase history and even your bank account credentials, may be wide open to hackers. With McAfee Safe Connect, you can rest assured that your information and online activities are encrypted.

McAfee has a proven record of providing security for consumers in the digital age. To address growing concerns over Wi-Fi security, we created an award-winning VPN that would keep users’ personal information secure from online threats and unsecure networks.

McAfee Safe Connect has over 1 million downloads across Google Play and the App Store with an impressive 4.3-star rating. It is available in over 20 languages to users worldwide.

Tech behemoth Samsung also chose McAfee Safe Connect VPN for their Galaxy Note 8 – Secure Wi-Fi feature and expanded collaboration with its newly announced Galaxy S9 Smartphones.

About Info Security PG’s Global Excellence Awards

Info Security Products Guide sponsors the Global Excellence Awards and plays a vital role in keeping individuals informed of the choices they can make when it comes to protecting their digital resources and assets. The guide is written expressly for those who wish to stay informed about recent security threats and the preventive measures they can take. You will discover a wealth of information in this guide, including tomorrow’s technology today, best deployment scenarios, people and technologies shaping cyber security, and industry predictions & directions that facilitate making the most pertinent security decisions. Visit www.infosecurityproductsguide.com for the complete list of winners.

We are proud of the recognition given to McAfee Safe Connect, which aims to safeguard every Internet user’s online privacy. Please check out our award-winning Wi-Fi Privacy VPN product: McAfee Safe Connect.

Interested in learning more about McAfee Safe Connect and mobile security tips and trends? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post McAfee Safe Connect, Two Gold Award Winners of 2018 Info Security PG’s Global Excellence Awards® appeared first on McAfee Blogs.

McAfee Safe Connect RT2Win Sweepstakes Terms and Conditions

Just a few weeks back, Info Security Products Guide awarded McAfee Safe Connect with two Gold-Level Global Excellence Awards for Product or Service Excellence of the Year: Security Information and Website & Web Application Security!

To celebrate, we’re treating you to a #RT2Win Sweepstakes on the @McAfee_Home Twitter handle. Ten [10] lucky winners of the Sweepstakes drawing will receive a one-year free subscription of McAfee Safe Connect to provide security and privacy across your PC, iOS, and Android devices when connecting to Wi-Fi hotspots and private networks.

All you have to do is simply retweet one of our contest tweets between March 26, 2018 and April 17, 2018 for your chance to win. Sweepstakes tweets will include “#McAfeeSafeConnect, #RT2Win, and #Sweepstakes”. Terms and conditions are below.

#McAfeeSafeConnect #RT2Win Sweepstakes Official Rules

  • To enter, go to https://twitter.com/McAfee_Home, and find the #RT2Win sweepstakes tweet.
  • The sweepstakes tweet will be released on Monday, March 26. This tweet will include the hashtags: #McAfeeSafeConnect, #RT2Win, and #Sweepstakes.
  • Retweet the sweepstakes tweet released on the above date, from your own handle. The #McAfeeSafeConnect AND #RT2Win hashtags must be included to be entered.
  • Winners will be notified on Wednesday, April 18, 2018 via Twitter direct message.
  • Limit one entry per person.

How to Win:

Retweet one of our contest tweets on @McAfee_Home that include “#RT2Win, #Sweepstakes, and #McAfeeSafeConnect” for a chance to win a one-year free subscription to McAfee Safe Connect. Ten [10] total winners will be selected and announced on April 18, 2018. Winners will be notified by direct message on Twitter. For full Sweepstakes details, please see the Terms and Conditions, below.

McAfee Safe Connect #RT2Win Sweepstakes Terms and Conditions

How to Enter: 

No purchase necessary. A purchase will not increase your chances of winning. McAfee Safe Connect #RT2Win Sweepstakes will be conducted from March 26, 2018 through April 17, 2018. All entries for each day of the McAfee Safe Connect #RT2Win Sweepstakes must be received during the time allotted for the McAfee Safe Connect #RT2Win Sweepstakes. Pacific Daylight Time shall control the McAfee Safe Connect #RT2Win Sweepstakes. The McAfee Safe Connect #RT2Win Sweepstakes duration is as follows.

McAfee Safe Connect #RT2Win Sweepstakes Duration:

  • Begins Monday, March 26, 2018 at 12:00pm PST
  • Ends: Tuesday, April 17, 2018 at 12:00am PST
  • Ten [10] winners will be announced: Wednesday, April 18th

For the McAfee Safe Connect #RT2Win Sweepstakes, participants must complete the following steps during the time allotted for the McAfee Safe Connect #RT2Win Sweepstakes:

  1. Find the sweepstakes tweet of the day posted on @McAfee_Home which will include the hashtags: #RT2Win, #Sweepstakes, and #McAfeeSafeConnect.
  2. Retweet the sweepstakes tweet of the day and make sure it includes the #RT2Win, #Sweepstakes, and #McAfeeSafeConnect hashtags.
  3. Note: Tweets that do not contain the #RT2Win, #Sweepstakes, and #McAfeeSafeConnect hashtags will not be considered for entry.
  4. Limit one entry per person.

Ten [10] winners will be chosen for the McAfee Safe Connect #RT2Win Sweepstakes tweet from the viable pool of entries that retweeted and included #RT2Win, #Sweepstakes, #McAfeeSafeConnect. McAfee and the McAfee social team will choose winners from all the viable entries. The winners will be announced and privately messaged on April 18, 2018 on the @McAfee_Home Twitter handle. No other method of entry will be accepted besides Twitter. Only one entry per user is allowed, per Sweepstakes.   

Eligibility: 

McAfee Safe Connect #RT2Win Sweepstakes is open to all legal residents of the 50 United States who are 18 years of age or older on the date the McAfee Safe Connect #RT2Win Sweepstakes begins and who live in a jurisdiction where this prize and the McAfee Safe Connect #RT2Win Sweepstakes are not prohibited. Employees of Sponsor and its subsidiaries, affiliates, prize suppliers, and advertising and promotional agencies, their immediate families (spouses, parents, children, and siblings and their spouses), and individuals living in the same household as such employees are ineligible.

Winner Selection:

Winners will be selected at random from all eligible retweets received during the McAfee Safe Connect #RT2Win Sweepstakes drawing entry period. Sponsor will select the names of ten [10] potential winners of the prizes in a random drawing from among all eligible submissions at the address listed below. The odds of winning depend on the number of eligible entries received. By participating, entrants agree to be bound by the Official McAfee Safe Connect #RT2Win Sweepstakes Rules and the decisions of the coordinators, which shall be final and binding in all respects.

Winner Notification: 

Each winner will be notified via direct message (“DM”) on Twitter.com by April 18th. Prize winners may be required to sign an Affidavit of Eligibility and Liability/Publicity Release (where permitted by law) to be returned within ten [10] days of written notification, or prize may be forfeited, and an alternate winner selected. If a prize notification is returned as unclaimed or undeliverable to a potential winner, if potential winner cannot be reached within twenty-four [24] hours from the first DM notification attempt, or if potential winner fails to return requisite document within the specified time period, or if a potential winner is not in compliance with these Official Rules, then such person shall be disqualified and, at Sponsor’s sole discretion, an alternate winner may be selected for the prize at issue based on the winner selection process described above.

Prizes: 

The prize for the McAfee Safe Connect #RT2Win Sweepstakes is a one-year free subscription to McAfee Safe Connect. Entrants agree that Sponsor has the sole right to determine the winners of the McAfee Safe Connect #RT2Win Sweepstakes and all matters or disputes arising from the McAfee Safe Connect #RT2Win Sweepstakes and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor. Sponsor will not replace any lost or stolen prizes. Sponsor is not responsible for delays in prize delivery beyond its control. All other expenses and items not specifically mentioned in these Official Rules are not included and are the prize winners’ sole responsibility.

General Conditions: 

Entrants agree that by entering they agree to be bound by these rules. All federal, state and local taxes, fees, and surcharges on prize packages are the sole responsibility of the prizewinner. Sponsor is not responsible for incorrect or inaccurate entry information, whether caused by any of the equipment or programming associated with or utilized in the McAfee Safe Connect #RT2Win Sweepstakes, or by any technical or human error, which may occur in the processing of the McAfee Safe Connect #RT2Win Sweepstakes entries. By entering, participants release and hold harmless Sponsor and its respective parents, subsidiaries, affiliates, directors, officers, employees, attorneys, agents, and representatives from any and all liability for any injuries, loss, claim, action, demand, or damage of any kind arising from or in connection with the McAfee Safe Connect #RT2Win Sweepstakes, any prize won, any misuse or malfunction of any prize awarded, participation in any McAfee Safe Connect #RT2Win Sweepstakes-related activity, or participation in the McAfee Safe Connect #RT2Win Sweepstakes. Except for applicable manufacturer’s standard warranties, the prizes are awarded “AS IS” and WITHOUT WARRANTY OF ANY KIND, express or implied (including any implied warranty of merchantability or fitness for a particular purpose).

Limitations of Liability; Releases:

By entering the Sweepstakes, you release Sponsor and all Released Parties from any liability whatsoever, and waive any and all causes of action, related to any claims, costs, injuries, losses, or damages of any kind arising out of or in connection with the Sweepstakes or delivery, misdelivery, acceptance, possession, use of or inability to use any prize (including claims, costs, injuries, losses and damages related to rights of publicity or privacy, defamation or portrayal in a false light, whether intentional or unintentional), whether under a theory of contract, tort (including negligence), warranty or other theory.

To the fullest extent permitted by applicable law, in no event will the sponsor or the released parties be liable for any special, indirect, incidental, or consequential damages, including loss of use, loss of profits or loss of data, whether in an action in contract, tort (including, negligence) or otherwise, arising out of or in any way connected to your participation in the sweepstakes or use or inability to use any equipment provided for use in the sweepstakes or any prize, even if a released party has been advised of the possibility of such damages.

  1. To the fullest extent permitted by applicable law, in no event will the aggregate liability of the released parties (jointly) arising out of or relating to your participation in the sweepstakes or use of or inability to use any equipment provided for use in the sweepstakes or any prize exceed $10. The limitations set forth in this section will not exclude or limit liability for personal injury or property damage caused by products rented from the sponsor, or for the released parties’ gross negligence, intentional misconduct, or for fraud.
  2. Use of Winner’s Name, Likeness, etc.: Except where prohibited by law, entry into the Sweepstakes constitutes permission to use your name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation (including in a public-facing winner list).  As a condition of being awarded any prize, except where prohibited by law, winner may be required to execute a consent to the use of their name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation. By entering this Sweepstakes, you consent to being contacted by Sponsor for any purpose in connection with this Sweepstakes.

Prize Forfeiture:

If a winner cannot be notified, does not respond to notification, does not meet eligibility requirements, or otherwise does not comply with these McAfee Safe Connect #RT2Win Sweepstakes prize rules, then the winner will forfeit the prize and an alternate winner will be selected from the remaining eligible entry forms for each McAfee Safe Connect #RT2Win Sweepstakes.

Dispute Resolution:

Entrants agree that Sponsor has the sole right to determine the winners of the McAfee Safe Connect #RT2Win Sweepstakes and all matters or disputes arising from the McAfee Safe Connect #RT2Win Sweepstakes and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor.

Governing Law & Disputes:

Each entrant agrees that any disputes, claims, and causes of action arising out of or connected with these sweepstakes or any prize awarded will be resolved individually, without resort to any form of class action and these rules will be construed in accordance with the laws, jurisdiction, and venue of Delaware.

Privacy Policy: 

Personal information obtained in connection with this McAfee Safe Connect #RT2Win Sweepstakes will be handled in accordance with the policy set forth at http://www.mcafee.com/us/about/privacy.html.

  1. Winner List; Rules Request: For a copy of the winner list, send a stamped, self-addressed, business-size envelope for arrival after March 26th 2018 and before April 17th 2018 to the address listed below, Attn: #RT2Win at CES Sweepstakes. To obtain a copy of these Official Rules, visit this link or send a stamped, self-addressed business-size envelope to the address listed below, Attn: Sarah Grayson. VT residents may omit return postage.
  2. Intellectual Property Notice: McAfee and the McAfee logo are registered trademarks of McAfee, LLC. The Sweepstakes and all accompanying materials are copyright © 2018 by McAfee, LLC.  All rights reserved.
  3. Sponsor: McAfee, LLC, Corporate Headquarters 2821 Mission College Blvd. Santa Clara, CA 95054 USA

The post McAfee Safe Connect RT2Win Sweepstakes Terms and Conditions appeared first on McAfee Blogs.

RottenSys Malware Reminds Users to Think Twice Before Buying a Bargain Phone

China is a region that has been targeted with mobile malware for over a decade, and malware authors there are continually trying different tactics to lure victims. One of the most innovative tactics we have come across in the past several years is getting victims to buy discounted devices from sellers who have compromised the smartphone. Now one of these campaigns, Android.MobilePay (dubbed RottenSys), is making headlines, though McAfee has been aware of it for over two years. The tactic used by the author(s) and distributors is straightforward: they install fake apps on a device that pretend to provide a critical function but often never get used.

RottenSys is stealthy. It doesn’t provide any secure Wi-Fi related service; rather, it is an advanced strain of malware that grabs almost all sensitive Android permissions to enable its malicious activities. To avoid detection, RottenSys doesn’t ship with an initial malicious component or immediately initiate malicious activity. Instead, it is designed to contact its command-and-control servers to obtain the actual malicious code, which it then installs and executes on the device.

Because it installs new malicious components fetched from its C&C server, RottenSys can be used to weaponize or take full control of millions of infected devices. In fact, the hackers behind RottenSys already seem to have started turning infected devices into a massive botnet.

This attack acts as an indication of change, as over the past two years the mechanism of fraud has adapted. In the past, scams such as this typically have used premium SMS scams to generate revenue, which reach out to a premium number and make small charges that go unnoticed over the course of an extensive period. As described in detail in our Mobile Threat Report: March 2018, we have seen traditional attack vectors, such as premium text messages and toll fraud replaced by botnet ad fraud, pay-per-download distribution scams, and crypto mining malware that can generate millions in revenue.

Long story short: it’s still important to take precautionary steps to avoid future infection by this type of malware scheme. The good news is that you can easily check whether your device is infected with RottenSys. Go to Android system settings → App Manager, and then look for the following possible malware package names:

  • android.yellowcalendarz
  • changmi.launcher
  • android.services.securewifi
  • system.service.zdsgt
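
As an added example (not McAfee’s tooling), the same check can be run from a workstation against `adb shell pm list packages -f` output, which also reveals whether a matching package sits on the system partition and is therefore pre-installed rather than user-installed; the adb output below is constructed.

```python
"""Flag the RottenSys package names listed in the post in `pm list packages -f`
output. Added example, not McAfee's code; SAMPLE_PM_OUTPUT is constructed."""
import subprocess
from typing import Dict, List, Optional

# Package names the post lists as possible RottenSys components (no vendor prefix).
ROTTENSYS_PACKAGES = (
    "android.yellowcalendarz",
    "changmi.launcher",
    "android.services.securewifi",
    "system.service.zdsgt",
)

# Partitions whose APKs are pre-installed and cannot be removed by a plain uninstall.
SYSTEM_PARTITIONS = ("/system/", "/vendor/", "/oem/", "/product/")


def parse_pm_list(output: str) -> Dict[str, Optional[str]]:
    """Map package name -> APK path (None when `-f` was not used).
    Lines look like `package:com.example.app` or
    `package:/system/app/X/X.apk=com.example.app`; anything else is ignored."""
    pkgs: Dict[str, Optional[str]] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue  # adb warnings and other noise
        body = line[len("package:"):]
        if "=" in body:
            path, name = body.rsplit("=", 1)
            pkgs[name] = path
        else:
            pkgs[body] = None
    return pkgs


def find_rottensys(pkgs: Dict[str, Optional[str]]) -> List[dict]:
    """Match each listed name as a whole run of dotted components anywhere in the
    installed package name, so `com.android.yellowcalendarz` matches
    `android.yellowcalendarz` but `android.yellowcalendarz2` does not."""
    hits = []
    for name, path in sorted(pkgs.items()):
        padded = "." + name + "."
        for needle in ROTTENSYS_PACKAGES:
            if "." + needle + "." in padded:
                hits.append({
                    "package": name,
                    "matched": needle,
                    "path": path,
                    "preinstalled": bool(path and path.startswith(SYSTEM_PARTITIONS)),
                })
                break
    return hits


def check_device(serial: Optional[str] = None) -> List[dict]:
    """Run the check against a connected device (USB debugging must be enabled)."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", "pm", "list", "packages", "-f"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return find_rottensys(parse_pm_list(out))


# Constructed sample output: two benign packages, one listed name on the system
# partition (pre-installed) and one in user space.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/com.example.weather-1/base.apk=com.example.weather
package:/system/app/SecureWifi/SecureWifi.apk=com.android.services.securewifi
package:/data/app/com.changmi.launcher-2/base.apk=com.changmi.launcher
"""

if __name__ == "__main__":
    for hit in find_rottensys(parse_pm_list(SAMPLE_PM_OUTPUT)):
        where = "pre-installed (system partition)" if hit["preinstalled"] else "user-installed"
        print(f'{hit["package"]}  matched {hit["matched"]}  {where}')
```

A pre-installed hit is the case the post warns about: it survives a normal uninstall, which is why the advice below is to return the device or factory-reset and re-scan.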

Beyond that, you can protect your device by following these tips:

  • Buy with security in mind. When looking to purchase your next mobile device, make sure to do a factory reset as soon as you turn it on for the first time.
  • Delete any unnecessary apps. Most mobile providers allow users to delete pre-installed apps. So, if there’s a pre-installed app you don’t use, or seems unknown to you, go ahead and remove it from your device entirely.
  • Always scan your device, even if it’s new. One of the first applications you should load onto a new device is an anti-malware scanner, like McAfee Mobile Security. It can detect and alert users to malicious behavior on their devices. In this case, if a malware variant is detected, new users can see if they can return their infected devices in exchange for a clean one.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post RottenSys Malware Reminds Users to Think Twice Before Buying a Bargain Phone appeared first on McAfee Blogs.

JS-Binding-Over-HTTP Vulnerability and JavaScript Sidedoor: Security Risks Affecting Billions of Android App Downloads

Third-party libraries, especially ad libraries, are widely used in Android apps. Unfortunately, many of them have security and privacy issues. In this blog, we summarize our findings related to the insecure usage of JavaScript binding in ad libraries.

First, we describe a widespread security issue with using JavaScript binding (addJavascriptInterface) and loading WebView content over HTTP, which allows a network attacker to take control of the application by hijacking the HTTP traffic. We call this the JavaScript-Binding-Over-HTTP (JS-Binding-Over-HTTP) vulnerability. Our analysis shows that, currently, at least 47 percent of the top 40 ad libraries have this vulnerability in at least one of their versions that are in active use by popular apps on Google Play.

Second, we describe a new security issue with the JavaScript binding annotation, which we call JavaScript Sidedoor. Starting with Android 4.2, Google introduced the @JavascriptInterface annotation to explicitly designate and limit which public methods in Java objects are accessible from JavaScript. If an ad library uses the @JavascriptInterface annotation to expose security-sensitive interfaces, and uses HTTP to load content in the WebView, then an attacker over the network could inject malicious content into the WebView to misuse the interfaces exposed through the JS binding annotation. We call these exposed JS binding annotation interfaces JS sidedoors.

Our analysis shows that these security issues are widespread and have affected popular apps on Google Play that account for literally billions of app downloads. The parties we notified about these issues have been actively addressing them.

Security Issues with JavaScript Binding over HTTP

Android uses the JavaScript binding method addJavascriptInterface to enable JavaScript code running inside a WebView to access the app’s Java methods. However, it is widely known that this feature, if not used carefully, presents a potential security risk when running on Android 4.1 or below. As noted by Google: “Use of this method in a WebView containing untrusted content could allow an attacker to manipulate the host application in unintended ways, executing Java code with the permissions of the host application.” [1]

In particular, if an app running on Android 4.1 or below uses the JavaScript binding method addJavascriptInterface and loads the content in the WebView over HTTP, then an attacker over the network could hijack the HTTP traffic, e.g., through Wi-Fi or DNS hijacking, to inject malicious content into the WebView – and thus take control over the host application. We call this the JavaScript-Binding-Over-HTTP (JS-Binding-Over-HTTP) vulnerability. If an app containing such a vulnerability has sensitive Android permissions such as access to the camera, then a remote attacker could exploit this vulnerability to perform sensitive tasks such as taking photos or recording video, in this case over the Internet, without the user’s consent.

We have analyzed the top 40 third-party ad libraries (not including Google Ads) used by Android apps. Among the apps with over 100,000 downloads each on Google Play, over 42 percent of the free apps currently contain at least one of these top ad libraries. The total download count of such apps now exceeds 12.4 billion. From our analysis, at least 47 percent of these top 40 ad libraries have at least one version of their code in active use by popular apps on Google Play, and contain the JS-Binding-Over-HTTP vulnerability. As an example, InMobi versions 2.5.0 and above use the JavaScript binding method addJavascriptInterface and load content in the WebView using HTTP.

Security Issues with JavaScript Binding Annotation

Starting with Android 4.2, Google introduced the @JavascriptInterface annotation to explicitly designate and limit which public Java methods in the app are accessible from JavaScript running inside a WebView. However, note that the @JavascriptInterface annotation does not provide any protection for devices running Android 4.1 or below, which still account for more than 80 percent of Android devices worldwide.

We discovered a new class of security issues, which we call JavaScript Sidedoor (JS sidedoor), in ad libraries. If an ad library uses the @JavascriptInterface annotation to expose security-sensitive interfaces, and uses HTTP to load content in the WebView, then it is vulnerable to attacks where an attacker over the network (e.g., via Wi-Fi or DNS hijacking) could inject malicious content into the WebView to misuse the interfaces exposed through the JS binding annotation. We call these exposed JS binding annotation interfaces JS sidedoors.

For example, starting with version 3.6.2, InMobi added the @JavascriptInterface JS binding annotation. The list of exposed methods through the JS binding annotation in InMobi includes:

  • createCalendarEvent (version 3.7.0 and above)
  • makeCall (version 3.6.2 and above)
  • postToSocial (version 3.7.0 and above)
  • sendMail (version 3.6.2 and above)
  • sendSMS (version 3.6.2 and above)
  • takeCameraPicture (version 3.7.0 and above)
  • getGalleryImage (version 3.7.0 and above)
  • registerMicListener (version 3.7.0 and above)

InMobi also provides JavaScript wrappers to these methods in the JavaScript code served from their ad servers, as shown in Appendix A.

InMobi also loads content in the WebView using HTTP. If an app has the Android permission CALL_PHONE, and is using InMobi versions 3.6.2 to 4.0.2, an attacker over the network (for example, using Wi-Fi or DNS hijacking) could abuse the makeCall annotation in the app to make phone calls on the device without a user’s consent – including to premium numbers.

In addition, without requiring special Android permissions in the host app, attackers over the network, via HTTP or DNS hijacking, could also misuse the aforementioned exposed methods to mislead the user into posting to the user’s social network from the device (postToSocial in version 3.7.0 and above), sending email to any designated recipient with a pre-crafted title and email body (sendMail in version 3.6.2 and above), sending SMS to premium numbers (sendSMS in version 3.6.2 and above), creating calendar events on the device (createCalendarEvent in version 3.7.0 and above), and taking pictures and accessing the photo gallery on the device (takeCameraPicture and getGalleryImage in version 3.7.0 and above). To complete these actions, the user would need to click certain consent buttons. However, as is generally known, users are quite vulnerable to social engineering attacks through which attackers could trick them into giving consent.
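
The two conditions described above (any addJavascriptInterface binding combined with WebView content loaded over plain HTTP, and @JavascriptInterface-exposed sensitive methods combined with plain-HTTP content) can be checked with a static pass over a library’s decompiled Java source. The scanner below is an added example, not FireEye’s or InMobi’s code; the sample source files, class names and URL are constructed, the sensitive method list is the one given above, and the targetSdkVersion check reflects that Android enforces the annotation only when the app targets API level 17 or higher.

```python
"""Static check for JS-Binding-Over-HTTP and JS sidedoors in a library's
decompiled Java source. Added example (not FireEye's or InMobi's code); the
sample library sources below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Bridge methods the post lists as exposed through InMobi's JS binding annotation.
SENSITIVE_BRIDGE_METHODS = {
    "createCalendarEvent", "makeCall", "postToSocial", "sendMail",
    "sendSMS", "takeCameraPicture", "getGalleryImage", "registerMicListener",
}

BIND_CALL = re.compile(r"\baddJavascriptInterface\s*\(")
# WebView load call whose first argument is a plain-HTTP string literal.
# (A URL held in a variable is not resolved here; review those by hand.)
HTTP_LOAD = re.compile(r"\b(?:loadUrl|postUrl|loadDataWithBaseURL)\s*\(\s*\"http://")
# Name of the method declared right after a @JavascriptInterface annotation.
ANNOTATED_METHOD = re.compile(r"@JavascriptInterface[^(]*?\b(\w+)\s*\(")
TARGET_SDK = re.compile(r"targetSdkVersion\s*=\s*\"(\d+)\"")


@dataclass
class Report:
    issues: List[str] = field(default_factory=list)     # labels from the post
    annotated: List[str] = field(default_factory=list)  # all @JavascriptInterface methods
    sensitive: List[str] = field(default_factory=list)  # those in SENSITIVE_BRIDGE_METHODS
    notes: List[str] = field(default_factory=list)


def scan_library(files: Dict[str, str]) -> Report:
    """Aggregate over all files: the bridge object, the load call and the
    manifest usually live in different files of one library."""
    rep = Report()
    binds = http = False
    annotated = set()
    target_sdk: Optional[int] = None
    for name, src in files.items():
        if name.endswith(".java"):
            binds = binds or bool(BIND_CALL.search(src))
            http = http or bool(HTTP_LOAD.search(src))
            annotated.update(ANNOTATED_METHOD.findall(src))
        elif name.endswith("AndroidManifest.xml"):
            m = TARGET_SDK.search(src)
            if m:
                target_sdk = int(m.group(1))
    rep.annotated = sorted(annotated)
    rep.sensitive = sorted(annotated & SENSITIVE_BRIDGE_METHODS)
    # JS-Binding-Over-HTTP: any JS binding plus content fetched over HTTP.
    if binds and http:
        rep.issues.append("JS-Binding-Over-HTTP")
    # JS sidedoor: sensitive annotated methods reachable from HTTP-loaded content.
    if rep.sensitive and http:
        rep.issues.append("JS-Sidedoor")
    # Below targetSdkVersion 17 the annotation is not enforced even on Android 4.2+,
    # so every public method of the bound object is reachable from JavaScript.
    if binds and target_sdk is not None and target_sdk < 17:
        rep.notes.append(f"targetSdkVersion={target_sdk}: @JavascriptInterface not enforced")
    if annotated and not rep.sensitive:
        rep.notes.append("annotated methods not in the known list; review manually")
    return rep


# Constructed sample: a library that binds a bridge object and loads ads over HTTP.
VULNERABLE_LIBRARY = {
    "AdWebView.java": """
public class AdWebView extends WebView {
    void init(Context ctx) {
        getSettings().setJavaScriptEnabled(true);
        addJavascriptInterface(new UtilityController(ctx), "utilityController");
        loadUrl("http://ads.example.invalid/mraid.html");  // constructed URL
    }
}
""",
    "UtilityController.java": """
public class UtilityController {
    @JavascriptInterface
    public void makeCall(String number) { dial(number); }
    @JavascriptInterface
    public void sendSMS(String number, String body) { sms(number, body); }
    public void internalHelper() { }
}
""",
    "AndroidManifest.xml": '<uses-sdk android:minSdkVersion="8" android:targetSdkVersion="16" />',
}

# Same library after the fix the post recommends: content loaded over HTTPS and
# targetSdkVersion raised so the annotation actually limits what JS can reach.
HARDENED_LIBRARY = dict(VULNERABLE_LIBRARY)
HARDENED_LIBRARY["AdWebView.java"] = VULNERABLE_LIBRARY["AdWebView.java"].replace("http://", "https://")
HARDENED_LIBRARY["AndroidManifest.xml"] = '<uses-sdk android:minSdkVersion="8" android:targetSdkVersion="17" />'

if __name__ == "__main__":
    for label, lib in (("vulnerable", VULNERABLE_LIBRARY), ("hardened", HARDENED_LIBRARY)):
        print(label, scan_library(lib))
```

HTTPS removes the network-injection vector the post describes, but the hardened library still exposes makeCall and sendSMS to whatever the ad server sends, which is why the report keeps listing them.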

We have identified more than 3,000 apps on Google Play that contain versions 2.5.0 to 4.0.2 of InMobi – and which have over 100,000 downloads each as of December, 2013. Currently, the total download count for these affected apps is greater than 3.7 billion.

We have informed both Google and InMobi of our findings, and they have been actively working to address them.

New InMobi Update after FireEye Notification

After we notified the InMobi vendor about these security issues, they promptly released new SDK versions 4.0.3 and 4.0.4. The 4.0.3 SDK, marked as “Internal release”, was superseded by 4.0.4 after one day. The 4.0.4 SDK made the following changes:

  1. Changed its method exposed through annotation for making phone calls (makeCall) to require user’s consent.
  2. Added a new storePicture interface to download and save specified files from the Internet to the user’s Downloads folder. Despite the name, it can be used for any file, not just images.

Compared with InMobi’s earlier versions, we consider change No. 1 an improvement that addresses the aforementioned issue of an attacker making phone calls without a user’s consent. We are glad to see that InMobi made this change after our notification.

InMobi recently released a new SDK version 4.1.0. Compared with SDK version 4.0.4, we haven't seen any changes to JS Binding usage from a security perspective in this new SDK version 4.1.0.

Moving Forward: Improving Security for JS Binding in Third-party Libraries

In summary, the insecure usage of JS Binding and JS Binding annotations in third-party libraries exposes many apps that contain these libraries to security risks.

App developers and third-party library vendors often focus on new features and rich functionalities. However, this needs to be balanced with a consideration for security and privacy risks. We propose the following to the mobile application development and library vendor community:

  1. Third-party library vendors need to explicitly disclose security-sensitive features in their privacy policies and/or their app developer SDK guides.
  2. Third-party library vendors need to educate the app developers with information, knowledge, and best practices regarding security and privacy when leveraging their SDK.
  3. App developers need to use caution when leveraging third-party libraries, apply best practices on security and privacy, and in particular, avoid misusing vulnerable APIs or packages.
  4. When third-party libraries use JS Binding, we recommend using HTTPS for loading content.
  5. Since customers may have different requirements regarding security and privacy, apps with JS-Binding-Over-HTTP vulnerabilities and JS sidedoors can introduce risks to security-sensitive environments such as enterprise networks. FireEye Mobile Threat Prevention provides protection to our customers from these kinds of security threats.

Acknowledgement

We thank our team members Adrian Mettler and Zheng Bu for their help in writing this blog.

Appendix A: JavaScript Code Snippets Served from InMobi Ad Servers

    // `a` is the MRAID object handed to the ad creative; `utilityController` is the
    // Java object bound into the WebView with addJavascriptInterface. Each wrapper
    // below passes JavaScript-supplied arguments straight to the annotated Java method.
    a.takeCameraPicture = function () {
        utilityController.takeCameraPicture()
    };

    a.getGalleryImage = function () {
        utilityController.getGalleryImage()
    };

    a.makeCall = function (f) {
        try {
            utilityController.makeCall(f)
        } catch (d) {
            a.showAlert("makeCall: " + d)
        }
    };

    a.sendMail = function (f, d, b) {
        try {
            utilityController.sendMail(f, d, b)
        } catch (c) {
            a.showAlert("sendMail: " + c)
        }
    };

    a.sendSMS = function (f, d) {
        try {
            utilityController.sendSMS(f, d)
        } catch (b) {
            a.showAlert("sendSMS: " + b)
        }
    };

    // Note: the minified code reuses the name `a` for the first parameter here,
    // shadowing the outer MRAID object inside this function.
    a.postToSocial = function (a, c, b, e) {
        a = parseInt(a);
        isNaN(a) && window.mraid.broadcastEvent("error", "socialType must be an integer", "postToSocial");
        "string" != typeof c && (c = "");
        "string" != typeof b && (b = "");
        "string" != typeof e && (e = "");
        utilityController.postToSocial(a, c, b, e)
    };

    a.createCalendarEvent = function (a) {
        "object" != typeof a && window.mraid.broadcastEvent("error",
            "createCalendarEvent method expects parameter", "createCalendarEvent");
        "string" != typeof a.start || "string" != typeof a.end ?
            window.mraid.broadcastEvent("error",
                "createCalendarEvent method expects string parameters for start and end dates",
                "createCalendarEvent") :
            ("string" != typeof a.location && (a.location = ""),
             "string" != typeof a.description && (a.description = ""),
             utilityController.createCalendarEvent(a.start, a.end, a.location, a.description))
    };

    a.registerMicListener = function () {
        utilityController.registerMicListener()
    };

Monitoring Vulnaggressive Apps on Google Play

Vulnaggressive Characteristics in Mobile Apps and Libraries

FireEye mobile security researchers have discovered a rapidly-growing class of mobile threats represented by popular ad libraries affecting apps with billions of downloads. These ad libraries are aggressive at collecting sensitive data and able to perform dangerous operations such as downloading and running new code on demand. They are also plagued with various classes of vulnerabilities that enable attackers to turn their aggressive behaviors against users. We coined the term “vulnaggressive” to describe this class of vulnerable and aggressive characteristics. We have published some of our findings in our two recent blogs about these threats: “Ad Vulna: A Vulnaggressive (Vulnerable & Aggressive) Adware Threatening Millions” and “Update: Ad Vulna Continues”.

As we reported in our earlier blog “Update: Ad Vulna Continues”, we have observed that some vulnaggressive apps have been removed from Google Play, and some app developers have upgraded their apps to a more secure version, either by removing the vulnaggressive libraries entirely or by upgrading the relevant libraries to a more secure version which addresses the security issues. However, many app developers are still not aware of these security issues and have not taken such needed steps. We need to make a community effort to help app developers and library vendors become more aware of these security issues and address them in a timely fashion.

To aid this community effort, we present data to illustrate the changes over time as vulnaggressive apps are upgraded to a more secure version or removed from Google Play after our notification. We summarize our observations below, although we do not have specific information about the reasons that caused the changes we are reporting.

We currently only show the chart for one such vulnaggressive library, AppLovin (previously referred to by us as Ad Vulna for anonymity). We will add the charts for other vulnaggressive libraries as we complete our notification/disclosure process and the corresponding libraries make available new versions that fix the issues.

The Chart of Apps Affected by AppLovin

AppLovin (Vulna)’s vulnerable versions include 3.x, 4.x and 5.0.x. AppLovin 5.1 fixed most of the reported security issues. We urge app developers to upgrade AppLovin to the latest version and ask their users to update their apps as soon as the newer versions are available.

The figure below illustrates the change over time of the status of vulnerable apps affected by AppLovin on Google Play. In particular, we collect and depict the statistics of apps that we have observed on Google Play with at least 100k downloads and with at least one version containing the vulnerable versions of AppLovin starting September 20. Over time, a vulnerable app may be removed by Google Play (which we call “removed apps”, represented in gray), have a new version available on Google Play that addresses the security issues either by removing AppLovin entirely or by upgrading the embedded AppLovin to 5.1 or above (which we call “upgradable apps”, represented in green), or remain vulnerable (which we call “vulnerable apps”, represented in red), as shown in the legend in the chart.

Please note that we started collecting the data of app removal from Google Play on October 20, 2013. Thus, any relevant app removal between September 20 and October 20 will be counted and shown on October 20. Also, for each app included in the chart, Google Play shows a range of its number of downloads, e.g., between 1M and 5M. We use the lower end of the range in our download count so the statistics we show are conservative estimates.

[Figure: status over time of apps affected by AppLovin on Google Play (removed apps in gray, upgradable apps in green, vulnerable apps in red)]

We are glad to see that over time, many vulnerable apps have been either removed from Google Play or have more secure versions available on Google Play. However, apps with hundreds of millions of downloads in total still remain vulnerable. In addition, note that while removing vulnaggressive apps from Google Play prevents more people from being affected, the millions of devices that already downloaded them remain vulnerable since the apps are not automatically removed from the devices. Furthermore, because many users do not update their downloaded apps often and older versions of Android do not auto-update apps, even after the new, more secure version of a vulnerable app is available on Google Play, millions of users of these apps will remain vulnerable until they update to the new versions of these apps on their devices. FireEye recently announced FireEye Mobile Threat Prevention. It is uniquely capable of protecting its customers from such threats.