Category Archives: Mobile

Expert disclosed a new passcode bypass to access photos and contacts on a locked iPhone

iOS passionate Jose Rodriguez disclosed a new passcode bypass bug that could be to access photos and contacts on a locked iPhone XS.

The security passionate Jose Rodriguez has discovered a new passcode bypass bug that could be exploited on the recently released iOS 12.0.1.

A few weeks ago, Rodriguez discovered a passcode bypass vulnerability in Apple’s new iOS version 12 that could have been exploited to access photos, contacts on a locked iPhone XS.

Now the expert discovered a similar flaw that is very easy to execute by a physical attacker to access photo album of a locked device. The bug allows the attacker to select photos and send them to anyone using Apple Messages.

The new passcode bypass attack works on all current iPhone models, including iPhone X and XS devices, running the latest version of iOS 12 to 12.0.1 version.

The new hack devised by Rodriguez leverage Siri assistant and VoiceOver screen reader to bypass the passcode.

Below the step-by-step procedure for the passcode bypass discovered by Rodriguez:

  1. Call the target phone from any other phone.
  2. Instead of answering the call, click on “Message” in the call window.
  3. Select “Custom” to reply via text message. That will open the Messages input screen.
  4. Invoke Siri to activate VoiceOver, the iOS feature that helps sight-impaired users use an iPhone.
  5. Click on the camera icon.
  6. Invoke Siri with the iPhone’s home button while you double-tap the display. The screen will turn black. This is where the bug kicks in and iOS gets confused.
  7. From here, click on the home button again while the screen remains black.
  8. Swipe up to the upper left corner while the screen remains black. VoiceOver will tell you what you have selected.
  9. Keep swiping to the top left corner until VoiceOver tells you that you can select the Photo Library (“Fototeca” in Rodriguez’ video).
  10. Tap to select Photo Library.
  11. After selecting the Photo Library, iOS will take you back to the message screen, but you’ll see a blank space where the keyboard should be. The blank space is actually an invisible Photo Library.
  12. Click on the shelf handle on top of the blank space to activate the Photo Library.
  13. Now you only have to swipe and double tap to start grabbing photos. Each photo will be pasted in your input field, ready to be sent to any number.
Waiting for a patch it is possible to mitigate the issue by disabling Siri from the lockscreen (Go to the Settings → Face ID & Passcode (Touch ID & Passcode on iPhones with Touch ID) and Disable Siri toggle under “Allow access when locked).

Pierluigi Paganini

(Security Affairs – passcode bypass, hacking)

The post Expert disclosed a new passcode bypass to access photos and contacts on a locked iPhone appeared first on Security Affairs.

Stolen Apple IDs reportedly used for mobile payment theft in China

Users of two major mobile payment services in China -- Alipay and WeChat Pay -- have reported unauthorized Apple App Store spending in recent days, with some losing nearly $300 through fraudulent transactions. The companies say that stolen Apple IDs are to blame, the Wall Street Journal reports, and Alipay has asked Apple to investigate. In the meantime, Alipay is telling its customers to minimize potential losses by reducing how much money can be used from their accounts without a password.

Via: 9to5Mac

Security Affairs: Hackers can compromise your WhatsApp account by tricking you into answering a video call

Hackers can compromise your WhatsApp account by tricking you into answering a video call, the company fixed the flaw in September.

WhatsApp has addressed a vulnerability in the mobile applications that could have been exploited by attackers to crash victims instant messaging app simply by placing a call.

The vulnerability is a memory heap overflow issue that was discovered by Google Project Zero white hat hacker Natalie Silvanovich in August.

Whatsapp has fixed the flaw on September 28 and Silvanovich published the technical details of the vulnerability.

The news of the flaw was also shared by popular Google researcher and bug hunter Tavis Ormandy.

The exploitation of the flaw was very trivial, a malformed RTP (Real-time Transport Protocol) packet sent to a user, a call request, could have been used to trigger the memory heap overflow and cause the crash of the application.

“This issue can occur when a WhatsApp user accepts a call from a malicious peer. It affects both the Android and iPhone clients.” reads the report published by Silvanovich.

WhatsApp

An attacker could completely hijack a target’s WhatsApp account and spy on its conversations by simply video calling it.

Silvanovich published the proof-of-concept in the security advisory.

Latest versions of both popular instant messaging app for both Android and iOS include the fix for this vulnerability.

Pierluigi Paganini

(Security Affairs – instant messaging, hacking)

The post Hackers can compromise your WhatsApp account by tricking you into answering a video call appeared first on Security Affairs.



Security Affairs

Hackers can compromise your WhatsApp account by tricking you into answering a video call

Hackers can compromise your WhatsApp account by tricking you into answering a video call, the company fixed the flaw in September.

WhatsApp has addressed a vulnerability in the mobile applications that could have been exploited by attackers to crash victims instant messaging app simply by placing a call.

The vulnerability is a memory heap overflow issue that was discovered by Google Project Zero white hat hacker Natalie Silvanovich in August.

Whatsapp has fixed the flaw on September 28 and Silvanovich published the technical details of the vulnerability.

The news of the flaw was also shared by popular Google researcher and bug hunter Tavis Ormandy.

The exploitation of the flaw was very trivial, a malformed RTP (Real-time Transport Protocol) packet sent to a user, a call request, could have been used to trigger the memory heap overflow and cause the crash of the application.

“This issue can occur when a WhatsApp user accepts a call from a malicious peer. It affects both the Android and iPhone clients.” reads the report published by Silvanovich.

WhatsApp

An attacker could completely hijack a target’s WhatsApp account and spy on its conversations by simply video calling it.

Silvanovich published the proof-of-concept in the security advisory.

Latest versions of both popular instant messaging app for both Android and iOS include the fix for this vulnerability.

Pierluigi Paganini

(Security Affairs – instant messaging, hacking)

The post Hackers can compromise your WhatsApp account by tricking you into answering a video call appeared first on Security Affairs.

The Wild West of Data Risk Management in the Age of Cloud, Mobile and Digital Transformation

As enterprises undergo digital transformation and explore new opportunities offered by cloud technology, many lose sight of the digital risks they’ve encountered along the way. Like the pioneers who headed into the Wild West more than a century ago, companies today face a range of unseen dangers as they move unwittingly into potentially hostile territory. From developers and engineers collaborating via cloud-based, consumer-focused data sharing platforms to independent contractors retaining access credentials long after their projects are completed, the risks to critical data are expanding along with the attack surface.

Whether it’s digital transformation, cloud computing, extended supply chains or outsourcing, it’s imperative for organizations to establish a formal data risk management program that’s more than just a governance, risk and compliance program designed to check the boxes for auditors. Data risk management programs put mission-critical data — an organization’s crown jewels — at the center of the effort. Ensuring the confidentiality, integrity and availability of that data, no matter where it lives or who touches it, is the top priority.

Round Up the Posse: The Importance of Multiple Stakeholders

To be successful, a data risk management program requires the involvement of multiple stakeholders, including data owners; line-of-business managers; IT and security professionals; legal, HR and finance departments; and multiple members of the C-suite, all the way up to the CEO. All these parties have a hand in identifying the enterprise’s crown jewels, where they are located, who handles or processes them and where they flow not only within the organization, but outside of it as well.

An effective program also requires input from security professionals who can understand how the inherent risks of ownership, privilege rights, locality, sensitivity and complexities associated with third-party application integrations can be used as backdoors into mission-critical data or cause serious business disruption.

Other common challenges organizations encounter when developing a data risk management program include:

  • Manual process bottlenecks that greatly impact the organization’s ability to scale;
  • Siloed IT systems, each with their own data store, that lack sufficient controls and make it difficult to prioritize risk, thereby creating the potential for exposure;
  • Friction between IT operations and security teams due to the lack of a common language and differing priorities, which makes it hard for them to work in concert to prioritize risks and take immediate remediation actions in the event of a serious breach; and
  • The ability to distinguish between pedestrian events and those that could disrupt business operations, such as the theft and disclosure of sensitive intellectual property (IP).

Take the Reins: Developing Measurements That Actually Mean Something

Successful data risk management programs require security professionals to develop key performance indicators (KPIs) or risk measurements that actually mean something to business executives. Tactical metrics and reporting from tools designed to serve the needs of security analysts do not translate well into the language of business risk. However, by ingesting useful data from a range of security tools that can then be combined with other strategic operational metrics and contextual information, it’s possible to present such data to business executives in a way that allows them to better grasp where existing security controls are adequate and where additional resources are needed.

Such tools include security information and event management (SIEM), data loss prevention (DLP), application security, security response management, vulnerability assessment, and data monitoring systems. A dashboard that takes all that highly technical data and boils it down to sensible risk measurements can benefit multiple stakeholders within an organization as they work to mature their data risk management practices. A data risk manager with a business-centric approach can reduce the time it takes to investigate and remediate threats, and potentially avoid or minimize damages and cost.

Circle the Wagons: It’s Time for a Focused Data Risk Management Program

As enterprises embrace digitization, cloud and IT automation, most are still in the pioneering stages — if they’ve begun at all — of developing a data risk management program. With a vastly expanded threat surface, highly sophisticated and well-funded threat actors seemingly immune to law enforcement, and increasingly complex and porous organizational structures, it’s time to circle the wagons around mission-critical data assets. There’s no better time to create a programmatic approach by automating and orchestrating data risk management.

 

The post The Wild West of Data Risk Management in the Age of Cloud, Mobile and Digital Transformation appeared first on Security Intelligence.

Visibility and Control: A One-Two Punch for Securing iOS Devices in the Enterprise

When the iPhone was first introduced, Steve Jobs described it as “way smarter than any mobile device has ever been and super easy to use.” It’s no wonder that millions of iOS devices have since been deployed within the workplace, packed full of apps that fuel everyday communications, collaboration and productivity use cases.

Over time, organizations have not only grown accustomed to using iPhones and iPads for day-to-day processes, they’ve become dependent on them. With this in mind, IT and security leaders in charge of enabling productivity while securing smartphones and tablets must embrace these devices’ advantages responsibly. Adding to the complexity, they must also find a way to achieve security without disrupting an otherwise positive user experience that is exemplified by anytime, anywhere accessibility.

Swing for Visibility Into Mobile Activity

When considering the number of iOS devices that are being put to work, the various ways they’re being used, how far apart they’re located, and how they’re accessing a network, IT professionals have a lot to worry about. For this reason, it’s crucial to seek out an appropriate level of visibility. Optimally, an all-in-one display of this valuable information allows IT teams to understand user behavior on their devices — expanding beyond traditional mobile device management (MDM). For example, are employees using applications that could pose a potential threat to your organization?

When it comes to user app behavior, ask yourself: Do you have a strong understanding of the apps your mobile employees use most frequently? If you don’t have a way to assess the activity within your environment, it could be an app you know about or one you’ve never heard of. If it’s the latter, it would be good to know which users have the app and what level of activity has taken place.

Depending on what you uncover, the app might be completely normal — but there’s always a chance it’s not. Risky users might be using encryption to cover up their browsing history. Without seeing domain details for encrypted traffic, you have no way of knowing. Similarly, apps might be establishing local IP address connections on ephemeral ports. If that’s the case, and the device has corporate data on it, there’s a risk that other endpoints on the network could connect to it and swipe the proprietary data.

Strike With Control Over Risky User Behavior

Beyond visibility, IT professionals need a way to intervene at the most pivotal moments. If someone means to type in one URL, but ends up typing in another, are you certain the domain they’re navigating to is safe? Threat actors are aware of user error, and they commonly set up malicious sites to take advantage of those who may not check their spelling before they hit enter. That’s why it’s important to not only see device-specific web navigation activity, but to be able to act before problems arise.

To avoid mobile mishaps like this, IT and security leaders should invest in the appropriate threat defense capabilities to support the modern enterprise. No matter where your users are, what network they’re connected through or what they’re looking to do, it should be simple to take control if need be — whether you’re blocking, allowing or proxying traffic.

The Best of Both Worlds for Protecting iOS Devices

Built hand-in-hand with Apple, the Cisco Security Connector introduces a more granular level of visibility and control into corporate-owned iOS devices. This cloud-managed solution ensures that employees are protected and compliant at all times and wherever they go, and it can now be deployed and managed via IBM MaaS360 with Watson.

IT and security leaders can take advantage of this valuable integration by visiting the IBM Security App Exchange and downloading the Cisco Security Connector for MaaS360. To learn more about the IBM Security and Cisco partnership, visit the official alliance page.

Learn more about how Cisco and IBM are taking mobile security to the next level

The post Visibility and Control: A One-Two Punch for Securing iOS Devices in the Enterprise appeared first on Security Intelligence.

Expert demonstrated how to access contacts and photos from a locked iPhone XS

Expert discovered a passcode bypass vulnerability in Apple’s new iOS version 12 that could be exploited to access photos, contacts on a locked iPhone XS .

The Apple enthusiast and “office clerk” Jose Rodriguez has discovered a passcode bypass vulnerability in Apple’s new iOS version 12 that could be exploited by an attacker (with physical access to the iPhone) to access photos, contacts on a locked iPhone XS and other devices.

The hack works on the latest iOS 12 beta and iOS 12 operating systems, as demonstrated by Rodriguez in a couple of videos he published on YouTube (Videosdebarraquito).

The passcode bypass vulnerability affects a number of other iPhone models including the latest model iPhone XS.

An attacker can access the images on the devices by editing a contact and changing the image associated with a specific caller.

Apple has addressed the issue allowing images to be viewed via contacts, but Rodriguez devised a new method to circumvent the mitigations implemented by Apple.

The attack exploits the VoiceOver feature that enables accessibility features on iPhone, for this reason, the vulnerable device needs to have Siri enabled and Face ID either turned off or physically covered.

A step by step guide for the Rodriguez’s attack was published by the website Gadget Hacks.

iPhone passcode bypass issues are not uncommon, in September 2015, Jose Rodriguez discovered that the iOS 9.0.1 Update failed to address a lock screen bypass vulnerability.

In November 2017, experts discovered a flaw in iOS 8 and newer versions of the Apple OS that allowed bypassing the iPhone Passcode protection, even when Touch ID was properly configured, and access photos and messages stored on the device.

Pierluigi Paganini

(Security Affairs – iPhone XS, hacking)

The post Expert demonstrated how to access contacts and photos from a locked iPhone XS appeared first on Security Affairs.

QRecorder app in the Play Store was hiding a Banking Trojan that targets European banks

The QRecorder app in the Play Store impersonating a phone call and voice recording utility embedded a banking malware used to target European banks.

Security experts from ESET have discovered a malicious app in the official Google Play Store that impersonates a phone call and voice recording utility, it was hiding a banking malware used to target customers of European banks.

The malware, tracked as Razdel, is a variant of BankBot mobile banking Trojan.

According to the Czech Television, the malicious code targets apps from Raiffeisen Bank, as well as ČSOB and Česká Spořitelna.

Czech Police shared the identikit and pictures from ATM security camera of a money mule withdrawing money from one of the Prague ATM from affected victims accounts.

The malware was hidden in the QRecorder app and according to the ESET security researcher Lukas Stefanko, the banking Trojan was downloaded and installed by over 10,000.

QRecorder app malware

The malicious QRecorder app is able to intercept SMS two-factor authentication (2FA) messages and ask for permission to display overlays on top of legitimate bank apps to control what the user sees on his device.

To avoid raising suspicions, the malicious application correctly implements the audio recording features.

Stefanko discovered that the threat actor behind the operator sends commands to the app within 24 hours from installation, for example, it scans the device for specific banking apps.

Attacker leverages Google Firebase messages to communicate with compromised devices. If one of the targeted apps is installed on the device, before downloading payload it would request the user to activate Accessibility service and using this permission it would automatically download and execute the malicious payload.

Once the malicious payload is downloaded it sets triggers for legitimate banking apps. If one of the targeted apps is launched by the user, the malware displays overlay to steal credentials.

“Before downloading payload it would request user to activate Accessibility service and using this permission it would automatically download, install and open malicious payload.” wrote Stefanko.

“Once payload is downloaded it sets triggers for legitimate banking apps. If one of the targeted apps is launched it would create similar like looking activity that overlays official app demanding credentials.”

According to official statement of Czech police, QRecorder infected five victims in Czech Republic stealing a total of over 78,000 Euros from their accounts.

The analysis of the code revealed that the QRecorder malware is able to monitor a large number of banks, including Air Bank, Equa, ING, Bawag, Fio, Oberbank, and Bank Austria.

One of the most interesting aspects of this malware is that the threat actor created different payloads for each targeted bank.

QRecorder app was removed from the official Android store, below a video that shows how the app operates.

Pierluigi Paganini

(Security Affairs – QRecorder app, malware)

The post QRecorder app in the Play Store was hiding a Banking Trojan that targets European banks appeared first on Security Affairs.

Pangu hackers are back, they realized the iOS 12 Jailbreak

The popular Chinese hacking team Pangu has devised the iOS 12 Jailbreak running on the latest iPhone XS. Users wait for further details.

Here we go again to speak about the notorious Chinese hacking team Pangu, the group is time popular for his ability to jailbreak Apple devices. This time the experts presented a jailbreak for iOS 12 running on the latest iPhone XS.

The last jailbreak for Apple iOS devised by the Pangu team was released in October 2015, when the expert published the untethered jailbreak tool for iOS 9.

iOS jailbreak allows to remove hardware restrictions implemented by the Apple’s operating system, Jailbreaking gives users root access to the iOS file system and manager, this allows them to download and install applications and themes from third-party stores.
Jailbreaking mobile devices expose them to a wild range of threats, including malware such as KeyRaider and YiSpector.

Below the Tweet shared by the researcher Min(Spark) Zheng on a Tweet that shows the successfully jailbreak on Apple iPhone XS with A12 Bionic chip announced by one of the Pangu researchers.

The experts pointed out that the iOS 12 jailbreak bypass a functional PAC (Pointer authentication codes) mitigation implemented in the new Apple’s A12 Bionic chip.

Experts believe the same jailbreak should work also on iPhone XS Max because of the hardware similarities.

iOS 12 Jailbreak

The Pangu group still haven’t announced the jailbreak, but many users hope the team will release the iOS 12 jailbreak to the public.

Pierluigi Paganini

(Security Affairs – Pangu iOS 12 jailbreak, hacking)

The post Pangu hackers are back, they realized the iOS 12 Jailbreak appeared first on Security Affairs.

Hide and Seek (HNS) IoT Botnet targets Android devices with ADB option enabled

The latest samples of the HNS bot were designed to target Android devices having the wireless debugging feature ADB enabled.

The Hide and Seek (HNS) IoT botnet was first spotted early this year, since its discovery the authors continuously evolved its code.

The IoT botnet appeared in the threat landscape in January, when it was first discovered on January 10th by malware researchers from Bitdefender, then it disappeared for a few days, and appeared again a few weeks later infecting in a few days more than 20,000 devices.

The botnet initially spread infecting unsecured IoT devices, mainly IP cameras, in July security experts from Fortinet discovered that the Hide ‘N Seek botnet was improved to target vulnerabilities in home automation systems.

In the same month, experts from Netlab observed the Hide ‘N Seek botnet targeting also cross-platform database solutions. It is currently the first IoT malware that implements a persistence mechanism to keep devices infected after reboots.

The latest samples of the HNS bot were designed to target Android devices having the wireless debugging feature enabled instead of exploiting known vulnerabilities.

By default, Android has Android Debug Bridge (ADB) option disabled, but often vendors enable it to customize the operating system, then ship the devices with the feature turned on.

The authors of the HNS botnet are attempting to compromise new devices by exploiting the features.

“The newly identified samples add functionality by exploiting the Android Debug Bridge (ADB) over Wi-Fi feature in Android devices, which developers normally use for troubleshooting.” reads the analysis published by BitDefender.

“While it’s traditionally disabled by default, some Android devices are shipped with it enabled, practically exposing users to remote connections via the ADB interface that’s accessible using the TCP port 5555. Any remote connection to the device is performed unauthenticated and allows for shell access, practically enabling attackers to perform any task in administrator mode.”

In February 2018, security researchers at Qihoo 360’s Netlab have spotted an Android mining botnet that was targeting devices with ADB interface open.

The recent improvement of the Hide and Seek botnet, allowed its operators to add 40,000 new devices, most of them in Taiwan, Korea, and China.

HnS ADB_exposed_Shodan

 

Expert pointed out that the HNS bot could infect any device, including smart TVs and DVRs, that has ADB over Wi-Fi enabled could be affected too.

“It’s safe to say that not just Android-running smartphones are affected — smart TVs, DVRs and practically any other device that has ADB over Wi-Fi enabled could be affected too.concludes Bitdefender.

“Considering the evidence at hand, we speculate the botnet operators are constantly adding new features to “enslave” as many devices as possible, although the true purpose of the botnet remains unknown.”

Pierluigi Paganini

(Security Affairs – HSN botnet, hacking)

 

The post Hide and Seek (HNS) IoT Botnet targets Android devices with ADB option enabled appeared first on Security Affairs.

Mobile Menace Monday: SMS phishing attacks target the job market

Recently, a co-worker received an enticing SMS message from ASPXPPZUPS Human Resources. It read:

Tired of your old job? Join our team today, work from home and earn $6,200 per month: hire-me-zvcbrvpffy.<hidden>.com.  

Could it be that our dream job awaits via random text message? On the contrary, this SMS phishing attack could cause nightmares for unsuspecting job hunters.

Don’t quit your day job

In order to investigate this phish further, the first step is browsing to this so-called career-changing website mentioned in the message.

Click to view slideshow.

Amazon!? Awesome! Let’s review this exciting position of Prime Agent. Great base salary plus commission! Full healthcare and minimal working hours! Brand new car!? All for a couple of easy job responsibilities you can do from home—Apply now!

Okay, seriously though, if the brand-new car bit doesn’t tip people off this is a ruse, I don’t know what will.

Gathering information

Knowing this is a ruse, let’s proceed forward by clicking Apply now regardless.

Click to view slideshow.

This is where I’m a little disappointed in the scammers. This could be an opportunity to gather a person’s full resume, with history of work, education, where they live, and a plethora of other information. Instead, they only ask for name, email, and phone number. Lazy. Still, this is enough to send spam emails and even more SMS phishing attacks.

Adding fake information and turning on a network sniffer, I submitted the information.

As a result, the network capture shows the information going to a amz-jobs-careers.<hidden>/apply.php. After hitting Submit Details, it redirects to amazon.com to make things look legitimate.

Job hunters beware

Many studies have shown that in America, many people are unhappy with their current jobs. For example, the Conference Board conducted a 2018 study reporting that 51 percent of people are satisfied with their jobs, thus leaving 49 percent unhappy. In addition, it’s a job-rich economy right now, which means it’s a great time to be looking if you aren’t happy in your current situation. It’s no wonder scammers are targeting job hunters. For those in the 49 percent, best to stick with more trustworthy methods than through SMS phishing messages.

To aid in the battle against SMS phishing attacks, our premium version of Malwarebytes for Android alerts users of dangerous links in SMS messages. Furthermore, our it also scans phishing URLs when using the Chrome browser, once again alerting on detection.

In case anyone was wondering, I’m fortunate to be in the 51 percent of people happy with their jobs—mainly because I get to protect readers like you! Stay safe out there!

The post Mobile Menace Monday: SMS phishing attacks target the job market appeared first on Malwarebytes Labs.

Kaspersky: Attacks on Smart Devices Rise Threefold in 2018

Attacks against smart devices are surging, with both old and new threats targeting connected devices that remain largely unsecured, according to researchers at Kaspersky Lab. Kaspersky researchers observed three times as many malware samples against smart devices in the first half of 2018 than they did in all of 2017, according to new findings...

Read the whole entry... »

Related Stories

iOS 12 is here: these are the security features you need to know about

One year to the day after iOS 11 appeared, Apple yesterday released its replacement, iOS 12.

Security Affairs: NSO mobile Pegasus Spyware used in operations in 45 countries

A new report published by Citizen Lab revealed that the NSO Pegasus spyware was used against targets across 45 countries worldwide.

A new investigation of the Citizen Lab revealed that the powerful Pegasus mobile spyware was used against targets across 45 countries around the world over the last two years.

Pegasus is a surveillance malware developed by the Israeli surveillance NSO Group that could infect both iPhones and Android devices, it is sold exclusively to the governments and law enforcement agencies.

Earlier August, Citizen Lab shared evidence of attacks against 175 targets worldwide carried on with the NSO spyware. Citizen Lab uncovered other attacks against individuals in Qatar or Saudi, where the Israeli surveillance software is becoming very popular.

COUNTRY NEXUS REPORTED CASES OF INDIVIDUALS TARGETED YEAR(S) IN WHICH SPYWARE INFECTION WAS ATTEMPTED
Panama Up to 150 (Source: Univision)1 2012-2014
UAE 1 (Source: Citizen Lab) 2016
Mexico 22 (Source: Citizen Lab) 2016
Saudi Arabia 2 (Source: Amnesty, Citizen Lab) 2018

A report published by Amnesty International confirmed that its experts identified a second human rights activist, in Saudi Arabia, who was targeted with the powerful spyware.

Now a new report published by Citizen Lab shows that the number of Pegasus infections is greater than initially thought.

Between August 2016 and August 2018, the researchers scanned the web for servers associated with Pegasus spyware and uncovered 36 distinct Pegasus systems in 45 countries by using a novel technique dubbed Athena.

The experts found 1,091 IP addresses that matched their fingerprint and 1,014 domain names that pointed to them.

pegasus spyware

At least ten of the operators identified by NSO appear to be actively engaged in cross-border surveillance, at least six countries with significant Pegasus operations (Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates) have been accused in the past of spying civil society.

“We designed and conducted a global DNS Cache Probing study on the matching domain names in order to identify in which countries each operator was spying. Our technique identified a total of 45 countries where Pegasus operators may be conducting surveillance operations. At least 10 Pegasus operators appear to be actively engaged in cross-border surveillance.” reads the report published by Citizen Lab.

“Pegasus also appears to be in use by countries with dubious human rights records and histories of abusive behaviour by state security services. In addition, we have found indications of possible political themes within targeting materials in several countries, casting doubt on whether the technology is being used as part of “legitimate” criminal investigations.”

Pegasus infections were observed in Algeria, Bahrain, Bangladesh, Brazil, Canada, Cote d’Ivoire, Egypt, France, Greece, India, Iraq, Israel, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands, Oman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, the UAE, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen, and Zambia.

Pegasus spyware

The experts determined the location of the infections using country-level geolocation of DNS servers, but they warn of possible inaccuracies because targets could have used VPNs and satellite connections.

NSO Group spokesperson released a statement in response to the report, he highlighted that the company never broke any laws, including export control regulations.

“Contrary to statements made by you, our product is licensed to government and law enforcement agencies for the sole purpose of investigating and preventing crime and terror. Our business is conducted in strict compliance with applicable export control laws,” reads the statement from NSO Group spokesperson Shalev Hulio.

“NSO’s Business Ethics Committee, which includes outside experts from various disciplines, including law and foreign relations, reviews and approves each transaction and is authorized to reject agreements or cancel existing agreements where there is a case of improper use.”

The NSO Group also denied selling in many of the countries listed in the report.

Pierluigi Paganini

(Security Affairs – Pegasus Spyware, surveillance)

The post NSO mobile Pegasus Spyware used in operations in 45 countries appeared first on Security Affairs.



Security Affairs

NSO mobile Pegasus Spyware used in operations in 45 countries

A new report published by Citizen Lab revealed that the NSO Pegasus spyware was used against targets across 45 countries worldwide.

A new investigation of the Citizen Lab revealed that the powerful Pegasus mobile spyware was used against targets across 45 countries around the world over the last two years.

Pegasus is a surveillance malware developed by the Israeli surveillance NSO Group that could infect both iPhones and Android devices, it is sold exclusively to the governments and law enforcement agencies.

Earlier August, Citizen Lab shared evidence of attacks against 175 targets worldwide carried on with the NSO spyware. Citizen Lab uncovered other attacks against individuals in Qatar or Saudi, where the Israeli surveillance software is becoming very popular.

COUNTRY NEXUS REPORTED CASES OF INDIVIDUALS TARGETED YEAR(S) IN WHICH SPYWARE INFECTION WAS ATTEMPTED
Panama Up to 150 (Source: Univision)1 2012-2014
UAE 1 (Source: Citizen Lab) 2016
Mexico 22 (Source: Citizen Lab) 2016
Saudi Arabia 2 (Source: Amnesty, Citizen Lab) 2018

A report published by Amnesty International confirmed that its experts identified a second human rights activist, in Saudi Arabia, who was targeted with the powerful spyware.

Now a new report published by Citizen Lab shows that the number of Pegasus infections is greater than initially thought.

Between August 2016 and August 2018, the researchers scanned the web for servers associated with Pegasus spyware and uncovered 36 distinct Pegasus systems in 45 countries by using a novel technique dubbed Athena.

The experts found 1,091 IP addresses that matched their fingerprint and 1,014 domain names that pointed to them.

pegasus spyware

At least ten of the operators identified by NSO appear to be actively engaged in cross-border surveillance, at least six countries with significant Pegasus operations (Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates) have been accused in the past of spying civil society.

“We designed and conducted a global DNS Cache Probing study on the matching domain names in order to identify in which countries each operator was spying. Our technique identified a total of 45 countries where Pegasus operators may be conducting surveillance operations. At least 10 Pegasus operators appear to be actively engaged in cross-border surveillance.” reads the report published by Citizen Lab.

“Pegasus also appears to be in use by countries with dubious human rights records and histories of abusive behaviour by state security services. In addition, we have found indications of possible political themes within targeting materials in several countries, casting doubt on whether the technology is being used as part of “legitimate” criminal investigations.”

Pegasus infections were observed in Algeria, Bahrain, Bangladesh, Brazil, Canada, Cote d’Ivoire, Egypt, France, Greece, India, Iraq, Israel, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands, Oman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, the UAE, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen, and Zambia.

Pegasus spyware

The experts determined the location of the infections using country-level geolocation of DNS servers, but they warn of possible inaccuracies because targets could have used VPNs and satellite connections.

NSO Group spokesperson released a statement in response to the report, he highlighted that the company never broke any laws, including export control regulations.

“Contrary to statements made by you, our product is licensed to government and law enforcement agencies for the sole purpose of investigating and preventing crime and terror. Our business is conducted in strict compliance with applicable export control laws,” reads the statement from NSO Group spokesperson Shalev Hulio.

“NSO’s Business Ethics Committee, which includes outside experts from various disciplines, including law and foreign relations, reviews and approves each transaction and is authorized to reject agreements or cancel existing agreements where there is a case of improper use.”

The NSO Group also denied selling in many of the countries listed in the report.

Pierluigi Paganini

(Security Affairs – Pegasus Spyware, surveillance)

The post NSO mobile Pegasus Spyware used in operations in 45 countries appeared first on Security Affairs.

Security Affairs: One year later BlueBorne disclosure, over 2 Billion devices are still vulnerable

One year after the discovery of the BlueBorne Bluetooth vulnerabilities more than 2 billion devices are still vulnerable to attacks.

In September 2017, experts with Armis Labs devised a new attack technique, dubbed BlueBorne, aimed at mobile, desktop and IoT devices that use Bluetooth.  The BlueBorne attack exposes devices to a new remote attack, even without any user interaction and pairing, the unique condition for BlueBorne attacks is that targeted systems must have Bluetooth enabled.

The attack technique leverages on a total of nine vulnerabilities in the Bluetooth design that expose devices to cyber attacks.

A hacker in range of the targeted device can trigger one of the Bluetooth implementation issues for malicious purposes, including remote code execution and man-in-the-middle (MitM) attacks. The attacker only needs to determine the operating system running on the targeted device in order to use the correct exploit.

According to the experts, in order to launch a BlueBorne attack, it is not necessary to trick the victim into clicking on a link or opening a malicious file.

The attack is stealthy and victims will not notice any suspicious activity on their device.

blueborne attack

Two months later, experts at Armis also revealed that millions of AI-based voice-activated personal assistants, including Google Home and Amazon Echo, were affected by the Blueborne flaws.

At the time of BlueBorne disclosure, Armis estimated that the security flaw initially affected roughly 5.3 billion Bluetooth-enabled devices.

One year after the company published a new report that warns that roughly one-third of the 5.3 billion impacted devices are still vulnerable to cyber attacks.

“Today, about two-thirds of previously affected devices have received updates that protect them from becoming victims of a BlueBorne attack, but what about the rest? Most of these devices are nearly one billion active Android and iOS devices that are end-of-life or end-of-support and won’t receive critical updates that patch and protect them from a BlueBorne attack.” states the new report published by Armis.

“The other 768 million devices are still running unpatched or unpatchable versions of Linux on a variety of devices from servers and smartwatches to medical devices and industrial equipment.

  • 768 million devices running Linux
  • 734 million devices running Android 5.1 (Lollipop) and earlier
  • 261 million devices running Android 6 (Marshmallow) and earlier
  • 200 million devices running affected versions of Windows
  • 50 million devices running iOS version 9.3.5 and earlier”

It is disconcerting, one billion devices are still running a version of Android that no longer receives security updates, including Android 5.1 Lollipop and earlier (734 million), and Android 6 Marshmallow and earlier (261 million).

It is interesting to note that 768 million Linux devices are running an unpatched or unpatchable version, they include servers, industrial equipment, and IoT systems in many industries.

“An inherent lack of visibility hampers most enterprise security tools today, making it impossible for organizations to know if affected devices connect to their networks,” continues the report published by Armis.

“Whether they’re brought in by employees and contractors, or by guests using enterprise networks for temporary connectivity, these devices can expose enterprises to significant risks.”

Armis notified its findings to vendors five months ago, but the situation is not changed.

“As vulnerabilities and threats are discovered, it can take weeks, months, or more to patch them. Between the time Armis notified affected vendors about BlueBorne and its public disclosure, five months had elapsed. During that time, Armis worked with these vendors to develop fixes that could then be made available to partners or end-users.” added Armis.

Unmanaged and IoT devices grow exponentially in the enterprise dramatically enlarging the attack surface and attracting the interest of hackers focused in the exploitation of Bluetooth as an attack vector.

Pierluigi Paganini

(Security Affairs – BlueBorne, hacking)

The post One year later BlueBorne disclosure, over 2 Billion devices are still vulnerable appeared first on Security Affairs.



Security Affairs

One year later BlueBorne disclosure, over 2 Billion devices are still vulnerable

One year after the discovery of the BlueBorne Bluetooth vulnerabilities more than 2 billion devices are still vulnerable to attacks.

In September 2017, experts with Armis Labs devised a new attack technique, dubbed BlueBorne, aimed at mobile, desktop and IoT devices that use Bluetooth.  The BlueBorne attack exposes devices to a new remote attack, even without any user interaction and pairing, the unique condition for BlueBorne attacks is that targeted systems must have Bluetooth enabled.

The attack technique leverages on a total of nine vulnerabilities in the Bluetooth design that expose devices to cyber attacks.

A hacker in range of the targeted device can trigger one of the Bluetooth implementation issues for malicious purposes, including remote code execution and man-in-the-middle (MitM) attacks. The attacker only needs to determine the operating system running on the targeted device in order to use the correct exploit.

According to the experts, in order to launch a BlueBorne attack, it is not necessary to trick the victim into clicking on a link or opening a malicious file.

The attack is stealthy and victims will not notice any suspicious activity on their device.

blueborne attack

Two months later, experts at Armis also revealed that millions of AI-based voice-activated personal assistants, including Google Home and Amazon Echo, were affected by the Blueborne flaws.

At the time of BlueBorne disclosure, Armis estimated that the security flaw initially affected roughly 5.3 billion Bluetooth-enabled devices.

One year after the company published a new report that warns that roughly one-third of the 5.3 billion impacted devices are still vulnerable to cyber attacks.

“Today, about two-thirds of previously affected devices have received updates that protect them from becoming victims of a BlueBorne attack, but what about the rest? Most of these devices are nearly one billion active Android and iOS devices that are end-of-life or end-of-support and won’t receive critical updates that patch and protect them from a BlueBorne attack.” states the new report published by Armis.

“The other 768 million devices are still running unpatched or unpatchable versions of Linux on a variety of devices from servers and smartwatches to medical devices and industrial equipment.

  • 768 million devices running Linux
  • 734 million devices running Android 5.1 (Lollipop) and earlier
  • 261 million devices running Android 6 (Marshmallow) and earlier
  • 200 million devices running affected versions of Windows
  • 50 million devices running iOS version 9.3.5 and earlier”

It is disconcerting, one billion devices are still running a version of Android that no longer receives security updates, including Android 5.1 Lollipop and earlier (734 million), and Android 6 Marshmallow and earlier (261 million).

It is interesting to note that 768 million Linux devices are running an unpatched or unpatchable version, they include servers, industrial equipment, and IoT systems in many industries.

“An inherent lack of visibility hampers most enterprise security tools today, making it impossible for organizations to know if affected devices connect to their networks,” continues the report published by Armis.

“Whether they’re brought in by employees and contractors, or by guests using enterprise networks for temporary connectivity, these devices can expose enterprises to significant risks.”

Armis notified its findings to vendors five months ago, but the situation is not changed.

“As vulnerabilities and threats are discovered, it can take weeks, months, or more to patch them. Between the time Armis notified affected vendors about BlueBorne and its public disclosure, five months had elapsed. During that time, Armis worked with these vendors to develop fixes that could then be made available to partners or end-users.” added Armis.

Unmanaged and IoT devices grow exponentially in the enterprise dramatically enlarging the attack surface and attracting the interest of hackers focused in the exploitation of Bluetooth as an attack vector.

Pierluigi Paganini

(Security Affairs – BlueBorne, hacking)

The post One year later BlueBorne disclosure, over 2 Billion devices are still vulnerable appeared first on Security Affairs.

Google Android team found high severity flaw in Honeywell Android-based handheld computers

Experts at the Google Android team have discovered high severity privilege escalation vulnerability in some of Honeywell Android-based handheld computers.

Security experts from the Google Android team have discovered a high severity privilege escalation vulnerability in some of Honeywell Android-based handheld computers that could be exploited by an attacker to gain elevated privileges.

According to the vendor, Honeywell handheld computers combine the advantages of consumer PDAs and high-end industrial mobile computers into a single rugged package.

The rugged devices provide enhanced connectivity, including industry standard 802.11x, Cisco compatibility, and Bluetooth, they are widely adopted in many sectors, including energy, healthcare, critical manufacturing, and commercial facilities.

The US ICS-CERT published a security advisory to warn of the vulnerability that affects several models of Honeywell Android handheld computers, including CT60, CN80, CT40, CK75, CN75, CT50, D75e, CN51, and EDA series.

The affected devices run various Android version between 4.4 and 8.1.

“A vulnerability in a system service on CT60, CN80, CT40, CK75, CN75, CT50, D75e, CN51, and EDA series mobile computers running the Android Operating System (OS) could allow a malicious third-party application to gain elevated privileges.” reads the advisory published by the US ICS-CERT.

The flaw, tracked as CVE-2018-14825, received a CVSS v3 base score of 7.6).

Honeywell Android-based handheld computers

Customers should whitelist trusted applications to avoid malicious apps accessing the devices with high privileges.

An attacker could exploit the flaw to gain elevated privileges and unauthorized access e to sensitive information such as passwords and confidential documents.

“A skilled attacker with advanced knowledge of the target system could exploit this vulnerability by creating an application that would successfully bind to the service and gain elevated system privileges.” continues the advisory.

“This could enable the attacker to obtain access to keystrokes, passwords, personal identifiable information, photos, emails, or business-critical documents.”

Pierluigi Paganini

(Security Affairs – Honeywell Android-based handheld computers, hacking)

The post Google Android team found high severity flaw in Honeywell Android-based handheld computers appeared first on Security Affairs.

Security Affairs: Google Android team found high severity flaw in Honeywell Android-based handheld computers

Experts at the Google Android team have discovered high severity privilege escalation vulnerability in some of Honeywell Android-based handheld computers.

Security experts from the Google Android team have discovered a high severity privilege escalation vulnerability in some of Honeywell Android-based handheld computers that could be exploited by an attacker to gain elevated privileges.

According to the vendor, Honeywell handheld computers combine the advantages of consumer PDAs and high-end industrial mobile computers into a single rugged package.

The rugged devices provide enhanced connectivity, including industry standard 802.11x, Cisco compatibility, and Bluetooth, they are widely adopted in many sectors, including energy, healthcare, critical manufacturing, and commercial facilities.

The US ICS-CERT published a security advisory to warn of the vulnerability that affects several models of Honeywell Android handheld computers, including CT60, CN80, CT40, CK75, CN75, CT50, D75e, CN51, and EDA series.

The affected devices run various Android version between 4.4 and 8.1.

“A vulnerability in a system service on CT60, CN80, CT40, CK75, CN75, CT50, D75e, CN51, and EDA series mobile computers running the Android Operating System (OS) could allow a malicious third-party application to gain elevated privileges.” reads the advisory published by the US ICS-CERT.

The flaw, tracked as CVE-2018-14825, received a CVSS v3 base score of 7.6).

Honeywell Android-based handheld computers

Customers should whitelist trusted applications to avoid malicious apps accessing the devices with high privileges.

An attacker could exploit the flaw to gain elevated privileges and unauthorized access e to sensitive information such as passwords and confidential documents.

“A skilled attacker with advanced knowledge of the target system could exploit this vulnerability by creating an application that would successfully bind to the service and gain elevated system privileges.” continues the advisory.

“This could enable the attacker to obtain access to keystrokes, passwords, personal identifiable information, photos, emails, or business-critical documents.”

Pierluigi Paganini

(Security Affairs – Honeywell Android-based handheld computers, hacking)

The post Google Android team found high severity flaw in Honeywell Android-based handheld computers appeared first on Security Affairs.



Security Affairs

Researcher devised a new CSS & HTML attack that causes iPhone reboot or freezes Macs

The security researcher security researcher Sabri Haddouche from Wire devised a new CSS attack that causes iPhone reboot or freezes Macs.

The security researcher security researcher Sabri Haddouche from Wire devised a new attack method that saturates Apple device’s resources and causing it crashes or system restarts when visiting a web page. The experts discovered that iOS restart and macOS freezes when the user visits a web page that contains certain CSS & HTML.

Depending on the version of iOS being used, the bug could trigger the UI restart, cause a kernel panic and consequent device reboot.

This attack leverages a weakness in the -webkit-backdrop-filter CSS, for this reason, it affects all browsers on iOS that leverage on WebKit as rendering engine is WebKit. The weakness also affects Safari and Mail in macOS, but it doesn’t affect Linux and Windows systems.

“The attack exploits a weakness in the –webkit-backdrop-filter CSS property,” Haddouche explained to BleepingComputer. “By using nested divs with that property, we can quickly consume all graphic resources and crash or freeze the OS. The attack does not require Javascript to be enabled therefore it also works in Mail. On macOS, the UI freeze. On iOS, the device restart.”

iphone

Haddouche successfully tested the attack on iOS 12 and caused the device to reboot, on iOS 11.4.1 it only caused a UI restart.

Haddouche explained that on macOS, the attack will only cause Mail and Safari to freeze for a second and then slow down the computer.

Haddouche also devised another attack that uses HTML, CSS, and JavaScript to completely freeze macOS systems. The researchers told Bleeping Computer that he has not disclosed it because it persists after reboot and macOS will relaunch Safari with the malicious page, causing the system entering in a look that freeze it again.

Lawrence Abrams from Bleeping Computer created a video showing what happens when a user visits the attack page created by Haddouche (sees the rawgit[.]com) and published on Github. Lawrence used an iPhone running iOS 11.4.1.

The bad news is that there is no mitigation for this attack.

Pierluigi Paganini

(Security Affairs – iPhone reboot, CSS attack)

The post Researcher devised a new CSS & HTML attack that causes iPhone reboot or freezes Macs appeared first on Security Affairs.

Security Affairs: Researcher devised a new CSS & HTML attack that causes iPhone reboot or freezes Macs

The security researcher security researcher Sabri Haddouche from Wire devised a new CSS attack that causes iPhone reboot or freezes Macs.

The security researcher security researcher Sabri Haddouche from Wire devised a new attack method that saturates Apple device’s resources and causing it crashes or system restarts when visiting a web page. The experts discovered that iOS restart and macOS freezes when the user visits a web page that contains certain CSS & HTML.

Depending on the version of iOS being used, the bug could trigger the UI restart, cause a kernel panic and consequent device reboot.

This attack leverages a weakness in the -webkit-backdrop-filter CSS, for this reason, it affects all browsers on iOS that leverage on WebKit as rendering engine is WebKit. The weakness also affects Safari and Mail in macOS, but it doesn’t affect Linux and Windows systems.

“The attack exploits a weakness in the –webkit-backdrop-filter CSS property,” Haddouche explained to BleepingComputer. “By using nested divs with that property, we can quickly consume all graphic resources and crash or freeze the OS. The attack does not require Javascript to be enabled therefore it also works in Mail. On macOS, the UI freeze. On iOS, the device restart.”

iphone

Haddouche successfully tested the attack on iOS 12 and caused the device to reboot, on iOS 11.4.1 it only caused a UI restart.

Haddouche explained that on macOS, the attack will only cause Mail and Safari to freeze for a second and then slow down the computer.

Haddouche also devised another attack that uses HTML, CSS, and JavaScript to completely freeze macOS systems. The researchers told Bleeping Computer that he has not disclosed it because it persists after reboot and macOS will relaunch Safari with the malicious page, causing the system entering in a look that freeze it again.

Lawrence Abrams from Bleeping Computer created a video showing what happens when a user visits the attack page created by Haddouche (sees the rawgit[.]com) and published on Github. Lawrence used an iPhone running iOS 11.4.1.

The bad news is that there is no mitigation for this attack.

Pierluigi Paganini

(Security Affairs – iPhone reboot, CSS attack)

The post Researcher devised a new CSS & HTML attack that causes iPhone reboot or freezes Macs appeared first on Security Affairs.



Security Affairs

Personal mobile devices are the biggest threat to your network

Remote working and BYOD may be popular among employees but both pose a high risk to IT and security teams.Personal device use for remote work poses the biggest security risk

The post Personal mobile devices are the biggest threat to your network appeared first on The Cyber Security Place.

Spotlight Podcast: Flashpoint’s Allison Nixon on SIM Swapping and the Looming Online Identity Crisis

Your smart phone does double and triple duty: letting you do banking, buy a cup of coffee, board a plane or access a sensitive online account. But that doesn’t mean that your phone number is equally as trustworthy. In this Spotlight Podcast, we speak with Flashpoint* head of research Allison Nixon about how a recent rash of SIM swapping...

Read the whole entry... »

Related Stories

Mac App Store apps are stealing user data

There is a concerning trend lately in the Mac App Store. Several security researchers have independently found different apps that are collecting sensitive user data and uploading it to servers controlled by the developer. (This is referred to as exfiltrating the data.) Some of this data is actually being sent to Chinese servers, which may not be subject to the same stringent requirements around storage and protection of personally identifiable information like organizations based in the US or EU.

Adware Doctor

Patrick Wardle has recently posted an article detailing the misbehavior of an app named Adware Doctor, which is exfiltrating the following data:

  • Safari history
  • Chrome history
  • Firefox history
  • A list of all running processes
  • A list of software that you have downloaded and from where

Most of this is data that App Store apps should not be accessing, much less exfiltrating. In the case of the list of running processes, the app had to work around blockages that Apple has in place to prevent such apps from accessing that data. The developers found a loophole that allowed them to access that data despite Apple’s restrictions.

The developer of this app is one that we at Malwarebytes have had our eye on since 2015. At that time, we discovered an app on the App Store named Adware Medic—a direct rip-off of my own highly-successful app of the same name, which became Malwarebytes for Mac. We immediately began detecting this, and contacted Apple about removing the app. It was eventually removed, but was replaced soon after by an identical app named Adware Doctor.

We’ve continued to fight against this app, as well as others made by the same developer, and it has been taken down several times now, but in a continued failure of Apple’s review process, is always replaced by a new version before long.

Open Any Files: RAR Support

This app came onto our radar late last year. We’ve seen a number of different scam applications like this, which hijack the system’s functionality for handling documents that the user does not have an appropriate app to open, as a means for advertising other products…most often scams. The typical behavior is that, when the user opens an unfamiliar file, this app (and others like it) opens and promotes some antivirus software for scanning the file or the computer, often telling the user that they might be unable to open the file because they are infected.

Interestingly, this software was designed to promote a what appeared to be a mainstream antivirus product. This seemed like an abuse of an affiliate program for that product.

It turned out that this app’s behavior was very similar to the current behavior of Adware Doctor. It was uploading a file named file.zip to the following URL:

update.appletuner.trendmicro.com/1/upload/search_keywords/

This file contained the following data:

  • Complete Safari browsing and search history
  • Complete Chrome browsing and search history
  • Complete Firefox browsing and search history
  • Complete App Store browsing history

We reported this app to Apple in December 2017. It is still present on the App Store.

As we were investigating, we found it very odd that Open Any Files was promoting Dr. Antivirus on the App Store. This led us to investigate Dr. Antivirus, as well as a number of other apps.

(Recently, Open Any Files stopped exfiltrating this data, but we have retained the evidence from our observations.)

Dr. Antivirus

On investigating, we learned that this app, like most Mac App Store apps, is limited in what it can detect to begin with, due to restrictions imposed by the App Store. However, even within the user folder, most of antivirus apps in the App Store don’t have a good detection rate, and this was no exception.

Worse, however, was that we observed the same pattern of data exfiltration as seen in Open Any Files! We saw the same data being collected and also uploaded in a file named file.zip to the same URL used by Open Any Files.

This file, though, contained an interesting bonus. In addition to the browsing history, it also contained an interesting file named app.plist, which contained detailed information about every application found on the system. (See a short excerpt from the file below, showing only the information listed for Dr. Antivirus.)

It could be argued that it is useful for antivirus software to collect certain limited browsing history leading up to a malware/webpage detection and blocking. But it is very hard to argue to exfiltrate the entire browsing history of all installed browsers regardless of whether the user has encountered malware or not. In addition, there was nothing in the app to inform the user about this data collection, and there was no way to opt out of this data collection.

Dr. Cleaner

Unfortunately, other apps by the same developer are also collecting this data. We observed the same data being collected by Dr. Cleaner, minus the list of installed applications. There is really no good reason for a “cleaning” app to be collecting this kind of user data, even if the users were informed, which was not the case.

Interestingly, we found that the drcleaner[dot]com website was being used to promote these apps. WHOIS records identified an individual living in China, and having a foxmail.com email address, as being the registered owner of the domain.

What does all this mean?

It’s blindingly obvious at this point that the Mac App Store is not the safe haven of reputable software that Apple wants it to be. I’ve been saying this for several years now, as we’ve been detecting junk software in the App Store for almost as long as I’ve been at Malwarebytes. This is not new information, but these issues reveal a depth to the problem that most people are unaware of.

We’ve reported software like this to Apple for years, via a variety of channels, and there is rarely any immediate effect. In some cases, we’ve seen offending apps removed quickly, although sometimes  those same apps have come back quickly (as was the case with Adware Doctor). In other cases, it has taken as long as six months for a reported app to be removed.

In many cases, apps that we have reported are still in the store. Case in point…all of the above.

I strongly encourage you to treat the App Store just like you would any other download location: as potentially dangerous. Be cautious of what you download. A free app from the App Store may seem perfectly innocent and harmless, but if you have to give that app access to any of your data as part of its expected functionality, you can’t know how it will use that data. Worse, even if you don’t give it access, it may find a loophole and get access to sensitive data anyway.

If you download one of these apps and are now regretting it, you can report the app to Apple:

https://reportaproblem.apple.com

Special thanks

Thanks go to folks who have spent their spare time finding and poking at these applications over the last year: PeterNopSled (from the Malwarebytes forums), @privacyis1st, and Patrick Wardle.

The post Mac App Store apps are stealing user data appeared first on Malwarebytes Labs.

Fortnite’s Google Play rebuff sparks security concerns for Android users

There’s been no small outbreak of chaos in mobile land recently, all because of an astonishingly popular game called Fortnite.

Here’s the thing: people refer to Android as “open platform,” saying that, in theory, you can do what you want with it. In practice, you buy an Android phone and then you’re locked into apps from the Google Play store. You can switch things off to allow external installs, but it’s generally not advisable, as it leaves the gate open to potentially dubious installs.

You can delve into discussions about whether Android is open source or not, but the conversation is a little more complicated and nuanced than simply answering “yes” or “no.”

With all of the above discord thrown into a melting pot and swirled around, Fortnite steps in and rattles a few more cages.

What happened?

The developers, Epic, decided that they’d rather offer the game on mobile outside of Google Play, which drastically increases the amount of revenue not nibbled at by Google. There are multiple potential issues with this:

  • Having children enable the “allow installs from unknown sources” option on an Android is a recipe for disaster. It not only means many of them will inevitably end up downloading a rogue app by mistake, it also means that those phones are now less secure than the fully locked-down Android devices out there.
  • As pointed out on Twitter, even children with legitimate installs of Fortnite onboard will eventually fall foul to something nasty because the phone is splashing around in the metaphorical malware mud.
  • Everything comes down to how well promoted the official download link is, and how efficiently the game developers tell people to only grab the game from that one specific link.
  • Epic needs to ensure they don’t fall victim to sophisticated SEO scams pointing links away from their site and toward bad downloads, and also that their site security is top notch. If the page is compromised, a rogue download link might be waiting in the wings.

That’s how the initial landscape looked shortly after Epic’s announcement, and many predicted things would quickly go horribly wrong.

Did things go horribly wrong?

They most certainly did. In the end, it wasn’t even a rogue app causing mayhem but an issue found with Fortnite’s installer that allowed for the possibility of rogue apps onboard to hijack the installer and install their own junkware. The so-called “Man in the Disk” attack looks for apps not locking down external storage as well as they should, and quickly gets to work exploiting things happening under the hood.

The uproar over the installer kerfuffle was rounded off with a bit of a fierce debate on Twitter, because that’s what happens with everything in life now.

What happens next?

Whether they like it or not, Epic are now the standard bearer for “app developer going off range into the (incredibly wealthy and insecure) wilderness.” I don’t believe an Android app has attracted quite this much attention before, and that’s without throwing the no Google Play install angle into the mix.

What they’re also stuck with is the realization that for as long as they continue to remain outside of the Google Play ecosystem, stories will come back to haunt them regarding malware installs masquerading as the real thing, social engineering tricks convincing children to download dodgy Fortnite add-ons from Russian servers, and potential SEO poisoning leading would-be gamers astray.

Google Play certainly isn’t perfect, and plenty of rogue apps have been found lurking there through the years. I think most security professionals would argue it’s still an awful lot riskier to switch off the unknown source install ban than it is to visit Play and grab an app, though.

Let’s also not single out Epic on this one; it’s not just game developers taking tentative steps into the world of unknown installs—even mobile phone providers do it. About four or five years ago, I replaced my phone and took out a package deal with a well-known UK retailer. Part of the deal was “six free games for your Android.” Sounds great, right? Except I quickly realized that to get the games, you had to enable unknown source installs and download the six .APK files directly from the phone provider’s website.

At no point did anyone say anything about how turning off a security feature of the phone I’d just been sold was a bad idea. Nothing in the literature provided mentioned anything beyond, “Wow, turning this off is a really good idea, free games! Wow!” This is also at a time when I was regularly writing about fake Angry Birds/Flappy Bird downloads hosted on Russian websites.

Once installed (via dragging and dropping from desktop to mobile through the magic of USB cables), those fake bird-themed games would typically try and perform premium rate SMS shenanigans. This only worked because some people were running around with unknown source installs permitted, and they’d still have to try and social engineer the ones that weren’t into turning it on.

Unknown installs: so hot right now

Now we’re at a point where unknown source installs are not only mainstream but currently attached to the wheels of an absolute gaming juggernaut. There are serious security issues that Epic needs to consider, and it’s going to be fascinating looking back in six to 12 months and deciding if promoting unknown source installs in this way caused a maelstrom of security headaches from all sides, or a large pile of “absolutely nothing much happened.”

If it’s the latter, you can bet more developers will want to take advantage of this method. Then the threat landscape will become significantly more complicated in mobile land.

The post Fortnite’s Google Play rebuff sparks security concerns for Android users appeared first on Malwarebytes Labs.

A week in security (August 27 – September 2)

Last week, we looked at dubious antics in mobile land, a peculiar case of spam on the official Cardi B website, and we deep dived into fileless malware. We also explored the inner workings of Hidden Bee, and gave an explainer of Regex.

Other cybersecurity news:

Stay safe, everyone!

The post A week in security (August 27 – September 2) appeared first on Malwarebytes Labs.

New BondPath Android Spyware Retrieves Chat Data From Messaging Apps

Researchers uncovered an Android spyware family called BondPath that is capable of retrieving chats from several mobile messaging apps while spying on other types of information.

BondPath has been around since May 2016, but in July 2018, researchers at Fortinet observed that some samples were still in the wild. Those specimens masqueraded as “Google Play Store Services,” an application signed by an unknown developer known only as “hola.” The name of this malicious application is intentionally similar to Google Play Services, the title of the process Google uses to update Android apps from the Play Store.

Upon successful execution, BondPath assumes the ability to steal an infected device’s browser history, call logs, emails and SMS messages. But a few less frequently used capabilities made BondPath stand out to the researchers, such as its ability to monitor an infected smartphone’s battery status. It could also steal chats from WhatsApp, Skype, Facebook, Line and other mobile messaging apps.

The Rise and Fall of Spyware

According to Verizon’s “2018 Data Breach Investigations Report,” spyware and keylogger malware were involved in 121 security incidents and 74 data breaches in 2017. This threat category increased its activity during the second half of 2017 and the beginning of 2018, yielding a 56 percent increase in detections during the first quarter of 2018, according to Malwarebytes. Spurred in part by a series of large attack campaigns pushing Emotet, Malwarebytes named spyware as the top detected business threat for the quarter.

Near the end of the first quarter, spyware activity declined significantly. It continued falling throughout the second quarter, ultimately decreasing by 40 percent, according to Malwarebytes. In that span of time, TrickBot was the most prevalent form of spyware after it added the ability to hijack cryptocurrency earlier in the year.

How to Protect Against Mobile Threats

To defend their organizations against BondPath and similar mobile threats that originate in official app stores, security teams should keep applications and operating systems running at the current patch level, verify the legitimacy of unsolicited email attachments through a separate channel, and monitor their IT environment for the indicators of compromise (IoCs) listed in the IBM X-Force Exchange threat advisory.

Sources: Fortinet, Verizon, Malwarebytes, Malwarebytes(1)

The post New BondPath Android Spyware Retrieves Chat Data From Messaging Apps appeared first on Security Intelligence.

Mobile Menace Monday: FakeGift is the gift that keeps on frustrating

Last spring, we found yet another piece of riskware on Google Play we call Android/PUP.Riskware.FakeGift. Based on Hindi characters found in the code, we can assume it originates from India. With over 50,000 installs before being removed from Google Play, FakeGift apparently kept on giving—frustration to its users, that is.

Click to view slideshow.

Gift cash money

As the name implies, FakeGift offers just that—fake gifts. Admittedly, it does so in a kind of fun way.  Here’s how it works: Every day you are given 10 free “gifts.”  As shown below, after the opening splash screen, the home page displays a gift box.

Click to view slideshow.

Press the gift box and you’ll receive a “gift” in rupees. The amount of rupees gifted is random. The gifted amount is then added to a balance found in the upper right part of the screen.

After pressing the gift box 10 times, it will let you know you’re done for the day—even after closing and reopening.

Click to view slideshow.

You can also accumulate rupees by pressing “Share,” which redirects you to WhatsApp. Note that if you don’t have Whatsapp, it just gives an error message stating, “Whatsapp not installed on this device.”  Once in Whatsapp, simply pick a victim…er…friend to send a message. In Hindi, the message says:

सभी स्मार्टफोन यूजर ध्यान दे 📱📱📱ऑनलाइन पैसे 💰कमाने का एक बहुत ही सुनहरा अवसर हैं आपके पास, “इसे एक बार जरूर पढ़े”| 👇👇👇👇👇 🎁🎁🎁 गिफ्ट मनी में आपका स्वागत हैं🎁🎁🎁गिफ्ट मनी दे रहा हैं पैसे कमाने का एक सुनहरा मौका गिफ्ट खोले और पैसा कमाए | गिफ्ट मनी अप्प में आप रोजाना 400-500 रूपए आसानी से कमा सकते हो | महीने के 15000 से 20000 रूपए आपकी इनकम हो सकती हैं | दोस्तों आपको 1 दिन में 10 गिफ्ट मिलेंगे उन गिफ्ट को आपको खोलना हैं आपके लक के अनुसार गिफ्ट में कितने भी रूपए निकल सकते हैं और गिफ्ट मनी आपको फ्री में गिफ्ट नहीं दे रहा हैं आपको रोजाना अप्प में 10 मिनट का वर्क करना हैं उसी के पैसे आपको दे रहा हैं तो दोस्तों पैसे कमाने के इस अच्छे मोके को गवांये नहीं और अभी डाउनलोड करे और वर्क स्टार्ट कर दे| Download this link <hidden Google Play link>

Rough translation using Google Translate:

All Smartphone users pay attention 📱📱📱 Online money is a great opportunity to make money, “You must read it once.” 👇👇👇👇👇 में Welcome to Gift MoneyGift Money is giving you a golden opportunity to earn money, open gifts and earn money. You can easily earn 400-500 rupees per day in the Gift Money App. You can earn from 15,000 to 20000 rupees a month. Friends, you will get 10 gifts in 1 day, you have to open those gifts according to your luck, how many rupees can get in the gift and gift gift is not giving you a free gift. You have to work 10 minutes daily in the work of the money If you are giving it, then guys do not miss this good thing to earn money and download it now and start work. Download this link <hidden Google Play link>

Every WhatsApp message sent is an additional 10 rupees.

FakeGift, the gift that keeps on giving…absolutely nothing

After accumulating some rupees, you can then press “Payment” from the home screen to redeem.  As shown below, you have three payment options.

Picking PayPal, it pops up this message.

Translation: For Balance Transfer in Paypel First Time should be 5000 rupees. After that you can transfer the balance daily. Thank you.

Here’s where it gets shady. After you accumulate the required 5,000 rupees, you still can’t transfer the money. Angry Google Play reviews show the disappointment.

One review (very) roughly translates to, “The money has to be 5000 every time you are cutting money and not being added, this is a fake app. Friends, do not waste your time.”

The fun ends

Although fun at first, the realization that there’s no award at the end turns fun into frustration. For many, this comes only after sharing with multiple friends via WhatsApp. Using this method, the app was able to gain over 50,000 installs. Also, another variant was found using a different name, but playing the same game. It also received around 50,000 installs. The good news is the only damage done is wasted time and nothing worse. Stay safe out there!

The post Mobile Menace Monday: FakeGift is the gift that keeps on frustrating appeared first on Malwarebytes Labs.

Hackers gain access to millions of T-Mobile customer details

T-Mobile has fallen foul of yet another cybersecurity issue. In a statement released this week the company said that an unauthorized entry into its network may have given hackers access to customer records, including billing ZIP codes, phone numbers, email addresses and account numbers. According to T-Mobile, the intrusion was quickly shut down, and no financial data, social security numbers or passwords were compromised.

Source: ZDNet

Fortnite: When Dollars and Cents Trumps Security!

When Epic Games recently announced and subsequently released Fortnite for Android, it took the decision to bypass the Play Store and ask users to side-load the app. After I read that Epic Games’ brilliant idea was to ask Android users to essentially downgrade the security on their devices, there was a lot of head-on-desk action.

Side-loading an app onto an Android device is essentially asking the user to download it from a website instead of the Play Store and then ignore the Android warnings about installing apps from untrusted locations. In more recent Android versions this safety net is called “Install unknown apps” and when a user tries to install an app directly from a website, the operating system will ask them a few times if they really want to do this. Note that this is does not affect users on Apple iOS devices as Apple locks down app distribution to the App Store.

Don’t get me wrong, I understand both the business reason and the developer logic that drove Epic Games to release the Android version in this way. For developers, Android’s lack of homogeneity means they often have to validate their app across multiple stores, each with its own constraints and minimum requirements. Thus, what should be a simple app release can gain an Nth degree of complexity; increased time to develop and associated maintenance, leading to increased cost. This is not an attractive prospect for any vendor wanting to deliver a product. Added to the fact that the Play Store takes a 30% cut on all transactions, you can see why an app vendor would look to avoid this if they could! Let’s face it, gaming companies have to make money in order to recuperate the investment in the development and maintenance of the game.

You may be reading this wondering why incentivising users to side-load popular games is really a problem. Fundamentally, it introduces bad habits to users. These bad habits break down the general foundations of mobile device security. The Fortnite game has a huge following and we can’t neglect the message being sent not only to users but also other app developers.

In InfoSec, we constantly argue the benefits of teaching users about safe and secure principals when using electronic devices, browsing the web and installing applications. The Epic Games Android installation is the antithesis of these teachings, instead sending a clear message to users – especially a younger generation that will one day enter the workforce – that it is ok to install apps from any location.

The fact is, Epic Games is inadvertently making  it easier for a malicious party to trick users into downloading fake apps and providing an opportunity for these malicious parties to introduce fake apps in the official store. This has been seen before, especially in the banking industry, and was even the case for Fortnite itself during the beta period. Google Pay Protect is one element of sanity in this situation as it will scan the apps on the device. Unfortunately this is only a recent addition to Android and is not always available depending on the version or the manufacturer of the device.

The issues continue even after the app is installed and being used. Fortnite, like many games, is free to play but relies extensively on in-app purchases – the pay to win paradigm. By not using the Play Store to deliver the app originally, the vendor needs to set-up its own payment infrastructure and ensure it is safe. This in itself is not an easy task and can be thwart with errors and potential for data loss.

Stepping back and analysing the situation, where does one place blame? I think a majority of us in the industry, myself included, will scorn the vendor for not doing the right thing and promoting bad habits to users. Looking beyond the initial rapid shame response from the industry, I think it is interesting to put oneself in the vendor’s shoes. I can see how the lack of standardisation, draconian process and exorbitant fees would make it unattractive to go to market via the various app stores in the “proper way”. Perhaps it is time for companies like Apple and Google to rethink the app distribution model, so all can benefit from a secure platform?

Realistically, I believe that this situation just boils down to the ability for a business to make a profit and you know what, this isn’t the first time or place where security has been compromised or downgraded because of money. Let’s face it, we see it all the time – most recently in IoT security and more generally in corporate security when a security risk is accepted instead of investing time and funds in fixing it.

This is why we can’t have secure things!

Update: Seems like fake Fortnite apps are already in the wild, more here

Thanks to Hannah Finch for the editorial review

The post Fortnite: When Dollars and Cents Trumps Security! appeared first on Liquidmatrix Security Digest.

Windows Phone Lives on in Android

For a little less than a year now, I have been using a Samsung smartphone for both work and play. Having owned a Windows Phone for nearly a decade, and happily so I might add, I was forced to migrate to one of two platforms—Apple or Android. Being the practical fellow that I am, I chose the Android route with little consideration for Apple, and for good reason.

After all, in my opinion, Apple seems to have a long history of gouging its customers similar to Disney, but I digress. People buy Apple stuff mainly for its cachet. It’s like a piece of jewelry. I get it. And just like a lot of jewelry, it’s often overpriced and not entirely functional. Yes, I will admit, I’ve never been much of an Apple fan, much less one of Steve Jobs. But Apple’s products are simply overpriced, and until recently, didn’t even include the latest technology.

Now, back to the good old Windows Phone. You know, that seemingly ephemeral blip on the radar screen of smartphones that no one had ever heard of, much less purchased, here in the United States. Interestingly, the device was wildly popular in some European countries, but not here in the U.S. in part because of the ferocious onslaught of anti-Microsoft trolls, or more specifically, Apple and Android stalwarts. They did nothing but trash talk the device constantly. I witnessed it firsthand being a Windows Phone fan.

The anti-Redmond giant types simply did not want the device to succeed and here’s why; First, Microsoft at the time was perceived as the anti-Christ in the tech industry, due to its hold on proprietary technology patents and the emergence of the open source software movement. Secondly, it had previously been chastised in U.S. courts for anti-trust behavior regarding the bundling of Windows and its web browser Internet Explorer. The public eventually soured on Microsoft and its technology and for quite some time, enough to essentially kill off any interest by developers and consumers in Windows Phone.

But that’s all history now. The de facto titans or leaders of the smartphone industry are Samsung and Apple. Pure and simple, it’s now a duopoly between the two. Windows Phone was a distant third, but it is all but dead now. Sans a select few of hangers-on that are hoping for Microsoft to release a new smartphone to replace it, mainly in the form of a Surface smartphone, it looks like it’s curtains for the device. And based on the latest soothsayers in the media, that idea has now indeed been shelved or put to rest by Microsoft.

So what options do Windows Phone fans have now? Fortunately, they now have two courses of action and maybe three, if and only if, Microsoft releases a Surface smartphone. The first foundational replacement examples are Android based smartphones from Samsung, otherwise known as the Galaxy series. They are robust and highly customizable, unlike Apple’s smartphones, particularly the home screens. The other option is Apple, but for many Windows Phone fans it's a non-starter. The iPhone's price and lack of customization would most likely deter them.       

Windows Phone Emulators for Android abound in Google Play, but one stands out among them all—Launcher 10. This formidable app allows Android users to completely replace their home screen with the Windows Phone UI or Live Tiles, and then some. In fact, the app actually outperforms the original UI with ultra-customizable features. Take my word for it Windows Phone fans, you’ll love it—if you can get yourself to switch to Android. It’s a big jump, I know, but it’s not as bad as it seems. In fact, the user experience is nearly imperceptible between the two phone platforms or devices (i.e. the Windows Phone and Android smartphone) once it is installed.

The only caveat I might add is that Google tracks your every move on Android based devices, otherwise known as “surveillance capitalism”. Tracking is turned on by default, but Google claims it can be turned off, albeit via a time consuming process.

The second-best choice for former Windows Phone users on Android is Microsoft Launcher. This cool little app by Microsoft essentially allows you to replace most of Google’s crappy stock apps that come on Samsung devices with their own, sans Contacts, and of course, the Phone or Call app. Unfortunately, their replacement for Samsung’s or Android’s stock home screen looks nothing like Live Tiles, but it does load all your favorite Microsoft apps like Outlook, OneDrive, Word and Excel effortlessly in one quick install.

Finally, my suggestion for Windows Phone fans for the best Windows Phone experience is to install Microsoft Apps and Launcher 10 you should you choose to go the Android route. Specifically, install Microsoft Apps first to replace your Google Apps, including the enabling of your phone to automatically save any photos you take on the phone to Microsoft OneDrive. Then, install Launcher 10 to replace Microsoft Launcher’s home screen with Live Tiles emulation app, Launcher 10.

Finally, if you're simply interested in replacing Google productivity apps on your Android device without having a Windows Phone UI, then install Microsoft Apps and Microsoft Launcher. One of the coolest and most productive features of Microsoft Apps is it's ability to push mobile texts to your desktop for two-factor authentication as well as to see any text via Windows 10 notifications--the flyout that's now native to Windows users. You can also reply directly to texts from your desktop rather than having to text cumbersomely on your mobile phone.

Apple’s new USB security feature has a major loophole

Apple's new USB Restricted Mode, which dropped with the iOS 11.4.1 release yesterday, may not be as secure as previously thought. The feature is designed to protect iPhones against USB devices used by law enforcement to crack your passcode, and works by disabling USB access after the phone has been locked for an hour. Computer security company ElcomSoft, however, has found a loophole.

Source: ElcomSoft

Security researcher bypasses iPhone’s limit on passcode attempts (updated)

It's not easy breaking into a locked iPhone. Try too many times and you can get locked out for years, even decades, or lose the device's data altogether. That's why law enforcement had to put pressure on Apple to unlock the San Bernardino shooter's iPhone, and why cops across the country are buying an affordable iPhone cracker called GrayKey. Hacker House cybersecurity firm co-founder Matthew Hickey, however, has discovered a way to bypass the device's security measures, even if it's running the latest version of Apple's mobile platform. Apparently, a hacker will only need "a turned on, locked phone and a Lightning cable."

Update: An Apple spokesperson has reached out and told us its devices have no vulnerability: "The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing."

Source: ZDNet, Matthew Hickey

The Do’s and Don’ts when using Public Wi-Fi

Curl up in a chair at your favorite coffee house, the aroma of premium coffee filling the air, take a few sips of your 700 calorie latte, and then enter cyberspace. Little do you know that you could have a stalker. Or two. Or 3,000. Because public Wi-Fi is there for the picking for hackers. Online transmissions can be intercepted. The credit card number that you enter onto that retailer’s site can be “seen.”

Don’t Do These at a Public Wi-Fi Site

  • Never leave your spot without your device on you—not even for a moment. You may come back and still see your computer where you left it…but a thief may have installed a keylogger into it to capture your keystrokes.
  • Do not e-mail messages of a sensitive or serious nature.
  • When your computer begins seeking out a network to connect to…do not let it just drift to the first one it wants; see if you can choose one.
  • Don’t leave on your file sharing.
  • If you’re not using your wireless card, then do not leave it on.
  • Don’t do banking or any other sensitive activities.
  • Don’t position your device so that someone nearby can see the screen.

Yes, Do These when at a Public Wi-Fi Spot

  • Look around before you settle into a nice spot.
  • Sit somewhere so that your back is facing a wall.
  • Assume all Wi-Fi links are suspicious—kind of like assuming all drivers are drunk whenever you go out driving. A wireless link may have been set up by a hacker.
  • See if you can confirm that a given Wi-Fi link is legitimate.
  • Assume that if the connection name is similar to the Wi-Fi spot, that this could mean that the hacker was clever. Inquire of the manager of the coffee shop, hotel, etc., for information about their Wi-Fi access point.
  • You should consider using your cell phone for sensitive activities such as online shopping.
  • But cell phone or not, see if you could avoid visiting sites that can make it easier for hackers to nab your data—sites such as banking, social media and any site where your credit card information is stored.

Use a VPN. This stands for virtual private network. What a VPN does is create an impervious tunnel through which your data travels. Hackers cannot penetrate this tunnel, nor can they “see” through it. Your data is safe. The tunnel encrypts all of your banking and other sensitive transactions, as well as sensitive e-mail communications, plus downloads, you name it. With a virtual private network, you will not have to worry about a thief or snoop intercepting your transmissions.

Robert Siciliano is a Security and Identity Theft Expert. He is the founder of Safr.me a cybersecurity speaking and consulting firm based in Massachussets. See him discussing internet and wireless security on Good Morning America.

ICE in your mobile. Sounds great, but is it really a good idea?

Another Internet and Facebook chain letter you no doubt have seen. Paramedics recommend adding a contact record named ICE in your mobile phone. It stands for In Case of Emergency and helps contacting your closest relatives if you have an accident. Sounds great, but let’s take a closer look first.

This is actually not a typical hoax chain letter because it’s based on facts. The idea emerged in UK in 2005, and was indeed introduced by paramedics. It’s a novel idea with good intentions and might have worked in the era before the smartphone. But it’s badly outdated now. I sincerely hope that people start circulating updated instructions rather than the original 10 years old idea.

Here’s why.

  • First, ICE is a nice idea. But it’s NOT the primary interest of paramedics. Their job is to save your life. They are going to concentrate on that rather than playing with your gadget. But ICE-info may still come in handy later at the hospital when the dust settles a bit.
  • Knowledge of some medical conditions is important to paramedics helping a trauma patient. Persons with conditions of this kind wear special medical IDs, necklaces or bracelets, and paramedics are trained to look for them. This has nothing to do with ICE.
  • Our smartphone is a key to all our on-line accounts, e-mail, Facebook, Twitter, cloud storage, you name it. It MUST be locked with a good password, otherwise you take a huge digital risk. And that unfortunately kills the idea with an ICE phonebook record. It’s not worth leaving the phone unprotected because of the ICE-record. Don’t even consider that!
  • Sometimes good old low-tech solutions are far better than digital technology. This is one of those cases. Write the ICE info on a sticker and put it on your phone or anything you carry with you. ID papers, like your driving license, are probably the best items as they are likely to be brought with you to the hospital.
  • If you are a bit nerdy, like me, you may still want a digital solution. Check your mobile for a function or app that puts free form text on the lock screen and use it for ICE. Some phones may even have a separate ICE function for this purpose. But use it as a complement to the good old sticker, not as a replacement.

So to summarize. ICE is in theory a good idea, but not really crucial for your survival. It’s not worth sacrificing your digital safety for it. Especially when you simply need a pen and paper to create an ICE record that is more reliable, safer and easier to use!

 

Safe surfing,
Micke

 

PS. Full medical ID can also be put on the mobile’s lock screen, at least on Android and iPhone. I’m not sure if this is a good idea. A solid necklace of stainless steel somehow feels better for stuff that can mean the difference between life and death. A complement to the necklace is of course never wrong but I really hope that nobody who really needs it trust this as their only medical ID!

 

Image by Ragesoss through Wikimedia

 

The Evolution of Mobile Security

Today, I posted a blog entry to the Oracle Identity Management blog titled Analyzing How MDM and MAM Stack Up Against Your Mobile Security Requirements. In the post, I walk through a quick history of mobile security starting with MDM, evolving into MAM, and providing a glimpse into the next generation of mobile security where access is managed and governed along with everything else in the enterprise. It should be no surprise that's where we're heading but as always I welcome your feedback if you disagree.

Here's a brief excerpt:
Mobile is the new black. Every major analyst group seems to have a different phrase for it but we all know that workforces are increasingly mobile and BYOD (Bring Your Own Device) is quickly spreading as the new standard. As the mobile access landscape changes and organizations continue to lose more and more control over how and where information is used, there is also a seismic shift taking place in the underlying mobile security models.
Mobile Device Management (MDM) was a great first response by an Information Security industry caught on its heels by the overwhelming speed of mobile device adoption. Emerging at a time when organizations were purchasing and distributing devices to employees, MDM provided a mechanism to manage those devices, ensure that rogue devices weren’t being introduced onto the network, and enforce security policies on those devices. But MDM was as intrusive to end-users as it was effective for enterprises.
Continue Reading

IAM for the Third Platform

As more people are using the phrase "third platform", I'll assume it needs no introduction or explanation. The mobile workforce has been mobile for a few years now. And most organizations have moved critical services to cloud-based offerings. It's not a prediction, it's here.

The two big components of the third platform are mobile and cloud. I'll talk about both.

Mobile

A few months back, I posed the question "Is MAM Identity and Access Management's next big thing?" and since I did, it's become clear to me that the answer is a resounding YES!

Today, I came across a blog entry explaining why Android devices are a security nightmare for companies. The pain is easy to see. OS Updates and Security Patches are slow to arrive and user behavior is, well... questionable. So organizations should be concerned about how their data and applications are being accessed across this sea of devices and applications. As we know, locking down the data is not an option. In the extended enterprise, people need access to data from wherever they are on whatever device they're using. So, the challenge is to control the flow of information and restrict it to proper use.

So, here's a question: is MDM the right approach to controlling access for mobile users? Do you really want to stand up a new technology silo that manages end-user devices? Is that even practical? I think certain technologies live a short life because they quickly get passed over by something new and better (think electric typewriters). MDM is one of those. Although it's still fairly new and good at what it does, I would make the claim that MDM is antiquated technology. In a BYOD world, people don't want to turn control of their devices over to their employers. The age of enterprises controlling devices went out the window with Blackberry's market share.

Containerization is where it's at. With App Containerization, organizations create a secure virtual workspace on mobile devices that enables corporate-approved apps to access, use, edit, and share corporate data while protecting that data from escape to unapproved apps, personal email, OS malware, and other on-device leakage points. For enterprise use-case scenarios, this just makes more sense than MDM. And many of the top MDM vendors have validated the approach by announcing MAM offerings. Still, these solutions maintain a technology silo specific to remote access which doesn't make much sense to me.

As an alternate approach, let's build MAM capabilities directly into the existing Access Management platform. Access Management for the third platform must accommodate for mobile device use-cases. There's no reason to have to manage mobile device access differently than desktop access. It's the same applications, the same data, and the same business policies. User provisioning workflows should accommodate for provisioning mobile apps and data rights just like they've been extended to provision Privileged Account rights. You don't want or need separate silos.

Cloud

The same can be said, for cloud-hosted apps. Cloud apps are simply part of the extended enterprise and should also be managed via the enterprise Access Management platform.

There's been a lot of buzz in the IAM industry about managing access (and providing SSO) to cloud services. There have even been a number of niche vendors pop-up that provide that as their primary value proposition. But, the core technologies for these stand-alone solutions is nothing new. In most cases, it's basic federation. In some cases, it's ESSO-style form-fill. But there's no magic to delivering SSO to SaaS apps. In fact, it's typically easier than SSO to enterprise apps because SaaS infrastructures are newer and support newer standards and protocols (SAML, REST, etc.)

My Point

I guess if I had to boil this down, I'm really just trying to dispel the myths about mobile and cloud solutions. When you get past the marketing jargon, we're still talking about Access Management and Identity Governance. Some of the new technologies are pretty cool (containerization solves some interesting, complex problems related to BYOD). But in the end, I'd want to manage enterprise access in one place with one platform. One Identity, One Platform. I wouldn't stand up a IDaaS solution just to have SSO to cloud apps. And I wouldn't want to introduce an MDM vendor to control access from mobile devices.

The third platform simply extends the enterprise beyond the firewall. The concept isn't new and the technologies are mostly the same. As more and newer services adopt common protocols, it gets even easier to support increasingly complex use-cases. An API Gateway, for example, allows a mobile app to access legacy mainframe data over REST protocols. And modern Web Access Management (WAM) solutions perform device fingerprinting to increase assurance and reduce risk while delivering an SSO experience. Mobile Security SDKs enable organizations to build their own apps with native security that's integrated with the enterprise WAM solution (this is especially valuable for consumer-facing apps).

And all of this should be delivered on a single platform for Enterprise Access Management. That's third-platform IAM.

Is MAM Identity and Access Management’s next big thing?

Mobile Application Management is making waves. Recent news from Oracle, IBM, and Salesforce highlight the market interest. It's a natural extension of what you've been hearing at Identity trade shows over the past few years (and this year's Gartner IAM Summit was no exception). The third platform of computing is not a future state. It's here. And Identity and Access solutions are adapting to accommodate the new use case scenarios. ...onward and upward.

[Update - interesting discussion of the IAM technology stack for mobile by SIMIEO]