Posted by: David Harley | September 28, 2018

This week’s roundup

John Leyden for The Register: Looking after the corporate Apple mobile fleet? Beware: MDM onboarding is ‘insecure’ – “Hackers can blow holes in Apple’s managed service technology and sneak their own rogue devices onto corporate fleets of mobile iThings.

Weaknesses in Apple’s Device Enrollment Program (DEP) allow the ne’er-do-wells to run targeted attacks on both the networks of the corporate shiny-shiny and the backend systems that support them, researchers at Duo Security warned.”

Charlie Osborne for ZDNet: Android spyware in development plunders WhatsApp data, private conversations – “The malware’s code hosts a variety of surveillance functions and is available to the public.” Based on research by ESET researcher Lukas Stefanko and G Data.

Rebecca Hill for The Register: Sneaky phone apps just about obey the law, still have no trouble guzzling your data, says Which?

“Apps use sneaky tactics to get UK users to hand over more info than they need to – and privacy policies remain long and confusing.

These claims were this week emitted by Brit consumer rights body Which? in a report into data privacy of 29 commonly used Android and iPhone apps released.”

Ionut Ilascu for Bleeping Computer: macOS Mojave Privacy Bypass Flaw Allows Access to Protected Files – “In a minute-long clip, Patrick Wardle shows that the security in the dark-themed macOS can be bypassed to reach sensitive user data, such as the information in the address book….he’s holding the technical details until his upcoming Mac Security conference that he’s organizing in Maui, Hawaii, in November.” I can just see the sceptical expressions on the faces of security department heads when their researchers tell them they need to go to a conference in Hawaii…

Commentary from Shaun Nichols for The Register: Apple’s dark-horse macOS Mojave is out (and it’s already pwned) – “Wardle claims to topple privacy protections in new OS – which comes with security fixes”

Sophos: Cryptojacking – coming to a server-laptop-phone near you (and how to stop it) – Paul Ducklin’s summary of blockchain and cryptojacking, with particular reference to Android.

David Harley

Posted by: David Harley | September 24, 2018

Android malware (and iOS enhancements)

Research from Check Point: Meet Black Rose Lucy, the Latest Russian MaaS Botnet –

“The Black Rose Lucy MaaS product is a malware bundle consisting of:

  • Lucy Loader – a remote control dashboard, which controls an entire botnet of victim devices and hosts and deploys additional malware payloads.
  • Black Rose Dropper – a dropper that targets Android phones, collects victim device data, listens to a remote command and control (C&C) server and installs extra malware sent from a C&C server.”

Lukas Stefanko for ESET: Fake finance apps on Google Play target users from around the world – “Cybercrooks use bogus apps to phish six online banks and a cryptocurrency exchange…the apps have impersonated six banks from New Zealand, Australia, the United Kingdom, Switzerland and Poland, and the Austrian cryptocurrency exchange Bitpanda. Using bogus forms, the malicious fakes phish for credit card details and/or login credentials to the impersonated legitimate services.”

On a more positive note (but not on the Android front)… John E. Dunn for Sophos: iOS 12 is here: these are the security features you need to know about

David Harley

Posted by: David Harley | September 18, 2018

Krebs: commentary on global authentication via your wireless carrier

Brian Krebs: U.S. Mobile Giants Want to be Your Online Identity – “The four major U.S. wireless carriers today detailed a new initiative that may soon let Web sites eschew passwords and instead authenticate visitors by leveraging data elements unique to each customer’s phone and mobile subscriber account, such as location, customer reputation, and physical attributes of the device.” What could go wrong? Well, too much for the idea to appeal to Krebs, and I have to say I agree. These carriers have not covered themselves with glory so far as regards their own/their customers’ authentication.

David Harley

Posted by: David Harley | September 18, 2018

Flushing the Mac App store

Two instances of app removal from the Mac App Store. The first concerns a legitimate security vendor, but some of its tools have been removed after it was noted that they seemed to be collecting more data than they should have been.

Shaun Nichols for The Register: Trend Micro tools tossed from Apple’s Mac App Store after spewing fans’ browser histories – “While neither Apple nor Trend has responded to a request for comment on the matter, the removals are almost certainly a response to reports in recent days that the products appeared to covertly collect and upload private user data.”

Patrick Wardle: A Deceitful ‘Doctor’ in the Mac App Store – “a massively popular app, surreptitiously steals your browsing history”

Tomáš Foltýn for ESET: Apple yanks top grossing app from Mac App Store for grabbing private user data – “The several thousand glowing reviews that Adware Doctor had garnered prior to its removal were “likely fake”, researchers say”

David Harley

Posted by: David Harley | September 18, 2018

Smartphones that talk too much

Daniel Oberhaus for Motherboard: Researchers Used Sonar Signal From a Smartphone Speaker to Steal Unlock Passwords – “Researchers at Lancaster University have used an active acoustic side-channel attack to steal smartphone passwords for the first time….‘We expect iPhones are similarly vulnerable, but we only tested our attack on Androids,’ Peng Cheng, a doctoral student at Lancaster University told me in an email.”

In brief, the idea is that the phone’s ‘acoustic signature’ can be used to determine the device users’ password when they unlock the phone.

Paper: SonarSnoop: Active Acoustic Side-Channel Attacks

Discussion on Bruce Schneier’s site: Using a Smartphone’s Microphone and Speakers to Eavesdrop on Passwords (it’s actually the comments that are, in some cases, worth reading).
