There's a worrying trend amongst businesses who haven't yet been through some kind of IT related security issue. It's human nature to think bad things only happ...
Masque Attack threat to iPhones, iPads
- Editor
Hackers can fake legitimate apps
A vulnerability in all Apple devices running iOS 7 or later - that's a whopping 95% of them - has surfaced which can trick users into replacing installed apps which they are familiar with, and therefore trust, with malicious ones.
Termed "Masque Attack" by the internet security company FireEye, the attack worked by replacing the icons on a user's home screen with identical ones the user was familiar with. The apps these launched, however, had been replaced by malware.
Getting these apps onto the devices in the first place was always considered nearly impossible, but with the recent discovery of malware such as "WireLurker" this now becomes a real concern.
Has Apple's iCloud been hacked?
- Editor
Celebrity photo leak sparks iCloud hack panic
Apple's CEO, Tim Cook, has announced that Apple will add additional security steps to block hackers from the iCloud following the celebrity photo leak scandal. These new measures include alerting users through email and push messages when a password change is attempted, a restore operation is performed or when the network first encounters a new device. Cook also announced further enhancements to the two-factor authentication system, which he encourages all users to activate in the new version of iOS.
The concerns focus around the backup feature the iCloud supports - in particular the fact that users were not notified when someone accessed a backup on another device. This is because it's thought that these offline backups were used as the attack vector in the celebrity nude photo hack, and not a direct breach of the iCloud itself.
USB Condoms: Do they really work?
- William Damage
Stop laughing at the back there...
Ever really thought about what USB devices are? Would it surprise you to learn they actually have all the elements of a full-blown computer, together with memory, data transfer and an OS? When you connect one to your computer, smartphone or laptop, you are in fact granting it access to the innermost corners of your device - and if the bad guys have got to it first, they are in there as well.
USB devices identify themselves using firmware, that is, software on the device itself that tells the kit it's connected to what it is (such as a keyboard, mouse or memory stick etc) and what it can do. The eagle-eyed amongst you will have already spotted the key there being "firmware", which is the software onboard the USB device itself. Software which can be reprogrammed. That's right - a keyboard can be told to tell whatever it is being connected to that it's a pair of Bluetooth speakers, and the host would not know any different and would blindly try to play audio through it. Even worse is the way the firmware can actually hide a bad payload completely - so any inspection doesn't show up anything untoward - until the time is right, when it can pounce and infect the host.
Android Security Modules: Security framework proposed
- William Damage
Android security is broken and we think we can fix it
North Carolina State University and the German institution Technische Universität Darmstadt have created a proposal to radically shake up and harden the Android security model. Termed ASM, for Android Security Modules, the proposal is aimed at creating a flexible kernel capable of embracing current and future security systems without compromising functionality.
There is a downside, however, in that implementing it requires some serious changes to the core Android security model - not least of which is root access to the devices - and these may well prove to be too difficult to implement whilst retaining backward compatibility with the millions of Android apps currently available. Once installed, however, root access isn't required for apps to take advantage of the system from then on. The hope is that users won't see any of this disruption, however, as manufacturers are encouraged to bake it into their devices so it's onboard when they leave the factory.
Can you smell a RAT?
- Editor
Beware SandroRAT: Android malware disguised as a security app
A nasty Remote Access Tool (RAT) has been uncovered which goes by the name of SandroRAT.
Disguised in a supposedly legitimate email from various respected financial institutions, the malware starts out by (ironically) warning users that malware has been detected on their phone.
Once a device is infected, its SMS messages, contacts, call logs and browser history are stolen and reported back to the bad guys. The malware can even activate the device's microphone, store recordings on the SD card and upload them remotely later.
Beware: New Facebook Smartphone Virus in the wild
- Editor
Facebook smartphone users warned
Users are being warned to avoid a new Facebook app claiming to allow them to change their profile page header and color. Victims are tricked into downloading the app, which then directs them to a phishing website that takes advantage of a weakness in the way Facebook handles its app pages. More than 10,000 users have already been hit, experts from internet security firm Cheetah Mobile warned.
The app is called "Facebook color changer" and when activated allows the hackers full access to the victim's Facebook contacts, profile and accounts. It is slightly unusual, and particularly sneaky, in that when first run it directs the users to a video supposedly showing how the color change function works. What the users don't realize, however, is that whilst watching this video, the hackers are actually rummaging through their Facebook account.
SMS Worm Virus targets Android
- Carl Whalley
Andr/SlfMite-A
In a return to the old-school way of spreading smartphone viruses, the recently discovered Andr/SlfMite-A worm "merely" sends a link to a site via an SMS to the first 20 contacts on the handsets it infects. This has proven to be a tricky method to stamp out, however, since a user's contacts usually trust those in each other's contact lists and so tend to click the link instinctively. The target link then installs the same virus on the recipient's handset, and so the whole process begins again.
It does more
The days when these kinds of worms spread for fun and did nothing else are long gone. This one, once on an infected device, tries to install Mobogenie, which is an alternative to Google's Play Store. Whilst there may well be nothing wrong with Mobogenie, it is obviously a concern that a virus is attempting to get users to download apps from a non-Google trusted app store. This is how it appears when it arrives on a handset:
The Fake-ID bug hits Android: How bad is it?
- Carl Whalley
Not fully checking security certificates
A long-standing defect in the Android certificate security system has been uncovered by BlueBox Labs. Google has confirmed a fix has already been applied, but concerns still exist over Android devices which live outside the Google mothership, and therefore won't be updated automatically. A Google spokesperson said "We appreciate BlueBox responsibly reporting this vulnerability to us. Third-party research is one of the ways Android is made stronger for users."
Forgot to double-check
Present in Android versions 2.1 to 4.4, the origins of the bug actually begin with the Apache open source web communications code, which is used by Android for managing its security certificates. Put simply, what's been happening is that the system of "I trust who you trust" - i.e. the chain of trust relationships - has been failing to actually double-check that those in the chain really are who they say they are. This is important because some apps are granted special privileges - for example, Adobe's Flash Player - which then gain access to areas not usually allowed even with the user's permissions. These special apps just wouldn't work otherwise, such as in the Flash example, which needs access to lower-level functions by its very nature. So, if an app could somehow switch the Adobe cert to a fake one but keep its id, Android wouldn't then "phone home" to check the cert is genuine and would continue to grant it these elevated privileges. It's the "phone home" part which has now been fixed.
New security system coming with Android L?
- William Damage
Hints from Google I/O at permission fixes
Along with the fanfare surrounding the UI makeover termed "material", this year's Google I/O threw up some other interesting nuggets which needed the boffins over at XDA Developers to uncover properly. It seems there is code in the Android L preview which throws up a screen asking for "at-time-of-use" permissions, like iOS, as opposed to the "at-time-of-install" only ones we see today. The implementation is purely speculative - i.e. it could turn out to use both, for example - but the mere presence of such code is the smoking gun you'd see if such changes were coming.
Users benefit
The existing permission system Android uses hasn't changed much from the start. It asks the users what features of the handset they are willing to grant to the app at the point of install only. Granted, if a future upgrade changes the required permissions they are again prompted to provide them, but it's all seen as rather a kludge in that something the user agreed to some time ago now has "free rein" over their data without reminding them exactly what it's allowed to do.
Phone app password fraud hits over 30 financial institutions
- William Damage
Global financial targets
A report this week revealed over 30 financial institutions spread over 6 countries have been hit by sophisticated malware on their smartphones. The attack convinces its victims to reveal their account details and passwords to the bad guys, even though the institutions make use of 2-factor authentication mechanisms. This is achieved by the fall-back system the bank uses which involves an SMS being sent - and where SMS's are used, smartphones - and in particular smartphone virus apps working in conjunction with other attack vectors - can be too.
"Emmental"
Trend Micro Inc. have dubbed the attack "emmental" with a wry nod to the famous Swiss cheese. Suspected to originate in Romania, the attack has hit institutions in Austria, Sweden, Switzerland and Japan, with damages totalling several millions of dollars, said Trend Micro Chief Cybersecurity Officer Tom Kellermann. Surprisingly, there is a fairly low-tech aspect to part of the attack - an email is sent with an attachment which, when opened, secretly sets up the victim's PC to visit fake versions of selected banks when they later use their browsers. Then, at this later point, they see what appears to be their real bank and supply their user credentials such as their account number and passwords. The bad guys then not only harvest these but also prompt them to download an app which is in fact a smartphone virus. Thinking it is legitimate since it seems to come from a trusted source, the users follow through with this and the perpetrators then have access to their smartphone details.