Devices

now browsing by tag

 
 

#nationalcybersecuritymonth | Security lifeline: WhatsApp to pull support for older Android and iOS devices next month

Source: National Cyber Security – Produced By Gregory Evans

Upgrade or be left behind

ANALYSIS Millions of smartphone users may have a little less mobile security next month, after WhatsApp withdraws its support for older versions of Android and iPhone operating systems.

Devices running on iOS 8 and earlier, or Android versions 2.3.7 and earlier, will no longer receive updates from the free messaging service, with app features expected to deprecate on these systems from February 1.

“WhatsApp for iPhone requires iOS 9 or later,” WhatsApp said in a recent statement on its website.

“On iOS 8, you can no longer create new accounts or reverify existing accounts.

“If WhatsApp is currently active on your iOS 8 device, you’ll be able to use it until February 1, 2020.”

According to the UK’s National Cyber Security Centre, a security vulnerability is much more likely to be exploited on end-of-life devices that run unsupported software.

The damage that these issues can cause also increases, with attackers finding an easy target in technology where the only fix available is to upgrade to patch supported hardware or operating system.

The general functionality of the retired product tends to break, as well.

“We don’t explicitly restrict the use of jailbroken or unlocked devices,” WhatsApp said.

“However, because these modifications might affect the functionality of your device, we can’t provide support for devices using modified versions of the iPhone’s operating system.”

There is no industry standard as to when to end support for dated versions of an app or software. The decision is largely decided in the boardrooms of tech conglomerates, and generally viewed as a balancing act between consumer market share, cost, and security.

In order to keep on top of the software lifecycle, consumers are often required to upgrade their hardware. In the case of Apple, iOS 13 – the latest version of its mobile OS – is only compatible with the iPhone 6S and above.

At the other end of the spectrum, iOS 8, Apple’s eighth major operating system released in 2014, receives only minimal third-party application support.

“Of course Apple wants us to upgrade to their latest and greatest iPhones and MacBooks,” Patrick Wardle, Mac security expert and creator of the infosec blog and security toolkit site Objective-See, told The Daily Swig last year.

“But from a security point of view (versus just a consumer/marketing point of view), there is no denying that the latest version of their software and hardware (for example devices) are often far more secure than their predecessors,” Wardle said.

“Users should really upgrade to newer versions,” he added.

Read the latest mobile security news and breaches

This is an ongoing game for consumers, and indeed businesses, to have a healthy level of security and rid themselves of, what is known in the industry, as technical debt – the migration away from Windows 7 is one example.

Affordability can outweigh the guarantee of vendor support, however, which illustrates the reality of many individuals who lose the security guarantee that comes alongside regular patches on compatible hardware.

While there are no official statistics related to the version types of mobile ownership, Angela Siefer, executive director of the US non-profit National Digital Inclusion Alliance (NDIA), says it’s safe to assume that those in low income brackets are less likely to be using the latest devices.

The most vulnerable populations are put at even more risk, she says.

“The situation with WhatsApp is definitely alarming, but it’s also not surprising,” Siefer told The Daily Swig.

“As technology keeps innovating there is going to continue to be people left behind, and society needs to figure out how to support those folks as technology moves forward.”

The NDIA works to address affordability issues related to internet access and ownership of digital devices. Part of that mandate is education, where security, in particular, needs to move outside the tech industry bubble in order to reach individuals who may not realize that their software needs fixes.

“They’re [consumers] not reading tech blogs, they’re probably not reading anything about WhatsApp, they’re just frustrated because now it [WhatsApp] doesn’t work anymore,” Siefer said.

There are certain cases where tech companies or software vendors provide extended support for their products, whether in full due to their popularity or through open sourcing specific applications, as the case with the iPhone.

But these third-party applications fall few and far between, and some, including Paul Roberts, founder of the right to repair infosec group Securepairs, believing legislation should compel companies to release unsuppoprted software into the public domain.

“So, in the context of WhatsApp, open source discontinued versions of the app and put it on GitHub,” Roberts told The Daily Swig.

“That way, technically minded users can pick up where the company left off: making a ‘public’ version of the app that will continue to work on older phones and tablets.”

WhatsApp deciding to make versions of iOS and Android obsolete follows a move to end its support for all Windows phones at the beginning of the year, similar to one taken by parent company Facebook in April 2019, which sunset Facebook, Messenger, and Instagram apps for users of the limited Microsoft smartphone.

WhatsApp is currently one of the most popular chat apps for smartphones operated in 2017 by an approximate 1.5 billion consumers across the globe.

The company did not reply to The Daily Swig’s request for comment about how many people use its service on the soon-to-be out-of-date operating system, but as Facebook, and other tech giants, continue to gain a foothold in emerging markets, consumer desire to hold onto older devices may drive the industry to rethink the end-of-life ecosystem.

RELATED Apple pulls U-turn on right to repair

Source link

The post #nationalcybersecuritymonth | Security lifeline: WhatsApp to pull support for older Android and iOS devices next month appeared first on National Cyber Security.

View full post on National Cyber Security

#cybersecurity | #hackerspace | US Navy Bans TikTok From Military Devices | Avast

Source: National Cyber Security – Produced By Gregory Evans

The U.S. Navy issued a bulletin announcing that the widely used social app TikTok is now seen as a cybersecurity threat and will no longer be allowed on any government-supplied devices. Reuters reported that the bulletin, posted on a Facebook page used by military personnel, warned government members that any device with the TikTok app installed would be blocked from the Navy Marine Corps Intranet. TikTok is a highly popular video-sharing app owned by the Beijing company ByteDance, which is currently under a U.S. national security review. The Navy is the second U.S. military branch to flag TikTok after Army leadership instructed cadets not to use the app last month. 

*** This is a Security Bloggers Network syndicated blog from Blog | Avast EN authored by Avast Blog. Read the original post at: https://blog.avast.com/us-navy-bans-tiktok-from-military-devices

Source link

The post #cybersecurity | #hackerspace |<p> US Navy Bans TikTok From Military Devices | Avast <p> appeared first on National Cyber Security.

View full post on National Cyber Security

Critical Flaw in GoAhead Web Server Could Affect Wide Range of IoT Devices

Source: National Cyber Security – Produced By Gregory Evans Cybersecurity researchers today uncovered details of two new vulnerabilities in the GoAhead web server software, a tiny application widely embedded in hundreds of millions of Internet-connected smart devices. One of the two vulnerabilities, assigned as CVE-2019-5096, is a critical code execution flaw that can be exploited […] View full post on AmIHackerProof.com

#cybersecurity | #hackerspace | End-of-Life Devices Pose Data Breach Risk

Source: National Cyber Security – Produced By Gregory Evans End-of-life devices not properly sanitized of data can cause compliance issues and make corporate data vulnerable GDPR, CCPA and the rest of the alphabet soup of privacy laws should have organizations looking more deeply at how and where they store and use data. While most companies […] View full post on AmIHackerProof.com

#infosec | #ISC2Congress: IoT Devices Pose Off-Network Security Risk

Source: National Cyber Security – Produced By Gregory Evans

Internet of Things (IoT) devices can still be a serious security threat even when they are off network.

Speaking on day three of the (ISC)² Security Congress in Orlando, Florida, 802 Secure CSO Michael Raggo shared research that demonstrated the risks posed by everyday IoT devices. 

In his talk titled “Cyber Physical Security: Addressing IoT Risks,” Raggo cited examples of threat actors gaining access to data centers via WiFi thermostats and spying on conferences by hacking into smart TVs mounted on boardroom walls.

“The problem goes far above and beyond the potential breach of data or risks to that data. It also has an impact on safety, privacy, and the whole operation of your entire network, especially if it’s an industrial IoT type of network,” said Raggo.

“What that means in terms of your policies and how you approach the problem, is that this is more than just protecting data and avoiding data exfiltration. Now we are talking about the safety and the privacy of people and employees.”

The impact of IoT security issues is far-reaching. According to Raggo, “roughly 50% of the new buildings being built in the United States have some kind of IoT functionality.”

Raggo said that ensuring the reliability and security of the lighting, power, and HVAC systems of your home and your business is a real challenge if those systems aren’t connected to your own network.

Although many people are familiar with Wi-Fi and Bluetooth, according to Raggo they often don’t have a clear understanding of how IoT devices are configured and who can actually connect to them.   

Raggo referenced experiments conducted in his own lab that had produced worrying results, exposing vulnerabilities in smartphones and surveillance cameras. In one test, he used a wireless thumb drive to access data on a hub.

“I simply plugged it into a USB port in the back of the hub and immediately videos started being recorded to my thumb drive. There was no authentication required,” said Raggo.

One threat Raggo drew attention to was Bluetooth skimming, where threat actors steal money by breaching credit card details used in transactions. After being asked to investigate a fast-food restaurant that had suffered a breach, Raggo used readily available Bluetooth scanning tools to detect a long-range Bluetooth device placed under the cash register that had been used to skim data.

____________________________________________________________________________________________________________________

#infosec #itsecurity #hacking #hacker #computerhacker #blackhat #ceh #ransomeware #maleware #ncs #nationalcybersecurityuniversity #defcon #ceh #cissp #computers #cybercrime #cybercrimes #technology #jobs #itjobs #gregorydevans #ncs #ncsv #certifiedcybercrimeconsultant #privateinvestigators #hackerspace #nationalcybersecurityawarenessmonth #hak5 #nsa #computersecurity #deepweb #nsa #cia #internationalcybersecurity #internationalcybersecurityconference #iossecurity #androidsecurity #macsecurity #windowssecurity
____________________________________________________________________________________________________________________

Source link

The post #infosec | #ISC2Congress: IoT Devices Pose Off-Network Security Risk appeared first on National Cyber Security.

View full post on National Cyber Security

A #Basic Z-Wave #Hack #Exposes Up To 100 #Million Smart #Home #Devices

So-called “smart” locks and alarms are proliferating across people’s homes, even though hackers have shown various weaknesses in their designs that contradict their claims to being secure.

Now benevolent hackers in the U.K. have shown just how quick and easy it is to pop open a door with an attack on one of those keyless connected locks. And, what’s more, the five-year-old flaw lies in software that’s been shipped to more than 100 million devices that are supposed to make the home smarter and more secure. Doorbells, bulbs and house alarms are amongst the myriad products from 2,400 different vendors shipping products with the flawed code. Tens of millions of smart home devices are now vulnerable to hacks that could lead to break-ins or a digital haunting, the researchers warned.

For their exploits, the researchers – Ken Munro and Andrew Tierney from Pen Test Partners – focused on the Conexis L1 Smart Door Lock, the $360 flagship product of British company Yale. As relayed to Forbes ahead of the researchers’ report, Munro and Tierney found a vulnerability in an underlying standard used by the device to handle communications between the lock and the paired device that controls the system. The flaw meant the communications could be intercepted and manipulated to make it easy for someone in the local area to steal keys and unlock the door.

The problematic standard was the Z-Wave S2. It provides a way for smart home equipment to communicate wirelessly and is an update from an old protocol, Z-Wave S0, that was vulnerable to exploits that could quickly grab those crucial keys. Indeed, they were “trivial” to decrypt, according to Pen Test Partners’ research.

Z-Wave S2 is more secure than S0. It comes with a method for sharing keys known as the Diffie-Helmann exchange; it’s a highly-regarded, tested method for ensuring that the devices shifting keys between one another are legitimate and trusted. But whilst the Yale device, purchased by Munro and Tierney just a couple of weeks ago and kept up to date, used that S2 protocol, the researchers found it was possible to quickly downgrade the device to the older, much less secure key-sharing mechanism.

During the period when a user paired their controller (such as a smartphone or smart home hub) with the device, Munro and Tierney could ensure the less-secure S0 method was used. From there, they could crack the keys and get permanent access to the Yale lock and therefore whatever building it was protecting, all without the real user’s knowledge. They believe they could carry out their attack, dubbed Z-Shave, from up to 100 meters away.

“It’s not difficult to exploit,” Munro said. “Software Defined Radio tools and a free software Z-Wave controller are all that’s needed.” In 2016, hackers created a free program designed to exploit Z-Wave devices called EZ-Wave.

Yale owner ASSA ABLOY said it understood the Z-Wave Alliance was conducting an investigation into the matter and was in close contact. ASSA ABLOY will also be conducting its own investigation, a spokesperson said, adding that it was “constantly updating and reviewing products in line with the latest technologies, standards and threats.”

No updates?

Munro told Forbes it should be possible to update many Z-Wave-based devices with a wireless update of both the app and the device. “However, it’s an issue with the Z-Wave standard, so would require a massive change by the Alliance, then an update pushed to all devices that support S2, which would likely stop them working with S0 controllers. And there are hardly any S2 controllers on the market. None in the U.K.,” he added.

Silicon Labs (SiLabs), the $4.5 billion market cap firm that owns the Z-Wave tech, admitted “a known device pairing vulnerability” existed. But it didn’t specify any upcoming updates and downplayed the severity of the attack, adding “there have been no known real-world exploits to report.”

The company referred Forbes to the first description of the S0 decryption attack, revealed way back in 2013 by SensePost, which determined the hack wasn’t “interesting” because it was limited to the timeframe of the pairing process. As a result, SiLabs said it didn’t see the S0 device pairing issue “as a serious threat in the real world” as “there is an extremely small window in which anyone could exploit the issue” during the pairing process, adding that a warning will come up if a downgrade attack happens. “S2 is the best-in-class standard for security in the smart home today, with no known vulnerabilities,” the spokesperson added, before pointing to a blog released by SiLabs Wednesday.

Munro said it would be possible to set up an automated attack that would make it more reliable. “It should be easy to set up an automated listener waiting for the pairing, then automatically grab the key,” he said.

The company said the problem existed because of a need to provide backwards compatibility, as a spokesperson explained: “The feature of S2 in question – device pairing – requires both devices have S2 to work at that level. But of course the adoption of this framework across the entire ecosystem doesn’t happen overnight. In the meantime, we do provide the end user with a warning from the controller or hub if an S0 device is on the network or if the network link has degraded to S0.”

Munro was flabbergasted at the vendor’s overall response. “After attempting responsible disclosure and getting little meaningful response, on full disclosure Z-Wave finally acknowledge that it’s been a known issue for the last few years. Internet of Things (IoT) devices are at their most vulnerable during initial set-up. S2 Security does little to solve that problem.”

advertisement:

The post A #Basic Z-Wave #Hack #Exposes Up To 100 #Million Smart #Home #Devices appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Gov’t to #put new #cybersecurity #measures in #place for smart #devices

Source: National Cyber Security News

As the number of devices grows, so does the level of security needed. The UK government is aiming to tackle this with a new initiative, but what is the tech sectors take on it?

The Government has announced new cybersecurity guidelines will need to be put in place to ensure smart devices are made safer.

Following a stream of cyber security breaches among Internet of Things (IoT) devices, the UK Government has said new cyber security guidelines are necessary to better protect users. The aim is to change the way devices are manufactured, as well as increasing the safety of individuals.

The government has predicted that each household across the UK has at least 10 internet connected devices, which is set to increase to 15 by 2020. With this increase of devices comes a bigger increase in security threats, meaning more must be done from a cybersecurity perspective. Recently, attacks have been carried out on various IoT devices such as smart watches, CCTV cameras and even children’s dolls.

The governments initiative has been developed alongside the National Cyber Security Centre (NCSC), and coincides with the new £1.9bn Cyber Security Strategy that is set to be implemented.

Read More….

advertisement:

View full post on National Cyber Security Ventures

Forever 21 #POS #Devices Contract #Malware #Infections

Source: National Cyber Security – Produced By Gregory Evans

Apparel retailer Forever 21 said in the end-week of December 2017 that malware infection on its point-of-sale machines resulted in hacking of data related to payment cards from a few specific stores during the year. Reportedly, the attack got aggravated due to encryption absent on those machines.

The $4bn retail firm based in Los Angeles published one news release on December 28 to confirm that some party with sinister intentions gained admission into data from the credit and debit cards of a section of customers during the period April 3-November 18, 2017. The attacker could do so via a malware-laced assault combined with inadequate POS security.

With a cyber forensics company that Forever 21 hired, investigation into the problem started. Initially when concrete details couldn’t be obtained, the retail firm cautioned about a few POS devices within certain Forever 21 stores as being impacted where there was little utilization of encryption. Zdnet.com posted this dated January 2, 2018.

It got determined from the investigation that encryption was halted while malicious software was loaded onto certain devices within a few stores in USA at different times from 3rd April-18th November, 2017.

In addition, Forever 21 stated that a machine which logged entire transaction authorizations on payment cards too had malicious software planted onto it within a few of the outlets.

And while it isn’t yet known about the data hack’s intensity it’s also still not clear about the number of outlets and customers impacted albeit Forever 21 is presently having suppliers of POS machines and cyber-security experts with whom it’s working for enhancing its future security.

‘Forever 21’ was as well working with the hacked point-of-sale device manufacturer, the payment processors along with law enforcement for additional probe into the online infiltration, the business firm stated.

Meanwhile, the apparel shop isn’t alone in being victimized with the kind of attack. Point-of-sale contaminations are an increasingly frequent mode by which crooks carry out big-scale seizures of credit and debit card information. Among the targets so far, the Hilton hotel chain, Target the big-box retailer as well as restaurant chains are also included.

The post Forever 21 #POS #Devices Contract #Malware #Infections appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Turn off #cameras and #tracking devices in children’s #Christmas #presents to prevent #hacking, Information #Commissioner tells #parents

Source: National Cyber Security – Produced By Gregory Evans

Parents should turn off the cameras and automatic tracking devices in their children’s Christmas presents because of the risk of hacking, the Information Commissioners’ Office has warned.

With a rise in the number of ‘smart’ toys and devices gracing the wish list this year, parents should consider the safety of them being connected directly to the internet before giving them as gifts, according to the data regulator.

When adults are not going  to personally use cameras in toys to view what is happening remotely then they should consider turning the function off all together, Deputy Commissioner Steve Wood said.

The warning comes amid growing concerns about the ability of criminals to hack into toys containing sensors, microphones, cameras, data storage and other multi-media capabilities.

In a blog on the regulators website Mr Wood wrote: “You wouldn’t knowingly give a child a dangerous toy, so why risk buying them something that could be easily hacked into by strangers?

“In the same way that safety standards are a primary consideration for shoppers buying toys, we want those buying connected items in the coming weeks to take a pause and think about both the child’s online safety, and also the potential threat to their own personal data such as bank details, if a toy, device or a supporting app is hacked into.

“Unlike Santa, those looking to hack into your devices don’t care whether you’ve been naughty or nice.”

Parents are advised that they should ensure that they are buying products from a reputable source, that all passwords and usernames are changed from the default option and to use two-step identification where available.

Mr Wood continued: “Some toys and devices are fitted with web cameras. The ability to view footage remotely is both their biggest selling point and, if not set up correctly, potentially their biggest weakness, as the baby monitor hacking issue of a few years ago demonstrated.

“If you have no intention of viewing footage over the internet, then turn the remote viewing option off in the device’s settings, or else use strong, non-default passwords.”

He added: “One of the main selling points of children’s smart watches is the ability for parents to know where their children are at all times. However, if this isn’t done securely, then others might have access to this data as well. Immediately get rid of default location tracking and GPS settings and set strong, unique passwords.”

Parents are also advised to turn off Bluetooth or set strong passwords to protect their child’s data from hackers.

The Deputy Commissioner concluded: “If you aren’t convinced a smart toy or connected/wearable device will keep your children or your personal information safe, then don’t buy it. If consumers reject products that won’t protect them, then developers and retailers should soon get the message.”

The post Turn off #cameras and #tracking devices in children’s #Christmas #presents to prevent #hacking, Information #Commissioner tells #parents appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Mobile #Pwn2Own 2017 #Hackers #Exploit Fully #Patched #Mobile Devices

Source: National Cyber Security – Produced By Gregory Evans

Mobile #Pwn2Own 2017 #Hackers #Exploit Fully #Patched #Mobile Devices

Security researchers demonstrate new zero-day vulnerabilities in fully patched Apple, Samsung and Huawei mobile devices at the Mobile Pwn2Own 2017 security event in Tokyo.

On the first day of the Mobile Pwn2Own 2017 hacking competition in Tokyo, security researchers demonstrated new zero-day attacks against fully patched mobile devices.

On Nov. 1, different groups of security researchers made a total of seven exploit attempts, five of which were successful. Among the successful exploit targets were fully patched Apple iPhone 7, Samsung Galaxy S8 and Huawei Mate9 Pro devices.

Researchers who demonstrated the successful exploits were rewarded with a total of $350,000 in prize money from Trend Micro’s Zero Day Initiative (ZDI), which runs the Pwn2Own contest. All of the flaws discovered at the event are privately reported to the impacted vendors and are subject to the ZDI’s disclosure policy, which provides vendors with 90 days to fix the vulnerabilities before they are publicly 

Three of the five successful exploits were made against Apple devices, including two browser exploits against Safari and one WiFi exploit. Apple just updated iOS to 11.1 on Oct. 31, which is the version the researchers were able to exploit.

“The team updated all devices to the latest OSes prior to the contest kicking off this morning, including iOS 11.1, as late as 5 a.m. this morning, Tokyo time,” Brian Gorenc, director at Trend Micro’s Zero Day Initiative, told eWEEK.

The iOS 11.1 update patches 14 vulnerabilities, including six that were memory corruption issues in Safari’s WebKit browser rending engine. As it turns out, there are apparently still security issues in iOS 11.1 that Apple will need to patch in a future update.

Security researchers from Tencent Keen Security Lab were able to demonstrate multiple exploits against the fully patched iOS 11.1. Among those exploits was an arbitrary code execution, via a WiFi bug, that also provides privilege escalation and can persist through a reboot. The whole exploit chain included four different bugs and resulted in an award of $110,000.

A second exploit attempt by Tencent Keen Security Lab made use of two different bugs, including one in an iOS system service and one in the browser to exploit Safari. That exploit earned an additional $45,000 in awards from ZDI.

Security researcher Richard Zhu, also known by his alias fluorescence, took aim at iOS 11.1 as well and demonstrated two bugs. Zhu’s bugs were able to exploit Safari and escape the iOS system sandbox, enabling him to run arbitrary code. For his efforts, Zhu was awarded $25,000 by ZDI.

Android

Apple wasn’t the only target at Mobile Pwn2Own 2017, with researchers also taking aim at Android devices from multiple vendors.

Researchers from 360 Security were able to demonstrate a chain of flaws on the Samsung Galaxy S8 that led to arbitrary code execution. The exploit chain included a bug in the Samsung internet browser paired with a privilege escalation in a Samsung application that enabled code execution to persist through a reboot. ZDI awarded the 360 Security team $70,000 for its efforts.

Among the most impactful types of mobile device vulnerabilities are cellular baseband flaws. The baseband is the component that manages all the radio functions on a cellular device. Tencent Keen Security Lab was able to successfully demonstrate a baseband exploit using a Huawei Mate9 Pro smartphone that would allow an attacker to spoof the device. ZDI awarded $100,000 to Tencent Keen Security Lab for the baseband exploit.

“The baseband attack was exciting, and we’re looking forward to seeing another attempt in this category tomorrow [Nov. 2],” Gorenc said. “It’s always interesting to see jailbreaks as well, and we saw two today. Also there was persistency demonstrated with three of the attacks, which is impressive.”

The post Mobile #Pwn2Own 2017 #Hackers #Exploit Fully #Patched #Mobile Devices appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures