Mobile


Companies #sacrifice #security for #mobile #convenience, survey #finds

Ninety-three percent of organizations recognize that mobile devices present a serious and growing security threat, yet many organizations are failing to take even the most basic precautions, according to a recent report by Verizon.

Almost a third of respondents even admitted to having sacrificed mobile security to improve expediency and/or business performance.

“I think they agree it’s a threat, however they’re probably not as comfortable with the precautions they need to be taking,” says Justin Blair, executive director of business wireless services for Basking Ridge, New Jersey-based Verizon. “There’s a level of awareness that needs to be raised about what are the best practices and how to easily implement them.”

Malware, ransomware and device theft or loss emerged as the top threats that companies are concerned about, and are most likely to cause incidents, according to Verizon’s 2018 Mobile Security Index.

Malware is suspicious software that can infect a device, says Gary Davis, whose title at Santa Clara, California-based cybersecurity company McAfee is chief consumer security evangelist. Ransomware is a type of malicious software that takes over a device until a ransom is paid.

McAfee Labs detected more than 16 million mobile malware infestations in the third quarter of 2017 alone, nearly double the number it saw a year earlier.

Many of these threats can be avoided with some simple education and precautions, Davis says.

First, have your employees download a virtual private network (VPN), which establishes an encrypted channel between your device and the internet, he says. Also encourage them to use unique passwords and PINs on their device, he says, noting some people disable these functions.

Only one in seven companies surveyed had four basic security practices in place, including changing all default passwords and encrypting data sent over public networks, Blair says.

Only 49 percent of firms have a policy regarding the use of public Wi-Fi, and only 47 percent encrypt the transmission of sensitive data across open, public networks, according to the Verizon report.

Beyond transmitting data across secure networks, another best practice is to update your apps and encourage employees to do the same, says Adam Schwam, president of Farmingdale-based Sandwire Corp., an information technology firm.

“You’re supposed to update them regularly because there could be security holes in them,” he says.

Still, with so many companies allowing or requiring employees to use their own devices, it gets harder to control what employees do with their phones, he says.

It may pay to issue company-owned mobile devices because they give you greater control from an application standpoint, Schwam says.

“If companies do provide a phone, they have the ability to control everything,” he says.

William Collins, president of NST Inc., an East Northport IT services company, understands this, and that is why he issues his employees their mobile devices.

He also uses mobile device management software that allows him to wipe clean a potentially compromised device, stop emails, etc.

“It helps protect intellectual property on the phone if an employee leaves or it’s stolen,” Collins says.

Beyond that, it pays to have mobile device policies in place, says Shari Claire Lewis, a partner in privacy, data and cyber law at Uniondale-based Rivkin Radler LLP.

This policy should include a requirement that a device be protected by a “robust” password that is changed frequently and that the company has the right to wipe out the contents of the device under certain circumstances, she said.

In terms of best practices, it also pays when dealing with confidential or proprietary information that employees not sign into unprotected public Wi-Fi, Lewis says.

Policies, of course, may vary depending upon the firm.

“Your mobile standards require a reasonableness approach that takes into account the sensitivity of the data you’re accessing and the circumstances in which you access it,” she says.

The post Companies #sacrifice #security for #mobile #convenience, survey #finds appeared first on National Cyber Security Ventures.

Qualcomm Mobile Security Summit

General Cybersecurity Conference

 May 16 – 18, 2018 | San Diego, California, United States

Cybersecurity Conference Description

We are currently soliciting presentations and suggestions for roundtable discussions in the areas of Automotive, IoT, and Mobile Security. Specific topics of interest include (but are not limited to):

– Vulnerability discovery
– Attacks and mitigations
– Exploit reverse engineering and incident response
– Security development lifecycle
– Patching and device update
– Security of safety-critical systems
– Third-party and open-source code security and implications
– Malware threats and trends
– Threat landscape
– Measuring security

Mobile #networks #investigate flaw that leaves #4G #customers open to #hacking

Source: National Cyber Security News

Security researchers have discovered a set of severe vulnerabilities in the 4G LTE protocol that could be exploited to spy on user phone calls and text messages, send fake emergency alerts, spoof the location of the device and even knock devices entirely offline.

A new research paper recently published by researchers at Purdue University and the University of Iowa details 10 new cyber attacks against the 4G LTE wireless data communications technology for mobile devices and data terminals.

The attacks exploit design weaknesses in three key protocol procedures of the 4G LTE network known as attach, detach, and paging.

Unlike much previous research, these aren’t just theoretical attacks. The researchers employed a systematic model-based adversarial testing approach, which they called LTEInspector, and were able to test 8 of the 10 attacks in a real testbed using SIM cards from four large US carriers.

– Authentication Synchronization Failure Attack
– Traceability Attack
– Numb Attack
– Authentication Relay Attack
– Detach/Downgrade Attack
– Paging Channel Hijacking Attack
– Stealthy Kicking-off Attack
– Panic Attack
– Energy Depletion Attack
– Linkability Attack

Among the above-listed attacks, researchers consider the authentication relay attack particularly worrying, as it lets an attacker connect to a 4G LTE network by impersonating a victim’s phone number without any legitimate credentials.

This attack could not only allow a hacker to compromise the cellular network to read incoming and outgoing messages of the victims but also frame someone else for the crime.

BlackBerry #Mobile site the #latest #target of #cryptocurrency mining #hackers

Source: National Cyber Security – Produced By Gregory Evans

TCL Communication Technology Holding Ltd., the operator of the BlackBerry Mobile site, is the latest victim of cryptocurrency-loving hackers, in the most recent of a rash of cryptomining hijacking cases.

The website for BlackBerry Mobile was discovered by a Reddit user last week to be serving up code to visitors from Coinhive, the notorious Monero mining script service. The same person who discovered the code did note that it was only the global TCL-owned Blackberrymobile.com site that was affected, not country-specific sites or those owned by BlackBerry Ltd.

Coinhive itself chimed in on Reddit, saying that one of its users had hacked the Blackberry Mobile website using a vulnerability in the Magento webshop software. “We’re sorry to hear that our service has been misused,” the company said. “This specific user seems to have exploited a security issue in the Magento webshop software (and possibly others) and hacked a number of different sites. We have terminated the account in question for violating our terms of service now.”

TCL is far from the first company to be targeted by cryptomining code, and it won’t be the last. The first outbreaks of cryptomining-related hacking occurred in September, when The Pirate Bay and then Showtime were exposed as using the method. As cryptocurrencies boomed, so did instances of hackers and site owners trying to cash in on Monero mining. A RiskIQ report Sept. 26 found that more than 1,000 sites were now hijacking the computing power of site visitors to mine for cryptocurrencies.

By October, leading content delivery network Cloudflare Inc. was the first major provider to crack down on the method, banning all sites from its network that have cryptocurrency mining code installed.

The method spread to apps later the same month, when the first reports emerged of Coinhive scripts appearing in Android apps, and the new attack vector has seemingly continued to grow. Only this weekend, a security researcher discovered 291 apps across third-party Android stores that included the mining code, although they appear to be the same app and code with 291 different names.

Commenting on the Android outbreak, HackRead noted that though the biggest victims of cryptocurrency miners were previously website owners and unsuspecting visitors, now Android users are also at risk. The advice, as always, is to practice safe internet: Do not download unknown apps from Android stores, make sure you have up-to-date antivirus software installed and keep an eye on your processor usage, because cryptocurrency miners trigger high usage.

Mobile #Pwn2Own 2017 #Hackers #Exploit Fully #Patched #Mobile Devices

Source: National Cyber Security – Produced By Gregory Evans

Security researchers demonstrate new zero-day vulnerabilities in fully patched Apple, Samsung and Huawei mobile devices at the Mobile Pwn2Own 2017 security event in Tokyo.

On the first day of the Mobile Pwn2Own 2017 hacking competition in Tokyo, security researchers demonstrated new zero-day attacks against fully patched mobile devices.

On Nov. 1, different groups of security researchers made a total of seven exploit attempts, five of which were successful. Among the successful exploit targets were fully patched Apple iPhone 7, Samsung Galaxy S8 and Huawei Mate9 Pro devices.

Researchers who demonstrated the successful exploits were rewarded with a total of $350,000 in prize money from Trend Micro’s Zero Day Initiative (ZDI), which runs the Pwn2Own contest. All of the flaws discovered at the event are privately reported to the impacted vendors and are subject to the ZDI’s disclosure policy, which provides vendors with 90 days to fix the vulnerabilities before they are publicly 

Three of the five successful exploits were made against Apple devices, including two browser exploits against Safari and one WiFi exploit. Apple just updated iOS to 11.1 on Oct. 31, which is the version the researchers were able to exploit.

“The team updated all devices to the latest OSes prior to the contest kicking off this morning, including iOS 11.1, as late as 5 a.m. this morning, Tokyo time,” Brian Gorenc, director at Trend Micro’s Zero Day Initiative, told eWEEK.

The iOS 11.1 update patches 14 vulnerabilities, including six that were memory corruption issues in Safari’s WebKit browser rendering engine. As it turns out, there are apparently still security issues in iOS 11.1 that Apple will need to patch in a future update.

Security researchers from Tencent Keen Security Lab were able to demonstrate multiple exploits against the fully patched iOS 11.1. Among those exploits was an arbitrary code execution, via a WiFi bug, that also provides privilege escalation and can persist through a reboot. The whole exploit chain included four different bugs and resulted in an award of $110,000.

A second exploit attempt by Tencent Keen Security Lab made use of two different bugs, including one in an iOS system service and one in the browser to exploit Safari. That exploit earned an additional $45,000 in awards from ZDI.

Security researcher Richard Zhu, also known by his alias fluorescence, took aim at iOS 11.1 as well and demonstrated two bugs. Zhu’s bugs were able to exploit Safari and escape the iOS system sandbox, enabling him to run arbitrary code. For his efforts, Zhu was awarded $25,000 by ZDI.

Android

Apple wasn’t the only target at Mobile Pwn2Own 2017, with researchers also taking aim at Android devices from multiple vendors.

Researchers from 360 Security were able to demonstrate a chain of flaws on the Samsung Galaxy S8 that led to arbitrary code execution. The exploit chain included a bug in the Samsung internet browser paired with a privilege escalation in a Samsung application that enabled code execution to persist through a reboot. ZDI awarded the 360 Security team $70,000 for its efforts.

Among the most impactful types of mobile device vulnerabilities are cellular baseband flaws. The baseband is the component that manages all the radio functions on a cellular device. Tencent Keen Security Lab was able to successfully demonstrate a baseband exploit using a Huawei Mate9 Pro smartphone that would allow an attacker to spoof the device. ZDI awarded $100,000 to Tencent Keen Security Lab for the baseband exploit.

“The baseband attack was exciting, and we’re looking forward to seeing another attempt in this category tomorrow [Nov. 2],” Gorenc said. “It’s always interesting to see jailbreaks as well, and we saw two today. Also there was persistency demonstrated with three of the attacks, which is impressive.”

Bitcoin users are opening their wallets to hackers through mobile networks

Source: National Cyber Security – Produced By Gregory Evans

Cryptocurrencies like Bitcoin make a big deal of their security; theoretically, they are almost impossible to hack. Every transaction is stored in a ‘digital ledger’, shared across multiple machines; an attacker would need to compromise every computer in the chain to successfully hack the system. However, the digital wallets that…

Hacker claims to have decrypted Apple’s Secure Enclave, destroying key piece of iOS mobile security

Source: National Cyber Security – Produced By Gregory Evans

A hacker going by the handle xerub has just released what he claims to be a full decryption key for Apple’s Secure Enclave Processor (SEP) firmware. This could be a major blow for iOS security because of the importance of the SEP: It handles Touch ID transactions and is completely…

Hackers Target Your Mobile Bank App; You Can Fight Back

Source: National Cyber Security – Produced By Gregory Evans

BRAVE NEW BANK: This NerdWallet series delves into what’s new in retail banking and what’s in it for you. We explore some of the surprising things in store for products, tech and security and look at how they’ll affect consumers. By 2021, millions more of us […]

Mobile is slow, but cyber-security business will help company grow, says Singtel CEO

Source: National Cyber Security – Produced By Gregory Evans

Cyber security is a key growth segment for Southeast Asia’s largest telco Singtel, as price competition in data and voice intensifies globally, its chief executive told CNBC. “Our core carriage business that is your traditional voice, data businesses, those face significant price competition … The growth that we have seen in our ICT (information and communication technology) businesses has certainly …

Samsung’s Facial Recognition related Mobile Security is not yet ready for Mobile Payments

Source: National Cyber Security – Produced By Gregory Evans

Samsung has made it official that its facial recognition feature related to mobile security is still not ready to make mobile payments. The world-renowned smartphone maker has also added in its media briefing that it might take at least 4 …
