Archive for the News Category

Most Mobile Apps Subject to at Least Nine Vulnerabilities

Mobile applications show an alarming rate of vulnerability: the average app tested was susceptible to nine different vulnerabilities.

Further, the research from Checkmarx and AppSec Labs shows that 38% of those vulnerabilities are critical or high-severity.

Interestingly, and despite conventional wisdom, iOS is no more secure than Android when it comes to vulnerabilities built into the code or application logic: Here, the vulnerability rate of iOS and Android applications is almost identical. And, 40% of detected vulnerabilities in iOS applications were found to be critical or high-severity, compared to only 36% on Android.

“When we undertake penetration testing for our customers, we're often asked to test both the Android and iOS versions of the same app,” said AppSec Labs founder Erez Metula. “We realized that since iOS developers wrongly assume that iOS is ‘more secure,’ they let themselves take poor security decisions that open up vulnerabilities in their app.”

Among the types of applications tested were the banking applications of high-street retail banks, which access the personal data of millions of private individuals. Even those applications, which undergo rigorous security testing, were found to suffer from critical vulnerabilities such as faulty authentication, data leakage and more.

Overall, 50% of vulnerabilities are either personal/sensitive information leakage or authentication and authorization faults.

“The mobile application industry is growing at an explosive pace, yet security issues of mobile applications are lagging behind,” said Asaph Schulman, vice president of marketing at Checkmarx. “During 2014-15, Appsec Labs and Checkmarx tested hundreds of mobile applications, of all types including banking, utilities, retail, gaming and even security oriented applications. The results of the study were nothing short of alarming and unless we improve secure coding practices we should expect an increase of major hacks via the mobile application vector in the near future.”

Source: Information Security Magazine

Coffeemakers, Baby Monitors and More Open Up Big IoT Security Holes

Investigating some of the latest Internet-of-Things (IoT) products, Kaspersky Lab researchers have discovered serious threats to the connected home—including a coffeemaker that exposes the homeowner’s Wi-Fi password, a baby video monitor that can be controlled by a malicious third party, and a smartphone-controlled home security system that can be fooled by a magnet. 

The security firm’s investigation into the connected home discovered that almost all of the devices tested contained vulnerabilities.

The baby-monitor camera used in the experiment could allow an attacker on the same network as the camera owner to connect to the camera, watch its video and play audio through it. Other cameras from the same vendor exposed owner passwords, and the experiment showed it was also possible for someone on the same network to retrieve the camera's root password and maliciously modify its firmware.

When researching the app-controlled coffeemakers, it was discovered that it’s not even necessary for an attacker to be on the same network as the victim. The coffeemaker was sending enough unencrypted information for an attacker to discover the password for the coffeemaker owner’s entire Wi-Fi network.

On the other hand, Kaspersky Lab researchers found that the smartphone-controlled home security system’s software had just minor issues and was secure enough to resist a cyberattack. Instead, the vulnerability was found in one of the sensors used by the system.

The contact sensor used, which is designed to set off the alarm when a door or window is opened, works by detecting the magnetic field of a magnet mounted on the door or window. During the experiment, Kaspersky Lab experts were able to hold a simple magnet against the sensor to stand in for the field of the magnet on the window, allowing them to open and close the window without setting off the alarm. This vulnerability cannot be fixed with a software update; the issue is in the design of the home security system itself. Furthermore, magnetic contact sensors of this kind are common and are used by multiple home security systems on the market.

“Our experiment, reassuringly, has shown that vendors are considering cyber-security as they develop their IoT devices,” said Victor Alyushin, security researcher at Kaspersky Lab. “Nevertheless, any connected, app-controlled device is almost certain to have at least one security issue. Criminals might exploit several of these issues at once, which is why it is so important for vendors to fix all issues—even those that are not critical. These vulnerabilities should be fixed before the product even hits the market, as it can be much harder to fix a problem when a device has already been sold to thousands of homeowners.”

Kaspersky suggests that before rushing out to buy an IoT device, homeowners should do their due diligence and examine whether any security flaws have been reported in the media. They should also avoid the temptation of purchasing new products recently released on the market. And, when purchasing a baby monitor, it may be wise to choose the simplest RF-model on the market, one that is capable of transmitting only an audio signal, without internet connectivity.

Source: Information Security Magazine

FIDO Alliance Certifies New iOS, Mobile Devices

The Fast IDentity Online (FIDO) Alliance has reached 72 certified products available in the market.

FIDO, an industry consortium launched in 2013 to provide open standards for simpler, stronger authentication, has announced results from the most recent round of FIDO 1.0 certifications.

FIDO members and others use the open FIDO standards on Android and on Apple's iOS with Touch ID to put FIDO authentication into devices, services and applications in place of passwords. Companies, organizations and individuals can use FIDO U2F second-factor devices for stronger authentication, and can eliminate passwords entirely through FIDO UAF biometric solutions such as fingerprint or iris recognition sensors.

Newly certified FIDO 1.0 products include the first FIDO Certified iOS products from Egis, Nok Nok Labs and Samsung SDS, along with a line-up of smartphones.

For instance, the Nok Nok App SDK for iOS leverages the Secure Enclave and Touch ID for both on-device and out-of-band authentication, allowing deploying organizations to deliver strong authentication across multiple platforms including iOS. And the Egis Touch ID-enabled UAF client allows mobile payment service providers to extend their online payment services to iOS.

If biometric data (like TouchID data) is used by a FIDO authenticator, the biometric information never leaves the device. FIDO authentication to the cloud is always performed by means of industry-standard public key cryptography.
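The two sentences above describe the essential property of FIDO authentication: the server never sees a biometric or a shared secret, only a public key and signatures over fresh challenges. The following is an added illustration written for this page, not code from the FIDO Alliance, Nok Nok Labs or Egis. It uses textbook RSA with two tiny constructed primes purely so the example runs with the Python standard library; the class names, the `biometric_match` flag standing in for a local Touch ID check, and the counter layout are assumptions chosen for the illustration, and a real authenticator signs with ECDSA or similar from a secure element.

```python
"""Added example, not FIDO Alliance or vendor code: the shape of a FIDO-style
registration and challenge-response authentication, showing why the server
only ever holds a public key and why the biometric check stays on the device."""
import hashlib
import secrets

# Textbook RSA with tiny constructed primes, used only so this block runs with
# the standard library. It provides no security; a real authenticator signs
# with ECDSA P-256 or similar from a secure element / Secure Enclave.
_P, _Q, _E = 1000003, 999983, 65537


def _toy_keypair():
    n = _P * _Q
    d = pow(_E, -1, (_P - 1) * (_Q - 1))
    return (n, _E), (n, d)                   # (public, private)


def _digest_mod_n(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def _toy_sign(priv, data):
    n, d = priv
    return pow(_digest_mod_n(data, n), d, n)


def _toy_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_mod_n(data, n)


def _signed_message(app_id, challenge, counter):
    # The signature covers the relying party, the fresh challenge and a
    # monotonic counter, so a response cannot be replayed or moved to another site.
    return hashlib.sha256(app_id.encode()).digest() + challenge + counter.to_bytes(4, "big")


class Authenticator:
    """Device side: keys are created here and never leave this object."""

    def __init__(self):
        self._keys = {}      # app_id -> private key
        self.counter = 0

    def _verify_user(self, biometric_match):
        # biometric_match stands in for the on-device Touch ID comparison (an
        # assumption of this example); the fingerprint template is never part
        # of the protocol.
        if not biometric_match:
            raise PermissionError("user verification failed")

    def register(self, app_id, biometric_match):
        self._verify_user(biometric_match)
        pub, priv = _toy_keypair()
        self._keys[app_id] = priv
        return pub                       # only the public key is exported

    def authenticate(self, app_id, challenge, biometric_match):
        self._verify_user(biometric_match)
        self.counter += 1
        sig = _toy_sign(self._keys[app_id], _signed_message(app_id, challenge, self.counter))
        return self.counter, sig


class RelyingParty:
    """Server side: stores a public key and the last counter per user."""

    def __init__(self, app_id):
        self.app_id = app_id
        self.users = {}          # user -> [public key, last counter]
        self._pending = {}       # user -> outstanding challenge

    def finish_registration(self, user, pub):
        self.users[user] = [pub, 0]

    def start_authentication(self, user):
        challenge = secrets.token_bytes(32)
        self._pending[user] = challenge
        return challenge

    def finish_authentication(self, user, counter, sig):
        pub, last = self.users[user]
        challenge = self._pending.pop(user, None)
        if challenge is None or counter <= last:
            return False         # no outstanding challenge, replay, or cloned key
        if not _toy_verify(pub, _signed_message(self.app_id, challenge, counter), sig):
            return False
        self.users[user][1] = counter
        return True


def demo():
    rp = RelyingParty("https://bank.example")
    device = Authenticator()
    rp.finish_registration("alice", device.register(rp.app_id, biometric_match=True))

    challenge = rp.start_authentication("alice")
    counter, sig = device.authenticate(rp.app_id, challenge, biometric_match=True)
    first = rp.finish_authentication("alice", counter, sig)
    replay = rp.finish_authentication("alice", counter, sig)    # same response again
    return first, replay


if __name__ == "__main__":
    print(demo())
```

The point to take from `demo()` is what the server stores: a public key and a counter, nothing that a breach of the relying party could turn into a credential for the user elsewhere, and nothing derived from the fingerprint itself.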

“We are excited to pass the first FIDO Certification Process for iOS 9,” said Steve Ro, Chairman and CEO of Egis. “iOS plays a major part in mobile payment trends. We will be able to provide more security, easy solutions, and products for authentication based on FIDO specifications. These specifications are changing the nature of authentication with standards for simpler, stronger authentication that reduce reliance on passwords.”

The new products also include FIDO applications, authenticators and servers from DDS, Goodix, Feitian, Hypersecu, LG Electronics, Neowave, Samsung and Sony.

“The FIDO ecosystem is emerging with an abundance of options that enable easy adoption of strong authentication for Internet providers and services, enterprise and consumers,” said Dustin Ingalls, president of the FIDO Alliance. “In less than three years, the FIDO Alliance has delivered standards and a range of products that make it possible now to see a world that doesn’t rely on passwords, but rather is prepared with more secure, private and convenient FIDO authentication.”

Certification testing is based on industry-standard best practices to objectively evaluate technical implementations of the FIDO 1.0 specifications, which are Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F).

Source: Information Security Magazine

Malicious Code-Signing Becomes Dark-Web Cottage Industry

Hackers are selling digital certificates that allow code-signing of malicious files—and, they’re making a whole cottage-industry business out of it.

According to a report from InfoArmor, hackers are using a malware creation tool called GovRAT, which is bundled with digital certificates for code-signing. It’s primarily an advanced persistent threat (APT) tool, active since early 2014. GovRAT victims so far include political, diplomatic and military employees of more than 15 governments worldwide, the firm said, along with seven banks, 30 defense contractors and more than 100 other corporations.

“Code-signing provides the assurance to users and the operating system that the software is from a legitimate source,” said Travis Smith, senior security research engineer for Tripwire, in an email. “Both obtaining and correctly applying the certificates to legitimate software is expensive and complex. Many protection mechanisms, rightfully so, check for the digital certificate. However, it's possible that additional security measures stop investigating the software beyond this.”

Attackers can thus exploit this lapse in security by obtaining certificates and signing their malware. 

“This decreases the ability for attacker automation, but will increase the value of potential loot,” Smith added. “For organizations which have valuable data, attackers are going to sacrifice automation for stealthier attacks such as code-signed malware.”

The GovRAT tool uses Microsoft SignTool and WinTrust to digitally sign malicious code and evade antivirus detection. Once malware signed with the tool is in place on a host, it can communicate over SSL, obscuring the exfiltration of sensitive data. It also has advanced self-encryption and anti-debugging features.

Originally offered on the Dark Web for 1.25 Bitcoin ($420, at current rates, or $1,000 at the time), it’s now available only privately—and in an as-a-service model.

And GovRAT is not the only game in town. InfoArmor also has found code-signing certificates in various underground marketplaces that go for between $600 and $900, including legitimate certificates issued by Comodo, Thawte, DigiCert and GoDaddy.

“[The buyers are] black hats (mostly state-sponsored), malware developers,” Andrew Komarov, president and CIO at InfoArmor, told the Register. “It is [a] pretty professional audience, as typical script kiddies and cyber-criminals don’t need such stuff. It is used in APTs, organized for targeted and stealth attacks. The appearance of such services on the black market allows [hackers] to perform them much more easily, rather like Stuxnet.”

He added, “It is a pretty specific niche of modern underground market. It can’t be very big, as the number of certificates is pretty limited, and it is not easy to buy them, but according to our statistics, the number of such services is significantly growing.”

Hackers can sign not only executable files, but also drivers, Microsoft Office documents, Java content and many other file types—widening the attack surface considerably.

“Organizations should rely on a defense-in-depth security posture so if one defensive mechanism fails, another is in line to detect the attack,” Tripwire’s Smith said. “For attacks such as this, monitoring the list of both signed and unsigned software in the environment will give security administrators an early indication of compromise.”

Source: Information Security Magazine

Zero-Day Attack Compromises a Half-Million Web Forum Accounts—Report

Forum software maker vBulletin and PDF software vendor Foxit Software may have been breached by a hacker claiming to have made off with personal data belonging to some 479,895 users between the two.

“Coldzer0” said in a post co-authored with @Cyber_War_News that he exploited the same zero-day vulnerability for both domains, and was able to access user IDs, full names, email addresses, security questions and corresponding answers (both in plain text) and salted passwords for hundreds of thousands of users.

For its part, vBulletin has confirmed that an attack happened: “Very recently, our security team discovered a sophisticated attack on our network,” the company said in a post. “Our investigation indicates that the attacker may have accessed customer IDs and encrypted passwords on our systems.”

The issue affects vBulletin versions 5.1.4 to 5.1.9, the company said. It has issued a patch, presumably for the zero-day, and has also forced a password reset for all of its users.

Tod Beardsley, principal security research manager at Rapid7, said in an email that it looks like the vBulletin attack was due to an SQL injection bug in vBulletin's forum software.
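Because the report attributes the breach to SQL injection and notes that security questions and answers were stored in plain text, it is worth seeing both problems side by side. The block below is an added illustration for this page, not vBulletin's code, and it does not reproduce the actual bug: it runs a forum-style user lookup written the injectable way and the parameterized way against a constructed in-memory SQLite database, and shows password-style hashing for security answers. The table layout, sample rows and the `UNION ALL` payload are all assumptions made for the example.

```python
"""Added example, not vBulletin's code: the same forum user lookup written the
injectable way and the parameterized way, plus hashed storage for the
"security question" answers that a dump would otherwise expose in plain text.
Runs against a constructed in-memory SQLite database."""
import hashlib
import hmac
import os
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, "
        "pw_hash TEXT, secret_q TEXT, secret_a TEXT)"
    )
    # Constructed sample rows; secret_a is stored in clear, as in the breach report.
    db.executemany(
        "INSERT INTO users (name, email, pw_hash, secret_q, secret_a) VALUES (?, ?, ?, ?, ?)",
        [("alice", "alice@example.org", "h1", "first pet?", "rex"),
         ("bob", "bob@example.org", "h2", "birth city?", "lima")],
    )
    return db


def lookup_vulnerable(db, name):
    # Untrusted input is pasted into the statement text, so a quote in the
    # input ends the literal and everything after it is parsed as SQL.
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return db.execute(sql).fetchall()


def lookup_safe(db, name):
    # Bound parameter: the driver passes the value out of band, so it can only
    # ever be compared as a string, never parsed as SQL.
    return db.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


# Security answers are reusable secrets and deserve password treatment.
def hash_secret_answer(answer, salt=None):
    salt = salt or os.urandom(16)
    normalized = " ".join(answer.lower().split())   # tolerate case/whitespace differences
    return salt, hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, 200_000)


def check_secret_answer(answer, salt, stored):
    return hmac.compare_digest(hash_secret_answer(answer, salt)[1], stored)


if __name__ == "__main__":
    db = make_db()
    payload = "' UNION ALL SELECT secret_q, secret_a FROM users --"
    print("vulnerable:", lookup_vulnerable(db, payload))   # every user's secret answer
    print("safe:      ", lookup_safe(db, payload))         # []
```

With the payload, the vulnerable query becomes `... WHERE name = '' UNION ALL SELECT secret_q, secret_a FROM users --'` and returns every stored security answer; the parameterized version simply looks for a user literally named that and returns nothing. Hashing the answers means a dump of the table no longer hands the attacker a second password.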

“vBulletin is a popular target, since compromising a forum site can provide an effective platform for a watering-hole attack,” he said. “In a watering-hole attack, customers of a particular company, or users that share a common interest, can be effectively targeted via the trusted, but now compromised, website. vBulletin itself is a popular community and forum platform, so an unpatched bug in the platform can expose those downstream users to serious risk.”

Organizations that rely on vBulletin to power their community forums should apply this patch immediately.

Foxit has not yet addressed the hacking claims.

Source: Information Security Magazine

Android Users Warned of Trojanized Auto-Root Adware

Security researchers are warning of a new epidemic of 20,000 repackaged apps injected with trojanized Android adware designed to root users' smartphones.

Lookout Security claimed that some of the most popular apps on Google Play including Facebook, Okta, Twitter and WhatsApp have been repackaged, injected with one of three adware families and distributed via third party app stores.

These three families—Shuanet, Shedun and ShiftyBug—are said to share between 71% and 82% of the same code, and use publicly available exploits to root the victim’s device.

ShiftyBug comes with at least eight exploits, Lookout claimed.

After rooting the device, the apps install themselves as system applications, making the malware almost impossible for a regular user to remove.

Rooting the device in this way could leave it exposed to other malicious applications as it effectively enables apps to bypass Android’s sandboxing capabilities, the vendor said.

The trojanized apps can be tricky to spot given that many are merely repackaged legitimate applications, which retain a full set of functionality alongside the malicious code.

The highest detection rates for the adware are in the United States, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico and Indonesia, Lookout claimed.

Apart from the risk to enterprise users from having their phone covertly rooted, there’s also a reputation issue at stake for developers of some of these big name titles, the firm added.

The advice from Michael Bentley, senior manager of research and response at Lookout, was simple.

“We always take great care to inform organisations we believe to be affected by any malware, before we go public. In this situation, these apps are not in Google Play, but instead they're copied and distributed via popular third party app stores,” he told Infosecurity by email.

“Stay clear of third party app stores if possible, and if you do use them, check who the app is authored and listed by. You can also use security apps to monitor for suspicious behavior.”

There is a fear that malware writers may progress from trojanized adware to more malicious code using the same infection techniques.

Source: Information Security Magazine

Mac OS X Malware Soars in 2015

Mac malware is set to accelerate over the coming months after having its most prolific year ever so far in 2015, according to new research from endpoint security firm Bit9 + Carbon Black.

After an analysis of the year so far, the vendor concluded that five times more Mac malware appeared in 2015 than the previous five years combined.   

It collected 1,400 unique samples over the period using custom-built sandboxes and tools such as fs_usage, dtrace and opensnoop.

It found that Mac malware as a whole does not borrow very heavily from Unix or Linux malware, which was unexpected given OS X’s roots in the open source FreeBSD.

Another interesting finding was that more than 90% of the Mac malware it discovered still uses the older load commands (LC_THREAD and LC_UNIXTHREAD) to define the entry point of a Mach-O binary, rather than the LC_MAIN command that Apple introduced with OS X 10.8.

This makes it easier to spot potential malware: a freshly built binary that still uses the old command stands out from the legitimate software around it.
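The entry-point heuristic above is cheap to check directly from the Mach-O header. The following is an added example for this page, not Bit9 + Carbon Black's tooling: a small load-command walker that reports whether an image uses LC_MAIN, the legacy LC_THREAD/LC_UNIXTHREAD style, or neither, together with a builder that constructs tiny synthetic Mach-O images so the code runs without a real binary. The load-command constants are the standard ones from Apple's `mach-o/loader.h`; the synthetic images, with empty 16-byte load commands, are a constructed test input and not something a real linker would emit.

```python
"""Added example, not Bit9 + Carbon Black's tooling: a minimal Mach-O load
command walker that reports which entry-point command a binary uses, plus a
builder that constructs tiny synthetic Mach-O images so the example runs
without a real binary on disk."""
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_THREAD, LC_UNIXTHREAD = 0x4, 0x5
LC_MAIN = 0x28 | 0x80000000          # LC_REQ_DYLD bit set
LC_LOAD_DYLIB, LC_SEGMENT_64 = 0xC, 0x19


def load_commands(data):
    """Return the list of load command ids in a thin Mach-O image."""
    magic_le, = struct.unpack_from("<I", data, 0)
    magic_be, = struct.unpack_from(">I", data, 0)
    if magic_le in (MH_MAGIC, MH_MAGIC_64):
        endian, magic = "<", magic_le
    elif magic_be in (MH_MAGIC, MH_MAGIC_64):
        endian, magic = ">", magic_be
    else:
        raise ValueError("not a thin Mach-O image (fat binaries need slicing first)")
    header_len = 32 if magic == MH_MAGIC_64 else 28
    # Header: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags (+ reserved on 64-bit)
    ncmds, sizeofcmds = struct.unpack_from(endian + "2I", data, 16)
    table_end = header_len + sizeofcmds
    if table_end > len(data):
        raise ValueError("load command table runs past end of file")
    cmds, off = [], header_len
    for _ in range(ncmds):
        if off + 8 > table_end:
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from(endian + "2I", data, off)
        if cmdsize < 8 or off + cmdsize > table_end:
            raise ValueError("bad cmdsize %d at offset %d" % (cmdsize, off))
        cmds.append(cmd)
        off += cmdsize
    return cmds


def entry_point_style(data):
    cmds = load_commands(data)
    if LC_MAIN in cmds:
        return "LC_MAIN"
    if LC_UNIXTHREAD in cmds or LC_THREAD in cmds:
        return "LC_UNIXTHREAD"          # legacy style the report associates with malware
    return "none"                       # e.g. a dylib or bundle has no entry point


def build_macho(cmd_ids, bits=64):
    """Construct a synthetic image with empty 16-byte load commands (test input only)."""
    body = b"".join(struct.pack("<2I", c, 16) + b"\0" * 8 for c in cmd_ids)
    if bits == 64:
        hdr = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, len(cmd_ids), len(body), 0, 0)
    else:
        hdr = struct.pack("<7I", MH_MAGIC, 7, 3, 2, len(cmd_ids), len(body), 0)
    return hdr + body


if __name__ == "__main__":
    print(entry_point_style(build_macho([LC_SEGMENT_64, LC_MAIN, LC_LOAD_DYLIB])))   # LC_MAIN
    print(entry_point_style(build_macho([LC_SEGMENT_64, LC_UNIXTHREAD])))            # LC_UNIXTHREAD
```

On a real system, pass the bytes of a thin executable to `entry_point_style`; a fat (universal) file has to be split into its architecture slices first, which this walker deliberately refuses to guess at. The result is a triage signal, not a verdict: older legitimate software also predates LC_MAIN.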

In addition, the Bit9 + Carbon Black researchers concluded that the vast majority of Mac malware uses one of just seven persistence techniques to remain on an infected system.

These include LaunchAgents; LaunchDaemons; Login items; Browser plugins; StartupItems; Binary infection; and Cron job.

It appears the growing prevalence of Mac malware is unsurprisingly linked to a rising market share among consumers and enterprises.

“For years, Mac users have watched their PC-using counterparts struggle with cyber-attacks, while enjoying the relative immunity that their hardware provides from malware. This view is becoming increasingly outdated; our research shows that Mac users should be just as worried,” argued Bit9 + Carbon Black EMEA MD, David Flower.

“With 45 per cent of businesses now offering Macs as an option to staff, our research should be seen as a timely reminder that every device on the network is a potential target—businesses can’t just rely on a clearly outdated perception of invulnerability.”

Source: Information Security Magazine

IBM’s SoftLayer Pegged as Number One Spammer

IBM subsidiary SoftLayer Technologies has been accused of being the world’s largest spammer with levels of unsolicited mail sent by the company rising seven times since a year ago.

Security vendor Cloudmark claimed in its latest Security Threat Report that 42% of all outbound email from the Dallas-based hoster and cloud computing firm in the third quarter was spam.

The seven-fold increase from 12 months ago is mainly due to malicious emails sent to recipients in Brazil, the security player claimed.

Links in these mails frequently lead recipients to download trojan malware or to phishing pages designed to elicit credentials for the Boleto bank payment system popular in the country.

The SoftLayer spam problem has spiked in the past six months, as Cloudmark explained:

“SoftLayer was one of the main pioneers of cloud computing. By automating the provisioning of virtual hardware resources, it enabled the exponential growth of other successful Internet companies. At one point it was consistently adding fifty new servers a day just to support a single client, Tumblr. However, automation in the rapid provisioning of new resources is just as valuable to criminal spammers as it is to growing social networks. SoftLayer has responded to complaints by closing down accounts used by particular spammers, but the spammers are simply coming back with new accounts.”  

Cloudmark said the problem is so bad it is currently blacklisting 30,000 IP addresses—1.4% of the total—from SoftLayer, up from just 11,000 in April.

The security vendor urged IBM to work with Brazilian law enforcement to bring the spammers to justice.

Elsewhere in the report, Cloudmark warned of a continuing rise in successful phishing attacks, citing Verizon figures that nearly one quarter (23%) of recipients open phishing messages.

There’s also a clear link to targeted nation state attacks, with phishing associated with 95% of such threats a couple of years back, the report claimed.

Cloudmark engineering director, Angela Knox, argued that awareness raising in combination with good internal processes and filtering tools can help organizations.

“An effective anti-phishing strategy should start with awareness of the different types of phishing, and a review of the risk to an organization if an employee falls for one of the various types of phishing,” she told Infosecurity by email.

“The different types of phishing can cause differing levels of harm to an organization and the attackers can be after different items of value, from wiring money, to access to confidential company data, to getting access to the company’s network for ongoing attacks.” 

Two-factor authentication, data encryption, restricted privileges and DNS monitoring can all help reduce risk, she added.

Source: Information Security Magazine

Frost & Sullivan: IoT, Web Intelligence and Big Data Analytics Set To Transform Global Security Markets

Changing global dynamics are driving security stakeholders to re-evaluate resources and operational requirements to protect against a range of evolving threats, posing increasingly complex challenges especially to governments and across critical infrastructure, says a new Frost & Sullivan report.

The analyst believes cybersecurity continues to grow as one of the largest challenges facing both governments and critical infrastructure operators, with engagement between industry and key stakeholders critical to better protection from increasingly complex cyber-threats. In addition, it sees economic and financial instability, as well as political and social unrest, as having brought controversy and insecurity to a number of countries, affecting security decisions worldwide.

In response to these challenges, the analyst has identified the top five Mega Trends in the security industry that will shape the way in which governments protect their citizens and critical assets in the future.

These are: rapid development of technologies that allow greater flexibility and security to end users; the emergence of Internet of Things programs in public safety; rapid growth of IP-enabled devices used by law enforcement departments; increased debate on intelligence and privacy, following the soaring terrorism threat levels across the globe; and rising use of Web intelligence and Big Data analytics throughout law enforcement.

The analyst also expects constraints on budgets and an increased focus on business efficiency to squeeze security provider prices with a focus on affordable security solutions that show a clear return on investment both for protection and operation. Frost & Sullivan expects the ‘cyber-problem’ will continue with a call for greater collaboration between government and industry, focus in the boardroom, and better cybersecurity hygiene.

Source: Information Security Magazine

Identity and Access Management Market to Be Worth $24.55 bn by 2022

A rise in web-based applications and risk management solutions, such as policy-based compliance and audit management, combined with cost containment are set to drive the global identity and access management (IAM) market, says Grand View Research.

Additional drivers projected to positively impact IAM include the growing popularity of connected devices, bring your own device (BYOD) and Internet of Things (IoT).

Such dynamics are prompting increased spending by large enterprises and government organizations, alongside stringent regulatory compliance requirements. Grand View calculates that the market will be worth in the region of $24.55 billion by 2022.

This is all set to be very good news for the IAM technology market. The analyst believes that growing innovation with interoperable technologies is enabling providers to build advanced solutions including secure print authentication and EV charging station access.

Grand View estimates that cloud-based and hybrid solutions will extend their footprints in the industry with enhanced security and lower error rates. Commoditization of identity functions and the explosion of available applications are also expected to compel enterprises to seek more scalable options.

Looking at individual technology areas, the Grand View report predicts that the cloud-based identity and access management market will see ‘robust’ demand by 2022, growing at a CAGR of over 18% from 2015 to 2022. Rising demand for cloud SSO is also a key factor supporting expansive adoption among enterprises. The public and utilities sectors accounted for over 25% of revenue in 2014 and are anticipated to exhibit significant growth over the next seven years.

The current leading players in the identity and access management market include IBM, NetIQ Corporation, Oracle, CA Technologies and HID Global Corporation.

Source: Information Security Magazine