STE WILLIAMS

Siemens Shares Incident Response Playbook for Energy Infrastructure

The playbook simulates a cyberattack on the energy industry to educate regulators, utilities, and IT and OT security experts.

Cyberattacks against the energy sector have shifted from targeting information technology (IT) to operational technology (OT) as attackers aim to disrupt critical infrastructure. This change is forcing companies to rethink how they would detect and remove threats without affecting operations.

To offer guidance, Siemens has published “Simulating a Cyberattack on the Energy Industry: A Playbook for Incident Response,” which demonstrates the response to a cyberattack on a fictional electric utility that leads to a citywide blackout. The idea is to inform cybersecurity, IT, and OT teams of how they should collaborate and make decisions in a high-stress situation.

More than half (54%) of global utilities anticipate an OT attack within the next 12 months, the Ponemon Institute reports, and 64% say sophisticated attacks are a top challenge. Further, Siemens explains in its whitepaper, OT infrastructure is “significantly more vulnerable” than IT infrastructure, and breaches affecting OT have a more destructive effect on operations.

More than one-third (35%) of utilities have no response plan. This playbook outlines the incident response process: preparation for an attack, identifying a breach, containing damage, removing the threat, enacting recovery, and documenting lessons learned from the incident.

Read more details and view the full playbook here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s featured story: “The Perfect Travel Security Policy for a Globe-Trotting Laptop.”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/siemens-shares-incident-response-playbook-for-energy-infrastructure/d/d-id/1337256?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Out at Sea, With No Way to Navigate: Admiral James Stavridis Talks Cybersecurity

The former Supreme Allied Commander of NATO gives Dark Reading his take on the greatest cyberthreats our nation and its businesses face today.

By any standard James Stavridis has had a remarkable career, beginning with graduation from the U.S. Naval Academy (with a degree in electrical engineering), rising through the officer ranks to commander of the U.S. Southern Command and U.S. European Command, and ending in his final position as Supreme Allied Commander Europe.

During his career, Stavridis earned a Ph.D in Law and Diplomacy. After retiring from the Navy, he became dean of The Fletcher School at Tufts University and began a publishing career.

Stavridis serves on the boards of a number of organizations and is a frequent speaker on international politics and technology, most recently at the RSA Conference. Following the conference, Dark Reading’s Curtis Franklin had a chance to talk with the Admiral by phone for a conversation that touched on the cyber security issues that are at the top of his mind for both governments and the enterprise. It’s no surprise that Stavridis has thought quite a bit about cyber threats to the U.S. What may be more surprising is his take on what the government’s role should be when it comes to helping companies defend themselves against some of the same threat actors that bedevil national security agencies.

What follows is an edited transcript of their conversation.

Dark Reading: As you survey the cybersecurity landscape, what concerns you the most?
James Stavridis: In cyber, we see the greatest mismatch between level of threat and level of preparations. In the physical world, we had a lot of threats. You know, Russia, Afghanistan, Libya, the Balkans, piracy – lots of threats, but we were pretty well-prepared to deal with most of them. Unfortunately, in cyber, there was a real gap, and I think continues to be a real gap. I see a lot of concern in the geopolitical space. And I see a lot of concern in the national electoral space. Those are my two areas of real concern and focus right now.

Dark Reading: When it comes to nation-state adversaries, are they something that only our defense department should be concerned with, or should all commercial organizations be concerned?
Stavridis: It is the latter. I often say this about cybersecurity, that we’re still on the beach at Kittyhawk. We’re still figuring out how this is going to work. To shift metaphors to the oceans, it’s as though we’re out at sea, we’re in a bunch of boats, but we haven’t really put in place buoys and navigational aids, and we haven’t really defined who’s going to protect us.

So if I’m a commercial ship at sea, I know the U.S. Navy is going to come and defend me if I’m an American ship and I’m under attack. And in fact, we actively discourage merchant ships from mounting their own defenses. The defense requirements, I think, ought to be vested in the state.

But in the world of cyber, realistically, if you’re a commercial entity, particularly a target-rich kind of environment like financials or critical infrastructure, say electric grid, the government so far has not really stepped up to that task of broadly protecting you.

Yeah, you can get some help from the NSA and some help from the FBI and some help from the CIA. But broadly speaking, you are going to have to have some mechanisms, at least on the detection and on the defensive side.

I’ll give you a practical example. The eight largest banks in the United States got together and created something called the Financial Systemic Analysis Resilience Center (FSARC). They hired an absolutely terrific cybersecurity expert [to be president and CEO], a guy named Scott DePasquale, [formerly partner at New York based venture capital fund Braemar Energy Ventures]. And they’re hiring people from FBI, CIA, DOJ, DHS. And they are building, effectively, a community of defensive measures and information sharing, just like the title says, analysis and resiliency. We as citizens ought to be encouraging the government to do more of this. In the meantime, I think that many of these commercial entities are going to have to find ways to defend themselves better.

Dark Reading: There are industries where there is some concern about how the government will view sharing information between potential competitors in an industry, whether this creates some sort of anti-competitive environment. Is this the kind of area where we need to continue to evolve the way that regulators look at the activity, or are we on top of this?
Stavridis: We are not on top of it. It needs encouragement, and I think this has to be driven within the industries themselves. They need to understand that they are stronger together, in that if they try and stand as lonely citadels protecting themselves, they will lose. This is a team sport.

And I think the government also has a significant role to play. I’ll give you an example. The Congress two years ago finally passed the Cybersecurity Information Sharing Act, which takes a baby step in exactly the direction you just outlined. It formalizes the idea that companies should share information to best protect themselves. And let me give you an example.

You probably fly around frequently. You probably flew to [the RSA Conference], so you willingly put yourself in a metal tube, went up 35,000 feet flying three [to five] hundred miles an hour. Holy cow.

That doesn’t sound very safe, does it? And yet, that’s one of the safest things you can do. That’s safer than walking across the street, and it’s a lot safer than driving in your car on the freeway. We all know that. And that’s why we don’t have a shred of discomfort getting in that metal tube and flying around at high speed.

Why is that? It’s because the airline industry is an example of what the cyber security industry should be doing, what financial should be doing, what the electric grid company should be doing, what the water utilities should be doing. They should share information.

What happens when a plane crashes? Everybody descends on it. It’s totally transparent. If the left aileron on a 777 was out of place, inexplicably, what would happen? The whole fleet would be grounded globally until we figured out what happened. All that information is transparent and it’s shared. What happens in the cyber side of things, too often, is when companies are attacked, their instinct is to hide the ball.

Why is that? Because their share price will fall. And there’s no incentives built into the system to be open, the incentives go in the other direction, whereas in the airline industry, the massive incentive is that if people lose confidence in flying in those planes, the whole industry is toast. So I think that the cyber side of industry needs to look more like the airline industry.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/edge/theedge/out-at-sea-with-no-way-to-navigate-admiral-james-stavridis-talks-cybersecurity/b/d-id/1337253?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Former Acting Inspector General Charged in Federal Fraud Scheme

A federal grand jury has indicted Charles K. Edwards on 16 counts related to a conspiracy to steal software from one department and sell an enhanced version to another.

A former acting inspector general for the US Department of Homeland Security (DHS) has been indicted on 16 counts of conspiracy to commit theft of government property and defraud the United States, theft of government property, wire fraud, and aggravated identity theft. A subordinate was indicted on the same charges as well as for destruction of records.

Charles K. Edwards, his subordinate Murali Yamazula Venkata, and unnamed others are alleged to have defrauded the US government by stealing confidential and proprietary software from DHS Office of Inspector General (OIG), along with sensitive government databases containing personal identifiable information (PII) of DHS and USPS employees. The ultimate purpose, prosecutors say, was for Edwards’ company, Delta Business Solutions, to sell an enhanced version of the software to the Office of Inspector General for the US Department of Agriculture.

The conspiracy included reconfiguring laptops to provide customer service and demos to potential customers, storing PII on home-based servers for demo and development purposes, and retaining software developers in India to develop custom versions of the software for sale.

Read more here.



Article source: https://www.darkreading.com/application-security/former-acting-inspector-general-charged-in-federal-fraud-scheme/d/d-id/1337257?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Boots yanks loyalty card payouts after 150K accounts get stuffed

Boots, a UK pharmacy chain, has suspended payments on the loyalty cards of 14.4 million active customers after its security team spotted “unusual” activity on a number of Boots Advantage Card accounts.

It wasn’t hacked, the company said in a statement, and this isn’t what you’d classify as a breach. Intruders didn’t get into its systems during the attack, Boots said on Thursday. Nonetheless, for the time being, it’s suspended payments made with the loyalty points cards.

This wasn’t our fault, the company said in its statement:

We would like to reassure our customers that these details were not obtained from Boots.

If Boots wasn’t hacked, then where did crooks get the credentials that they’ve evidently used to try to get into people’s Advantage Card accounts so they can make fraudulent purchases on what we refer to in the States as “somebody else’s dime?”

(Or, in this case, on somebody else’s penny: The loyalty cards award shoppers with four points for every £1 they spend. One point will get you one penny’s worth of spending power, so if your card has a balance of, say, 199 points, you could use it to buy something that costs £1.99 at a store or online at boots.com… which, of course, means that anybody who gets access to your account can do the same, regardless of where they’re located. That’s why Boots shut down the program, so nobody can shop with points at either stores or online.)

Boots suggests that the suspicious activity spotted in customers’ accounts is coming from crooks trying to get at their accounts by using credentials that were exposed in some other breach – credentials that those customers have used, reused, re-reused and re-re-re-diculously refused to let go of.

It’s called credential stuffing. Sticking (reused!) passwords into every online place you can think of is a simple way to get into somebody else’s account without permission: just go online and look for lists of breached credentials, often available for sale or for free, then try them out until you hit the jackpot. Or the pennies on people’s loyalty cards, as the case may be.

In its statement, Boots said that a) it’s letting a small number of affected customers know, and b) this wouldn’t happen if people used unique credentials – because yes, using a password twice (or more, of course!) is really, truly a lousy idea.

We can confirm we are writing to a small number of our customers to tell them that we have seen fraudulent attempts to access boots.com accounts. These attempts can be successful if people use the same email and password details on multiple accounts.

We would like to reassure our customers that these details were not obtained from Boots. We are aware that other organisations may be impacted too.

As an extra precaution we have temporarily stopped payment by Boots Advantage Card points on boots.com or in store. This removes the ability for people to attempt to access any Boots accounts, but means that customers will not be able to use Boots Advantage Card points to pay for products in store and online for a short period of time.
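The distinguishing signature of credential stuffing described above is many *different* usernames tried from one source with a high failure rate, rather than one username hammered with many passwords (brute force). The following detector is an added example written for this article, not code from Boots or Naked Security; it runs over a handful of constructed login-log lines (the log format, IP addresses and user names are all made up) and flags sources that fit the stuffing pattern within a five-minute bucket.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample authentication log (not real data). Assumed format:
#   "<ISO timestamp> src=<ip> user=<login> result=<ok|fail>"
# 203.0.113.7 tries six different accounts in a few seconds (stuffing);
# 198.51.100.4 retries one account (brute force, a different signal);
# 192.0.2.9 is an ordinary successful login.
SAMPLE_LOG = """\
2020-03-05T10:00:01Z src=203.0.113.7 user=alice@example.com result=fail
2020-03-05T10:00:02Z src=203.0.113.7 user=bob@example.com result=fail
2020-03-05T10:00:03Z src=203.0.113.7 user=carol@example.com result=ok
2020-03-05T10:00:04Z src=203.0.113.7 user=dave@example.com result=fail
2020-03-05T10:00:05Z src=203.0.113.7 user=erin@example.com result=fail
2020-03-05T10:00:06Z src=203.0.113.7 user=frank@example.com result=fail
2020-03-05T10:00:10Z src=198.51.100.4 user=alice@example.com result=fail
2020-03-05T10:00:12Z src=198.51.100.4 user=alice@example.com result=fail
2020-03-05T10:00:15Z src=198.51.100.4 user=alice@example.com result=ok
2020-03-05T10:05:00Z src=192.0.2.9 user=grace@example.com result=ok
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Parse log lines into dicts with a timezone-aware timestamp; skip lines
    that do not match the expected format instead of crashing on them."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(ev)
    return events


def find_stuffing_sources(events, window_seconds=300, min_users=5, min_fail_ratio=0.6):
    """Return sources that, within one time bucket, tried at least `min_users`
    distinct accounts with a failure rate of at least `min_fail_ratio`.
    A single account with many failures is deliberately NOT flagged here:
    that is brute force and deserves its own (per-account) rule."""
    buckets = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0})
    for ev in events:
        bucket = int(ev["ts"].timestamp() // window_seconds)
        b = buckets[(ev["src"], bucket)]
        b["users"].add(ev["user"])
        b["attempts"] += 1
        if ev["result"] == "fail":
            b["failures"] += 1

    flagged = []
    for (src, _), b in buckets.items():
        ratio = b["failures"] / b["attempts"]
        if len(b["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged.append({
                "src": src,
                "distinct_users": len(b["users"]),
                "attempts": b["attempts"],
                "failures": b["failures"],
            })
    return sorted(flagged, key=lambda r: r["src"])


if __name__ == "__main__":
    for finding in find_stuffing_sources(parse_log(SAMPLE_LOG)):
        print(f"possible credential stuffing from {finding['src']}: "
              f"{finding['distinct_users']} accounts, "
              f"{finding['failures']}/{finding['attempts']} failures")
```

Note that the one successful login from the flagged source is exactly the case the Boots statement describes: a reused password that worked. A follow-up action on such a finding is to force a password reset (and offer 2FA) on the accounts that succeeded, not only to block the source address.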

A spokeswoman for Boots told the BBC that the breach affected less than 1% of the company’s 14.4 million active Advantage Cards – fewer than 150,000 people. That number’s hazy as yet, given that the company’s investigation is still ongoing.

After the investigation does reach a final number, and if the final number of affected accounts turns out to be anywhere near the small percentage Boots is now estimating, it will mean that millions of customers have been locked out of their loyalty points due to a tiny minority who haven’t made it a priority to protect their online accounts.

Who can blame them? We know it’s hard to come up with strong, unique passwords. Or to keep track of them if you do.

Oh, wait, scratch that – it’s not!

Earn “Loyalty to Security” points!

Want to earn Loyalty to Security points? …Which will buy Better Security For All Of Us Who Get Locked Out of Our Accounts Due to Password Reusers? Take these simple steps:

Pick strong passwords. Watch our video to find out how to come up with one.


Say “Yes, please!” to 2FA. If a website gives you the option of using two-factor authentication (2FA or MFA), take them up on it. Here’s an informative podcast that tells you all about 2FA, if you’d like to learn more.


Use a password manager. We know they’re not perfect, but we still highly recommend using one: the advantages of using one outweigh the security imperfections that have cropped up and which, at any rate, get taken care of in updates.

Don’t dismiss accounts that “don’t matter.”
Boots’ shutdown of its Advantage Card shows that there really isn’t such a thing as a “low-value” account. The crooks don’t care how much you value a given account: if it’s easily hackable, they’ll take advantage of it, and everybody will suffer when a company has to shut down a popular program and launch an investigation.

In cybersecurity, if you aren’t part of the solution, you’re part of the problem. Please, make sure to lock down all your accounts, lest you ruin it for everybody else.


Latest Naked Security podcast

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/FNcTnrmdBcQ/

Cathay Pacific fined over crooks slurping its database for over 4 years

The UK’s Information Commissioner’s Office (ICO) said on Wednesday that it’s fined Cathay Pacific Airways £500,000 (USD $647,015, €576,992) for failing to secure passengers’ personal details, leading to malware being installed on its server that harvested millions of people’s names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information.

Cathay said at the time that the intruders also accessed 403 expired credit card numbers, as well as 27 credit card numbers that didn’t have a CVV attached.

This wasn’t a one-time security fail, the ICO said. All that data was at risk for over four years.

Cathay, which is based in Hong Kong, first realized in March 2018 that its database had been hit by a brute-force attack. As we’ve explained previously, you can think of such an attack like this:

→ Brute force is the way you open those cheap bicycle locks with wheels numbered 0 to 9 if you forget the code. You turn the dials to 0-0-0 and then click round systematically, counting up digit by digit, until the lock pops open.

Once it found that its database had been rifled through in 2018, Cathay Pacific hired a cybersecurity firm and subsequently reported the incident to the ICO.

Investigations found that the airline lacked appropriate security to secure customers’ data from October 2014 to May 2018. The data was exposed for longer than that, though: Cathay said in October 2018 that its system had been compromised at least seven months prior. As the New York Times reported, Cathay learned in May 2018 that passenger data had been exposed after first discovering suspicious activity on its network in March.

Why didn’t the company announce the breach earlier? It didn’t say.

The incident led to the exposure of a huge trove of personal data belonging to 111,578 people from the UK and about 9.4 million more worldwide.

The ICO says that Cathay Pacific’s systems were entered via a server connected to the internet. Enabled by what the office called a “catalog of errors,” crooks managed to install data-harvesting malware. The security sins turned up by the ICO’s investigation included some basic ones: for example, the ICO found back-up files that weren’t password-protected, unpatched internet-facing servers, use of operating systems that were no longer supported by the developer, and inadequate anti-virus protection.

Steve Eckersley, ICO Director of Investigations:

People rightly expect when they provide their personal details to a company, that those details will be kept secure to ensure they are protected from any potential harm or fraud. That simply was not the case here.

This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected.

The fine imposed on the company would have caused a lot more hurt if the breach had been discovered after the General Data Protection Regulation (GDPR) went into effect.

In July 2019, the ICO flexed its new GDPR muscles for real, imposing record fines on Marriott and British Airways (BA) for their data breaches. It said it was looking to fine BA a record £183.39 million (US $229.34 million at the time) for a breach discovered in September 2018. By diverting user traffic to a bogus site, attackers managed to steal personal data from about 500,000 customers, including their names, addresses, logins, payment card and travel booking details.

Marriott’s breach was similar to Cathay Pacific’s, given that attackers got into the company’s Starwood guest reservation database and stayed there for years: the unauthorized access started in 2014, and the breach was discovered and reported to the ICO in November 2018.

Though it escaped the weight of the GDPR hammer, the ICO says that Cathay Pacific’s breach was “a serious contravention” of Principle 7 of the 1998 Data Protection Act, which states that “appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data.”

For full details on the fine, check out the ICO’s Monetary Penalty Notice.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/5xmaDx-HKiQ/

Chrome extension cons cryptocurrency users out of hardware wallet key

Cryptocurrency security company Ledger has warned users about a rogue Chrome extension that dupes its victims into giving up the keys to their crypto wallets.

Cryptocurrency owners need a wallet just like users of regular cash do. Instead of cash, however, crypto wallets hold digital keys – which grant users access to the blockchain addresses to unlock their funds. Some people write those addresses down on a piece of paper, while others might store them in a file on their computer or in a software application that doubles as a wallet. A hardware wallet is a device dedicated to storing the addresses, and they are built to be as difficult to hack as possible.

Launched in 2014, Ledger claims to have sold over 1.5m hardware wallets. There are two available: the Nano S and the Nano X. Both of them connect to an app called Ledger Live that lets users check balances and send and receive coins and tokens.

The app doesn’t contain a user’s private key. Instead, it accesses it from the hardware wallet when the owner wants to manage their crypto assets. To do this, the user connects the hardware wallet device to the app, which is available on Android and iOS, and also as desktop software.

This week, it emerged that a rogue developer published what they said was a Chrome extension version of Ledger Live on the Chrome store. The extension claimed to let Ledger owners use their hardware wallets to access Ledger Live’s functionality directly within Google’s Chrome browser. All they had to do was enter their Ledger wallet’s seed phrase – a string of 24 words that is the only way to recover their private keys if their wallet is damaged or lost.

The Chrome extension was a scam that copied the seed phrase to a Google form. The author could use it to access all the victim’s private keys and take control of their crypto assets using another Ledger wallet.

Ledger warned people of the scam through its support Twitter account yesterday.

This isn’t Ledger’s fault. It’s the app equivalent of phishing, where someone creates a malicious site in a legitimate company’s name and uses it to gather sensitive customer information without the real company having anything to do with it.

On its security support page, Ledger explicitly advises customers not to give up their recovery phrase:

Anyone who gets your recovery phrase can take your crypto assets. Ledger does not store your private keys, nor ever asks for it.

According to ZDNet, over 120 Ledger Live users apparently took the bait. The offending app had been taken down by yesterday afternoon, but this reinforces the need for proper user education about cryptocurrency security and the importance of never giving up your seed phrase.

Companies can produce slick hardware solutions that do everything possible to protect customers, but if users are gullible and willingly enter sensitive information into malicious software from a third party, there’s very little the company can do about it.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_TyTmYKi9To/

Researcher finds 670 Microsoft subdomains vulnerable to takeover

Years after it was first identified as a possibility, researchers have found it’s still child’s play to hijack subdomains from companies such as Microsoft to use in phishing and malware attacks.

Researchers at Vullnerability.com were able to grab more than 670 subdomains that had previously been used by Microsoft but subsequently forgotten about, including:

  • identityhelp.microsoft.com
  • mybrowser.microsoft.com
  • web.visualstudio.com / webeditor.visualstudio.com
  • data.teams.microsoft.com
  • sxt.cdn.skype.com
  • download.collaborate.microsoft.com
  • incidentgraph.microsoft.com
  • admin.recognition.microsoft.com

And many others, all of which look like the sort of legitimate subdomains that users (including Microsoft employees) would be inclined to trust if lured to them by a phishing attack.

Why wouldn’t someone trust these? They’re subdomain prefixes of big and important domains such as microsoft.com and skype.com that are under the control of those companies.

Imagine the potential power that grabbing and abusing one of these would give an attacker, particularly ones targeting enterprises.

The researchers offer examples that include persuading a visitor to install a spying extension in their browser, phishing enterprise credentials with a fake login page, or asking visitors to upload sensitive documents to data.teams.microsoft.com with the Teams App. They could even deface a subdomain linked to from a larger domain.

All hypothetical exploits of course, but still an appealing alternative to the other domain ruse of typosquatting domains and hoping nobody notices.

Bad housekeeping

The underlying problem here is weak DNS management, in this case by Microsoft, a problem that’s been magnified by the huge proliferation of subdomains used in cloud services.

First, the attackers look for orphaned subdomains by navigating to one they guess might be up for grabs using a scanning tool. If they receive a 404 page-not-found error, they have a candidate.

Let’s say an attacker gets a 404 error for an abandoned shop at shop.example.org.

The attackers can’t edit the DNS records for that site because they don’t own the example.org domain. Instead, they check if the subdomain is an alias for a different domain or subdomain that they might be able to take control of, indicated by a CNAME record.

If the CNAME points to a domain name whose ownership has lapsed, they can try to buy that domain and use it to host a malicious website.

Often though, the CNAME points to a subdomain on a hosting service like Azure, which allows users to create websites using subdomains of .azurewebsites.net.

If the Azure subdomain in the CNAME record is no longer in use the attacker can try to claim it. They can configure a virtual machine on a Microsoft Azure account, install a web server that throws up a clone of a target site, and add the Azure subdomain as a custom domain that points to it.

No verification, no alert to Microsoft that one of their old subdomains has been taken over, and no easy way for enterprise security systems to detect that this apparently legit domain is anything but.

The defence against this is to cleanse the DNS records for the subdomain, but the sheer number that are set up and then fall into disuse means that doesn’t always happen.
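The “cleanse the DNS records” defence above is something a zone owner can audit for on their own side: every CNAME whose target no longer resolves is a dangling record to remove before anyone else notices it. The script below is an added example written for this article, not code from Vullnerability or Microsoft. It parses a constructed BIND-style export of the fictional example.org zone (records and IP addresses are made up), checks each CNAME target against a resolver, and classifies findings; the resolver here is a constructed stand-in dictionary (in practice you would replace `stub_resolves` with a real lookup, and treat NXDOMAIN as the dangling signal), and the list of shared-hosting suffixes is an assumption that contains only the `.azurewebsites.net` case the article mentions.

```python
# Constructed zone export for the fictional example.org used in the article.
# Lines follow "name TTL class type target"; shop.example.org is the abandoned
# shop from the article, whose Azure hosting name has since been released.
ZONE_EXPORT = """\
www.example.org.    300 IN A     192.0.2.10
shop.example.org.   300 IN CNAME shop-legacy.azurewebsites.net.
docs.example.org.   300 IN CNAME example-docs.azurewebsites.net.
blog.example.org.   300 IN CNAME oldvendor-blog-hosting.example.
mail.example.org.   300 IN MX    10 mx1.example.org.
"""

# Constructed stand-in for live DNS: the only CNAME target that still exists.
# Replace stub_resolves() with a real lookup in production.
RESOLVABLE_TARGETS = {
    "example-docs.azurewebsites.net.": "203.0.113.20",
}

# Assumption: suffixes of shared hosting services where a released name can be
# re-registered by any account holder. Only the Azure case from the article.
HOSTING_SUFFIXES = (".azurewebsites.net.",)


def stub_resolves(name):
    """Constructed resolver: True if the name is in our made-up answer table."""
    return name in RESOLVABLE_TARGETS


def parse_cnames(zone_text):
    """Yield (owner, target) pairs for every CNAME record in a zone export,
    normalising both names to lower case with a trailing dot."""
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[3].upper() == "CNAME":
            owner = parts[0].lower().rstrip(".") + "."
            target = parts[4].lower().rstrip(".") + "."
            yield owner, target


def classify_target(target):
    """Dangling CNAME into a shared hosting service can be reclaimed by anyone
    with an account there; any other dangling target points at a domain whose
    registration may have lapsed and could be bought."""
    if any(target.endswith(suffix) for suffix in HOSTING_SUFFIXES):
        return "released-hosting-name"
    return "lapsed-domain"


def audit_dangling_cnames(zone_text, resolves=stub_resolves):
    """Return one finding per CNAME whose target does not resolve.
    Each finding names the record to delete (or re-point) in the zone."""
    findings = []
    for owner, target in parse_cnames(zone_text):
        if resolves(target):
            continue
        findings.append({
            "name": owner,
            "target": target,
            "kind": classify_target(target),
            "action": f"remove CNAME {owner} -> {target} or re-point it",
        })
    return findings


if __name__ == "__main__":
    for f in audit_dangling_cnames(ZONE_EXPORT):
        print(f"{f['name']} -> {f['target']} [{f['kind']}]: {f['action']}")
```

Running this over a real zone export with a real resolver turns the article’s manual “navigate and look for a 404” hunt into a scheduled hygiene check owned by the defender; the `kind` field tells you whether the exposure is a hosting-service name anyone can claim or a registrable domain that has expired, which changes how urgently the record needs to go.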

Vullnerability says in their blog:

Our team claimed some of those critical subdomains before attackers and reported them ethically to Microsoft.

The issue of subdomain takeover has been around for years and can affect subdomains belonging to any company on any cloud platform and not only Microsoft’s.

However, the issue of vulnerable Microsoft subdomains is becoming an ongoing theme with a separate researcher, Michel Gaschet, finding and reporting another 280 in this state between 2017 and 2019. Microsoft only fixed a few of these, he claimed.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/PL8iFDJcMTQ/

Run ANDROID on an iPhone? Are you SERIOUS?!?

We did a double-take when we saw the tweet.

In hindsight, we’re not sure why, because the announcement was short, even for a tweet, and entirely unambiguous:

IT’S ANDROID. FOR THE IPHONE.

And it really is as simple as that.

Actually, if we’re honest, it’s not quite that simple, as you can see if you look at the “what works” matrix on the Project Sandcastle website.

The “what works by model” matrix shortly after the project was announced.
[Screenshot at 2020-03-05T18:30Z]

The green continents and islands denote the components in each device that work properly, while the pink oceans are the bits that you can’t use.

In other words, the phone part of your phone – the row labelled Cellular – won’t work anywhere, so the one thing you won’t be turning your iPhone into is, to put not too fine a point on it, a phone.

Likewise, no audio, even on an iPod; no camera; no Bluetooth; and on some devices, no display.

But the really bad news is the CPU row, which has only three green squares, and tells you that the Sandcastle builds will only work on iPhone 7 devices (and the iPod 7G) for now.

If you happen to have a surplus-to-requirements iPhone 7 lying around, and you decide to give this Android thing a spin please let us know in the comments how you got along. (Some users are reporting serious overheating issues, so take care out there!)

Jailbreaking revisited

Freeing up Apple iDevices to run alternative firmware builds has always divided the IT industry’s opinion – even if all you want to do is run an official iOS version configured in a non-standard way, for example with an SSH server running so you can log in on the command line from your laptop.

It’s known as jailbreaking, a loaded metaphor that different observers interpret in interestingly different ways.

To some, jailbreaking represents a righteous fight for digital freedom, assuming that you’re jailbreaking a device that you bought yourself with your own after-tax income.

To others, it’s evidence of a scofflaw attitude to digital society, typically carried out to get rid of lawfully implemented controls over intellectual property. (Meaning: people do it so they can pirate stuff.)

Indeed, Corellium, the company behind Project Sandcastle, has only two blog postings on its website, and they relate to legal action from Apple to do with “freeing up” iPhones.

But, as Corellium points out on the Sandcastle page:

Android for the iPhone has many exciting practical applications, from forensics research to dual-booting ephemeral devices to combatting e-waste. Our goal has always been to push mobile research forward, and we’re excited to see what the developer community builds from this foundation.

We’re particularly sympathetic to the idea of “combatting e-waste”, not least because the only way to keep using an iPhone after Apple stops supporting it if you don’t use a jailbreak is to run it indefinitely without any security updates.

In other words, if you prefer to repurpose rather than to recycle/replace old electronics (because we know you’d never dump old phones into landfill), then you’re on the horns of a dilemma.

Either you have to figure out your own security fixes and then jailbreak to apply them, running the risk of being called a scofflaw yourself.

Or you have to run the gauntlet of the scofflaw cybercriminals who already have access to a range of attacks that they know you won’t – can’t, in fact – have patched against.

What to do

For the record, we usually end any stories of this sort by advising against allowing jailbroken phones on your business network – indeed, our own Sophos Mobile product helps you to keep jailbroken and rooted devices at arm’s length if that’s what you want.

That’s for the uncomplicated reason that, for IT staff at work, “life’s already too short” without having to deal with mobile devices that are in an unknown and untested state. (In other words, while jailbreaking may allow you to improve security, it frequently, if inadvertently, does the opposite.)

In this case, we don’t think we need to add a “don’t try this at work” warning, given how limited the range and functionality of the current Sandcastle builds are.

If you do want to try it at home, however, you can indeed have Android on your iPhone, provided you don’t want to make any phone calls (although without audio you wouldn’t be able to hear them anyway), as long as you have an iPhone with a model number greater than 6 and smaller than 8.

As Corellium itself says:

Android for the iPhone is in beta and has only had limited testing. Any impact on battery, performance, or other components is unknown. Please use caution in installing and using this version.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/DHq-uVw3EVk/

More than a billion hopelessly vulnerable Android gizmos in the wild that no longer receive security updates – research

File this one under “well, duh.” Consumer mag Which? today published research estimating that over a billion Android devices are vulnerable to hackers and malware as they are not receiving security updates.

Data obtained from Google by the publication found that 42.1 per cent of active Android users are languishing on version 6.0 or earlier.

The most current version of Android is version 10, while Android 9.0 Pie and Android 8.0 Oreo continue to receive updates. The Chocolate Factory is expected to release a major update to the world’s most popular mobile operating system, Android 11, later this year.

Anything below Android 8.0, therefore, is vulnerable. Extrapolating from the data, Which? believes that almost one billion Android phones are inherently vulnerable.

Compounding the problem is the proliferation of older devices on sites like Amazon, where they’re sold by third parties. The mag bought a handful of phones – including the Motorola X, Sony Xperia Z2, and Samsung Galaxy A5 2017 – and found they were susceptible to a host of long-discovered vulnerabilities, including Stagefright, Bluefrag and the Joker Android malware.

Which? is encouraging those with older phones who can’t update to take sensible precautions – such as avoiding side-loaded apps and ensuring their data is backed up.

Of course, there’s no silver bullet. The mere existence of a patch doesn’t necessarily mean that manufacturers will actually send them downstream to devices in a timely way – or, indeed, at all.

Google makes a point of delivering monthly security updates to its Pixel phones. Besides that, there are also phones released under the Android One programme, which ensures devices receive at least three years’ worth of security updates, as well as two OS upgrades.


Nokia is perhaps the best example of a vendor that’s jumped on the Android One bandwagon. It’s therefore no surprise that last August, Counterpoint Research ranked it as the top manufacturer for providing device updates, with 96 per cent of devices sold since Q3 2018 on the latest and greatest version of Android.

Following close behind were Samsung and Xiaomi, which had 89 and 84 per cent of their users respectively on the latest version.

Ultimately, this issue is down to the fact that Android has always been utterly fragmented. From its inception, Google has allowed vendors to have almost free rein. This contrasts wildly to Apple, which is known for exercising tight control of its iPhone platform.

And while Google’s approach has allowed a broad sense of differentiation in the smartphone market, it’s come with a cost to consumers.

Manufacturers can determine the life cycle of a phone, and how long it should receive updates. The fewer updates, the less they have to spend in terms of people hours.

Which? is calling for manufacturers to exercise greater transparency and explicitly outline how long their devices will receive critical software updates.

In a statement, Kate Bevan, Computing Editor at Which?, said: “It’s very concerning that expensive Android devices have such a short shelf life before they lose security support – leaving millions of users at risk of serious consequences if they fall victim to hackers.

“Google and phone manufacturers need to be upfront about security updates – with clear information about how long they will last and what customers should do when they run out.”

Which? also wants action on a legislative level to ensure that there’s a benchmark for how long a device will receive updates – although it didn’t specify how long.

“The government must also push ahead with planned legislation to ensure manufacturers are far more transparent about security updates for smart devices – and their impact on consumers,” said Bevan. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/06/1_billion_vulnerable_android_devices_which/

NordVPN quietly plugged vuln where an HTTP POST request without authentication would return detailed customer data

A vulnerability in NordVPN’s payments platform allowed anyone to view users’ payment information and email addresses, a startling HackerOne entry has revealed.

By simply sending an HTTP POST request without any authentication at all to join.nordvpn.com one could read off users’ email addresses, payment method and URL, currency, amount paid and even which product they bought.

The patched flaw was made public in early February on the HackerOne bug bounty platform and was forwarded to The Register by concerned reader Matt, who told us: “Note that this is regardless of whether the users had set strong passwords and otherwise wouldn’t be vulnerable to credential-stuffing attacks.”

When sending a straightforward HTTP POST request to the insecure API, the researcher who found the vuln received this string back:

{"id":42615458,"user_id":20027039,"confirmation":{"id":23093398,"created_at":"2019-12-04 17:01:35","updated_at":"2019-12-04 17:01:35","type":"redirect_post","value":"{"url":"https:\/\/www.coinpayments.net\/index.php","parameters":{"cmd":"_pay","reset":1,"email":"█████","merchant":"e64a9629f9a68cdeab5d0edd21b068d3","currency":"USD","amountf":125.64,"item_name":"VPN order","invoice":"49476958","success_url":"https:\/\/join.nordvpn.com\/payments\/callback\/264cae0b89e44a7bd263431b68d1122d","cancel_url":"https:\/\/join.nordvpn.com\/order\/error\/?error_alert=paymenteu=1","want_shipping":0}}"}}

By changing the “id” and “user_id” numbers, he was able to view random folks’ data, as detailed on the full HackerOne entry.

Professor Alan Woodward of the University of Surrey told The Register that while the vuln was bad, it would require an extra step to enumerate user IDs before the attack would work at scale.

He said: “I assume the structure can be determined and so enumeration wouldn’t be impossible, i.e. having to know the ID isn’t really much protection in itself… It’s the sort of bug that can erode trust, which is vital to VPN providers.”

Prof Woodward added: “It was a simple POST to retrieve data that should not have been openly returned. Writing a script to enumerate the IDs and repeatedly send the POST would presumably have returned data on any of those IDs that were valid.”

NordVPN told The Register it was very happy with its HackerOne membership and bug bounty scheme, while declining to say whether it had informed its customers about the vuln.

Instead, company spokeswoman Jody Myers said: “Such reports are one of the reasons why we have launched the bug bounty program. We are extremely happy with its results and encourage even more researchers to analyze our product. This is an isolated case that potentially affected only a handful of users, due to the implemented rate-limiting. Theoretically, only email addresses could have been seen by a third party.”

Our reader, Matt, spotted another NordVPN disclosure from around the same time which appeared to show rate-limiting had not been implemented on its password reset page. Nonetheless, both bugs have now been patched and bounty’d.

The payment data vuln is of a class called insecure direct object reference, or IDOR. IDOR vulns are, as we reported when defunct travel agency Thomas Cook suffered one in 2018, “a common enough and basic problem on poorly-designed web applications”.
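A minimal version of the IDOR pattern described above, beside a hardened lookup that authenticates the caller and then checks the record's owner, as an added example (not NordVPN's code; the store, ids and e-mail addresses are constructed):

```python
# Added example, not NordVPN's code: an IDOR lookup beside a hardened one.
# Records, ids and addresses below are constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Payment:
    id: int
    user_id: int
    email: str
    amount: float
    currency: str

# Constructed store with sequential ids: once one id is known, neighbours are guessable.
PAYMENTS = {
    1001: Payment(1001, 20, "alice@example.test", 125.64, "USD"),
    1002: Payment(1002, 21, "bob@example.test", 59.00, "USD"),
}
DENIED = defaultdict(int)  # refused lookups per user, a signal worth alerting on

class Forbidden(Exception):
    pass

def lookup_payment_insecure(payment_id: int) -> Optional[Payment]:
    """IDOR: whoever supplies an id gets the record; nothing ties it to the caller."""
    return PAYMENTS.get(payment_id)

def lookup_payment_hardened(payment_id: int, session_user_id: Optional[int]) -> Payment:
    """Authenticate first, then authorise against the record's owner."""
    if session_user_id is None:
        raise Forbidden("authentication required")
    record = PAYMENTS.get(payment_id)
    # Same error for "missing" and "not yours", so replies do not confirm which ids exist.
    if record is None or record.user_id != session_user_id:
        DENIED[session_user_id] += 1
        raise Forbidden("no such payment for this account")
    return record

def is_denied(payment_id: int, session_user_id: Optional[int]) -> bool:
    """True when the hardened lookup refuses the request."""
    try:
        lookup_payment_hardened(payment_id, session_user_id)
    except Forbidden:
        return True
    return False

def denied_count(session_user_id: int) -> int:
    return DENIED[session_user_id]
```

The per-user denial counter is the kind of signal the rate-limiting mentioned by NordVPN's spokeswoman would key on: a single account repeatedly asking for records it does not own is the enumeration behaviour Prof Woodward describes.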

Last year NordVPN came under criticism after an unknown miscreant managed to gain access to one of its servers through a remote management system. Before that, Reg readers and others observed some very strange NordVPN-connected traffic which bore some similarities to botnet command-and-control signalling. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/06/nordvpn_no_auth_needed_view_user_payments/