STE WILLIAMS

If you were cuffed during Trump’s inauguration, cops are trying to crack your smartphone

Vid The inauguration of President Donald Trump in the US capital was marked by protests, with cops collaring more than 200 people on the day. Now court documents reveal the US government’s efforts to crack the arrestees’ locked phones and slurp their contents.

The filings [PDF] – submitted to the Washington DC Superior Court – state that about 230 alleged rioters were cuffed on January 20 amid disturbances that caused over $100,000 in damage and left Alt-Reich campaigner Richard Spencer with a sore jaw.


On Wednesday this week, prosecutors said they had seized more than 100 locked cellphones, and that these will be accessed and searched.

“The government is in the process of extracting information from the rioters’ cellphones pursuant to lawfully issued search warrants, and expects to be in a position to produce all of the data from the searched rioter cellphones in the next several weeks,” the filing reads.

“All of the rioter cellphones were locked, which requires more time-sensitive efforts to try and obtain the data.”

The papers don’t say how the police expect to crack that many phones in such a short period of time, but it’s to be assumed that many are not the most current models, whose security mechanisms thwart data extraction while locked. Nevertheless, it’s an ambitious target.

It may be that arrestees were forced to unlock their phones using fingerprints, which US courts have generally held can be compelled. Passcodes, however, are treated as the contents of a person’s mind: compelling someone to reveal one is generally considered testimonial and is therefore covered by the Fifth Amendment’s protection against self-incrimination.

Once the phones have had their data slurped, the contents will be put online on the Department of Justice’s cloud-based file-sharing platform called USAfx, which it claims is secure. Defense attorneys can then access the data while preparing for their clients’ court cases.

The US government is also planning [PDF] to conduct the trials en masse to save time. It has split the accused into four groups, ranging in size from a dozen to 138 defendants. Defense teams are complaining that this would deny individuals the trials they deserve.

We’ll have to wait until the trials start before we get an inkling of the methods used to break that many phones, if indeed the tools will be disclosed. As we’ve seen in at least one FBI case, sometimes law enforcement is willing to abandon a prosecution rather than reveal its methods. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/23/trump_inauguration_arrestees_phones_being_cracked/

Amazing new WikiLeaks CIA bombshell: Agents can install software on Apple Macs, iPhones right in front of them

Startling leaked documents show the CIA could purchase Apple Macs and iPhones, install spyware onto them, and give them to targets.

The secret files, dumped online today, are the latest documents from WikiLeaks’ Vault 7 series of classified CIA hacking tools and manuals. The files, dated 2008 to 2013, describe malware that could be smuggled onto Apple-designed computers and smartphones before they are handed over to specific targets.

The spying toolkit was made up of various components. One of them is NightSkies, a “beacon” for iPhones that was available shortly after the first generation of Apple’s landmark smartphones went on sale. By periodically pinging a beacon signal to a listening-post system on the internet, the software allows agents to track the infected handheld.

The CIA wanted to port NightSkies to Apple MacBook Air laptops, calling the resulting software DarkSeaSkies, according to the leaked files. This port would include the NightSkies beacon emitter as well as a tool called DarkMatter to install the malware in the machine’s EFI firmware, plus SeaPea to hide its processes and network and file system activities from sight.

DarkSeaSkies would also feature a backdoor so the computer can be remotely controlled, and the ability to download files and run executables. If the malware loses contact with its listening post, it should delete itself. The tool would be installed by agents on a MacBook Air before being shipped to a target.

Crucially, the CIA documents state agents had “the opportunity to gift a MacBook Air to a target that will be implanted with this tool.” In other words, operatives were in a position to give an Apple laptop to someone in the field as a present – perhaps a wedding gift or as a bribe – and wanted to bug the computer to keep tabs on that person. That means the agents wanted to buy the equipment, infect it, and then pass it to the target as a freebie.

This is in contrast to the spin WikiLeaks has put on the manuals. The Julian Assange-led organization is trying to characterize the files as evidence the CIA infiltrated factories and delivery companies to infect machines and handhelds. We’re told that, rather than simply handing over kit as gifts, spies snuck into, or compromised, assembly lines and warehouses, which would be way more risky.

“While CIA assets are sometimes used to physically infect systems in the custody of a target, it is likely that many CIA physical access attacks have infected the targeted organization’s supply chain, including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise,” WikiLeaks said in a statement today.

Yes, of course, it’s possible the agency can get its spyware onto devices by slipping operatives into supply chains – just like the NSA does – but none of today’s documents show that. It’s just internal user guides and wish-lists for surveillance software that you have to install by hand, on a machine physically in front of you. It’s not even clear if any of the described techniques work against Apple’s latest products and software.

Questions

Assange was due to answer questions on his team’s latest leak in a live-streamed press conference on Thursday afternoon, but it was repeatedly delayed for unspecified reasons. Perhaps Jules realized he needed more evidence before besmirching the good name of America’s hardest-working LSD-bothering murder-spies. We asked WikiLeaks to help us understand its thinking: it did not reply.

Next in the dump, there’s Sonic Screwdriver – a Doctor Who reference suggesting the design may have come from the UK’s GCHQ spy nerds – that is stored in an Apple Thunderbolt-to-Ethernet adapter. When plugged into a powered-down Mac laptop’s Thunderbolt port, on booting up the machine, Sonic Screwdriver bypasses the Mac’s firmware password, if set, allowing the CIA operative sitting in front of the computer to begin installing surveillance malware onto the system.

This sounds like a useful gizmo to have if you’re a rogue worker within the supply chain: when no one’s looking, find the machine destined for a target, take it somewhere private, stick in the adapter, install the malware, slip it into its packaging, and send it off. And somehow do all that and not get caught or make it obvious the hardware has been tampered with.

Think about it: why go to all that bother when you can send someone an infected birthday present? And why would a factory-fresh device have a firmware password set on it, when defeating that firmware-level protection is the whole point of Sonic Screwdriver? Sonic Screwdriver is clearly aimed at molesting seized machines, or at use during black bag operations, not at interfering with factory-fresh products in transit.

Finally, the files described OS X 10.7 and 10.8 snoop-ware dubbed Triton, and its infector Dark Mallet, plus an EFI firmware updater called DerStarke. Apparently, DerStarke 2.0 was in use by the agency as late as last year.

In summary: curious spykit, yes. Evidence of supply chain meddling, no. D-, must try harder. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/23/wikileaks_cia_darkmatter_vault_7/

Airline devices ban: here’s what you need to know

Amid fears that terrorists might try smuggling explosives on to airplanes, the Trump administration ordered nine airlines to ban most types of electronic devices from the cabins of US-bound flights. The UK followed suit with similar restrictions, also based on fears of terrorism.

With the exception of smartphones, such items as laptops and tablets must now be placed in checked luggage.

This is bound to cause anxiety for frequent travelers, especially those flying on business – many of whom use their laptops during flights to get work done. For now, the best travelers can do is know what the restrictions entail so they can plan accordingly and avoid added stress at the airport.

To that end, we’ve broken down the basics of what is happening and how best to prepare.

When it takes effect

Affected airlines were notified of the new restrictions at 3 am ET Tuesday, and were given four days to comply. Enforcement of the new rules will begin Friday. Some UK airlines have already rolled out the restrictions. Airlines that refuse to comply face having their permission to fly to the US revoked.

Affected countries and airlines

Who must check their larger devices? If your destination is the US, you’re affected if flying from:

  • Jeddah and Riyadh, Saudi Arabia
  • Istanbul, Turkey
  • Cairo, Egypt
  • Dubai and Abu Dhabi, United Arab Emirates
  • Doha, Qatar
  • Kuwait City
  • Amman, Jordan
  • Casablanca, Morocco

UK-bound travelers are affected if they’re flying in from:

  • Egypt
  • Lebanon
  • Turkey
  • Jordan
  • Tunisia
  • Saudi Arabia

Flights to the UK from Dubai, Abu Dhabi and Doha are omitted from the restrictions.

Affected airlines

The affected airlines with direct flights to the US are:

  • EgyptAir
  • Emirates Airline
  • Etihad Airways
  • Kuwait Airways
  • Qatar Airways
  • Royal Air Maroc
  • Royal Jordanian Airlines
  • Saudi Arabian Airlines
  • Turkish Airlines

The UK restrictions affect:

  • British Airways
  • EasyJet
  • Jet2.com
  • Monarch
  • Thomas Cook
  • Thomson
  • Turkish Airlines
  • Pegasus Airways
  • Atlas-Global Airlines
  • Middle East Airlines
  • Egyptair
  • Royal Jordanian
  • Tunis Air
  • Saudia

Banned devices

Though smartphones will still be allowed in the cabin, electronic devices bigger than that must be checked, including laptops, cameras, gaming devices, e-readers and tablets. Passengers who require medical devices at all times will be allowed to bring them in the cabin after a security screening.

At the airport

For those affected, a big point of anxiety is probably what happens at the airport. CNN noted that airlines are scrambling to sort out how they’ll implement the rules. Our suggestion: if you’re flying from Friday onward, get to the airport an hour earlier than you normally would.

Put laptops, tablets and other banned devices in the luggage you plan to check in ahead of time. Otherwise, you could be forced to give up your device at the security checkpoint.

Choose another airline

The directions above apply to those using the affected airlines. Which brings us to more advice: try to book travel on an airline that’s not on the list for restrictions, said Deepak Jain, global travel manager at Sophos. He added:

To be honest, I won’t advise anyone to put a laptop in checked baggage. 

If alternative airline schedules don’t fit your needs and you have no choice but to check your devices, Jain has the following advice:

Of course, all this is cold comfort to those used to bringing these devices into the cabin. It would certainly cause heartburn for frequent travelers like some of us at Naked Security.

We wish everyone safe travels and the patience to get through what we hope will be a temporary arrangement.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/-7ox8XUHTBc/

‘I forgot my password’ doesn’t impress judge in a child images case

Sorry, “John Doe”: the courts aren’t buying the notion that you’ve “forgotten” the passwords to unlock external hard drives that the Justice Department believes contain child abuse imagery.

Earlier this week the US Court of Appeals for the Third Circuit, in Pennsylvania, held that the defendant (referred to in court documents as “John Doe” because his case is partially under seal) is in contempt of court for willfully disobeying and resisting an order to decrypt external hard drives that had been attached to his Mac computer, The Register reports.

Here’s the ruling (PDF), posted courtesy of the Register.

According to the court, Doe voluntarily handed over the password for an Apple iPhone 5S, but he refused to provide the passwords to decrypt his Mac or the external hard drives. Forensic analysts figured out his computer password, but they haven’t been able to decrypt the external hard drives.

The police suspect that images are there, though. The analysts found an image of “a pubescent girl in a sexually provocative position” on the computer, along with logs showing that it had been used to visit sites whose names are common in child exploitation.

They couldn’t find the images themselves on the Mac, but they did find evidence of Doe having allegedly downloaded thousands of files with the hash values of known child abuse images.

Since 2008, the National Center for Missing & Exploited Children (NCMEC) has made available to ISPs and other companies a list of hash values for known child sexual abuse images, which enables them to check large volumes of files for matches without having to keep copies of offending images or to actually pry open people’s private messages.

The hash originally used to create unique file identifiers was MD5, but Microsoft at one point donated its own PhotoDNA technology to the effort.

PhotoDNA creates a signature for an image by converting it to black and white, resizing it, and breaking it into a grid. In each grid cell it computes a histogram of intensity gradients, or edges, and from those histograms derives the image’s so-called DNA. Images with similar DNA can then be matched.

Given that the amount of data in the DNA is small, large data sets can be scanned quickly, enabling companies including Microsoft, Google, Verizon, Twitter, Facebook and Yahoo to find needles in haystacks and sniff out illegal child abuse imagery. Optimally, it works even if the images have been resized or cropped.
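To make the pipeline above concrete, here is an added toy perceptual hash written for this page; it is not Microsoft’s PhotoDNA, whose actual algorithm is proprietary, and the images it hashes are constructed synthetic patterns rather than real pictures. It follows the steps the article lists (grayscale, resize, grid, per-cell histogram of edge directions) in pure Python, and then compares signatures by distance. The grid size, bin count and match threshold are assumptions chosen for the demo.

```python
"""Added example (not Microsoft's PhotoDNA, whose algorithm is proprietary):
a toy perceptual hash that follows the pipeline the article describes:
grayscale -> resize -> grid -> per-cell histogram of edge directions.
Pure Python; images are lists of rows of (r, g, b) tuples."""
import math

SIZE = 32   # every image is normalised to SIZE x SIZE before hashing
GRID = 4    # split into GRID x GRID cells
BINS = 4    # edge-direction bins per cell; signature length = GRID*GRID*BINS


def to_gray(img):
    """Luma conversion of an RGB image (list of rows of (r, g, b))."""
    return [[0.299 * r + 0.587 * g + 0.114 * b for (r, g, b) in row] for row in img]


def resize(gray, size=SIZE):
    """Nearest-neighbour resize to size x size (enough for the demo)."""
    h, w = len(gray), len(gray[0])
    return [[gray[y * h // size][x * w // size] for x in range(size)]
            for y in range(size)]


def cell_histogram(gray, y0, x0, cell):
    """Normalised histogram of gradient directions inside one grid cell."""
    hist = [0.0] * BINS
    for y in range(y0, y0 + cell):
        for x in range(x0, x0 + cell):
            if y + 1 >= len(gray) or x + 1 >= len(gray[0]):
                continue                      # no forward difference at the border
            gx = gray[y][x + 1] - gray[y][x]
            gy = gray[y + 1][x] - gray[y][x]
            mag = math.hypot(gx, gy)
            if mag == 0.0:
                continue                      # flat pixel, no edge
            angle = math.atan2(gy, gx)        # -pi .. pi
            hist[int((angle + math.pi) / (2 * math.pi) * BINS) % BINS] += mag
    total = sum(hist)
    return [v / total for v in hist] if total else hist


def signature(img):
    """The 'DNA': concatenated per-cell edge histograms."""
    gray = resize(to_gray(img))
    cell = SIZE // GRID
    sig = []
    for gy in range(GRID):
        for gx in range(GRID):
            sig.extend(cell_histogram(gray, gy * cell, gx * cell, cell))
    return sig


def distance(a, b):
    """Euclidean distance between two signatures; 0 means identical."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def is_match(a, b, threshold=0.5):
    """Threshold is an assumption for the demo; real deployments calibrate it."""
    return distance(a, b) <= threshold


def make_image(w, h, pattern):
    """Constructed test images: a bright box on a dark background, or stripes."""
    dark, bright = (20, 20, 20), (255, 255, 255)
    rows = []
    for y in range(h):
        row = []
        for x in range(w):
            if pattern == "box":
                lit = x >= 0.4 * w and y >= 0.4 * h
            else:  # "stripes": eight horizontal bands
                lit = (y * 8 // h) % 2 == 0
            row.append(bright if lit else dark)
        rows.append(row)
    return rows


if __name__ == "__main__":
    ref = signature(make_image(64, 64, "box"))
    print("resized copy :", distance(ref, signature(make_image(40, 40, "box"))))
    print("other image  :", distance(ref, signature(make_image(64, 64, "stripes"))))
```

Run stand-alone, the 64×64 box and its 40×40 copy hash to the same signature (distance 0), while the striped image sits several units away, which is the property that lets a small signature stand in for a file whose exact bytes (and therefore MD5) change with every re-encode. Note that this sketch is robust to resizing but not to cropping, since cropping shifts the grid; the crop robustness the article attributes to PhotoDNA is a property of the real algorithm, not of this toy.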

In this particular Pennsylvania case, the telltale hash values of known abuse images were found on Doe’s computer. Investigators presumed that those images had been downloaded to the external drives.

Doe eventually decrypted another cellphone, an iPhone 6 Plus. It contained more than 2,000 images inside what had been an encrypted app. Analysts found that the phone held adult porn and indecent images of two very young girls.

But Doe claimed to have forgotten the passwords to decrypt the hard drives. He entered three incorrect passwords during the forensic examination.

The magistrate judge who heard the initial case didn’t swallow the “I forgot” defense, asserting that “Doe remembered the passwords needed to decrypt the hard drives but chose not to reveal them because of the devices’ contents.”

Doe has argued that he’s not in contempt of court because being forced to reveal his password violates his Fifth Amendment protection against self-incrimination. But in August 2015, the magistrate judge held that Doe’s decrypting his devices couldn’t be considered testimony against himself, because the government already knew that there would be child abuse imagery on the devices (the so-called foregone conclusion doctrine).

Doe didn’t testify in his own defense over the contempt charge. Nor did he call witnesses or offer evidence as to why he shouldn’t be held in contempt for failing to decrypt the devices. In fact, his own sister, who had lived with him in 2015, had testified that her brother showed her hundreds of abuse images and videos.

Doe was jailed, with a court order (PDF) to keep him locked up indefinitely until he decrypted the drive. The court at the time said he “[carries] the keys to his prison in his own pocket”.

That magistrate judge’s decision was upheld by the US Third Circuit Court of Appeals on Monday.

The Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) had filed a friend-of-the-court brief (PDF) in which they backed up the suspect’s Fifth Amendment argument, saying that…

…compelled decryption is inherently testimonial because it compels a suspect to use the contents of their mind to translate unintelligible evidence into a form that can be used against them. The Fifth Amendment provides an absolute privilege against such self-incriminating compelled decryption.

Mark Rumold, senior staff attorney at the EFF, told the Register that Monday’s ruling was disappointing, albeit not entirely surprising. The EFF still holds that individuals shouldn’t be compelled to provide passwords. The Register quoted him:

Any time suspects are forced to disclose the contents of their mind, that’s enough to trigger the Fifth Amendment, end of story.

But The Register also quoted Dan Terzian, a lawyer who’s argued against the EFF on this:

Scores of companies now encrypt their data… In the EFF’s alternate universe, these companies are effectively immune from discovery and subpoenas.

Rumold predicted that the Supreme Court would wind up weighing in on the case.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/c-1TNwhDU9M/

Spam mails circulate file-shredding malware: how to protect yourself

If an email hits your inbox asking for payment in return for a TV license, be careful: a new social engineering attack is circulating that uses spam messages to trick victims into downloading file-deleting malware.

SophosLabs has seen such cases escalate since early January, when attacks struck two organizations, deleted files on shares and replaced them with .JSE files that took the same names as the original files.

The attack begins when the bad guys send emails to people within the targeted organizations. Strictly speaking it isn’t a phishing email, which would take the victim to a fake log-in screen; with this particular tactic, the click simply results in the download of a malicious document.

Those who click are infected with the .JSE worm, which then goes to work deleting and replacing files on your network shares. The worm is roughly the same each time, but the payload has changed in each of the attacks SophosLabs analyzed.

On the left, a social engineering trick

Victims were infected using typical spam emails. Below are two messages about the status of a TV license. Choosing that topic was clever on the part of the bad guys, especially for targeting people in the UK, where such licenses are mandatory. The copy is fairly authentic-looking, until you look more closely.

The one on the left is the spam message, which tells the reader that payment is still needed. There is also no customer name or license number, and the logo is slightly off:

If “view invoice” is clicked, it downloads a file called Invoice.doc, which is infected with Troj/DocDl-IGU. Once the file is downloaded and opened, the user has to enable macros. Before macros are enabled, the file looks like this:

Once macros are enabled, the malware begins its attack.

The worm connects to a command-and-control server and pulls down a payload. The payload changes with each attack. In one case it was the banking trojan Dridex (v4). In another case it was a different banking trojan known as Gozi.

Defensive measures

Sophos is blocking the malware on behalf of its customers, but it’s important for organizations to warn employees that these emails are making the rounds. Specifically, companies should:

  • Explain what the emails look like and how to tell the real from the fake
  • Warn employees not to click anything unless it comes from a trusted source

For this type of infection (doc/script/download) there are other techniques people can use to protect themselves. For example:

  • Deploy anti-spam software to stop malicious email from getting to the user
  • Employ email gateway attachment policies. For example, blocking inbound Office documents with macro content
  • Have an Office group policy that blocks untrusted macros
  • Use application controls to prevent unauthorized use of script engines (wscript in this case)
  • Back up files frequently
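The controls above are preventive; after the fact, the trace this worm leaves on a share is distinctive, since originals are deleted and .JSE files of the same name are left in their place. The scanner below is an added example written for this page, not Sophos code, and the share it walks is a constructed temporary tree rather than a real incident. It assumes that “same name” means the original stem with a script extension (report.docx becoming report.jse or report.docx.jse), and flags directories holding at least two script files whose original no longer exists.

```python
"""Added example (not Sophos code): a scanner for the post-infection state the
article describes, where original files on a share are deleted and replaced by
.JSE files of the same name. Assumption: 'same name' means the original stem
with a script extension (report.docx -> report.jse or report.docx.jse)."""
import os
import shutil
import tempfile

SCRIPT_EXTS = {".jse", ".js", ".vbs", ".vbe", ".wsf"}


def script_stem(filename):
    """'q2.xlsx.jse' -> 'q2', 'q1.jse' -> 'q1'; None for non-script files."""
    base, ext = os.path.splitext(filename)
    if ext.lower() not in SCRIPT_EXTS:
        return None
    return os.path.splitext(base)[0]


def scan_share(root, min_orphans=2):
    """Return {relative dir: [orphaned script files]} for directories holding at
    least min_orphans script files whose original (same stem, non-script
    extension) no longer exists."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        present_stems = {os.path.splitext(f)[0] for f in files
                         if os.path.splitext(f)[1].lower() not in SCRIPT_EXTS}
        orphans = sorted(f for f in files
                         if script_stem(f) is not None
                         and script_stem(f) not in present_stems)
        if len(orphans) >= min_orphans:
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            findings[rel] = orphans
    return findings


def build_sample_share():
    """Constructed sample tree (not real data) mimicking a hit share."""
    root = tempfile.mkdtemp(prefix="share_")
    layout = {
        "finance": ["budget.xlsx", "q1.jse", "q2.xlsx.jse", "forecast.jse"],
        "hr": ["notes.txt", "notes.jse"],       # original still present
        "it/scripts": ["logon.vbs"],            # a lone, legitimate script
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "w") as fh:
                fh.write("sample\n")
    return root


def demo(min_orphans=2):
    """Build the sample share, scan it, clean up, return the findings."""
    root = build_sample_share()
    try:
        return scan_share(root, min_orphans)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for d, files in demo().items():
        print(f"{d}: {len(files)} orphaned script files {files}")
```

On the sample tree only the finance directory is reported: hr keeps its original next to the script, and the lone logon.vbs under it/scripts falls below the threshold. Lowering min_orphans to 1 surfaces that script too, which is the false-positive trade-off a real deployment tunes, and pointing the scanner at a share’s last good backup gives you the list of originals to restore.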



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/H4Y9x_vOl8s/

Ex-IT director accused of accessing his former employer for two years

Columbia Sportswear is suing its former top IT director for allegedly setting himself up with a fake email account the day before he left and then using it to hack the company for more than two years.

The complaint alleges that Michael Leeper used that account to slip into the sporting goods maker’s system 700 times.

As Columbia tells it, three years ago, after 14 years of working at the company, Leeper left his job as senior IT director to become CTO at the technology consultancy and reseller Denali Advanced Integration, which was one of Columbia’s vendors.

Well, at least, Columbia management thought Leeper left. In fact, they’re now claiming, their senior IT guy didn’t entirely leave. Rather, he allegedly left one foot in the network door so he could get back in and do a bit of electronic raiding to benefit his new employer.

According to a lawsuit Columbia filed in US District Court for the District of Oregon on March 1, Leeper was hired into desktop support in 2000 and steadily rose through the ranks. By the time he left in 2014 to work for Denali, he was senior director of IT infrastructure at Columbia. As such, he had his fingers in all the pies: global IT systems, dealings with technology vendors, Columbia’s email systems, and its broader private computer network.

His duties required him to have “nearly unlimited access to the company’s network,” the lawsuit explains. That gave him a unique advantage:

…while the vast majority of Columbia employees were (and are) permitted to access only their own email accounts and limited other parts of the company’s private computer network, Leeper could access nearly all of that network, including thousands of other employees’ company email accounts. Additionally, unlike the vast majority of other Columbia employees, Leeper could create new network accounts and give existing accounts “permissions” enabling them to access otherwise forbidden parts of Columbia’s network.

Leeper had access to execs’ email accounts, as well as to the company’s finances, its strategic planning, and plenty of other sensitive, proprietary knowledge.

As a reseller, Denali worked as a middleman between Columbia and hardware and software vendors like EMC and IBM from about 2012 to 2016. Denali wasn’t the only reseller competing for Columbia’s business, though. If Denali were to know what hardware or software Columbia needs and what it’s willing to pay, Denali would have that much of an edge over the competition.

On March 2, 2014 – his penultimate day at Columbia – the sporting goods company alleges that Leeper surreptitiously set up a network account under a false name, “Jeff Manning”. The “jmanning” account would enable him to log on remotely to Columbia’s network, according to the complaint.

Columbia alleges that the jmanning account gave Leeper access points to the network via:

  • Virtual Private Network (VPN)
  • Virtual Desktop Infrastructure (VDI)
  • Employees’ private company email accounts (in conjunction with an older “service” network account named “svcmom”)

Columbia says that, after boosting permissions on those accounts, Leeper spent the next two and a half years breaking into the network on 700 separate occasions. He allegedly went after IT employees’ emails, reading dozens of messages on each occasion and gaining unauthorized access to IT equipment upgrade budgets, detailed spreadsheets showing Columbia’s prior and projected IT spending, communications between Columbia and Denali’s competitors, and, in some cases, contracts between Columbia and Denali’s competitors.

Columbia says it picked up on the network intrusions while implementing an upgrade to its email system in 2016. It reported the matter to the FBI, lawyered up, set about closing down the breach, and tasked its employees to figure out who was behind it.
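The alleged pattern is detectable from ordinary directory and remote-access logs if someone correlates them with the HR leaver feed: an account created by an administrator shortly before their last day, permissions granted by that administrator in the same window, and remote logins by the new account after the creator has gone. The script below is an added example written for this page, not Columbia’s or the FBI’s tooling, and its events are constructed sample records that mirror the complaint’s timeline rather than data from the case; the 14-day window and field names are assumptions.

```python
"""Added example (not Columbia's or the FBI's tooling): detection logic for the
pattern alleged in the complaint, an admin who creates an account and grants
permissions just before leaving, after which that account logs in remotely.
The events below are constructed sample records, not data from the case."""
from datetime import datetime, timedelta

# (timestamp, creator, new_account)
ACCOUNT_CREATIONS = [
    ("2014-03-02T17:40:00", "mleeper", "jmanning"),
    ("2014-02-10T09:05:00", "helpdesk1", "asmith"),
]
# (timestamp, granted_by, target_account, right)
PERMISSION_GRANTS = [
    ("2014-03-02T17:55:00", "mleeper", "jmanning", "VPN-Users"),
    ("2014-03-02T18:01:00", "mleeper", "svcmom", "FullAccess:all-mailboxes"),
    ("2014-01-20T10:00:00", "mleeper", "backupsvc", "Backup-Operators"),
]
# last working day per departing user (from the HR leaver feed)
LEAVERS = {"mleeper": "2014-03-03"}
# (timestamp, account, channel)
REMOTE_LOGINS = [
    ("2014-03-12T22:15:00", "jmanning", "vpn"),
    ("2014-04-01T23:02:00", "jmanning", "vdi"),
    ("2014-03-05T08:30:00", "asmith", "vpn"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def _departure(leavers, user):
    """Midnight after the user's last working day, or None if not a leaver."""
    if user not in leavers:
        return None
    return _ts(leavers[user]) + timedelta(days=1)


def suspicious_leaver_accounts(creations, leavers, logins, window_days=14):
    """Accounts created by a leaver within window_days of departure, with a
    count of remote logins by that account after the creator had left."""
    report = []
    for when, creator, new_acct in creations:
        departed = _departure(leavers, creator)
        if departed is None:
            continue
        created = _ts(when)
        if not (departed - timedelta(days=window_days) <= created <= departed):
            continue
        later = [(w, a, c) for (w, a, c) in logins
                 if a == new_acct and _ts(w) > departed]
        report.append({
            "account": new_acct,
            "created_by": creator,
            "created": when,
            "post_departure_logins": len(later),
            "channels": sorted({c for (_w, _a, c) in later}),
        })
    return report


def late_permission_grants(grants, leavers, window_days=14):
    """Permission changes made by a leaver within window_days of departure."""
    hits = []
    for when, by, target, right in grants:
        departed = _departure(leavers, by)
        if departed is None:
            continue
        if departed - timedelta(days=window_days) <= _ts(when) <= departed:
            hits.append({"by": by, "target": target, "right": right, "when": when})
    return hits


if __name__ == "__main__":
    for row in suspicious_leaver_accounts(ACCOUNT_CREATIONS, LEAVERS, REMOTE_LOGINS):
        print("account:", row)
    for row in late_permission_grants(PERMISSION_GRANTS, LEAVERS):
        print("grant:", row)
```

On the sample data the jmanning account is reported with two post-departure remote logins over VPN and VDI, and both of the leaver’s same-day grants (to the new account and to the svcmom service account) are listed, while the helpdesk-created account and the January grant are ignored. The point of the join with HR data is that none of these events look wrong in isolation; an administrator creating accounts and granting rights is normal, which is why the two-year gap in detection is plausible without this kind of leaver review.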

Columbia is charging Leeper and Denali with violating the Computer Fraud and Abuse Act (CFAA) and the Wiretap Act. It’s also charging Leeper with breach of his duty of loyalty.

Columbia’s complaint says that Denali and Leeper haven’t cooperated with its efforts to find out what confidential business information was accessed and what information Denali might still hold.

Columbia has asked the court to order Denali and Leeper to destroy any information they obtained from their intrusion. The company is seeking an unspecified sum in damages.

How do you protect against your own?

We’ve written about insider threats before. Late last year, Jonathan Lee, Sophos’s UK healthcare sector manager, outlined five things healthcare organizations can do to better protect patient data.

They’re good advice, whether you work in a healthcare organization, a sporting goods retailer, or any other industry, so here they are again:

1. Know your risk

The first thing to do is carry out a thorough risk assessment so that you know what threats you face, understand your vulnerabilities and assess the likelihood of being attacked. It’s only when that is complete that you can go on to the next stage of creating an integrated cybersecurity plan.

2. Follow best practice

Health organizations, and others too, all too often spend money on cybersecurity solutions but then fail to deploy them properly. Make sure you’re following the recommendations for best practice when deploying your defenses.

3. Have a tried and tested incident response plan

Work on the assumption that an attack will happen and ensure you have a tried and tested incident response plan that can be implemented immediately to reduce the impact of the attack.

4. Identify and safeguard your sensitive data

It’s almost impossible to protect all your data all of the time, so identify the information you keep that would harm your organization if it were stolen or unlawfully accessed and implement suitable data security procedures to ensure it is appropriately protected.

5. Educate employees

With so many breaches being the result of something an employee has done – inadvertently or otherwise – part of your cybersecurity plan must be to make sure all your staff know the risks they face and their responsibilities. Educating them is your job, and should be part of your plan.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/GX-D_p5UOqM/

Malware ‘disguised as Siemens software drills into 10 industrial plants’

Malware posing as legitimate software for Siemens control gear has apparently infected industrial equipment worldwide over the past four years.

The cyber-nasty is packaged as software to be installed on Siemens programmable logic controllers (PLC), we’re told. At least 10 industrial plants – seven in the US – were found running the infected software, a study by industrial cybersecurity firm Dragos claims.

According to the Maryland-based biz, this particular malware was specifically thrown at industrial control equipment. Exactly what it does, or did, is not explained, although it is described as “crimeware”. Dragos CEO Robert Lee writes:

Starting in 2013, there were submissions from an ICS environment in the US for Siemens programmable logic controller control software. The various anti-virus vendors were flagging it as a false positive initially, and then eventually a basic piece of malware. Upon our inspection, we found … variations of this file and Siemens theme 10 times over the last four years, with the most recent flagging of this malicious software being this month in 2017.

In short, there has been an active infection for the last four years of an adversary attempting to compromise industrial environments by theming their malware to look like Siemens control software. The malware is simply crimeware but has seemingly been effective.

This malware is separate from the common-or-garden adware and bank-raiding Trojans that find their way onto PCs. Dragos conservatively estimates that 3,000 industrial sites a year are infected by traditional cyber-pests. These infections were largely opportunistic Trojans – such as Sivis, Ramnit, and Virut – brought in by staff using infected USB sticks.

Dragos revealed its findings during a keynote at the SANS ICS Security Summit in Orlando, Florida.

Edgard Capdevielle, chief exec at industrial control security specialists Nozomi Networks, said: “That ICS themed malware exists is not surprising, but it is concerning. The reality is that ICS networks today face all the same security challenges as every other IT network, but lack similar security options.

“Historically ICS was designed to be completely segregated and confined by physical boundaries. However, each new IP address punches another hole in the metaphorical wall that separates Information Technology (IT) and Operational Technology (OT). Having established IT connectivity, it’s difficult to put the genie back in the bottle and each of these avenues is a potential point of weakness that can be compromised – by hackers burrowing in or malware (such as ransomware) detonating internally and then radiating out.”

Andrew Cooke, head of cyber consulting at Airbus Defence and Space CyberSecurity, added: “Malware is prevalent in a wide range of industrial systems, often spread by an infected USB stick or by unauthorized remote access. But while the majority of malware found in these systems is low level, it can still pose a serious risk for the organizations concerned. Sophisticated attackers often use these methods to gain valuable intelligence about the way that a system is operated, configured and run.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/22/malware_siemens_plc_firmware/

Android Forums resets passwords after breach

Add Android Forums to the growing list of web properties that have suffered a security breach.

One in 40 members of the forum (2.5 per cent) was exposed by the hack. Moderators said they have been able to identify potentially compromised accounts, the passwords of which have been reset. Many of the affected accounts were older and half of them had never posted to Android Forums.

Information taken includes email addresses, hashed passwords, and salt. The administrators speculate that targeted phishing emails by crooks may follow, so extra vigilance is advised. Even those not directly affected by the incident are advised to change their passwords, as a precaution.
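“Hashed passwords, and salt” is only as reassuring as the hash is slow: a per-user salt defeats precomputed tables, but an attacker holding the salt simply runs a dictionary through the same function for each user. The script below is an added example written for this page, not Android Forums’ code; the page does not say which hash function the site used, so the fast salted-MD5 scheme is an assumption standing in for a typical legacy forum setup, and the leaked rows and wordlist are constructed. It runs the same attack against that scheme and against PBKDF2 with a work factor, so the difference in cost per guess is visible.

```python
"""Added example (not Android Forums' code; the page does not say which hash
function the site used). It shows why 'hashed with a salt' is only as
reassuring as the hash is slow: the salt defeats precomputed tables, not a
per-user dictionary attack. Records below are constructed, not leaked data."""
import hashlib
import hmac
import time


def fast_hash(password, salt):
    """Assumed legacy scheme: one MD5 over salt || password (fast)."""
    return hashlib.md5((salt + password).encode()).hexdigest()


PBKDF2_ROUNDS = 50_000


def slow_hash(password, salt):
    """Deliberately slow alternative: PBKDF2-HMAC-SHA256 with a work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                               PBKDF2_ROUNDS).hex()


WORDLIST = ["123456", "password", "qwerty", "android", "letmein"]


def make_records(hash_fn):
    """Constructed 'leaked' rows: (user, salt, hash). alice's password is in
    the wordlist, bob's is not."""
    return [
        ("alice", "k3Ly", hash_fn("password", "k3Ly")),
        ("bob", "9pQx", hash_fn("Tq7#vR2m!zL0", "9pQx")),
    ]


def crack(records, hash_fn, wordlist):
    """Per-user dictionary attack; the salt is public so it is simply reused.
    Returns ({user: recovered_password}, number_of_hash_evaluations)."""
    recovered, guesses = {}, 0
    for user, salt, digest in records:
        for guess in wordlist:
            guesses += 1
            if hmac.compare_digest(hash_fn(guess, salt), digest):
                recovered[user] = guess
                break
    return recovered, guesses


def compare_cost():
    """Seconds spent on the same dictionary attack against both schemes."""
    out = {}
    for name, fn in (("fast_md5", fast_hash), ("pbkdf2", slow_hash)):
        recs = make_records(fn)
        t0 = time.perf_counter()
        found, n = crack(recs, fn, WORDLIST)
        out[name] = {"seconds": time.perf_counter() - t0,
                     "guesses": n, "found": found}
    return out


if __name__ == "__main__":
    for name, r in compare_cost().items():
        print(f"{name:8s} {r['guesses']} guesses in {r['seconds']:.4f}s -> {r['found']}")
```

Both schemes give up alice’s password after seven guesses in total, since the salt never hides a weak password; what changes is the bill per guess, which for the PBKDF2 rows is tens of thousands of times higher and is what makes a full wordlist run impractical at scale. That is why the advice to change passwords stands even for accounts that were “only” exposed as salted hashes.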

The Neverstill Team, which runs the site, apologised for the incident and promised to “reinvigorate” its security efforts. “Among our newest efforts is site-wide HTTPS support, as well as a new 2-step authentication requirement for our staff,” a statement by the developers added.

Android Forums’ breach notice

El Reg learned of the breach following a tip-off from a reader who was notified of the problem. Members of the site can find its breach notification statement here (registration required). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/23/android_forums_breach/

20 Million Mobile Devices at High Risk of Attack, Study Finds

Meanwhile, a separate report by Google says half of all Android devices didn’t install a single security update in 2016.

[This piece was updated and corrected with the exact (1.19%) figure from the report.]

Numbers-crunchers, check this out: In a new report released this morning, Skycure found that 1.19% of all mobile devices are at high risk for malware infections.

While that might sound like a small number, Varun Kohli, vice president of marketing at Skycure, explains that 1.19% of 2 billion mobile devices worldwide translates to 23.8 million infected devices.

“It’s kind of deceiving, but for a company with 1,000 employees that means that 10 devices are at high risk,” Kohli says. “All a bad guy needs is one device to get into the network and start compromising data.”

The study also found that 71% of mobile devices are running on security patches that are at least two months old. This information is fairly in line with Google’s newly published Android Security report, which found that about 50% of Android devices didn’t install a single security update in 2016.

“We still see a lot of vulnerabilities on mobile devices, especially as people hold on to their devices longer,” says Phil Hochmuth, program director for enterprise mobility at IDC. “However, mobile security is getting better, the biometrics have improved, and at corporations if people bring their own devices, they have to comply with the company’s mobile management software.”

Mobile malware – adware, hidden apps, potentially unwanted apps, spyware, and Trojans – grew more than 500% from the first quarter of 2016 to the fourth quarter of that year, according to Skycure’s data.

Skycure’s Kohli offers tips for locking down mobile devices:

1.  Think before you click. Don’t click, install, or connect to anything that you don’t think is safe.

2.  Update right away. Always update to the latest mobile security patch as soon as it’s available.

3.  Consider mobile threat management software. IDC’s Hochmuth says this software has not been automatic in the mobile world as it has been on the desktop, but that’s changing.

4.  Don’t run third-party apps. Only download apps from official app stores such as the Apple App Store or Google Play. Skycure estimates that users who download apps at third-party app stores are 72% more likely to be infected by malware.

5.  Be careful on public WiFi networks. Don’t run sensitive data on a public WiFi network. And when connecting to a WiFi network, make sure it’s a legitimate one. Skycure hosts a site that shows bad WiFi networks in your area, maps.skycure.com.

6.  Use strong passwords. Skycure estimates that 20 to 30% of users don’t have even simple password protection. This is the simplest thing people can do, and it’s becoming easier as fingerprint biometrics have improved.

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: http://www.darkreading.com/threat-intelligence/20-million-mobile-devices-at-high-risk-of-attack-study-finds---------/d/d-id/1328463?_mc=RSS_DR_EDT

Russian Man Pleads Guilty for Role in Citadel Malware Attacks

Russian national Mark Vartanyan pleads guilty in US federal court following his December 2016 extradition from Norway.

Mark Vartanyan, a Russian national and cybercriminal operating under the alias “Kolypto,” pleaded guilty to one charge of computer fraud in US federal court in Atlanta, reports the AP.

Vartanyan admitted involvement with the “development, improvement, maintenance and distribution” of the Citadel Trojan between 2012 and 2014 from Ukraine and Norway, from where he was extradited in December 2016. Threat actors could use Citadel to steal victims’ financial information and other personal data.

The Trojan has infected an estimated 11 million computers and caused more than $500 million in losses. Cybercriminals used it to target major government and financial organizations worldwide.

Vartanyan, who was charged in the US after being extradited from Norway, is set to be sentenced June 21. He is the second person to be charged in a case related to Citadel: the first was Dimitry Belorossov, who was sentenced to 54 months for attacking computers with Citadel through a botnet he operated from Russia.

Read more on the AP.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/attacks-breaches/russian-man-pleads-guilty-for-role-in-citadel-malware-attacks/d/d-id/1328468?_mc=RSS_DR_EDT