STE WILLIAMS

Learn the Unique Weaknesses of Apple Devices at Black Hat USA

At Black Hat USA this August don’t miss the new Mobile track of Briefings that’s full of cutting-edge insights into the unique weaknesses and strengths of Apple’s hardware.

Look, No Hands! — The Remote, Interaction-less Attack Surface of the iPhone explores the remote, interaction-less attack surface of iOS. In this 50-minute Briefing a Google security engineer will discuss the potential for vulnerabilities in SMS, MMS, Visual Voicemail, iMessage and Mail, and explain how to set up tooling to test these components. You’ll also see two informative examples of vulnerabilities discovered using these methods.

You can also check out Attacking iPhone XS Max for expert insight into how Apple’s implementation of Pointer Authentication Code (PAC) on the A12 SoC comes more into play for exploit mitigations. This talk will discuss Apple’s PAC implementation based on tests, introduce an ancient bug in XNU that is still affecting the latest official release of iOS (i.e. 12.1.4), and elaborate on how to bypass PAC and gain arbitrary kernel read/write. You’ll also learn about post-exploitation techniques, including how to make arbitrary kernel function calls based on arbitrary kernel read/write.

In All Your Apple are Belong to Us: Unique Identification and Cross-Device Tracking of Apple Devices, security experts will present a study of Apple device unique identification and cross-device tracking technologies. The experts will list several approaches (e.g., public APIs and vulnerabilities like CVE-2018-4322) to uniquely identify an Apple device even after a system reboot or reset. They’ll also present advanced algorithms and vulnerabilities (e.g., CVE-2018-4321) to associate Apple devices through deterministic user IDs (e.g., Apple IDs and phone numbers) and probabilistic data (e.g., device names, coordinate information, and IP addresses). Last, but not least, they’ll discuss feasible solutions (e.g., instrumentation and differential privacy) to prevent unique identification and cross-device tracking.

Black Hat USA returns to the Mandalay Bay in Las Vegas August 3-8, 2019. For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/black-hat/learn-the-unique-weaknesses-of-apple-devices-at-black-hat-usa/d/d-id/1335209?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The Security of Cloud Applications

Despite the great success of the cloud over the last decade, misconceptions continue to persist. Here’s why the naysayers are wrong.

A decade or so ago, cloud computing was the hot topic in IT and related business circles. As with any emerging technology, people were skeptical and suspicious, and they had lots of questions about how the cloud worked, whether it was right for their organization, if their data was protected, and so on. As time passed, people became increasingly comfortable with the cloud and began to capitalize on its potential.

One major benefit of the cloud that was understood in its early years is that enterprises can leverage it to get their applications up and running faster, with more manageability, more scalability, less maintenance, and fewer IT resources. Yet despite this recognition — which helped propel the cloud industry beyond the $100 billion mark in just 10 years — there are still lingering misconceptions about deploying applications in the cloud. The most prevalent misconception is that the cloud is a less secure place to deploy applications than a private, on-premises data center. Here’s why this notion persists.

While this myth is not grounded in empirical evidence, people connect logically with the idea that things that are under their direct control are more secure than things that someone else controls — in this case, cloud providers. Many enterprises still invest heavily in their own data centers because they believe that running their sensitive business logic and placing their sensitive data in the public cloud means that others — whether rogue employees of the public cloud or other malicious actors — will have an easier time stealing their crown jewels. I get it.

The reality, however, is that the vast majority of the evidence proves the opposite is true. Most of the major system hacks and data leaks in the past few years have not been on data or business logic in public cloud deployments. With the occasional exception of misconfigured public storage buckets, almost all data leaks happen on infrastructure and software managed internally by enterprises, not by cloud providers. But even when presented with this information, the myth of applications being less secure in the cloud continues to hamper business and its subsequent growth.

By not deploying their applications in the cloud, enterprises are missing out on immeasurable advantages. There are obvious cost reductions for most businesses in moving away from owning and operating data centers. There is also significant business value in the flexibility that the public cloud offers enterprises. Public cloud providers significantly reduce the friction, time, and cost of building new functionality and applications, especially complex solutions that employ cutting-edge technologies such as data science, machine learning, artificial intelligence, and blockchain. How can people be made to see the light?

The industry is working hard to educate the masses in this area, but more efforts are required. Validated use cases for regulated sectors such as banking and healthcare are needed; simplification of certifications when building on trusted public cloud building blocks can help as well. Most importantly, a clear blueprint of what cloud-native application security is, and what it enables, is critical so that enterprise customers can have confidence that they are using the right tools and processes to avoid risk.

Additionally, the shift to more cloud-native application technology stacks — such as the move to serverless applications — can accelerate this progress toward improved application security. Enterprises deploying sensitive serverless applications that have adopted the right approach to minimize risk and maximize security are finding these applications to be the most secure applications they are operating.

Whether an enterprise is using it to deploy applications or store data, the cloud — believe it or not — is simply more secure and more reliable than servers run in-house. Like any other decision when it comes to adopting new technology, enterprises should do their homework when selecting a cloud provider, understand what they’re offering, what their assurances are, and how they provide security. Once your enterprise makes the leap to deploying applications in the cloud, you’ll wonder why it took so long and why you were so worried.


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Hillel Solow is the chief technology officer and co-founder of Protego. Prior to this he was chief technology officer in Cisco’s IoT security group, where he worked on innovative security solutions for new technology markets.

Article source: https://www.darkreading.com/cloud/the-security-of-cloud-applications-/a/d-id/1335157?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Summer: A Time for Vacations & Cyberattacks?

About a third of cybersecurity professionals believe that their companies see more cyberattacks during the summer, but the survey data does not offer a convincing explanation for the perceived summer bump.

Ah, summer. Sweltering days, family vacations, the annual Black Hat and DEFCON conferences, and — more cyberattacks?

In a survey published on July 11, security firm Lastline found that 58% of security professionals believe there is some seasonality in the attacks on their company, and the majority of that portion — about 52% — peg summer as the prime time for breaches. Both phishing and malware attacks are more likely to be encountered during the summer months, according to the survey of 1,000 security professionals, with 47% and 44% of respondents seeing more of each of those attacks, respectively.

The results are interesting and should raise questions for companies, says John DiLullo, CEO of Lastline.

“I don’t claim to know what is going on in the cybercriminal’s mind, but there is some logic to saying that I may get a higher return on my effort during the summer months, especially when my efforts are aimed at individuals,” he says.

The timing of cyberattacks has been an occasional topic of researchers’ investigation.

A study of 850 attacks in 2017 and 2018 against UK universities found that the attacks often corresponded to the times of the year when students were at school, suggesting that many of the attacks may be initiated by students. The study, by the Joint Information Systems Committee (JISC), found that attacks dropped off significantly during the summer, falling to an average of one attack a week during the summer months from up to 60 a week in the fall.

Yet the feeling among security professionals that summer is high time for sun and cyberattacks persists. A 2017 blog post by former security firm Secdo, bought by Palo Alto Networks in 2018, also argued that summer, with lower staff counts and workers connecting to unsecured Wi-Fi, continues to endanger corporate networks.

“Summer is an opportunity for hackers to take advantage of less staff on call and increased remote access combined with possible ignorance when it comes to the use of public Wi-Fi and mobile network security,” the company stated in an archived blog post.

Lastline’s survey sheds some light on security professionals’ perceptions of the summer bump in cyberattacks. A third of respondents blamed remote working for the increase in seasonal threats, with the largest portion of security professionals — 68% — most worried about employees connecting to unsecured public Wi-Fi hotspots. Other major worries include workers clicking on phishing emails or interacting with spearphishing attacks, leaving their computers unlocked in public locations, and using unapproved applications, according to the report.

“When people are working from home or working remotely, there is a dynamic that happens that — because they are not behind that perimeter in their office, are working with public Wi-Fi providers and on personal devices — you perhaps don’t have as much endpoint protection as in the office,” DiLullo says.

The other common perception is that a shortage in staffing leads to a slower response time. With security staff on vacation, many companies assume that response time would be slowed. Yet Lastline’s survey found the opposite — more security professionals felt that they would respond more quickly to cyberattacks during summer months. In fact, 36% of respondents thought their response to an incident is faster in the summer than other times during the year. Almost half of respondents thought it would be unchanged, and only 12% thought they would be slower.

Companies should still work to speed their response, says Lastline’s DiLullo.

“If you don’t have the response process automated, and if you find yourself down 20% of your resources, you can imagine the impact that might have on your capability,” he says.

Whether the perceived summer bump is supported by other data and what is behind any actual increase in attacks during the summer is unclear. In addition, the survey is not without its inconsistencies. While 53% of respondents initially answered that they did see a seasonal change, a later question — on whether they thought it was due to remote work — suggests that 74% assume there is a seasonal increase in attacks.

Lastline’s DiLullo acknowledges that the survey raises more questions than it answers.

“I think it is impossible to know exactly what is at the root of this,” he says. “Even the respondents didn’t necessarily cite hard evidence.”


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/risk/summer-a-time-for-vacations-and-cyberattacks/d/d-id/1335217?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Monroe College Hit with Ransomware Attack

All campuses are affected, with attackers demanding $2 million in Bitcoin in exchange for decryption keys.

Monroe College, based in the Bronx, New York, has been hit by a ransomware attack demanding $2 million in Bitcoin to release its encrypted data.

According to police sources, the attack has had an impact on Monroe College’s campuses and facilities in Manhattan, New Rochelle, NY, and Florida. The attack was reported to the police on June 10.

The college has not released details of the attack, though the school’s website was still offline as of this post. The ransomware attack comes on the heels of significant ransomware events at three small towns in Florida and the city of Baltimore, Maryland.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/monroe-college-hit-with-ransomware-attack/d/d-id/1335221?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Most Organizations Lack Cyber Resilience

Despite increasing threats, many organizations continue to run with only token cybersecurity and resilience.

According to Ernst & Young’s Global Information Security Survey 2018-19, over half of organizations fail to make organizational protection a key part of their strategic plans. After soliciting the opinions of approximately 1,400 C-suite leaders, EY concludes that larger firms are somewhat more prone to fall short in this area than smaller ones (58% versus 54%).

Overall, EY reports, a solid 77% of organizations still operate with only lackluster cybersecurity and resilience. They may even lack a clear idea of what their most critical information assets are and where they’re located, never mind having adequate safeguards in place to protect them.

Fortunately, cybersecurity budgets are increasing, though bigger firms are more likely to increase their investments in 2019 (63%) and 2020 (67%) than smaller companies (50% and 66%).

System Outages
Whether it’s because of the convergence of operational technology (OT) and IP-based IT networks or the growing use of cloud computing, corporate reliance on the availability of global IT infrastructure is ballooning. And the consequences are rising as well.

Cyberattacks to disrupt the business are now ranked as the third-biggest threat, after phishing (No. 1) and malware (No. 2). This comes as no surprise because distributed denial-of-service (DDoS) attacks, for instance, can trigger a major service interruption that will bring the business to a standstill. Outages have always been painful, but given the trend toward moving workloads and applications off-premises, and operating revenue-critical platforms, business operations virtually come to a stop if the IP network collapses.

“Importantly, more organizations are now beginning to recognize the broad nature of the threat,” says Richard Watson, EY’s Asia-Pacific cybersecurity head. “One thing that has changed for the better over the past 12 months, partly because of some of those big cyberattacks we’ve seen at a global level, is a growing realization that security is also about maintaining the continuity of business operations — and not only about the security of data and privacy.”

No Room for Russian Roulette
Given this reality, it’s jaw-dropping that many organizations seem to think they shouldn’t beef up their cybersecurity practices or dedicate more money to IT unless they’re hit by a major security incident.

For 63% of organizations, a security breach that results in no harm wouldn’t lead to higher spending (although, typically, seemingly innocuous breaches can cause harm that doesn’t manifest until later). Still, many organizations are unclear about whether they’re successfully identifying breaches and incidents.

These firms are playing with fire. As noted in the EY report, the Ponemon Institute estimates the average cost of a security breach to be $3.62 million per incident.

Tackling Corporate Governance
A mere 18% of organizations say that information security has a regular bearing on business strategic plans, a finding that reveals a basic disconnect between cybersecurity and the C-suite. Over half of the EY survey respondents say that information security only somewhat or does not influence their business strategy.

Today, when the digital age and cybercrime are in full bloom, this is somewhere between unwise and unacceptable. In fact, cybersecurity and business strategy must go hand-in-hand and be a continuing agenda item for all executive and non-executive boards, as many board decisions will influence how well the organization is positioned to deal with a prospective cyberattack.

That said, increasingly, the ultimate responsibility for information security lies with the people at the top levels of the company. For 40% of organizations, the CIO assumes this responsibility. However, in 60% of organizations, the person directly responsible for information security does not sit on the board.

Some 70% of organizations report that their senior leaders have a thorough grasp of security or are taking positive steps to better their knowledge of it. Without question, this trend will increase as security becomes a key driver of growth. Right now, smaller organizations are better at keeping their board informed about information security matters than larger organizations. That said, larger organizations have made more progress: 73% have at least a limited understanding of information security, compared with 68% of their smaller counterparts.

Swinging in the Dark
Less than one in 10 organizations says its information security function fully meets its needs, and many are concerned that much-needed improvements are not yet underway. Seventy-eight percent of larger organizations say their information security function is at least partially meeting their needs, but that number drops to just 65% among their smaller counterparts.

Overall, 92% of organizations are concerned about their information security capabilities in certain important areas. For instance, resources: 30% of organizations are grappling with skills shortages, while 25% report that their budgets are constrained. Smaller firms are particularly worried; 28% of them say their information security function does not currently meet their needs or must be improved. Just over half (56%) report skills shortages or budget constraints.

A paltry 15% of firms say their information security reporting fully meets their expectations. Among those that suffered an incident in the past year, less than a third say their security team discovered the breach. Smaller companies will need to move particularly quickly to address the security reporting issue: almost a quarter (23%) don’t produce information security reports, in contrast with 16% of larger organizations. Only 5% describe the financial implications of each breach.

Addressing the Skills Challenge
Although the right personnel are critical to solving information security challenges, recruiting said personnel is easier said than done. The ongoing and global IT security skills shortage won’t go away anytime soon. Estimates project a worldwide shortfall of about 1.8 million security professionals by 2024 — some studies even predict as many as 3.5 million cyber vacancies. At least the shortfall is democratic: everyone across the board is running into trouble finding the expertise they need, even in the most well-resourced sectors. Take financial services. “The best graduates no longer want to work in the industry, which is hampering efforts to recruit across the sector,” says Jeremy Pizzala, EY Global Financial Services cybersecurity leader.

The upshot is that depending on an in-house team to deal with IT security is probably an exercise in futility. Today, firms must think laterally and place much more emphasis on machine learning, automation, and AI to either replace or complement external service providers.


Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across …

Article source: https://www.darkreading.com/risk/most-organizations-lack-cyber-resilience/a/d-id/1335149?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

GDPR superpowers lead to whopper ICO fines for BA, Marriott

Brace yourself, o ye spillers of data: the fury and the might of the GDPR has been unleashed this week, and lo, it is mighty, scary, and really, really expensive.

The UK’s Information Commissioner’s Office (ICO), pumped up with its newfound General Data Protection Regulation (GDPR) legal testosterone, has plans to uber-fine both Marriott and British Airways (BA) for data breaches.

On Monday, the ICO said that it’s looking to fine BA a record £183.39 million (US $229.34 million) for a breach discovered in September 2018. By diverting user traffic to a bogus site, attackers managed to steal personal data from about 500,000 customers, including their names, addresses, logins, payment card and travel booking details.

According to the BBC, the ICO says that this is the biggest penalty it’s ever handed out under the new rules, and it’s the first to be made public.

Then, on Tuesday, the ICO said that it’s also planning to fine Marriott £99,200,396 (US $123 million) for a breach that exposed the data of about 339 million guests globally. Attackers got into the company’s Starwood guest reservation database and stayed there for years: the unauthorized access started in 2014, and the breach was discovered and reported to the ICO in November 2018.

Marriott didn’t actually own Starwood when the breach started; the company bought the hotels group in 2016.

The ICO said that both BA and Marriott have cooperated with its investigations and have fortified security since they discovered the breaches. Both companies also will get a chance to respond to the ICO’s findings and its proposed fines.

Information Commissioner Elizabeth Denham had this to say in the announcement about the Marriott fine:

The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.

Is that decimal point in the wrong place?

The proposed penalty for BA is about 367 times higher than the previous record setter: the £500,000 (US $645,000) penalty handed to Facebook over the Cambridge Analytica scandal. Those were pre-GDPR days: it was the largest fine the ICO could dish out for a data breach before the regulations went into effect last year.

While BA says it’s “surprised and disappointed” at the size of the penalty, it could have been worse. Penalties for violating the GDPR can be as high as €20 million, or 4% of the worldwide annual revenue of the prior financial year – whichever is higher.

Nonetheless, the size of these fines is nothing to sneeze at, and they reflect the fact that the ICO isn’t going to pull its punches. They’re a staggering amount of comeuppance, and anybody in cybersecurity who’s in charge of taking care of their organization’s customer data should – no, let’s instead make that “absolutely must” – take heed.

Having said that, we’re here to help. We’ve pulled together this advice:

Don’t-fall-foul-of-GDPR tips

  1. Patch early, patch often. Minimize the risk of a cyberattack by fixing the vulnerabilities that can be used to gain entry to your systems illegally. There is no perimeter, so everything matters: therefore, patch everything.
  2. Secure personal data in the cloud. Treat the cloud like any other computer: close unwanted ports and services, encrypt data, and ensure that you have proper access controls in place. Do that on all your environments, including QA and development.
  3. Minimize access to personal data. Reduce your exposure by collecting and retaining only the information you need, and by restricting access to the people who need it to do their job.
  4. Educate your team. Ensure everyone who may come into contact with personal data knows how they need to handle it, which is a GDPR requirement.
  5. Document and prove data protection activities. Be able to show that you’ve thought about data protection and that you’ve taken sensible precautions to secure personally identifiable information (PII).

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/r_u_KCTpsPs/

Cyberattack lands ship in hot water

Less than two months after warning of cybersecurity problems on ships, the US Coast Guard has revealed that a large international vessel has suffered a cyberattack.

On Monday 8 July 2019 the Coast Guard issued a Marine Safety Alert reporting a successful malware attack on a vessel back in February.

The alert describes the affected craft as a ‘deep draft’ vessel. The draft is the distance between the surface of the water and the vessel’s lowest point, so this was a big ship, and it was on an international voyage. It experienced a “significant cyberincident” on its way to the Port of New York and New Jersey.

The crew avoided losing complete control of the ship, but it should be a wake-up call. The report explained the findings of the cybersecurity team that investigated the incident:

The team concluded that although the malware significantly degraded the functionality of the onboard computer system, essential vessel control systems had not been impacted. Nevertheless, the interagency response found that the vessel was operating without effective cybersecurity measures in place, exposing critical vessel control systems to significant vulnerabilities.

The Coast Guard hasn’t revealed the exact nature of the attack, but the crew knew about the security risk to the ship’s network before the attack happened, the report said. “Most” crew members didn’t use the network for personal business like checking email or making online purchases, it said (it only takes one, though).

The crew did use the network for official business like updating electronic charts and managing cargo data, and members would routinely plug USB drives into the ship’s systems without scanning them for malware, the report added.

The announcement follows a Marine Safety Information Bulletin in May 2019, which warned of cyberadversaries targeting commercial vessels. They were spoofing official email addresses from the Port State Control (PSC) authorities to try and snoop on arrival schedules. They were also trying to inject malicious software into onboard computer systems.

Researchers have found problems with vessel cybersecurity in the past. Penetration testing firm Pen Test Partners used default passwords on satellite communication systems to tamper with Electronic Chart Display (Ecdis) systems, which provide electronic navigation charts. The firm warned that this access could be used to seemingly change ship positions and sizes, triggering navigation system alerts.

The International Maritime Organization only issued guidelines on cyber risk management in 2016.

Some crooks target maritime companies without going after the ships themselves. Gold Galleon, a hacking crew believed to be operating from Nigeria, was spotted carrying out business email compromise (BEC) attacks on shipping companies last year.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/MfU4Z-su530/

Dodgy-govt fave FinSpy snoopware is back and badder than ever for Android and iOS kit

A nasty new variant of the FinSpy snoopware tool that infects and slurps data from Android and iOS phones and tablets is being peddled, we’re told.

Kaspersky said this week the notorious commercial spyware, developed by Gamma Group and sold by its subsidiary Gamma International to allegedly respectable governments, has been showing up in the wild since late last year, most recently in a group of devices located in Myanmar this June.

While FinSpy, also known as FinFisher, has been touted as mobile device surveillanceware as far back as 2012, the Kaspersky research team said this latest version is particularly invasive in its ability to collect user chats, physical movements, and stored files from a wide range of applications. The new code has been spotted in 20 countries, with the actual reach likely being much greater, it is claimed.

Bear in mind this software is typically deployed against selected targets, such as foreign agents, journalists, activists, and so on: it’s not usually lobbed at the masses.

“Mobile implants for iOS and Android have almost the same functionality,” Kaspersky said in its report on the matter.

“They are capable of collecting personal information such as contacts, SMS/MMS messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers.”

Long a favorite tool of oppressive government regimes, FinSpy is classified as malware by most security firms and has been implicated in human-rights abuses.

Getting the malware onto the target’s gizmo is, however, up to FinSpy’s buyers. Kaspersky notes that while FinSpy uses a number of tricks to elevate its privileges once installed, actually getting the malware onto a mobile device will require spies to either have direct access to the handheld (not particularly hard for most dictatorships to accomplish) or utilize an exploit from a third-party.

For iOS devices, the attacker will have to take the extra step of first jailbreaking the Apple phone or tablet – this is because the snooping capabilities of FinSpy depend on the Cydia package manager in iOS. On Android, the malware will attempt to get complete access through elevating itself to root by deploying the DirtyCow exploit on unpatched handsets.


“The Android implant has functionality to gain root privileges on an unrooted device by abusing known vulnerabilities. As for the iOS version, it seems that Gamma’s solution doesn’t provide infection exploits for its customers, as their product seems to be fine-tuned to clean traces of publicly available jailbreaking tools,” Kaspersky explains.

“That might imply physical access to the victim in cases where devices are not already jailbroken. At the same time, multiple features that we haven’t observed before in malware designed for this platform are implemented.”

Once the malware is placed on the handheld, it looks not only for locally stored media and SMS messages, but also puts out feelers for any number of popular messaging apps like WhatsApp, Skype, BlackBerry Messenger and Signal. The spyware attempts to collect communications from those applications, and siphon them off to a server belonging to whoever bought and deployed the software nasty.

The spyware’s customer is also given a set of tools to fine-tune the code for each infection, defining precisely which applications they want to target and what information they need to harvest. This makes FinSpy more practical for governments in geographical areas where one messaging app or means of communication is more popular than others.

The malware is also able to log keystrokes and record voice calls both on the cell network and over VoIP calling services, as well as access GPS tracking and hide specific files and utilities on the device.

In short, the Kaspersky team says that despite being around for the better part of a decade, FinSpy remains as invasive and capable as it ever was.

“Since the leak in 2014, Gamma Group has recreated significant parts of its implants, extended supported functionality (for example, the list of supported instant messengers has been significantly expanded) and at the same time improved encryption and obfuscation (making it harder to analyze and detect implants), which made it possible to retain its position in the market,” they note. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/11/finspy_snoopware_update/

Scots NHS symptom checker pings Facebook, Google and other ad peddlers

Exclusive NHS Inform, Scotland’s answer to the NHS 111 Online health symptom checker website, is calling user tracking elements from Google and Facebook.

The trackers from the two American multinational corporations relate to Google’s Tag Manager product, which interfaces with the Google Doubleclick ad network and Google Analytics, and a Facebook user-tracking service, Pixel.

Scots wanting health advice can use the NHS Inform website to answer a series of questions about their illness symptoms before being told what to do. The service is very similar to NHS 111 Online (formerly known as NHS Choices), which does the same thing for the rest of the UK.

On NHS Inform’s “self-help” pages, which are the multiple-question symptom checker, page elements include content from Google Doubleclick, the ad giant’s online self-service ad sales platform, Facebook Pixel, Google Analytics – and a 264 byte GIF from UK ad agency Avid Media, via the agency’s metadsp.co.uk domain.

The NHS Inform page trackers, as gathered from its Self Help Guide: Abdominal Pain page

NHS 24, the Scottish version of NHS Digital, told The Register:

“All partners that NHS 24 works with are compliant with GDPR regulations around privacy. Google tag manager is used only when working with partner organisations to track effectiveness of health information campaigns which are hosted on our websites and once the campaign is complete the tracking code is removed.

“In general, these are not used across the entire site, only at the request of partner organisations to support specific campaign activity. We identify unique visits, but not individuals and do not serve customised adverts to anyone. Our campaigns and those with partners are targeted to the general population of Scotland rather than specific user groups.”

The revelations will cause alarm among those concerned about private corporations gaining access to sensitive health data, especially with the recent announcement that Amazon’s creepy always-on surveillance device Alexa will now be capable of reading out results from NHS 111 Online.

Phil Booth, of campaign group Medconfidential, told The Register: “I think it’s terrible that basically an NHS service is pinging out associated IDs to all these advertisers. What is actually going on here? Certainly with these IDs being pinged around, you’re going to be able to identify an individual and market them based on the pages to which they’re being directed. That’s very bad. Why are they consciously adding code that pings to advertisers? Why was the web development contract not written to deliberately and explicitly exclude any of this advertising?”

NHS 24 said that “all data is anonymised” and cited the Scottish Approach to Service Design in support of its approach. Nonetheless, it remains unclear as to why the NHS Inform site is loading content from adservice.google.com, metadsp.co.uk and Facebook Pixel, particularly as none of the trackers (apart from Google Tag Manager) was present on NHS 111 Online’s site when El Reg visited it and opened up our browser element inspector.

Google Tag Manager is a container for analytics-related content tagging; not necessarily a bad thing. On its own, from the website operator’s perspective, Google Tag Manager can be used to plant Google Analytics code snippets which can be used to tell the site’s managers the number of people coming and going from a particular set of webpages. ®
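The tracker list above was gathered by hand from a browser's element inspector. The following is an added example, not code from the article, NHS 24 or The Register, that does the same inventory programmatically: it parses a page and reports every host it loads scripts, images, iframes or stylesheets from that is not on a first-party list. The sample page and its hostnames (including the `www.nhsinform.scot` first-party host and the `GTM-PLACEHOLDER` container id) are constructed for the example.

```python
"""Inventory the third-party hosts a web page pulls resources from.

Added example: feed it a saved copy of a page (or the constructed sample
below) to get the same list of tracker hosts a browser's element inspector
reveals by hand. Hostnames in the sample are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute through which a page loads a remote resource.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ResourceCollector(HTMLParser):
    """Collects every URL referenced by script, img, iframe and link tags."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)


def third_party_hosts(html, first_party):
    """Return the sorted hostnames the page loads from outside `first_party`.

    Relative URLs have no host and are treated as first-party; protocol-relative
    URLs (//host/path) are resolved by urlparse like any absolute URL.
    """
    collector = ResourceCollector()
    collector.feed(html)
    hosts = set()
    for url in collector.urls:
        host = urlparse(url).hostname
        if host and host not in first_party:
            hosts.add(host)
    return sorted(hosts)


# Constructed sample page: first-party assets plus the kinds of tracker tags
# described in the article (tag manager, Facebook Pixel script, ad-agency GIF).
SAMPLE_PAGE = """
<html><head>
  <script src="https://www.nhsinform.scot/static/app.js"></script>
  <script src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
  <script src="//connect.facebook.net/en_US/fbevents.js"></script>
  <script src="https://adservice.google.com/adsid/integrator.js"></script>
  <link rel="stylesheet" href="/static/site.css">
</head><body>
  <img src="/images/logo.png" alt="NHS inform">
  <img src="https://metadsp.co.uk/pixel.gif" width="1" height="1" alt="">
</body></html>
"""

# Hosts the site operator controls; everything else is reported.
FIRST_PARTY = {"www.nhsinform.scot"}

if __name__ == "__main__":
    for host in third_party_hosts(SAMPLE_PAGE, FIRST_PARTY):
        print("third-party resource host:", host)
```

Run it against a page saved with the browser's "Save as HTML" to get a static inventory; it will not see resources injected later by a tag manager at runtime, which is exactly why a container like Google Tag Manager deserves a second look at what it loads.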

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/11/nhs_inform_loads_facebook_pixel_google_doubleclick_trackers/

Wondering how to whack Zoom’s dodgy hidden web server on your Mac? No worries, Apple’s done it for you

Apple has pushed a silent update to Macs, disabling the hidden web server installed by the popular Zoom web-conferencing software.

A security researcher this week went public with his finding that the mechanism used to bypass a Safari prompt before entering a Zoom conference was a hidden local web server.

Jonathan Leitschuh focused largely on the fact that a user’s webcam would likely be ON automatically, meaning that a crafty bit of web coding would give an attacker a peek into your room if you simply visit their site.

But the presence of the web server was a more serious issue, especially since uninstalling Zoom did not remove it and the web server would reinstall the Zoom client – malware-like behaviour.

Although no remote execution vulnerability has been published, a web server with an unpublished API is a risk in itself. An element on a web page could link to localhost on the known Zoom port with whatever arguments it chooses.
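A hidden server bound to localhost is reachable by any web page your browser renders, so the defensive check is simply to know what is listening on loopback and why. The following is an added example, not code from the article, Zoom or Apple: it parses the output of `lsof -nP -iTCP -sTCP:LISTEN` (real lsof flags) and reports loopback listeners whose process name is not on an allowlist. The sample output, the `conf_helper` process name standing in for a conferencing tool's helper daemon, and port 4242 are constructed placeholders, not the real Zoom values.

```python
"""Audit loopback listeners on a Mac and flag ones not on an allowlist.

Added example (not the article's or Zoom's code). A server bound to
127.0.0.1 is reachable from any web page via a request to localhost, so an
unexpected one is worth a look. Sample output below is constructed.
"""
import re
import subprocess
from collections import namedtuple

Listener = namedtuple("Listener", "command pid user address port")

# One lsof row: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME, where NAME
# is "addr:port (LISTEN)". The greedy \S+ for addr backtracks to the last ':'
# so IPv6 addresses such as [::1] parse correctly.
LSOF_ROW = re.compile(
    r"^(?P<command>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+TCP\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\(LISTEN\)$"
)

LOOPBACK_ADDRS = {"127.0.0.1", "[::1]", "localhost"}


def parse_listeners(lsof_output):
    """Turn lsof text into Listener records; the header and odd rows are skipped."""
    rows = []
    for line in lsof_output.splitlines():
        m = LSOF_ROW.match(line.strip())
        if m:
            rows.append(Listener(m["command"], int(m["pid"]), m["user"],
                                 m["addr"], int(m["port"])))
    return rows


def unexpected_loopback_listeners(listeners, allowlist):
    """Listeners bound to loopback whose command name is not in `allowlist`."""
    return [l for l in listeners
            if l.address in LOOPBACK_ADDRS and l.command not in allowlist]


def live_listeners():
    """Run lsof on this machine (macOS/Linux) and parse its output."""
    out = subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
                         capture_output=True, text=True, check=False).stdout
    return parse_listeners(out)


# Constructed sample: an SSH daemon on all interfaces, a local dev server, and
# a helper daemon (placeholder name and port) standing in for a hidden web server.
SAMPLE_LSOF = """\
COMMAND      PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
sshd         120  root    3u  IPv6 0xa1b2c3d4e5f60002      0t0  TCP *:22 (LISTEN)
python3      777 alice    3u  IPv6 0xa1b2c3d4e5f60004      0t0  TCP [::1]:8000 (LISTEN)
conf_helper  612 alice    5u  IPv4 0xa1b2c3d4e5f60003      0t0  TCP 127.0.0.1:4242 (LISTEN)
"""

# Processes you know and accept on loopback; everything else gets reported.
KNOWN_LOCAL_SERVERS = {"python3"}

if __name__ == "__main__":
    found = unexpected_loopback_listeners(parse_listeners(SAMPLE_LSOF), KNOWN_LOCAL_SERVERS)
    for l in found:
        print(f"unexpected loopback listener: {l.command} (pid {l.pid}, {l.user}) "
              f"on {l.address}:{l.port}")
```

Swap `parse_listeners(SAMPLE_LSOF)` for `live_listeners()` to audit a real machine; a listener that survives uninstalling the application that created it, as the article describes, is the pattern this check is meant to surface.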

In response to the bad publicity, Zoom posted a series of on-the-hoof updates. Its initial reaction was to justify the hidden web server as “a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings”.

This soon changed. On 9 July the company updated its Mac app to remove the local web server “via a prompted update”.

The next day Apple itself took action. Zoom CEO Eric Yuan wrote on Wednesday:

Apple issued an update to ensure the Zoom web server is removed from all Macs, even if the user did not update their Zoom app or deleted it before we issued our July 9 patch. Zoom worked with Apple to test this update, which requires no user interaction.

Further, Zoom promised an update in a couple of days intending that users who select “Always turn off my video” on first use will have that preference saved automatically.

Apple appears to have concluded that it is better to protect users by silently disabling this component than to respect the wishes of those who like to think they are in control of what gets installed and removed. Few would disagree.

There is another matter, though. On Windows, users may still be joined automatically to conferences, and with their webcam on, unless they have been careful to configure browser preferences otherwise. It is all a matter of how the .zoommtg extension is handled. Convenient, but it still leaves users vulnerable to some webcam surprises. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/11/apple_removes_zooms_dodgy_hidden_web_server_on_mac/