Hacker Hacks iPhone Hacking Company’s Secret Hacks*:
- Israel’s NSO Group makes a business of hacking iPhones and Android devices.
- In a reversal of roles, it was hacked by one of its own employees and valuable intellectual property was stolen, then offered on the dark web.
- How the NSO hack went down: The employee disabled the security software on his computer, then copied the source code for NSO Group’s phone hacking tools onto an external drive.
- Next, he went to the dark web and offered the code for as much as $50 million.
- NSO hacker apprehended: One of the people he contacted reported him to the Israeli Justice Ministry.
- Within a very short time the former employee was arrested and the stolen property was secured.
- No IP [Intellectual Property] or company materials have been shared with any third party or otherwise leaked, and no customer data or information was compromised.
- Among other crimes, the former employee was charged with conduct that could harm state security because the Israeli army uses NSO Group’s hacking tools.
*Source: Cultofmac, July 5, 2018
Can 3rd Party Developers Snoop Into Gmail?*:
- Serious security and privacy questions are being raised after a Wall Street Journal (WSJ) report claimed that Google is allowing third-party app developers to scan Gmail accounts.
- Before 2017, there was outcry over Google pitching targeted advertisements based on the content of the email.
- According to the WSJ report, Google lets "outside software developers” scan inboxes so that personalised advertisements can be sent.
- Google does little to police those developers, who train their computers – and, in some cases, employees – to read their users' emails.
- This comes months after Facebook drew major flak after it emerged that Cambridge Analytica had accessed profiles of thousands FB users.
- Facebook chief Mark Zuckerberg had to apologise to the public over this.
- Zuckerberg had then assured that Facebook would work towards strengthening the security system to ensure that data on its server are more secure.
- The WSJ report has undoubtedly put Google on a sticky wicket and the internet giant has some serious questions to answer.
- Since Google is the largest e-mail services provider in the world, the response on the claims by the report would be heavily scrutinised.
*Source: One India, July 3, 2018
Facebook Gave 61 Companies Special Access to User Data After Updating Rules in 2015*:
- Facebook disclosed to Congress last week that it gave 61 companies special access to user data in 2015, a revelation that differs from the social media company's past claims.
- In 2014, Facebook introduced stricter rules for developers that made it harder for third-party apps to access data from Facebook users and their friends, and also made it easier for users to protect their data and privacy.
- Facebook quietly gave 61 companies a six-month extension to implement the new rules. Some of those companies include AOL, Nike, UPS, and Snap.
- Facebook also described how five companies “theoretically could have accessed limited friends’ data as a result of API access that they received in the context of a beta test,” though it said it has now removed the ability for them to do so.
- Facebook said it gave 52 partner companies—including Apple and Amazon—special access to user data through Facebook APIs, which the social media company described as “basic technologies that enable two computing systems to ‘talk’ to one another.”
- The purpose of these partnerships was to build Facebook and Facebook features into the partners’ devices and other products.
- People were only able to access these experiences – and the information needed to support them – when they logged in or connected their Facebook account.
- In April, Facebook publicly announced that they would start shutting down these APIs.
- The news marks the latest development in the wake of Facebook’s Cambridge Analytica scandal, which revealed that the data of some 87 million Facebook users had been harvested by the firm.
- The responses to lawmakers’ questions showed that Facebook didn’t provide a clear timeline as to how it deletes records of user IP addresses, still can’t name a significant competitor, and is looking into eye-tracking technology.
*Source: Big Think, July 3, 2018
Security Researcher Has a Big Problem with Apple iOS 12*:
- A new feature in iOS 12 makes it easier for you to handle two-factor authentication (2FA) requests.
- The process could cause real security problems, at least for some European online-banking customers.
- In iOS 12, already available for beta testing, there's a new Security Code AutoFill feature.
- When you receive a one-time passcode (OTP) sent to your phone via SMS for two-factor authentication purposes, the Security Code AutoFill automatically retrieves the number and gives you the option, above the keyboard, to simply tap on the code to populate the required field.
- A note above the number will say "From Messages" to let you know from which app the number was retrieved.
- The idea is to make it easier for you to log into 2FA-enabled accounts and services.
- Ostensibly, if Apple sends a one-time code to your phone and you see it come in, you won't need to jump between apps to get the code and log in.
- This makes sense within an American context, but it may be dangerous in Europe, where many online banks use an additional security feature.
- Like some American banks, German banks require you to submit a one-time passcode sent to your phone to log into your account, even if you only want to check the balance.
- But if you want to make a payment or otherwise move money around, the bank will ask you to submit a second one-time code sent to your phone so that you can confirm that you are initiating the transaction.
- This second code is called a transaction authentication number (TAN), and unless you submit it, you can't do much with your online account, even if you've already logged in.
- If you see a TAN message pop up on your phone, and you know you haven't initiated a transaction in the past few minutes, then you're supposed to NOT enter the TAN and to call the bank instead to let it know something funny is going on.
- Security Code AutoFill might not be able to tell the difference between a one-time passcode required to log into an account and a TAN required to perform a transaction.
- Unless this feature can reliably distinguish between OTPs in 2FA and TANs in transaction authentication, we can expect that users will also have their TANs extracted and presented without context of the salient information, e.g. amount and destination of the transaction, precisely the verification of this salient information is essential for security.
- The Security Code AutoFill feature could "expose users to online banking fraud by removing the human validation aspect of the transaction signing/authentication process" -- in other words, the TAN.
- The fact that a user verifies this salient information is precisely what provides the security benefit, removing that from the process renders it ineffective.
- If a customer can't tell if a code is an OTP or a TAN, he or she might authorize the movement of money out of an account without knowing it.
- Attackers could also trick users by spoofing the mechanism of Security Code AutoFill with malicious apps or websites.
- Two-factor authentication has become a useful way for companies, such as banks and phone manufacturers, to improve security.
- The idea is to have you input something you know (a password) and verify your identity with information transmitted only to something you have (your phone).
- Apple's new Security Code AutoFill feature doesn't really reinvent the two-factor wheel.
- Quite the contrary; it fetches some information that was already sent to you.
*Source: Toms Guide, July 3, 2018
Over 90 Percent of Endpoint Security Incidents Involve Legitimate Binaries*:
- Cybercriminals use a variety of tactics to cloak their activity and that includes using trusted tools, like PowerShell, to retrieve and execute malicious code from remote sources.
- A new report from eSentire reveals that 91 percent of endpoint incidents detected in Q1 2018 involved known, legitimate binaries.
- ESentire Threat Intelligence data shows heavy use of legitimate Microsoft binaries, such as PowerShell and mshta.exe, popular tools for downloading and executing malicious code in the initial stages of a malware infection.
- PowerShell can also be leveraged by adversaries to reduce their on-disk footprint and evade detective controls by operating in memory and obfuscating command-line parameters.
- The report also shows a dramatic increase in attacks targeting popular consumer-grade routers, like Netgear and Linksys (who between them have over three-quarters of the market).
- Additionally, intrusion attempts across industries grew 36 percent, mostly due to DNS manipulation in consumer-grade routers.
- The increase in attacks against consumer network devices can be attributed to the perceived value in recruiting devices for attacks against businesses, as opposed to leveraging them as potential network entry-points.
- Other findings are that phishing rose 39 percent across industries, with DocuSign, Office 365, and OneDrive being the most popular lures.
- Office 365 showed the highest success rate and popularity for attacks, growing five fold over 2017.
- Education, retail, biotechnology, construction, and non-profit organizations saw the greatest rise in exploit attempts due to a high degree of consumer-grade router exploit attempts, brute forcing, and web server exploit attempts.
- Most brute force attacks originated from infrastructure based in China, followed by the United States, Germany, and Russia.
*Source: Beta News, June 29, 2018