WhatsApp Security Problem Leaves Millions of Users Exposed to Hackers*:
- WhatsApp reached the milestone of 400 million active users and is now very popular across different demographic groups.
- A "severe" security problem with WhatsApp could have left "hundreds of millions" of accounts vulnerable to hackers.
- The web version of the messaging app would have allowed people with technical knowledge to take over users' accounts with a simple message; clicking on and opening a malicious file could have let hackers see victims' conversations, photos, and more.
- The flaw was discovered in the end-to-end encryption WhatsApp uses, and WhatsApp has now fixed the problem.
- The same encryption is also used by the encrypted messaging app Telegram, which has since fixed the problem as well.
- Check Point alerted the companies about the issue, and researchers added that they hadn’t seen anyone exploiting the problem in the course of their research.
- Users should always avoid opening suspicious files and links that come from numbers they don’t know.
*Source: Telegraph, March 16, 2017
Financial Institutions Less AppSec-Savvy Than You’d Think*:
- Financial institutions are known to have in place some of the most advanced application security practices and tools.
- A new benchmarking study out this week shows that even among these well-funded security programs there are still big gaps in their application security practices.
- The study found that while financial organizations almost universally have internal secure coding standards in place, most are hard-pressed to validate them and fewer than half require their third-party vendors to have similar policies and standards.
- The good news is that three out of four respondents reported that application security is a critical or high priority.
- 15% of organizations do not use metrics to track the effectiveness of their appsec programs.
- The report noted that overreliance on vulnerability counts could be giving these organizations a false sense of security, because scanning by SAST and DAST tools alone probably misses about 46% of application-level risks.
- The study showed that 58% of respondents use at least some third-party software, but less than half of organizations require that their vendors have a secure software development lifecycle or application security policy.
- As financial organizations grapple with the competitive demands placed upon them to expand their customer-facing application portfolios, the weaknesses evidenced by this report show that there is a lot of work ahead for them on the application security front.
*Source: Dark Reading, March 10, 2017
Twitter App Hack Spews Swastikas and Turkish Spam*:
- Thousands of high-profile Twitter accounts have been spewing swastikas and spam following the hack of a popular third-party Twitter service.
- The hacking traces to third-party analytics service Counter, which bills itself as "the #1 stat site powered by Twitter."
- Counter is aware of the hack and has started an investigation into the matter.
- Hacked accounts displayed slogans in Turkish supporting the president of Turkey ahead of a referendum on whether the president should receive more power.
- Twitter uses OAuth tokens to allow third-party services to maintain persistent access to the service, once authorized by users, but if attackers gain access to the third-party services, it can give them full access to the users’ accounts.
- Twitter users can check permissions on the Twitter website and should regularly disable access for any services or sites they no longer use or trust.
*Source: Data Breach Today, March 15, 2017
Has TalkTalk’s Security Been Breached Yet Again?*:
- Customers claim they are receiving calls from what they believe to be scammers, armed with details about router numbers and passwords, which they say could only have come from within the company.
- The BBC reported this week that it had been contacted by three Indian whistleblowers who claim to have been among hundreds of staff using stolen UK TalkTalk data (though the BBC couldn’t verify the claims).
- The source described how as many as 60 “employees” work in shifts at “call centres” to dupe victims into giving them access to their bank accounts.
- Guardian Money has repeatedly highlighted the scams and detailed around 20 cases where fraudsters were able to quote enough account information to convince their victim that they were speaking with a TalkTalk employee.
- The fraudsters went on to clean out the victims' bank accounts, while TalkTalk denies responsibility and has refused to refund victims, saying it was just one of a number of tech firms targeted.
- The fresh allegations come amid a long and delayed investigation by the Information Commissioner’s Office following a series of known data breaches from 2014 onwards.
*Source: The Guardian, March 11, 2017
Popular Teen Social App Wishbone Hacked*:
- Popular teen social networking app Wishbone was hacked, according to a report from Motherboard, and millions of email addresses and thousands of cell phone numbers are circulating on the internet, many of them belonging to kids under 18.
- Wishbone is one of the top 10 most popular social networking apps for iPhone in the US.
- It lets users vote on pop culture-based questions like whether they prefer Dominos or Pizza Hut, or whether they prefer eyeshadow or eyeliner.
- Hackers apparently accessed the app's database through an unprotected API and took an estimated 2.2 million email addresses and over 287,000 cellphone numbers, along with personal information like birthdates and gender.
- Wishbone stated no passwords or financial information were stolen, and the security hole has been fixed.
*Source: Engadget, March 15, 2017
Why Our Nuclear Weapons Can Be Hacked*:
- It is tempting for the United States to exploit its superiority in cyber-warfare to hobble the nuclear forces of North Korea or other opponents.
- As a new form of missile defense, cyberwarfare seems to offer the possibility of preventing nuclear strikes without the firing of a single nuclear warhead.
- But escalation of this strategy has a downside: United States forces are also vulnerable to such attacks.
- Minuteman missiles were vulnerable to a disabling cyber-attack, and no one realized it for many years.
- In 2010, 50 nuclear-armed Minuteman missiles sitting underground mysteriously disappeared from their launch crews' monitors for nearly an hour.
- The crews could not have fired the missiles on presidential orders or discerned whether an enemy was trying to launch them.
- It was a harrowing scene, and apprehension rippled all the way to the White House; hackers were constantly bombarding our nuclear networks and it was considered possible that they had breached the firewalls.
- The Air Force determined that an improperly installed circuit card was responsible for the lockout, and the problem was fixed.
- Cyberwarfare raises a host of other fears – could a foreign agent launch another country’s missiles? Could a launch be set off by false early warning data that had been corrupted by hackers?
- This is the stuff of nightmares, and there will always be some doubt about our vulnerability.
- We need to conduct a comprehensive examination of the threat and develop a remediation plan.
- We need to better understand the unintended consequences of cyberwarfare.
*Source: New York Times, March 14, 2017