One of the more curious behaviors of Apple's new iPhone 11 Pro is that it intermittently seeks the user's location information even when all applications and system services on the phone are individually set to never request this data. Apple says this is by design, but that response seems at odds with the company's own privacy policy. The privacy policy available from the iPhone's Location Services screen says, "If Location Services is on, your iPhone will periodically send the geo-tagged locations of nearby Wi-Fi hotspots and cell towers (where supported by a device) in an anonymous and encrypted form to Apple, to be used for augmenting this crowd-sourced database of Wi-Fi hotspot and cell tower locations." The policy explains users can disable all location services entirely with one swipe (by navigating to Settings > Privacy > Location Services, then switching "Location Services" to "off"). When one does this, the location services indicator — a small diagonal upward arrow to the left of the battery icon — no longer appears unless Location Services is re-enabled. The policy continues: "You can also disable location-based system services by tapping on System Services and turning off each location-based system service." But apparently there are some system services on this model (and possibly other iPhone 11 models) which request location data and cannot be disabled by users without completely turning off location services, as the arrow icon still appears periodically…

The Department of Homeland Security plans to extend facial recognition checks to all travelers entering and leaving the U.S. – including previously-exempt U.S. citizens. The proposed ruling, outlined in a recent filing that was first reported this week by TechCrunch, signifies a rapid expansion of the DHS’ use of facial recognition checks at the U.S. border. Previously, the DHS facial recognition checks applied to only non-U.S. citizens traveling to and from the U.S. The checks would scan passenger faces and match them with photos that the government has on file. “The Department of Homeland Security is required by statute to develop and implement a biometric entry-exit data system,” according to the DHS filing. “To facilitate the implementation of a seamless biometric entry-exit system that uses facial recognition and to help prevent persons attempting to fraudulently use U.S. travel documents and identify criminals and known or suspected terrorists, DHS is proposing to amend the regulations to provide that all travelers, including U.S. citizens, may be required to be photographed upon entry and/or departure.” Facial recognition checks have been implemented at various airports through the “Biometric Exit” program, first introduced by the U.S. Customs and Border Protection (CBP) in 2015. As of April, the program was operational in 17 airports and the agency reportedly plans to expand that number to 20 by 2021. The DHS did not respond to a request for comment from Threatpost…

Biometric security – which uses fingerprints, voice or facial recognition or retina identification to authenticate users to services – has crossed the chasm into the mainstream, thanks to the prevalence of features like fingerprint readers on laptops and FaceID for iPhones. However, researchers say that information security issues affecting these systems are significant, and must be addressed. Kaspersky researchers found that in the third quarter, one in three (37 percent) of computers within the firm’s telemetry that collect, process and store biometric data were targeted by malware attacks. The malware in question included spyware and remote access trojans (RATs), which accounted for 5.4 percent of all computers analyzed; followed by malware used in phishing attacks (5.1 percent), ransomware (1.9 percent) and trojan bankers (1.5 percent). “It should be noted that other types of malware also included malicious programs designed to steal banking data (1.5 percent). It is not likely that these malicious programs were intended for stealing biometric data,” according to Kaspersky’s analysis, released Monday. “However, it can be expected that mass-distributed malware designed to steal biometric data from banks and financial systems will appear in the near future.” As for the source of the attacks, standard protocol reigned – most campaigns observed in the third quarter came in the form of typical phishing emails containing links to malicious websites or attached Office…

A full 80 percent of Android apps are encrypting their traffic by default, according to a Transport Layer Security (TLS) adoption update from Google. That percentage is even greater for apps targeting Android 9 and higher, with 90 percent of those encrypting traffic by default, the tech giant said on Tuesday. TLS is a cryptographic protocol standard ratified by the Internet Engineering Task Force that provides end-to-end communications security over networks by scrambling data in transit, preventing hackers from reading it, intercepting it or tampering with it. TLS can be enabled for any internet communication or online transaction, such as a connection between a mobile shopping website and a user’s mobile browser, or between a banking app and the bank’s backend servers. The security of those connections is then verified via secure TLS certificates. As of October 2019, a third (33 percent) of Android devices run Android 9 (Pie), the latest version of the operating system. That makes it the most popular Android version. According to Google, apps targeting Android 9 or higher automatically have a policy set by default that prevents unencrypted traffic for every domain; and, since November 1, all apps on Google Play must target at least Android 9. “We’re excited to see that progress encrypting mobile application data on networks is mirroring the great progress happening with websites,” Josh Aas, executive director of the open-source Let’s Encrypt project, told Threatpost…

Google has released an update stomping out three critical-severity vulnerabilities in its Android operating system — one of which could result in “permanent denial of service” on affected mobile devices if exploited. The vulnerabilities are part of Google’s December 2019 Android Security Bulletin, which deployed fixes for critical, high and medium-severity vulnerabilities tied to 15 CVEs overall. Qualcomm, whose chips are used in Android devices, also patched 22 critical and high-severity vulnerabilities. “The most severe of these issues is a critical security vulnerability in the Framework component that could enable a remote attacker using a specially crafted message to cause a permanent denial of service,” according to Google’s Monday update. That DoS flaw, CVE-2019-2232, has been addressed for devices running on versions 8.0, 8.1, 9 and 10 of the Android operating system, Google said. The other two critical flaws (CVE-2019-2222 and CVE-2019-2223) exist in Android’s Media framework. This framework includes support for playing a variety of common media types, so that users can easily utilize audio, video and images. Android devices running operating system versions 8.0, 8.1, 9 and 10 have been addressed for these two bugs, which could enable a remote attacker using a crafted file to execute code within the context of a privileged process. Also fixed were three high-severity elevation-of-privilege flaws (CVE-2019-9464, CVE-2019-2217 and…

Empower Your Suppliers Against Attack

The average business shares data with a complex network of third parties, depending on their operational needs. In a survey of security and risk professionals, Forrester learned that the average business has 4,700 third-party partners with some access to corporate data. Third-party relationships extend your attack surface in ways that are hard to monitor and control. Just 14 percent of the respondents to Forrester’s survey said they were confident they could effectively track all their third parties. Among the most insidious and potentially damaging of these threats is account takeover (ATO), where cybercriminals obtain email and password combinations and use them to gain unauthorized access to corporate networks. This provides criminals a springboard for a variety of attack types. Data collected from the criminal underground suggests there is a constant risk of ATO to large enterprises. SpyCloud research into risk among Fortune 1000 companies showed a total of 23 million exposed corporate credentials with a high rate of password reuse. It’s important for businesses of all sizes to not only view their suppliers’ attack surface as their own but also extend some of their security protections to them. Doing so empowers suppliers to remediate the risks that threaten partner organizations. Here is a rundown of 3 attack types that pose a risk to your business via your third-party ecosystem:

Business Email Compromise

2019 saw significant…

Researchers have discovered a new Android vulnerability that could allow malware to pose as popular apps and ask for various permissions, potentially allowing hackers to listen in on users, take photos, read and send SMS messages, and basically take over various functions as if they are the device’s owner. Security researchers John Høegh-Omdal, Caner Kaya and Markus Ottensmann at Norwegian app-security provider Promon discovered the flaw—which they dubbed “StrandHogg,” from the Old Norse term for the Viking tactic of plundering villages and holding people for ransom. They said attackers can use the vulnerability to allow “real-life malware to pose as legitimate apps, with users unaware they are being targeted,” according to a blog post. “The attack can be designed to request permissions which would be natural for different targeted apps to request, in turn lowering suspicion from victims,” researchers wrote. “Users are unaware that they are giving permission to the hacker and not the authentic app they believe they are using.” If the flaw is exploited, to users it appears that they are clicking on an app that they use every day, such as Facebook or Instagram. However, what happens when they click on the app is that instead of the app the user intended to open starting up, malware is deployed that can grant permissions to the hacker, and the user is then directed on to the legitimate app, researchers said. The flaw, which can be exploited by “real-life malware,” affects all Android devices, including…

A vulnerability in the way Microsoft applications use OAuth for third-party authentication could allow an attacker to take over Azure cloud accounts. OAuth is a protocol that allows app users to share data about their accounts with third-party websites or apps, so that when they sign into the apps they don’t need to re-enter their passwords every time. The vulnerability exists because when Microsoft applications undergo the OAuth 2.0 (the next generation of OAuth) authorization flow, they trust certain third-party domains and sub-domains that are not registered by Microsoft. CyberArk researchers discovered three vulnerable Microsoft applications that trust these unregistered domains: Portfolios (a portfolio management tool), O365 Secure Score (a security analytics tool) and Microsoft Trust Service (a portal providing resources about Microsoft security, privacy and compliance practices). “This vulnerability’s attack surface is very wide and its impact can be very powerful,” said Omer Tsarfati, researcher with CyberArk, in a Monday analysis of the flaw. “By doing nothing more than clicking or visiting a website, the victim can experience the theft of sensitive data, compromised production servers, lost data, manipulation of data, encryption of all the organization’s data with ransomware and more.”

OAuth Authentication

During a typical OAuth authorization flow, a user from a website or a mobile app can request access from third-party apps in order to log in. In Microsoft’s…

The developers behind a commodity remote-access tool (RAT) that allows full control of a victim’s computer have been taken down by Australian and global authorities. The Imminent Monitor RAT (IM-RAT) first appeared in 2012, the work of a developer going by the handle of “Shockwave,” according to researchers at Palo Alto Networks’ Unit 42 division. The RAT was sold via a company calling itself “Imminent Methods.” Advertised as “the fastest remote administration tool ever created using new socket technology that has never been used before,” Unit 42 said that IM-RAT offered full remote-desktop access. That included the ability to access files, processes, the Windows manager, the Windows Registry and the clipboard, and the ability to run commands from the command bar. It was licensed to each customer for a $25 fee. Shockwave claimed that the RAT was a legitimate remote-desktop utility, but Unit 42 researchers pointed out that some of its features directly contradicted that assertion. For instance, one of the RAT’s plugins allows users to turn the webcam light off while monitoring. Another version (3.0) of Imminent Monitor introduced the ability to run a cryptocurrency miner on the victim machine. Also, the keylogger keeps its activities hidden from the desktop owner and encrypted. “A crypter, allowing a ‘Fully UnDetectable’ (FUD) client, only has one purpose: To attempt to evade antivirus detection,” according to Unit 42’s analysis, posted Monday. Still, “we at Imminent Methods are not…

The U.S. government’s cybersecurity agency has issued a draft directive mandating all agencies to develop vulnerability disclosure policies, which would give ethical hackers clear guidelines for submitting bugs found in government systems. Security experts hope that the directive will light a fire under the feet of federal agencies to create more transparency around the ins and outs of vulnerability disclosure, as well as increase trust overall between the government and security communities. The directive, which is a compulsory order for federal departments and agencies, is in a draft phase and remains open for public comment until Dec. 27, according to its issuer, the Cybersecurity and Infrastructure Security Agency (CISA). Currently, most federal agencies lack a formal mechanism to receive information from white-hat hackers about potential security vulnerabilities on their systems, CISA said in the draft directive, released last week: “Many agencies have no defined strategy for handling reports about such issues shared by outside parties. Only a few agencies have clearly stated that those who disclose vulnerabilities in good faith are authorized.” The directive would aim to change this by requiring agencies to publish policies with detailed descriptions of which systems are in scope, the types of testing that are allowed and how white-hat hackers can submit vulnerability reports. The policies would cover all internet-accessible systems or services in government agencies…
