A Review of the Best News of the Week on AI, IoT, & Mobile Security

How a WhatsApp call could have taken over your phone (Naked Security – Sophos, Oct 10 2018)
A WhatsApp buffer overflow that crashed your phone due to audio data sent by a caller meant that just answering a call could spell trouble.

Cryptomining attacks against Apple devices increase sharply (Help Net Security, Oct 16 2018)
Check Point has published its latest Global Threat Index for September 2018, revealing a near-400% increase in cryptomining malware attacks against Apple iPhones. These attacks are using the Coinhive mining malware, which continues to occupy the top position in the Index that it has held since December 2017.

Naming & Shaming Web Polluters: Xiongmai (Krebs on Security, Oct 09 2018)
“What do we do with a company that regularly pumps metric tons of virtual toxic sludge onto the Internet and yet refuses to clean up their act? If ever there were a technology giant that deserved to be named and shamed for polluting the Web, it is Xiongmai — a Chinese maker of electronic parts that power a huge percentage of cheap digital video recorders (DVRs) and Internet-connected security cameras.”

Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a new way to conduct a strategy assessment.

IBM Opens Up Series of Security, AI and Cloud Initiatives (eWEEK, Oct 15 2018)
In a bid to encourage more open platforms, IBM announced its new Security Connect, MultiCloud Manager and AI OpenScale platforms.

9 million Xiongmai cameras, DVRs wide open to attack (Help Net Security, Oct 10 2018)
The discovered vulnerabilities include a default admin password (i.e., no password, and no requirement to set one in the initial setup phase), insecure default credentials for a hardcoded “default” account, multiple unencrypted communication channels, and a failure to check the integrity of firmware updates, which are not signed.

The Better Way: Threat Analysis & IIoT Security (Dark Reading, Oct 11 2018)
Threat analysis offers a more nuanced and multidimensional approach than go/no-go patching in the Industrial Internet of Things. But first, vendors must agree on how they report and address vulnerabilities.

Current state of IoT deployments and future expansion across enterprises (Help Net Security, Oct 11 2018)
A new Vanson Bourne survey queried 800 senior IT and business decision makers at organizations with a global annual revenue of $500M and higher across 13 different countries in North America, Europe and Asia Pacific.

Google using lock screen passwords to encrypt Android Cloud backups (Naked Security – Sophos, Oct 16 2018)
If, that is, your phone has updated to the Android 9 operating system, otherwise known as Pie. If so, say hi to the Titan chip!

New iPhone Passcode Bypass Method Found Days After Patch (SecurityWeek, Oct 16 2018)
The attack starts by calling the targeted device. If the phone number is not known, the attacker can have Siri read it out to them. Once the call is made, the hacker selects the Messages icon from the call screen and activates VoiceOver via Siri.

Twilio acquires email API platform SendGrid for $2 billion in stock (TechCrunch, Oct 15 2018)
Twilio, the ubiquitous communications platform, today announced its plan to acquire the API-centric email platform SendGrid for about $2 billion in an all-stock transaction. That’s Twilio’s largest acquisition to date, but also one that makes a lot of sense given that both companies aim to make building communications platforms easier for developers.

Google Hardens Android Kernel (SecurityWeek, Oct 11 2018)
Google this week revealed that Android’s kernel is becoming more resilient to code reuse attacks, courtesy of implemented support for LLVM’s Control Flow Integrity (CFI).