A Review of the Best News of the Week on AI, IoT, & Mobile Security

Android Protected Confirmation: transaction security to the next level (Google, Oct 19 2018)
The first major mobile OS API that leverages a hardware protected user interface (Trusted UI) to perform critical transactions completely outside the main mobile operating system.

West Virginia’s voting experiment stirs security fears (Politico, Oct 19 2018)
Overseas residents will be able to cast ballots via mobile app on Election Day, using the same tech that underlies Bitcoin. But is that a wise idea?

Network Anomaly Detection Track Record in Real Life? (Anton Chuvakin – Gartner, Oct 22 2018)
“my long-held impression is that no true anomaly-based network IDS (NIDS) has ever been successful commercially and/or operationally. There were some bits of success, to be sure (“OMG WE CAN DETECT PORTSCANS!!!”), but in total, they (IMHO) don’t quite measure up to SUCCESS of the approach. In light of this opinion, here is a fun question: do you think the current generation of machine learning (ML) – and “AI”-based (why is AI in quotes?) systems will work better?”


A Cybersecurity Weak Link: Linux and IoT (Dark Reading, Oct 16 2018)
Linux powers many of the IoT devices on which we’ve come to rely — something that enterprises must address.

Critical Vulnerabilities Allow Takeover of D-Link Routers (SecurityWeek, Oct 17 2018)
Researchers have found several vulnerabilities that can be exploited to take full control of some D-Link routers, and patches do not appear to be available. Serious flaws have also been discovered in routers from Linksys.

New Security Woes for Popular IoT Protocols (Dark Reading, Oct 18 2018)
Researchers at Black Hat Europe will detail denial-of-service and other flaws in MQTT, CoAP machine-to-machine communications protocols that imperil industrial and other IoT networks online.

Are the Police Using Smart-Home IoT Devices to Spy on People? (Schneier on Security, Oct 22 2018)
“IoT devices are surveillance devices, and manufacturers generally use them to collect data on their customers. Surveillance is still the business model of the Internet, and this data is used against the customers’ interests: either by the device manufacturer or by some third party the manufacturer sells the data to. Of course, this data can be used by the police as well; the purpose depends on the country.”

Is Google’s Android app unbundling good for security? (Naked Security – Sophos, Oct 18 2018)
If you live in the EU, turning on a new Android device after 29 October 2018 could look quite different…

Fin Firms: Look to Mobile, Social for Comms Risks (Infosecurity Magazine, Oct 19 2018)
Financial firms are looking in the wrong places for communications risks.

Now Apps Can Track You Even After You Uninstall Them (BloombergQuint, Oct 22 2018)

Common Security Mistakes when Developing Swift Applications – Part I (Checkmarx, Oct 21 2018)
In the past few years we’ve noticed common security problems when developing Swift applications, all of them part of the ten most critical security risks on the OWASP Mobile TOP 10 2016. This playground covers two major flaws, Insecure Data Storage (M2) and Insecure Communication (M3).

UK, US to Sign Accord on AI, Cybersecurity Cooperation (Dark Reading, Oct 22 2018)
Royal Navy, US Navy, and tech industry leaders ready to commit to ‘a framework for dialogue and cooperation’ at inaugural meeting of the Atlantic Future Forum.

Bug in New iOS Lets Attacker Access iPhone Pics (Infosecurity Magazine, Oct 16 2018)
iOS hacker Jose Rodriguez shares a proof-of-concept video of another VoiceOver bypass bug.

Donald Daters app for pro-Trump singles exposes users’ data at launch (Naked Security – Sophos, Oct 17 2018)
A security researcher found a publicly exposed Firebase data repository that was hardcoded in the dating app.

The Titan M Chip Powers Up Pixel 3 Security (Wired, Oct 21 2018)
Google’s latest flagship smartphone includes the Titan M, a security-focused chip that keeps users safe against sophisticated attacks.