A Review of the Best News of the Week on AI, IoT, & Mobile Security

Nokia: IoT Botnets Comprise 78% of Malware on Networks (Infosecurity Magazine, Dec 06 2018)
Nokia is warning of a deluge of IoT malware after revealing a 45% increase in IoT botnet activity on service provider networks since 2016. The mobile networking firm’s Threat Intelligence Report for 2019 is is based on data collected from its NetGuard Endpoint Security product, which it says monitors network traffic from over 150 million devices globally.

Combating Potentially Harmful Applications with Machine Learning at Google: Datasets and Models (Google Online Security Blog, Nov 15 2018)
“In a previous blog post, we talked about using machine learning to combat Potentially Harmful Applications (PHAs). This blog post covers how Google uses machine learning techniques to detect and classify PHAs. We’ll discuss the challenges in the PHA detection space, including the scale of data, the correct identification of PHA behaviors, and the evolution of PHA families.”

Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret (The New York Times, Dec 10 2018)
Dozens of companies use smartphone locations to help advertisers and even hedge funds. They say it’s anonymous, but the data shows how personal it is.

Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a new way to conduct a strategy assessment.

ASPIRE to keep protecting billions of Android users (Google Online Security Blog, Dec 05 2018)
“ASPIRE (Android Security and PrIvacy REsearch). So we’re inviting all academic researchers to help us protect billions of users. Research collaborations with Android should be as straightforward as collaborating with the research lab next door. To get involved you can…”

2018 Annual Report from AI Now (Schneier on Security, Dec 10 2018)
“The research group AI Now just published its annual report. It’s an excellent summary of today’s AI security challenges, as well as a policy agenda to address them.:

Smarter AI: Machine learning without negative data (ScienceDaily, Nov 26 2018)
A research team has successfully developed a new method for machine learning that allows an AI to make classifications without what is known as ‘negative data,’ a finding which could lead to wider application to a variety of classification tasks.

Is Malware Heading Towards a WarGames-style AI vs AI Scenario? (SecurityWeek, Dec 05 2018)
Adam Kujawa, Director of Malwarebytes Labs, has been contemplating the evolution of malware attack and defense, attempting to work out strategies to stay ahead of cybercriminals in what has always been a technological game of leapfrog.

Artificial Intelligence Hype Frenetic – But not all bad – according to the FT (Gartner Blog Network, Dec 05 2018)
More interestingly Mr.Thornhill nods to ““Amara’s law”, which states that we often overestimate the impact of emerging technologies in the short run and underestimate it in the long run.”

DeepPhish Project Shows Malicious AI is Not as Dangerous as Feared (SecurityWeek, Dec 07 2018)
…a project, called DeepPhish, to examine the extent to which ML technologies can genuinely aid in the detection of phishing, and the extent to which those same technologies could be used by cybercriminals to by-pass anti-phishing defenses.

Major flaws uncovered in leading IoT protocols (Help Net Security, Dec 05 2018)
Trend Micro warned organizations to revisit their operational technology (OT) security after finding major design flaws and vulnerable implementations related to two popular machine-to-machine (M2M) protocols, Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP).

80% of enterprises struggle to protect machine identities (Help Net Security, Dec 05 2018)
Seventy-one percent of respondents believe effective protection of machine identities is critical to the long-term security and viability of their companies. However, on average, financial services organizations are only tracking forty-three percent of the most common types of machine identities.

Symantec Unveils USB Scanning Station for ICS, IoT Environments (SecurityWeek, Dec 05 2018)
Symantec on Wednesday unveiled a new product designed to protect critical infrastructure organizations, including industrial and Internet of Things (IoT) environments, against USB-borne threats.

Android click fraud apps mimic Apple iPhones to boost revenue (Naked Security – Sophos, Dec 10 2018)
SophosLabs has uncovered a click fraud campaign in which malicious Android apps masquerade as being hosted on Apple devices to earn rewards.

Android Trojan steals money from PayPal accounts even with 2FA on (WeLiveSecurity, Dec 11 2018)
ESET researchers discovered a new Android Trojan using a novel Accessibility-abusing technique that targets the official PayPal app, and is capable of bypassing PayPal’s two-factor authentication.

Fake iOS Fitness Apps Steal Money (SecurityWeek, Dec 04 2018)
A series of iOS applications posing as fitness-tracking tools have been stealing users’ money by abusing the Touch ID feature, ESET has discovered.

PowerSnitch’ Hacks Androids via Power Banks (Dark Reading, Dec 08 2018)
Researcher demonstrates how attackers could steal data from smartphones while they charge up.

Secure Messaging Applications Prone to Session Hijacking (SecurityWeek, Dec 11 2018)
Secure messaging applications such as Telegram, Signal and WhatsApp can expose user messages through a session hijacking attack, Cisco’s Talos security researchers warn.