A Review of the Best News of the Week on AI, IoT, & Mobile Security

You Can Now Get $1 Million For Hacking WhatsApp and iMessage (Motherboard, Jan 07 2019)
Companies that buy and sell exploits, or zero-days, are now willing to offer six figures for hacks that allow spies and cops to steal WhatsApp, iMessage and other chat app messages.

A photo will unlock many Android phones using facial recognition (Naked Security – Sophos, Jan 08 2019)
How easy is it to bypass the average smartphone’s facial recognition security? In the case of Android, a lot easier than owners may think.

Machine Learning to Detect Software Vulnerabilities (Schneier on Security, Jan 08 2019)
“No one doubts that artificial intelligence (AI) and machine learning (ML) will transform cybersecurity. We just don’t know how, or when. While the literature generally focuses on the different uses of AI by attackers and defenders ­ and the resultant arms race between the two ­ I want to talk about software vulnerabilities.”


Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a new way to conduct a strategy assessment.


With AI, promises still outpace reality (SC Media, Jan 03 2019)
People get excited about using machine learning algorithms to recognize suspicious traffic patterns that are predictive of previous security incidents, Chase Lipton says. The model has potential, he adds. But the catch with using pattern recognition is that “you make a giant assumption.”

AI’s Dirty Little Secret and the Rise of Augmented Intelligence (Jumio, Dec 18 2018)
Given these current limitations of AI, there’s a clear need for humans to ensure that the right verification decision is made online. That’s where augmented intelligence comes in. Augmented Intelligence fuses technology with human expertise. The role of AI may become greater in time, but the state of technology still requires a human element — if for nothing else than to tag and train our algorithms and make them iteratively smarter.

More on “AI for cybersecurity” (Gartner Blog Network, Jan 04 2019)
“There is a very important point to understand about the vendors using ML for threat detection. Usually ML is used to identify known behavior, but with variable parameters. What does that mean? It means that many times we know what bad looks like, but not how exactly it looks like.”

Hackers Accessed Smart TVs to Play PewDiePie Propaganda Videos (Motherboard, Jan 02 2019)
Owners of some Chromecasts and smart TVs might see an unusual message on their screens: A message and propaganda video imploring them to subscribe to PewDiePie on YouTube.

Multicloud + IoT: Securing IoT Applications in Diverse, Distributed Environments (SecurityWeek, Jan 03 2019)
The traditional network perimeter is stretching and evolving, and perimeter-based firewalls will not provide sufficient security for IoT workloads operating in diverse environments. IoT and network threats are not one-dimensional, so neither should be an organization’s security. Securing IoT workloads at scale requires establishing a holistic approach from the inside out.

Miori IoT Botnet Targets Vulnerability in ThinkPHP (Infosec Island, Jan 03 2019)
A recent variant of the Mirai botnet is targeting a remote code execution (RCE) vulnerability in the ThinkPHP framework, Trend Micro security researchers warn.

BlackBerry Offers Its Security Technology to IoT Device Makers (SecurityWeek, Jan 07 2019)
BlackBerry on Monday announced that manufacturers of Internet of Things (IoT) devices can now use the company’s technology to improve the safety and security of their products.

Blockchain Technology can be Critical to IoT Infrastructure Security (Entrepreneur, Jan 07 2019)
A blockchain-based cybersecurity platform can secure connected devices using digital signatures to identify and authenticate them, adding them as authorized participants in the blockchain network and ring-fencing critical infrastructure by rendering them invisible to unauthorized access attempts. Each authenticated device joining the blockchain-based secure IoT network is treated as a participating entity, just like in a conventional blockchain network. All communication among these verified participants (IoT devices) are cryptographically secure and are stored in tamper-proof logs.

Vulnerability in Chrome for Android Patched Three Years After Disclosure (SecurityWeek, Jan 02 2019)
A vulnerabilitiy recently patched by Google in Chrome for Android was an information disclosure bug that was originally reported in 2015, but not patched until the release of Chrome 70 in October 2018, security researchers say.

MobSTSPY spyware weaseled its way into Google Play (SC Media, Jan 03 2019)
Once again a spyware disguised as Android applications has made its way into the Google Play store with some of the malicious apps being downloaded more than 100,000 times by users across the globe last year.

No Android passcode? No problem! Skype unlocked it for you (Naked Security – Sophos, Jan 07 2019)
Microsoft closed the hole, which let any unauthenticated phone-grabber answer a Skype call and then roam around on your mobile.

LA sues The Weather Channel over selling users’ location data (Naked Security – Sophos, Jan 08 2019)
The app is accused of being a “location data company powered by weather” and profiting from users’ data without being upfront about it.