A Review of the Best News of the Week on AI, IoT, & Mobile Security

Criminals Are Using SS7 Attacks to Empty Bank Accounts (Motherboard, Jan 31 2019)
Motherboard has identified a specific UK bank that has fallen victim to so-called SS7 attacks, and sources say the issue is wider than previously reported.

Researchers reveal new privacy attack against 3G, 4G, and 5G mobile users (Help Net Security, Feb 01 2019)
This attack could be performed via next generation IMSI catchers – essentially fake mobile towers – and would allow attackers to:
-Monitor users’ mobile activity (e.g., number of calls, SMSs sent in a given time);
-Create profiles based on that information;
-Use these profiles to monitor their activity remotely even if the users move away from the attack areas.

Rethinking the detection of child sexual abuse imagery on the internet – Enigma 2019 (Elie Bursztein’s site, Feb 04 2019)
“In this talk, we will delve into the most pressing challenges that need to be addressed to be able to keep up with the steady increase of child sexual abuse imagery content and outline promising directions to help meet those challenges…”


Open Source & Machine Learning: A Dynamic Duo (Dark Reading, Jan 30 2019)
If machine learning can be demonstrated to solve particular use cases in an open forum, more analysts will be willing to adopt the technology in their workflows.

Machine Learning Integration Options (Gartner Blog Network, Jan 31 2019)
IoT is one of the most disruptive forces organizations must contend with today. IoT solutions integrate multiple technology and business operations and impact mission-critical processes and products. IoT technologies continue to evolve and morph quickly with few true standards.

Companies getting serious about AI and analytics, 58% are evaluating data science platforms (Help Net Security, Feb 01 2019)
New O’Reilly research found that 58 percent of today’s companies are either building or evaluating data science platforms – which are essential for companies that are keen on growing their data science teams and machine learning capabilities – while 85 percent of companies already have data infrastructure in the cloud.

Security Analysis of the LIFX Smart Light Bulb (Schneier on Security, Jan 30 2019)
The security is terrible: In a very short limited amount of time, three vulnerabilities have been discovered:
-Wifi credentials of the user have been recovered (stored in plaintext into the flash memory).
-No security settings. The device is completely open (no secure boot, no debug interface disabled, no flash encryption).
-Root certificate and RSA private key have been extracted.

Security Flaws in Children’s Smart Watches (Schneier on Security, Jan 31 2019)
A year ago, the Norwegian Consumer Council published an excellent security analysis of children’s GPS-connected smart watches. The security was terrible. Not only could parents track the children, anyone else could also track the children.

IoT Security’s Coming of Age Is Overdue (Dark Reading, Feb 04 2019)
The unique threat landscape requires a novel security approach based on the latest advances in network and AI security.

New Canon Printers Bring SIEM Integration, Other Security Features (SecurityWeek, Feb 04 2019)
Imaging giant Canon on Monday unveiled the third generation of its imageRUNNER ADVANCE multifunction printers (MFP). The company says the latest edition introduces significant cybersecurity features designed to help organizations protect their assets.

Apple’s Siri Shortcuts feature vulnerable to abuse, researchers warn (SC Magazine, Feb 04 2019)
Siri Shortcuts, Apple’s recently introduced native feature for iOS 12, can potentially be abused by threat actors to deliver malware to unsuspecting mobile device users, researchers are warning.

Why Facebook’s Banned ‘Research’ App Was So Invasive (Wired, Jan 30 2019)
Until Apple revoked its privileges Wednesday, Facebook was paying iOS users $20 a month to download and install the data-sucking application.

Head of Android Security Says Locking Out Law Enforcement Is an ‘Unintended Side Effect’ (Motherboard, Jan 30 2019)
Google is taking steps to make it harder for someone to push a malicious update that disables the security features on an Android phone.

Attorney claims Apple FaceTime eavesdropping glitch “allowed” recording of deposition (SC Magazine, Jan 30 2019)
Houston attorney Larry Williams is suing Apple over the recently disclosed FaceTime bug which allows callers to listen to the audio of the recipient before they answer the phone, claiming it allowed the recording of a private deposition.

Understanding STIR/SHAKEN (TransNexus, Feb 04 2019)
STIR and SHAKEN use digital certificates, based on common public key cryptography techniques, to ensure the calling number of a telephone call is secure. In simple terms, each telephone service provider obtains their digital certificate from a certificate authority who is trusted by other telephone service providers. The certificate technology enables the called party to verify that the calling number is accurate and has not been spoofed.