AI, IoT, Mobile Security

AI, IoT, & Mobile Security – The Week’s Best News – 2019.12.10

2019-12-10 by Lucas Samaras

A Review of the Best News of the Week on AI, IoT, & Mobile Security

The iPhone 11 Pro’s Location Data Puzzler (Krebs on Security, Dec 03 2019)
“One of the more curious behaviors of Apple’s new iPhone 11 Pro is that it intermittently seeks the user’s location information even when all applications and system services on the phone are individually set to never request this data. Apple says this is by design, but that response seems at odds with the company’s own privacy policy.”

Apple Explains Mysterious iPhone 11 Location Requests (Krebs on Security, Dec 05 2019)
“KrebsOnSecurity ran a story this week that puzzled over Apple‘s response to inquiries about a potential privacy leak in its new iPhone 11 line, in which the devices appear to intermittently seek the user’s location even when all applications and system services are individually set never to request this data. Today, Apple disclosed that this behavior is tied to the inclusion of a short-range technology that lets iPhone 11 users share files locally with other nearby phones that support this feature, and that a future version of its mobile operating system will allow users to disable it.”

The RCS Texting Protocol Is Way Too Easy to Hack (Wired, Dec 04 2019)
Rich Communication Services promises to be the new standard for texting. Thanks to sloppy implementation, it’s also a security mess.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~12,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Looking Back at Microsoft Ignite 2019 – Tech Intensity, End to End Security and AI (Infosecurity Magazine, Dec 03 2019)

Microsoft hosted their annual flagship Ignite conference in Orlando Florida in early November. The event attracted over 30,000 attendees and consists of over 1800 sessions across a wide range of topics such as DevOps, coding, identity, security and many product deep dives. Among the headlines, the main trends and talking points were on technical advancements, security additions and company strategies.

Cybersecurity in the Age of AI (Harvard Business Review, Dec 04 2019)
AI is reshaping the landscape of cyber defense. As new security fissures open up, threat analysts deploy more powerful tools to prevent and respond to attacks. Nicole Eagan, CEO of Darktrace, joins Azeem Azhar to discuss the escalating arms race in this new cybersecurity landscape.

Failure Modes in Machine Learning (Schneier on Security, Dec 09 2019)
Interesting taxonomy of machine-learning failures (pdf) that encompasses both mistakes and attacks, or — in their words — intentional and unintentional failure modes. It’s a good basis for threat modeling….

FBI Issues Smart TV Cybersecurity Warning (Infosecurity Magazine, Dec 03 2019)
Feds advise that smart TV owners might not be the only ones who are watching

Failure to secure IoT networks has far-reaching consequences, and transportation is a bullseye target (SC Magazine, Dec 10 2019)
Recent reports estimate that 250 million IoT-enabled vehicles will be on the road by 2020 as demand for tools like smart driving assistance, car monitoring and geolocation services, predictive maintenance, improved fleet management, and more, continue to rise.

Mobile industry has stifled eSIM—and the DOJ is demanding change (Ars Technica, Dec 03 2019)
US warns GSMA, says it must change eSIM standard that blocks competition.

Google: 80% of Android Apps Encrypt Traffic by Default (SecurityWeek, Dec 03 2019)
Google has shared some data on the adoption of Transport Layer Security (TLS) by Android applications and it seems that significant progress has been made over the past two years

FBI: FaceApp Potential Spy Risk (Infosecurity Magazine, Dec 04 2019)
Russian-made app raises counter-intelligence concerns

TikTok Sued in US Over Alleged China Data Transfer (SecurityWeek, Dec 04 2019)
A university student in California has filed a class-action lawsuit against video app TikTok, which she accuses of harvesting large amounts of user data and storing it in China.

Google Patches Critical DoS Flaw in Android 10 (SecurityWeek, Dec 04 2019)
One of the vulnerabilities Google addressed in Android with the December 2019 set of monthly patches is a critical vulnerability that could result in a permanent denial of service.

A Saudi Telecom Exposed a Streaming List of GPS Locations (VICE, Dec 09 2019)
The company, STCS, uploaded a constantly updating list of GPS coordinates in Saudi Arabia, China, and west Africa.

The FCC’s Push to Purge Huawei From US Networks (Wired, Dec 10 2019)
The rural carriers who rely on Huawei are wary of a costly “rip and replace” effort.

AI, IoT, & Mobile Security – The Week’s Best News – 2019.12.03

2019-12-03 by Lucas Samaras

A Review of the Best News of the Week on AI, IoT, & Mobile Security

World-first mobile phone detection cameras rolled out in Australia (the Guardian, Dec 03 2019)
New South Wales hopes to cut fatalities on the state’s roads by a third with devices that operate day and night in all weather

Millions of SMS messages exposed in database security lapse (TechCrunch, Dec 02 2019)
The database is run by TrueDialog, a business SMS provider for businesses and higher education providers, which lets companies, colleges, and universities send bulk text messages to their customers and students. The Austin, Texas-based company says one of the advantages to its service is that recipients can also text back, allowing them to have two-way conversations with brands or businesses.

Crooks are exploiting unpatched Android flaw to drain users’ bank accounts (Help Net Security, Dec 03 2019)
Hackers are actively exploiting StrandHogg, a newly revealed Android vulnerability, to steal users’ mobile banking credentials and empty their accounts, a Norwegian app security company has warned. “Promon identified the StrandHogg vulnerability after it was informed by an Eastern European security company for the financial sector (to which Promon supplies app security support) that several banks in the Czech Republic had reported money disappearing from customer accounts.

Share today’s post on Twitter Facebook LinkedIn

New Amazon capabilities put machine learning in reach of more developers (TechCrunch, Nov 26 2019)
Amazon announced a new approach that it says will put machine learning technology in reach of more developers and line of business users.

Bill Gates Says Open Research Beats Erecting Borders in AI (IT Pro, Nov 21 2019)
“AI is very hard to put back in the bottle,” Gates said, and “whoever has an open system will get massively ahead” by virtue of being able to integrate more insights from more sources.

5G IoT security: Opportunity comes with risks (Help Net Security, Dec 02 2019)
Slowly but surely, 5G digital cellular networks are being set up around the world. It will take years for widespread coverage and use to be achieved, so what better time than now for finding a way to ease into it while keeping security in mind? Opportunity comes with risks “Without a doubt 5G opens up a whole new world of opportunities for services that take advantage of the higher speeds and lower latencies that 5G…

Finns Label Cyber-Secure IoT Devices (Infosecurity Magazine, Nov 27 2019)
Finland has introduced a cybersecurity certification labeling system for IoT devices

Smartwatch exposes locations and other data on thousands of children (WeLiveSecurity, Nov 29 2019)
A device that is supposed to help parents keep track of their children and give them a peace of mind can be turned into a surveillance device

#InfosecNA: Security Risks of 5G, and How to Fix Them (Infosecurity Magazine, Nov 26 2019)
5G’s success will depend on it’s ability to resist, survive and recover from cyber-threats

Facebook, Twitter profiles slurped by mobile apps using malicious SDKs (Naked Security – Sophos, Nov 27 2019)
Hundreds of users gave permission to these third-party apps to access their social media accounts, but the apps got more handsy than that.

Patched WhatsApp vulnerability still impacting thousands of apps (SC Magazine, Nov 26 2019)
A vulnerability in the WhatsApp for Android that was found, disclosed and patched can still affect thousands of additional apps that have not been patched. CVE-2019-11932 allows attackers to use a maliciously coded GIF files to remotely execute code was made public on Oct. 2, 2019 and then patched in WhatsApp version 2.19.244…

New Free Emulator Challenges Apple’s Control of iOS (Dark Reading, Nov 27 2019)
An open-source tool gives researchers and jailbreakers a free option for researching vulnerabilities in the operating system – and gives Apple a new headache.

Authorities Arrest Alleged Member of Group That Hacked Jack Dorsey (VICE, Dec 02 2019)
The alleged member was arrested around two weeks ago, another member of the hacking group told Motherboard.

Fake Android apps uploaded to Play store by notorious Sandworm hackers (Naked Security – Sophos, Dec 02 2019)
The Russian ‘Sandworm’ hacking group has been caught repeatedly uploading fake and modified Android apps to Google’s Play Store.

TikTok owner to separate company over US national security worries (Naked Security – Sophos, Dec 02 2019)
Chinese-owned video-sharing app TikTok might be under fire from US politicians but it’s not going to go down without a fight.

SMS Replacement is Exposing Users to Text, Call Interception Thanks to Sloppy Telecos (VICE, Nov 29 2019)
Researchers from SRLabs found that telecos are implementing the RCS standard in vulnerable ways, which bring back techniques to attack phone networks.

Samsung starts Android 10 update at a record pace: Only three months late (Ars Technica, Dec 02 2019)
International Exynos models get Android 10, but the US will have to wait.

AI, IoT, & Mobile Security – The Week’s Best News – 2019.11.26

2019-11-26 by Lucas Samaras

A Review of the Best News of the Week on AI, IoT, & Mobile Security

Google Offering Up to $1.5 Million for Pixel Titan M Exploits (SecurityWeek, Nov 21 2019)
Google on Thursday announced that it’s expanding its Android bug bounty program, and certain types of exploits can now earn researchers up to $1.5 million

Data breach compromises T-Mobile prepaid accounts (SC Magazine, Nov 22 2019)
Wireless communications company T-Mobile has disclosed a data breach incident that impacts certain customers with pre-paid service accounts. “Our cybersecurity team discovered and shut down malicious, unauthorized access to some information related to your T-Mobile prepaid wireless account.

The U.S. is racking up tactical victories in Huawei fight (Washington Post, Nov 25 2019)
Only a handful of nations, meanwhile, have followed the U.S. push for a full Huawei ban including Australia, New Zealand and Japan. Britain previously decided to limit Hauwei contracts to the periphery of its 5G networks rather than core systems, but U.S. officials have argued that still gives the company far too much access.

Share today’s post on Twitter Facebook LinkedIn

Ongoing Research Project Examines Application of AI to Cybersecurity (SecurityWeek, Nov 21 2019)
Project Blackfin: Multi-Year Research Project Aims to Unlock the Potential of Machine Intelligence in Cybersecurity

Data security and automation top IT projects for 2020, AI not a priority (Help Net Security, Nov 25 2019)
Data security and automation are the top IT projects for 2020, while artificial intelligence projects are not in the top 10 for IT professionals, according to Netwrix. The online survey asked 1045 IT professionals worldwide to name their top five IT projects for the next year; they could pick from a predefined list or specify their own descriptions.

AWS expands its IoT services, brings Alexa to devices with only 1MB of RAM (TechCrunch, Nov 25 2019)
AWS announced a number of IoT-related updates that, for the most part, aim to make getting started with its IoT services easier, especially for companies that are trying to deploy a large fleet of devices.

California IoT security law: What it means and why it matters (Help Net Security, Nov 20 2019)
In September, California Governor Jerry Brown signed into law a new bill aimed at regulating the security of IoT devices, and it’s set to go into effect in a few short months on January 1, 2020. While the goal of the law is to better address the risks that increased connectivity brings into the workplace, it instead leaves us with more questions than answers.

Securing the Internet of Things (IoT) in Today’s Connected Society (Infosec Island, Nov 19 2019)
The rush to adoption has highlighted serious deficiencies in both the security design of Internet of Things (IoT) devices and their implementation.

#InfosecNA: The Impact of AI, IoT and Emerging Tech (Infosecurity Magazine, Nov 20 2019)
Theresa Payton reflects on the evolving digital and cyber-threat landscape

Botnet and IoT Security Guide 2020 (Help Net Security, Nov 26 2019)
The Council to Secure the Digital Economy (CSDE), a partnership between global technology, communications, and internet companies supported by USTelecom—The Broadband Association and the Consumer Technology Association (CTA), released the International Botnet and IoT Security Guide 2020, a comprehensive set of strategies to protect the global digital ecosystem from the growing threat posed by botnets, malware and distributed attacks.

I ‘Hacked’ My Accounts Using My Mobile Number: Here’s What I Learned (Dark Reading, Nov 19 2019)
A feature that’s supposed to make your account more secure — adding a cellphone number — has become a vector of attack in SIM-swapping incidents. Here’s how it’s done and how you can protect yourself.

Android camera apps could be hijacked to spy on users (Help Net Security, Nov 19 2019)
A vulnerability in the Google Camera app may have allowed attackers to surreptitiously take pictures and record videos even if the phone is locked or the screen is off, Checkmarx researchers have discovered.

Apple Tells Congress You’ll Hurt Yourself if You Try to Fix Your iPhone (VICE, Nov 20 2019)
Apple tries to put a nice face on its anticonsumer policies.

Russia’s ‘Sandworm’ Hackers Also Targeted Android Phones (Wired, Nov 21 2019)
The Kremlin’s uniquely dangerous hacker group has been trying new tricks.

The White House needs a 5G czar to win the race to secure next-generation networks, senators warn (Washington Post, Nov 20 2019)
The U.S. risks losing the next generation of telecommunications systems to China if the White House doesn’t create a new position to oversee 5G policy, the Senate’s top security leaders are warning.

Google plans to take Android back to ‘mainline’ Linux kernel (Naked Security – Sophos, Nov 22 2019)
Android could be returning to its roots.

DOD joins fight against 5G spectrum proposal, citing risks to GPS (Ars Technica, Nov 22 2019)
In letter to FCC’s Pai, secretary of defense notes risks to military operations.

New ‘Ginp’ Android Trojan Targets Credentials, Payment Card Data (SecurityWeek, Nov 26 2019)
A recently discovered Android banking Trojan that features a narrow target list and two-step overlays is capable of stealing both login credentials and credit card data, ThreatFabric reports.

Many Apps Impacted by GIF Processing Flaw Patched Recently in WhatsApp (SecurityWeek, Nov 26 2019)
Trend Micro security researchers have discovered thousands of Android applications impacted by the GIF processing vulnerability that was patched recently in WhatsApp.

Long-known Vulnerabilities in High-Profile Android Applications – Check Point Research (Check Point Research, Nov 26 2019)
A popular mobile app typically uses dozens of reusable components written in a low-level language such as C. These components, called native libraries, are often derived from open-source projects, or incorporate fragments of code from open-source projects.

AI, IoT, & Mobile Security – The Week’s Best News – 2019.11.19

2019-11-19 by Lucas Samaras

Facebook Discloses WhatsApp MP4 Video Vulnerability (Dark Reading, Nov 18 2019)
A stack-based buffer overflow bug can be exploited by sending a specially crafted video file to a WhatsApp user.

146 New Vulnerabilities All Come Preinstalled on Android Phones (Wired, Nov 15 2019)
The dozens of flaws across 29 Android smartphone makers show just how insecure the devices can be, even brand-new.

NSA won’t collect phone location data, promises US government (Naked Security – Sophos, Nov 18 2019)
US intelligence agencies won’t harvest US residents’ geolocation data in future investigations, revealed the US government this month.

How AI bias can harm cybersecurity efforts (Fast Company, Nov 15 2019)
How AI bias can harm cybersecurity efforts

Human Nature vs. AI: A False Dichotomy? (Dark Reading, Nov 18 2019)
How the helping hand of artificial intelligence allows security teams to remain human while protecting themselves from their own humanity being used against them.

Sophos 2020 Threat Report: AI is the new battleground (Naked Security – Sophos, Nov 19 2019)
The SophosLabs 2020 Threat Report highlights a growing battle as smart automation technologies continue to evolve.

Using security orchestration to simplify IoT defense in depth (SC Magazine, Nov 15 2019)
Even as the technology industry continues to scramble to protect personal computers, datacenters and other traditional IT systems from increasingly sophisticated cyberattacks, a new attack target has emerged – the Internet of Things (IoT).

Black Hat Europe Brings A Bevy of IoT Security Insights (Dark Reading, Nov 15 2019)
Attend this London event next month for the latest on how security researchers are finding (and solving) security vulnerabilities in all of your favorite Internet-connected devices.

IoT in 2020: The awkward teenage years (Network World Security, Nov 15 2019)

Much of the hyperbole around the Internet of Things isn’t really hyperbole anymore – the instrumentation of everything from cars to combine harvesters to factories is just a fact of life these days. IoT’s here to stay.

SHAKEN/STIR: Finally! A Solution to Caller ID Spoofing? (Dark Reading, Nov 12 2019)
The ubiquitous Caller ID hasn’t changed much over the years, but the technology to exploit it has exploded. That may be about to change.

The Brave Browser Extends Its Payouts to iOS (Wired, Nov 13 2019)
Nearly four years after Brave proposed paying users to surf the web, that vision is finally coming to the iPhone.

Canada Spy Agencies Split Over Proposed Huawei 5G Ban (SecurityWeek, Nov 13 2019)
Canada’s spy agencies are divided over whether or not to ban Chinese technology giant Huawei from fifth generation (5G) networks over security concerns, the Globe and Mail reported Wednesday.

This App Will Tell You if Your iPhone Gets Hacked (VICE, Nov 14 2019)

A security firm has released a new app that promises to detect when your iPhone has been targeted by hackers, but there are caveats.

What the newly released Checkra1n jailbreak means for iDevice security (Ars Technica, Nov 15 2019)
There are reasons to embrace it. There are reasons to be wary of it. Here’s the breakdown.

Google & Samsung fix Android spying flaw. Other makers may still be vulnerable (Ars Technica, Nov 19 2019)
Camera and mic could be controlled by any app, no permission required.

Redefining security KPIs for 5G service providers (Help Net Security, Nov 19 2019)
Telco security professionals are missing the mark when understanding their consumers’ priorities, according to KPMG’s recent report. In the wake of a security breach, consumers seek proof that the incident isn’t repeatable, while security executives prioritize apologies.

AI, IoT, & Mobile Security – The Week’s Best News – 2019.11.12

2019-11-12 by Lucas Samaras

A Review of the Best News of the Week on AI, IoT, & Mobile Security

Google creates App Defense Alliance to fight bad apps (Google, Nov 11 2019)
Announcing a partnership between Google, ESET, Lookout, and Zimperium. It’s called the App Defense Alliance and together, we’re working to stop bad apps before they reach users’ devices.

Evaluating the Digital Standard (New America, Nov 11 2019)
In 2018, New America’s Open Technology Institute (OTI) launched a project to educate people about the Digital Standard,⁠ a new framework for evaluating the privacy and security of internet-connected consumer products and software. The Standard was developed by a group of organizations including Ranking Digital Rights, in collaboration with Consumer Reports.

Facebook is secretly using your iPhone’s camera as you scroll your feed (The Next Web, Nov 12 2019)
The issue has come to light after a user going by the name Joshua Maddux took to Twitter to report the unusual behavior, which occurs in the Facebook app for iOS. In footage he shared, you can see his camera actively working in the background as he scrolls through his feed.

Share today’s post on Twitter Facebook LinkedIn

Researchers develop machine learning-based detector that stops lateral phishing attacks (Help Net Security, Nov 05 2019)
Lateral phishing attacks – scams targeting users from compromised email accounts within an organization – are becoming an increasing concern in the U.S.

Anti-Deepfake Law in California Is Far Too Feeble (Wired, Nov 05 2019)
Opinion: While well intentioned, the law has too many loopholes for malicious actors and puts too little responsibility on platforms.

Report: The Government and Tech Need to Cooperate on AI (Wired, Nov 06 2019)
It also warns that AI-enhanced national security apparatus like autonomous weapons and surveillance systems will raise ethical questions.

AI wordsmith too dangerous to be released… has been released (Naked Security – Sophos, Nov 11 2019)
The text-generating AI has only been released in neutered forms until now, for fear it would be used to mass-produce fake news and spam.

Twitter wants your feedback on its proposed deepfakes policy (Ars Technica, Nov 11 2019)
The company proposes warning labels—is that enough?

Only 47% of cybersecurity pros are prepared to deal with attacks on their IoT devices (Help Net Security, Nov 08 2019)
Fewer than half (47%) of cybersecurity professionals have a plan in place to deal with attacks on their IoT devices and equipment, despite that fact that nine out of ten express concerns over future threats, according to the Neustar International Security Council (NISC) research.

Ring-a-ding: IoT doorbell exposed customer Wi-Fi passwords to eavesdroppers (Ars Technica, Nov 08 2019)
Bitdefender report in July led to patch of code that sent credentials in plaintext.

xHelper Malware for Android (Schneier on Security, Nov 08 2019)
“xHelper is not interesting because of its infection mechanism; the user has to side-load an app onto his phone. It’s not interesting because of its payload; it seems to do nothing more than show unwanted ads. it’s interesting because of its persistence…”

Google patches bug that let nearby hackers send malware to your phone (Naked Security – Sophos, Nov 05 2019)
Google has patched an Android bug that could have allowed attackers to use NFC to send over a malicious file to the victim’s phone

Bug Hunters Earn $195,000 for Hacking TVs, Routers, Phones at Pwn2Own (SecurityWeek, Nov 06 2019)
White hat hackers have earned a total of $195,000 for demonstrating vulnerabilities in TVs, routers and smartphones on the first day of the Pwn2Own Tokyo 2019 contest taking place these days alongside the PacSec conference.

Security by Sector: How Smartphone Biometric Risks Threaten the Banking Industry (Infosecurity Magazine, Nov 07 2019)
New research shows just how easy it is to bypass smartphone fingerprint tech

Sextortionist whisks away sex tapes using just a phone number (Naked Security – Sophos, Nov 12 2019)
The SIM-swap victim knew he was in trouble when he got a 3:30 a.m. message about his phone service being cut off.

As 5G Rolls Out, Troubling New Security Flaws Emerge (Wired, Nov 12 2019)
Researchers have identified 11 new vulnerabilities in 5G—with time running out to fix them.