AI, IoT, Mobile Security

AI, IoT, & Mobile Security – The Week’s Best News – 2020.02.18

2020-02-18 by Lucas Samaras

A Review of the Best News of the Week on AI, IoT, & Mobile Security

Justice Dept. expands Huawei indictment, charging 5G espionage (SC Media, Feb 14 2020)
The U.S. government expanded its year-old lawsuit against Chinese tech firm Huawei, alleging the company conducted cyber espionage on six American competitors in an attempt to steal trade secrets to gain an unfair advantage.

Sloppy’ Mobile Voting App Used in Four States Has ‘Elementary’ Security Flaws (VICE, Feb 13 2020)
MIT researchers say an attacker could intercept and alter votes, while making voters think their votes have been cast correctly, or trick the votes server into accepting connections from an attacker.

Google Play Protect Scans 100 Billion Android Apps Daily (SecurityWeek, Feb 12 2020)
Google Play Protect now scans over 100 billion applications on Android devices daily, according to new figures disclosed by Google this week.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Using AI to detect a bitcoin mining campaign leveraging Citrix Netscaler vulnerabilities (Darktrace Blog, Jan 27 2020)
Recently discovered Citrix vulnerability strengthens the case for Autonomous Response and its proven ability to prevent novel attacks.

AI filter launched to block Twitter cyberflashing (Naked Security – Sophos, Feb 18 2020)
A small but determined group of Twitter users think it is a good idea to direct message (DM) pictures to complete strangers.

Babel of IoT Authentication Poses Security Challenges (Dark Reading, Feb 13 2020)
With more than 80 different schemes for authenticating devices either proposed or implemented, best practices and reference architectures are sorely needed, experts say.

The challenges of cyber research and vulnerability disclosure for connected healthcare devices (Help Net Security, Feb 18 2020)
From a purely research perspective, there are challenges to do with access. For example, device procurement costs that can be prohibitively expensive, laws and policies that prevent vendors from selling to non-hospitals, sometimes difficult-to-accommodate spatial prerequisites, as well as installation, configuration, and calibration complexities, or even networking codependencies.

Huawei cyber security chief says no operator gives it access to intercept equipment (Reuters, Feb 16 2020)
Huawei’s cyber security chief said on Friday that he was not aware of any mobile operator ever having given the Chinese company access to the equipment used to intercept calls when required to do so by security services.

5G Adoption Should Change How Organizations Approach Security (Dark Reading, Feb 12 2020)
With 5G adoption, businesses will be able to power more IoT devices and perform tasks more quickly, but there will be security ramifications.

Nasty Android malware reinfects its targets, and no one knows how (Ars Technica, Feb 13 2020)
Users report that xHelper is so resilient it survives factory resets.

Apps Remain Favorite Mobile Attack Vector (Dark Reading, Feb 13 2020)
Mobile apps are used in nearly 80% of attacks targeting mobile devices, followed by network and operating system attacks.

Google: Protections Added by Samsung to Android Kernel Increase Attack Surface (SecurityWeek, Feb 13 2020)
A Google Project Zero researcher claims that some of the security features added by Samsung to the Android kernel don’t provide meaningful protection and they actually increase the attack surface.

WhatsApp Defends Encryption as It Tops 2 Billion Users (SecurityWeek, Feb 13 2020)
The Facebook-owned messaging service WhatsApp said Wednesday it now has more than two billion users around the world as it reaffirmed its commitment to strong encryption to protect privacy.

Phishing Campaign Targets Mobile Banking Users (Dark Reading, Feb 14 2020)
Consumers in dozens of countries were targeted, Lookout says.

PhotoSquared: App Leaks Data on Thousands of Users (Infosecurity Magazine, Feb 17 2020)
Researchers find another unsecured S3 bucket

AI, IoT, & Mobile Security – The Week’s Best News – 2020.02.11

2020-02-11 by Lucas Samaras

A Review of the Best News of the Week on AI, IoT, & Mobile Security

Twitter Confirms it Will Only Ban “Harmful” Deepfakes (Infosecurity Magazine, Feb 06 2020)
Social site will otherwise allow manipulated content on its site

YouTube Issues Deepfake Ban Reminder (Infosecurity Magazine, Feb 05 2020)
YouTube reiterates its ban on deepfake videos ahead of the 2020 US election

Shadow’s Cancelled Nevada Caucus App Had Errors, Too (VICE, Feb 07 2020)
An error wouldn’t let users report results in a test version of the app. Shadow confirmed it was fixing some errors at the time.

Share today’s post on Twitter Facebook LinkedIn

AI and Machine Learning will power both Cyber Offense and Defense in 2020 (The Security Ledger, Feb 06 2020)
You can see how an arms race between cyber criminals and organizations is developing – with each needing to adopt the latest technology to keep up.

Facebook, YouTube order Clearview to stop scraping them for faces to match (Ars Technica, Feb 07 2020)
The company claims it scraped three billion images for police to match faces against.

Six Data Points You Should Know about Federated Machine Learning (eWEEK, Feb 07 2020)
How early attempts to deploy machine learning inside real-world use cases have led to a new approach called Federated Machine Learning.

Google has released a tool to spot faked and doctored images (MIT Technology Review, Feb 10 2020)
Jigsaw, a technology incubator at Google, has released an experimental platform called Assembler to help journalists and front-line fact-checkers quickly verify images.

Using ‘radioactive data’ to detect if a data set was used for training (Facebook AI, Feb 10 2020)
“We have developed a new technique to mark the images in a data set so that researchers can determine whether a particular machine learning model has been trained using those images. This can help researchers and engineers to keep track of which data set was used to train a model so they can better understand how various data sets affect the performance of different neural networks.”

IoT Malware Campaign Infects Global Manufacturing Sites (Dark Reading, Feb 05 2020)
The infection uses Lemon_Duck PowerShell malware variant to exploit vulnerabilities in embedded devices at manufacturing sites.

Honware: IoT honeypot for detecting zero-day exploits (Help Net Security, Feb 06 2020)
Two researchers have created a solution that could help security researchers and IoT manufacturers with detecting zero-day exploits targeting internet-connected devices more speedily than ever before. It’s called honware, and it’s a virtual honeypot framework that can emulate Linux-based Customer Premise Equipment (CPE) and IoT devices by using devices’ firmware image.

How IoT devices open a portal for chaos across the network (Help Net Security, Feb 06 2020)
Shadow IoT devices pose a significant threat to enterprise networks, according to a new report from Infoblox. The report surveyed 2,650 IT professionals across the US, UK, Germany, Spain, the Netherlands and UAE to understand the state of shadow IoT in modern enterprises.

Philips WiFi light bulb vulnerable to attack (SC Media, Feb 05 2020)
The light given off by some WiFi light bulbs may expose more than just a dark room as Check Point researchers have found a vulnerability in Philips Hue smart bulbs and bridge enabling them to remotely infiltrate the device.

Next-generation endpoint security goes beyond the endpoint (Network World Security, Feb 06 2020)
AI and behavioral analysis are key to elevating the level of security for devices and back-end systems and are a prerequisite for IoT devices and services. Is your vendor moving in the right direction?

IoT Devices at Major Manufacturers Infected With Malware via Supply Chain Attack (SecurityWeek, Feb 07 2020)
Three of the world’s largest manufacturers had some IoT devices running Windows 7 infected with a piece of malware in what experts believe to be a supply chain attack.

6 Factors That Raise The Stakes For IoT Security (Dark Reading, Feb 10 2020)
Developments that exacerbate the risk and complicate making Internet of Things devices more secure.

Government or vendors? Who should lead the push for IoT security? (Network World Security, Feb 10 2020)
Industry groups and governmental agencies have been taking a stab at rules to improve the security of the internet of things, but so far there’s nothing comprehensive.

Android pulls 24 ‘dangerous’ malware-filled apps from Play Store (Naked Security – Sophos, Feb 06 2020)
The malware-infected apps used to harvest data and sign users up to premium services have been downloaded more than 382 million times.

When Your Used Car is a Little Too ‘Mobile’ (Krebs on Security, Feb 05 2020)
“Out of curiosity, Marulla decided to check if his old MyFordMobile.com credentials from 2016 still worked. They did, and Marulla was presented with an online dashboard showing the current location of his old ride and its mileage statistics. The dashboard also allowed him to remotely start the vehicle, as well as lock and unlock its doors.”

In 2020, 5G deployments will continue at a frantic pace (Help Net Security, Feb 06 2020)
The implementation of massive MIMO in 5G systems is changing, according to a Mobile Experts report. There’s a shift away from the dominant position of 64T64R mMIMO, toward 32T32R systems.

Google patches Bluetooth vulnerability impacting most Android devices (SC Media, Feb 10 2020)
Google has issued a critical security update for Android that affects the Bluetooth functionality on about two-thirds of all Android devices now in use. The vulnerability, CVE-2020-0022, affects devices running Android Oreo (8.0 and 8.1) and Pie (9.0) and can allow remote code execution without any user interaction.

AI, IoT, & Mobile Security – The Week’s Best News – 2020.02.04

2020-02-04 by Lucas Samaras

A Review of the Best News of the Week on AI, IoT, & Mobile Security

NIST tests methods of recovering data from smashed smartphones (Sophos, Feb 04 2020)
Criminals have found to their cost that reducing a device to a pile of rubble means nothing if the internal chips are still in working order.

FCC Confirms ‘One or More’ Carriers Broke the Law Selling Location Data (VICE, Jan 31 2020)
One year later, FCC boss Ajit Pai suggests one or more major carriers could be fined.

United States Welcomes the EU’s Acknowledgement of the Unacceptable Risks Posed by Untrusted 5G Suppliers (US State Dept, Feb 01 2020)
On January 29, the European Union (EU) Network Information Security Cooperation Group released a toolbox of recommended measures to mitigate security risks in 5G networks. The United States welcomes this initiative from Member States, the Commission, and the EU Cybersecurity Agency.

Share today’s post on Twitter Facebook LinkedIn

How to Secure Your IoT Ecosystem in the Age of 5G (Dark Reading, Jan 30 2020)
For businesses planning to adopt 5G, the sheer number of IoT devices creates a much larger attack surface.

IoT laws are coming: What to expect (WeLiveSecurity, Jan 30 2020)
No more default logins on new IoT devices if UK legislators get their way

UK Deems Huawei a Manageable Risk for 5G (Infosecurity Magazine, Jan 29 2020)
Experts welcome balanced decision informed by intelligence services

Ring Doorbell App for Android Sends Out Loads of User Data (SecurityWeek, Jan 29 2020)
The Ring doorbell application for Android contains third-party trackers and sends out a large amount of personally identifiable information (PII), the Electronic Frontier Foundation (EFF) has discovered.

How to Get the Most Out of Your Smartphone’s Encryption (Wired, Jan 29 2020)
Both iPhones and Androids are encrypted by default. But there are steps you can take to safeguard your data on backups and messaging apps.

Win $1.5 million hacking an Android phone (Graham Cluley, Jan 29 2020)
If you can crack the security of the Titan M chip found on the Google Pixel 3, Pixel 3a, and Pixel 4 smartphones, you could be in for a big reward…

Is Siri spying on me? My iPad has shifted to Spanish ads after conversations in my home (USA TODAY, Feb 02 2020)
The ads on iPad apps changed from English to Spanish after a few conversations in the language at home. Could Siri have been listening?

West Virginia plans to make smartphone voting available to disabled people for 2020 election (NBC News, Feb 03 2020)
Cybersecurity experts have long railed against voting apps, saying that any kind of online voting unnecessarily increases security risks.

Huawei outsells Apple in 2019, becomes No. 2 global smartphone vendor (Ars Technica, Jan 31 2020)
The US export ban places a serious cloud over Huawei’s future, though.

DOJ sues US telecom providers for connecting Indian robocall scammers (Ars Technica, Jan 29 2020)
One provider connected 720 million calls in 23 days.

Android Malware for Mobile Ad Fraud Spiked Sharply in 2019 (Dark Reading, Jan 30 2020)
Some 93% of all mobile transactions across 20 countries were blocked as fraudulent, Upstream says.

This Man Created Traffic Jams on Google Maps Using a Red Wagon Full of Phones (VICE, Feb 03 2020)
By pulling 99 phones down empty streets, artist Simon Wreckert made it look like they were gridlocked on Google Maps.

Researchers Find 24 ‘Dangerous’ Android Apps with 382M Installs (Dark Reading, Feb 03 2020)
Shenzhen Hawk Internet Co. is identified as the parent company behind five app developers seeking excessive permissions in Android apps.

AI, IoT, & Mobile Security – The Week’s Best News – 2020.01.28

2020-01-28 by Lucas Samaras

A Review of the Best News of the Week on AI, IoT, & Mobile Security

Bezos Hack Report Puzzles Cyberexperts (WSJ, Jan 27 2020)
A report concluding Saudi Arabia likely hacked into Jeff Bezos’ phone has spurred questions among cybersecurity experts, who say the audit left several major technical questions unexplained and in need of more examination.

Prosecutors Have Evidence Bezos’ Girlfriend Gave Texts to Brother Who Leaked to National Enquirer (WSJ, Jan 27 2020)
Manhattan federal prosecutors have evidence indicating the Amazon CEO’s girlfriend provided text messages to her brother that he then sold to the publisher for its article about Jeff Bezos’ affair.

Government Report Reveals Its Favorite Way to Hack iPhones, Without Backdoors (VICE, Jan 28 2020)
Feds are once again demanding encryption backdoors, but its own data shows it can extract data from phones without them.

Share today’s post on Twitter Facebook LinkedIn

There is no easy fix to AI privacy problems (Help Net Security, Jan 23 2020)
Not only does ML require vast amounts of data for the training process, but the derived system is also provided with access to even greater volumes of data as part of the inference processing while in operation. T

CIOs using AI to bridge gap between IT resources and cloud complexity (Help Net Security, Jan 23 2020)
There’s a widening gap between IT resources and the demands of managing the increasing scale and complexity of enterprise cloud ecosystems, a Dynatrace survey of 800 CIOs reveals.

New Deepfake Method Can Put Words In Anyone’s Mouth (VICE, Jan 24 2020)
The new method makes a deepfake video from an audio source.

Pentagon Blocks Clampdown on Huawei Sales (WSJ, Jan 27 2020)
The Commerce Department has withdrawn proposed regulations making it harder for U.S. companies to sell to Huawei from their overseas facilities after objections from the Pentagon and the Treasury Department.

Spies Like AI: The Future of Artificial Intelligence for the US Intelligence Community (Defense One, Jan 27 2020)
“Imagine that your job is to read every newspaper in the world, in every language; watch every television news show in every language around the world. You don’t know what’s important, but you need to keep up with all the trends and events…”

Half a Million IoT Device Passwords Published (Schneier on Security, Jan 22 2020)
“It’s a list of easy-to-guess passwords for IoT devices on the Internet as recently as last October and November. Useful for anyone putting together a bot network: A hacker has published this week a massive list of Telnet credentials for more than 515,000 servers, home routers, and IoT (Internet of Things) “smart” devices.”

7 Steps to IoT Security in 2020 (Dark Reading, Jan 24 2020)
There are important steps security teams should take to be ready for the evolving security threats to the IoT in 2020.

UK’s IoT Law Hopes to Drive Security-by-Design (Infosecurity Magazine, Jan 28 2020)
Proposed legislation seeks to protect consumers from cyber risk

Cisco Launches Industrial IoT Security Solution (SecurityWeek, Jan 28 2020)
Cisco on Tuesday announced the launch of a security solution for the Industrial Internet of Things (IIoT) that is designed to help organizations identify threats across their IT and OT environments.

Teenager charged over $50 million SIM-swap cryptocurrency theft (Graham Cluley, Jan 22 2020)
Samy Bensaci, an 18-year-old living in Montreal, Canada, has been charged in connection with the theft of over $50 million worth of cryptocurrency in a SIM-swapping scam.

Ignoring Security Experts, Washington State Eyes Voting by Smartphone (VICE, Jan 22 2020)
Security experts still widely agree that online voting can’t be adequately secured or transparently audited. Yet the siren song of ‘easier voting’ appears irresistible.

Who Made the Spyware Used to Hack Jeff Bezos’ Phone? (VICE, Jan 22 2020)
Experts are debating who helped Saudi Arabia hack the phone of the richest man on Earth.

Apple Addresses iPhone 11 Location Privacy Concern (Krebs on Security, Jan 22 2020)
Apple is rolling out a new update to its iOS operating system that addresses the location privacy issue on iPhone 11 devices that was first detailed here last month.

UK Approves Restricted Huawei Role in 5G Network (SecurityWeek, Jan 28 2020)
Britain on Tuesday greenlighted a limited role for Chinese telecoms giant Huawei in the country’s 5G network, but underscored that “high risk vendors” would be excluded from “sensitive” core infrastructure.

SIM Swappers Are Phishing Telecom Company Employees to Access Internal Tools (VICE, Jan 28 2020)
SIM swappers are particularly interested in a tool called Omni from Verizon that allows hackers to take over phone numbers.

One Small Fix Would Curb Stingray Surveillance (Wired, Jan 27 2020)
The technology needed to limit stingrays is clear—but good luck getting telecoms on board.

Mike Rogers, former Republican House Intel chief, blasts Congress for not taking action on Huawei (Washington Post, Jan 28 2020)
Mike Rogers says partisan warfare has so handicapped Congress that it’s not doing nearly enough to stop a major world threat: Chinese telecom Huawei controlling large portions of next-generation telecommunication networks.

AI, IoT, & Mobile Security – The Week’s Best News – 2020.01.21

2020-01-21 by Lucas Samaras

A Review of the Best News of the Week on AI, IoT, & Mobile Security

SIM Hijacking – new study shows measures aren’t helping (Schneier on Security, Jan 21 2020)
Phone companies have added security measures since this attack became popular and public, but a new study (news article) shows that the measures aren’t helping

Mobile Apps Sharing Personal Data Illegally, Consumer Group Claims (Infosecurity Magazine, Jan 15 2020)
Norwegian Consumer Council names dating apps Grindr, OKCupid and Tinder among offenders in damning report

As Justice Department Pressures Apple, Investigators Say iPhone Easier to Crack (WSJ, Jan 15 2020)
The escalation of a long-running encryption conflict between the Justice Department and Apple has puzzled security experts who say that new hacking tools have made it possible to gain access to many of the company’s devices in criminal investigations.

Share today’s post on Twitter Facebook LinkedIn

Glenn Greenwald Charged With Cybercrimes in Brazil (The New York Times, Jan 21 2020)
Mr. Greenwald is accused of being part of a “criminal investigation” that hacked into the cellphones of prosecutors and public officials.

Consumer Reports Calls for IoT Manufacturers to Raise Security Standards (Dark Reading, Jan 14 2020)
A letter to 25 companies says Consumer Reports will change ratings to reflect stronger security and privacy standards.

IoT cybersecurity’s worst kept secret (Help Net Security, Jan 17 2020)
By improving access to data and taking advantage of them in fundamentally different ways to drive profitability, IT security executives are rapidly changing perceptions of their office. Although making better sense of and use of data may be standard fare in other areas of the enterprise, who knew that modern IoT cybersecurity solutions would become network security’s newest professional lever? Actually, we should have seen it coming…

An Open Source Effort to Encrypt the Internet of Things (Wired, Jan 20 2020)
IoT is a security hellscape. One cryptography company has a plan to make it a little bit less so.

A 101 guide to mobile device management (Help Net Security, Jan 14 2020)
Extending beyond the traditional company network, mobile connectivity has become an extension of doing business and IT staff need to not just rethink how existing activities, operations, and business models can fit into mobile constructs, but rethink how mobility can fundamentally transform the business itself. MDM solution components A mobile device management (MDM) solution provides similar features that you would expect a systems management solution would use to manage PCs.

Play Store Still Peppered with Fleeceware Apps (Infosecurity Magazine, Jan 14 2020)
Risk of being suckered by overpriced app subscriptions persists for Android users

5G Security (Schneier on Security, Jan 14 2020)
The security risks inherent in Chinese-made 5G networking equipment are easy to understand. Because the companies that make the equipment are subservient to the Chinese government, they could be forced to include backdoors in the hardware or software to give Beijing remote access. Eavesdropping is also a risk, although efforts to listen in would almost certainly be detectable.

High-risk Google account owners can now use their iPhone as a security key (Help Net Security, Jan 15 2020)
Google users who opt for the Advanced Protection Program (APP) to secure their accounts are now able to use their iPhone as a security key. About Google’s Advanced Protection Program Google introduced the Advanced Protection Program in late 2017, to help high-risk users – journalists, human rights activists, IT admins, executives, etc. keep their Google accounts safe from targeted attacks. APP is available to both consumer (Google Account) and enterprise users (G Suite).

Mobile Banking Malware Up 50% in First Half of 2019 (Dark Reading, Jan 17 2020)
A new report from Check Point recaps the cybercrime trends, statistics, and vulnerabilities that defined the security landscape in 2019.

Teen Charged Over $50m SIM-Swapping Scam on Blockchain Experts (Infosecurity Magazine, Jan 17 2020)
Teen charged in connection with SIM-swapping scam targeting head of Blockchain Research Institute and his son

Scottish Police Deploy Tech That Extracts Data from Locked Smartphones (Infosecurity Magazine, Jan 21 2020)
Police Scotland is using Cellebrite machines to retrieve data from locked devices