Showing posts with label SECURITY & FRAUD. Show all posts

Thursday, December 14, 2017

5 mobile security threats you should take seriously in 2018

IDGNS

Mobile security is at the top of every company's worry list these days — and for good reason: Nearly all workers now routinely access corporate data from smartphones, and that means keeping sensitive info out of the wrong hands is an increasingly intricate puzzle. The stakes, suffice it to say, are higher than ever: The average cost of a corporate data breach is $21,155 per day, according to a 2016 report by the Ponemon Institute.
While it's easy to focus on the sensational subject of malware, the truth is that mobile malware infections are incredibly uncommon in the real world — with your odds of being infected significantly less than your odds of being struck by lightning, according to one estimate. That's thanks to both the nature of mobile malware and the inherent protections built into mobile operating systems.
The more realistic mobile security hazards lie in some easily overlooked areas, all of which are only expected to become more pressing in the coming year:

1. Data leakage

It may sound like a diagnosis from the robot urologist, but data leakage is widely seen as being one of the most worrisome threats to enterprise security as we head into 2018. What makes the issue especially vexing is that it often isn't nefarious by nature; rather, it's a matter of users inadvertently making ill-advised decisions about which apps are able to see and transfer their information.
"The main challenge is how to implement an app vetting process that does not overwhelm the administrator and does not frustrate the users," says Dionisio Zumerle, research director for mobile security at Gartner. He suggests turning to mobile threat defense (MTD) solutions — products like Symantec's Endpoint Protection Mobile, CheckPoint's SandBlast Mobile, and Zimperium's zIPS Protection. Such utilities scan apps for "leaky behavior," Zumerle says, and can automate the blocking of problematic processes.
Of course, even that won't always cover leakage that happens as a result of overt user error — something as simple as transferring company files onto a public cloud storage service, pasting confidential info in the wrong place, or forwarding an email to an unintended recipient. That's a challenge the healthcare industry is currently struggling to overcome: According to specialist insurance provider Beazley, "unintended disclosure" was responsible for a full 41 percent of data breaches reported by healthcare organizations in the first three quarters of 2017 — more than double the next highest cause.
For that type of leakage, data loss prevention (DLP) tools may be the most effective form of protection. Such software is designed explicitly to prevent the exposure of sensitive information, including in accidental scenarios.

2. Social engineering

The tried-and-true tactic of trickery is just as troubling on the mobile front as it is on desktops. Despite the ease with which one would think social engineering cons could be avoided, they remain astonishingly effective.

A staggering 90 percent of data breaches observed by Verizon's Enterprise Solutions division are the result of phishing, according to the company's 2017 Data Breach Investigations Report. While only 7 percent of users fall for phishing attempts, Verizon says, those gullible guys and gals tend to be repeat offenders: The company estimates that in a typical organization, 15 percent of users who are successfully phished will be phished at least one more time within the same year.
What's more, numerous bits of research suggest users are more vulnerable to phishing from mobile devices than desktops — by as much as three times, according to an IBM study, in part because a phone is where people are most likely to first see a message. "We do see a general rise in mobile susceptibility driven by increases in mobile computing overall [and] the continued growth of BYOD work environments," says John "Lex" Robinson, information security and anti-phishing strategist at PhishMe — a firm that uses real-world simulations to train workers on recognizing and responding to phishing attempts.
Robinson notes that the line between work and personal computing is also continuing to blur. More and more workers are viewing multiple inboxes — connected to a combination of work and personal accounts — together on a smartphone, he notes, and almost everyone conducts some sort of personal business online during the workday. Consequently, the notion of receiving what appears to be a personal email alongside work-related messages doesn't seem at all unusual on the surface, even if it may in fact be a ruse.

3. Wi-Fi interference

A mobile device is only as secure as the network through which it's transmitting data. In an era where we're all constantly connecting to public Wi-Fi networks, that means our info often isn't as secure as we might assume.
Just how significant of a concern is this? According to new research being released by enterprise security firm Wandera this week, corporate mobile devices use Wi-Fi almost three times as much as they use cellular data. Nearly a quarter of devices have connected to open and potentially insecure Wi-Fi networks, and 4 percent of devices have encountered a man-in-the-middle attack — in which someone maliciously intercepts communication between two parties — within the most recent month.
"These days, it's not difficult to encrypt traffic," says Kevin Du, a computer science professor at Syracuse University who specializes in smartphone security. "If you don't have a VPN, you're leaving a lot of doors on your perimeters open."




Selecting the right enterprise-class VPN, however, isn't so easy. As with most security-related considerations, a tradeoff is almost always required. "The delivery of VPNs needs to be smarter with mobile devices, as minimizing the consumption of resources — mainly battery — is paramount," Gartner's Zumerle points out. An effective VPN should know to activate only when absolutely necessary, he says, not when a user is accessing a news site, for instance, or when a user is working within an app that's known to be trustworthy and secure.

4. Out-of-date devices

Smartphones, tablets and smaller connected devices — commonly known as the internet of things (IoT) — pose a new risk to enterprise security in that unlike traditional work devices, they generally don't come with guarantees of timely and ongoing software updates. This is true particularly on the Android front, where the vast majority of manufacturers are embarrassingly ineffective at keeping their products up to date — both with operating system (OS) updates and the smaller monthly security patches between them — as well as with IoT devices, many of which aren't even designed to get updates in the first place.
"Many of them don't even have a patching mechanism built in, and that's becoming more and more of a threat these days," Du says.
Again, a strong policy goes a long way. There are Android devices that do receive timely and reliable ongoing updates. Until the IoT landscape becomes less of a wild west, it falls upon a company to create its own security net around them.

5. Physical device breaches

Last but not least is something that seems silly but remains a disturbingly realistic threat: A lost or unattended device can be a major security risk, especially if it doesn't have a strong PIN or password and full data encryption.
Consider the following: In a 2016 Ponemon Institute study, 35 percent of professionals indicated their work devices had no mandated measures in place to secure accessible corporate data. Worse yet, nearly half of those surveyed said they had no password, PIN, or biometric security guarding their devices — and about two-thirds said they didn't use encryption. Sixty-eight percent of respondents indicated they sometimes shared passwords across personal and work accounts accessed via their mobile devices.
The take-home message is simple: Leaving the responsibility in users' hands isn't enough. Don't make assumptions; make policies. You'll thank yourself later.



via CSO

Friday, November 10, 2017

180M Smartphones Vulnerable To Hacker Eavesdropping


Appthority, the enterprise mobile threat protection company, announced news on Thursday (Nov. 9) that it published research on its recent discovery of a so-called Eavesdropper vulnerability, in which hackers can intercept texts, voice messages and other user data from millions of smartphones through their mobile apps.
In a press release, the company said the cyberattack vulnerability is caused by “developers carelessly hard coding their credentials in mobile applications that use the Twilio Rest API or SDK, despite best practices the company clearly outlines in its documentation.” Twilio, said Appthority, has reached out to all developers with affected apps and is actively working to secure their accounts.
According to the company, Appthority mobile security researchers have identified this as a real and ongoing threat affecting close to 700 apps in enterprise mobile environments, over 170 of which are live in the official app stores today. Affected Android apps have been downloaded up to 180 million times, the company said.
What’s more, the company said the issue is not specific to developers who create apps with Twilio. Hard coding of credentials is a common developer error that increases the security risks of mobile apps. Appthority researchers are finding that developers who hardcode credentials in one service are likely to make the same error with other services.
Examples of apps with the Eavesdropper vulnerability include an app for secure communication for a federal law enforcement agency, an app that enables enterprise sales teams to record audio and annotate discussions in real-time and branded and white label navigation apps for customers, such as AT&T and U.S. Cellular, the mobile threat protection company stated in its press release.

“Eavesdropper poses a serious enterprise data threat because it allows an attacker to access confidential company information, which may include a range of sensitive information often shared in an enterprise environment, such as negotiations, pricing discussions, recruiting calls, product and technology disclosures, health diagnoses, market data or M&A planning,” said Seth Hardy, Appthority director of Security Research in the release. “An attacker could convert recorded audio files to text and search a massive data set for keywords and find valuable data.”
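
For development teams, the hard-coding error described above can be caught before an app ships. The following pre-release check is an added example, not code from Appthority or Twilio: it relies on the fact that Twilio Account SIDs are "AC" followed by 32 hexadecimal characters and auth tokens are 32 hexadecimal characters, and every file name and credential value in it is constructed for illustration.

```python
import re
from dataclasses import dataclass

# Twilio Account SID: "AC" + 32 hex characters. Auth token: 32 hex characters.
ACCOUNT_SID = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
HEX32 = re.compile(r"\b[0-9a-fA-F]{32}\b")


@dataclass
class Finding:
    path: str
    line: int
    kind: str       # "sid_with_token" (usable credential pair) or "account_sid"
    redacted: str   # never echo a full identifier into build logs


def redact(value: str, keep: int = 6) -> str:
    return value[:keep] + "*" * (len(value) - keep)


def scan_text(path: str, text: str, window: int = 3) -> list:
    """Flag every Account SID literal; escalate when a 32-hex token sits nearby."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for match in ACCOUNT_SID.finditer(line):
            lo, hi = max(0, i - window), min(len(lines), i + window + 1)
            nearby = "\n".join(lines[lo:hi])
            # The 34-character SID cannot satisfy HEX32, so a hit here is a
            # separate 32-hex literal, i.e. a likely auth token.
            kind = "sid_with_token" if HEX32.search(nearby) else "account_sid"
            findings.append(Finding(path, i + 1, kind, redact(match.group())))
    return findings


def scan_files(files: dict) -> list:
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def release_blocked(findings: list) -> bool:
    """Fail the build when a complete credential pair is embedded in the app."""
    return any(f.kind == "sid_with_token" for f in findings)


# Constructed sample sources; none of these values are real credentials.
SAMPLE_FILES = {
    "SmsSender.java": '''
public class SmsSender {
    private static final String ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef";
    private static final String AUTH_TOKEN  = "fedcba9876543210fedcba9876543210";
}
''',
    "BackendClient.java": '''
public class BackendClient {
    // The app calls the team's own backend; the backend holds the API credentials.
    private static final String ENDPOINT = "https://api.example.invalid/send";
}
''',
    "strings.xml": '<string name="sid">AC00112233445566778899aabbccddeeff</string>',
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line}: {f.kind} {f.redacted}")
    print("release blocked:", release_blocked(results))
```

BackendClient.java produces no finding because the credentials live on the server rather than in the shipped binary, which is the pattern that removes the exposure.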

via pymnts

Tuesday, August 15, 2017

PayThink 'Self-protection' can shield banks from new Android BankBot card malware

Recently, the Dutch company Securify came across a new sample of the BankBot Android mobile banking malware.
While older samples of BankBot mainly targeted Russian financial institutions, the latest sample shows that BankBot now targets European and American institutions as well. More specifically, BankBot now targets over 420 leading institutions in countries such as Germany, France, Austria, the Netherlands, Turkey and the United States.
BankBot is a banking Trojan horse that poses as an apparently benign consumer banking application. When the application is installed and run, it asks for administrative privileges. Once these privileges are granted, the icon disappears from the home screen. From that moment, the device is compromised and BankBot attempts to steal the customer’s credentials (e.g., username and PIN) and debit or credit card information.
BankBot tries to steal banking credentials by using a well-known technique called overlay. The malware creates a window that mimics the look and feel of the targeted mobile banking app, and it aims to trick users into entering their credentials. This overlay window is positioned on top of the target app when the user launches it. Because the fraudulent overlay window is created to look exactly like the target app, the user usually believes they are interacting with their institution’s genuine mobile banking app.
The BankBot malware comes with a list of names of mobile banking apps that it targets, and it compares names in this target list against the names of apps running on the Android device of the user. When BankBot detects that a running app is present in its target list, it generates the overlay window and positions it on top of the target app to deceive the device’s owner.
Technologists reviewing the following code snippet of BankBot can see exactly how the malware checks whether any of the processes running on the Android device are present in the target list, and how the malware launches the overlay injection routine. The comments in the code have been added by threat analyst Ernesto Corral to simplify reading.
The overlay itself consists of a customized WebView, which is an Android component that can be used to show a web page within an app. The content of the WebView is downloaded on the fly from the C2 server.
Can runtime application self-protection (RASP) offer protection? An analysis of a test shows RASP successfully defends mobile banking apps targeted by BankBot against overlay attacks. As a result, we can safely say that all of the more than 420 apps targeted by BankBot are protected, if so equipped. This is crucial because virtually all currently known malware families use the same deceptive overlay technique as BankBot. A good example of another malware family using this technique is Marcher, one of the most active banking malware families of 2016 according to Kaspersky’s report Financial Cyberthreats in 2016.
Moreover, RASP’s generic overlay protection mechanism ensures “future-proofing”: Any new mobile banking apps that are targeted by BankBot in the future using the same overlay technique, will also be protected.
Even if a banking Trojan should manage to steal a user’s banking credentials (his or her PIN, for instance), the user’s credentials would be of little value to a fraudster, if the app is protected with two-factor authentication, as were apps and devices in this test.
Apps protected in this way use two authentication elements: something the user knows (for example, the PIN) and something the user has (e.g., a cryptographic key stored on the mobile device), which is used to generate one-time passwords. While overlay attacks can be used to target the knowledge factor, they cannot attack the possession factor to steal the cryptographic key.
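
The split between the two factors can be made concrete with a small server-side model. This is an added example, not code from the article or from any RASP product: the article does not name the one-time-password scheme, so HOTP (RFC 4226) is assumed here, and the PIN, key and class names are constructed.

```python
import hashlib
import hmac
import os
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class BankAccount:
    """Server-side record: a PIN verifier plus the key provisioned to the device."""

    def __init__(self, pin: str, device_key: bytes):
        self._salt = os.urandom(16)
        self._pin_hash = self._hash(pin)
        self._device_key = device_key
        self._counter = 0                         # next unused counter value

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def login(self, pin: str, otp: str, look_ahead: int = 3) -> bool:
        # Knowledge factor: the value an overlay window can capture.
        pin_ok = hmac.compare_digest(self._hash(pin), self._pin_hash)
        # Possession factor: only the holder of the device key can compute it.
        matched = None
        for c in range(self._counter, self._counter + look_ahead + 1):
            if hmac.compare_digest(hotp(self._device_key, c).encode(), otp.encode()):
                matched = c
        if pin_ok and matched is not None:
            self._counter = matched + 1           # each code is accepted once
            return True
        return False


class Device:
    """The user's phone: holds the key and its own counter."""

    def __init__(self, key: bytes):
        self._key = key
        self._counter = 0

    def next_otp(self) -> str:
        otp = hotp(self._key, self._counter)
        self._counter += 1
        return otp


def overlay_scenario() -> dict:
    key = b"12345678901234567890"                 # constructed: RFC 4226 test key
    account, device = BankAccount("4821", key), Device(key)
    first = device.next_otp()
    return {
        "genuine_login": account.login("4821", first),
        # PIN captured by an overlay, but no access to the device key:
        "stolen_pin_guessed_otp": account.login("4821", "000000"),
        "stolen_pin_reused_otp": account.login("4821", first),
        "genuine_next_login": account.login("4821", device.next_otp()),
    }


if __name__ == "__main__":
    for case, accepted in overlay_scenario().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```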
Analysts at the threat research labs used in this study analyzed the internals of malware such as BankBot and Marcher. Findings show that at this point, many or most Android mobile banking malware families use the same approach to create fraudulent overlay windows that deceive users.
Based on lab testing, I and the threat research lab team are confident that RASP technology can, if properly developed and with sufficient security features to detect and prevent application-level intrusions, offer protection against all malware families that use this approach. Furthermore, two-factor authentication functionality can ensure that even successful overlay attacks can be thwarted.

Tuesday, July 18, 2017

Google just made it waaaay easier to backup any PC



It's time to back up your PC. Here are 6 things to consider
Google just launched a new way to back up your PC data.



6 things you should know about backing up your PC

Is it time to rethink the old ways of archiving your data? Maybe all but one of them...
Last week, Google announced the new desktop version of its Backup and Sync app, and it got me thinking: What does desktop backup even mean in 2017?
Not so long ago, there was one and only one way to protect the precious data riding around in your laptop: Connect an external drive (or, if you were really fancy, a network drive), then perform a complete system backup.
But is that really necessary anymore? It's time to inject some modern thinking into the old notions of PC backups. Here's what you should know:

It's all about the data

Think about what you're really trying to preserve in a backup. It's the data, right? Family photos, financial records, school papers, work documents -- stuff like that.
OK, but what about software? What about the operating system? A full-system backup lets you preserve these items in addition to your data, the idea being to let you restore everything in one fell swoop should disaster strike.
But, remember: What you really care about is the data.

Not all software needs to be backed up...

In the old days, when you bought software on CDs or even floppy disks, a full-system backup was logical, if only to avoid having to manually reinstall all those programs. Thanks to slow-loading media and comparatively slow PCs, that could be a long, torturous process.
But think about the software you use today. Some of it is probably web-based, meaning there's nothing to reinstall -- you just sign back into your, say, Google Docs account. As for local apps like CCleaner, Evernote, iTunes, Steam (and Steam games) and your antivirus software, you can quickly and easily re-download and reinstall them. (Even certain data is easily replaceable, like the PDF instruction manual you downloaded for your printer. Why bother backing that up?)
So make a little inventory list of the software you're using and see if there's anything that actually needs to be backed up. There might be exceptions, like commercial programs that give you only a one-time download option (video editor CyberLink PowerDirector comes to mind). Those downloads, if you have any, should definitely get backed up along with your other data.

...and neither does Windows (sort of)

Assuming you're running Windows 10 ($139.95 at Amazon.com), it's definitely a good idea to make a one-time backup of the OS in case you need it later. You can do this by running Microsoft's media-creation tool, which will put a copy of the OS onto a flash drive (5GB or larger).
Ah, but will you need it later? If you're having software-related issues with your PC (malware infestation, everyday Windows wonkiness), you can use Windows' Recovery tool to get a factory-fresh reset -- no external media required. But if you have to, say, replace a defunct hard drive, now you'll want that flash drive so you can reinstall Windows.

The dirty little secret of full-system backups

OK, but if that's the case, doesn't a full-system backup make more sense so you can do a full-system restoration? I'll argue no, for these reasons:
  • Full-system backups take time, even if you're just making incremental ones.
  • Full-system backups require large-capacity external drives, which cost money. You also need backup software. There are freeware options, but do you really want to trust your entire hard drive to a free program?
  • A full-system restore doesn't afford the benefits of a fresh Windows install; instead, you end up with all the same stray Registry keys and fragmented files that were dragging down the system before.
  • Full-system restores are notoriously inconsistent. In my experience, they just flat-out don't work sometimes. Contrast that with a fresh install of Windows, reinstalling your software and then restoring your data: Not much can go wrong with that.

Solution: Back up just your data

We've come full circle. These days, a full-system backup is of questionable value. That's because the only thing that really matters is your data -- and think about where that data lives.
On your hard drive, yes, but also in the cloud? All you need is a service like Amazon Drive, iCloud Drive, Google Drive or Microsoft OneDrive -- anything that automatically syncs your files to online storage.
Meanwhile, are there even photos on your PC anymore? If you're like many users, you take pictures with your phone, and that phone copies everything to the cloud. Likewise, are you still using your PC to manage a music collection? If you subscribe to the likes of Apple Music or Spotify, there's nothing you need to back up; all your songs and playlists live on those services.
Obviously there are exceptions, like if you have a large video library. Those files consume a lot of space, meaning cloud backup may not be practical. But I suspect many users just want to preserve office documents, tax records and the like, in which case a small amount of cloud storage easily gets the job done.

The big caveat

Many cloud services suffer from one considerable flaw: They won't protect you against ransomware and other forms of malware. The problem is that files corrupted on your PC will quickly get corrupted in the cloud as well, as part of the automated syncing process.
You can overcome that problem by keeping malware off your PC in the first place. But many security experts note that the best way to protect yourself is to make regular local backups of your data. (Just your data, mind you.) And here's the key: Make sure your backup includes older versions of your files. Because as with online backups, it's all too easy for infected files to overwrite clean ones, leaving your backup in the same condition as your hard drive.
Some backup services (including Carbonite, Dropbox and Google Drive) support versioning as well, though Google's implementation allows you to access only one file at a time -- just about useless if you have hundreds or even thousands of files to restore. And OneDrive keeps older versions only of Office files.
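
The difference between a plain sync and a backup that keeps older versions can be shown in a few lines. This is an added example, not part of the original article: the folder layout, date stamps and file contents are constructed, and the "corruption" is just a file overwritten with junk bytes inside a temporary directory.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def mirror_sync(source: Path, mirror: Path) -> None:
    """What a plain sync does: the newest copy replaces the old one."""
    for f in (p for p in source.rglob("*") if p.is_file()):
        target = mirror / f.relative_to(source)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, target)


def versioned_backup(source: Path, store: Path, stamp: str) -> list:
    """Keep each changed file as store/<relative path>/<stamp>; never overwrite."""
    saved = []
    for f in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = f.relative_to(source)
        versions = store / rel
        versions.mkdir(parents=True, exist_ok=True)
        history = sorted(versions.iterdir())
        if history and digest(history[-1]) == digest(f):
            continue                               # unchanged since the last run
        target = versions / stamp
        if target.exists():
            raise FileExistsError(f"refusing to overwrite {target}")
        shutil.copy2(f, target)
        saved.append(rel.as_posix())
    return saved


def restore(store: Path, rel: str, dest: Path, not_after: str) -> str:
    """Restore the newest version whose stamp is at or before not_after."""
    candidates = sorted(v for v in (store / rel).iterdir() if v.name <= not_after)
    if not candidates:
        raise LookupError(f"no version of {rel} at or before {not_after}")
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(candidates[-1], dest)
    return candidates[-1].name


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        docs, mirror, store = root / "docs", root / "mirror", root / "store"
        (docs / "tax").mkdir(parents=True)
        clean = b"2016 tax return\n"               # constructed sample data
        (docs / "tax" / "return.txt").write_bytes(clean)
        (docs / "notes.txt").write_bytes(b"school paper\n")

        mirror_sync(docs, mirror)
        first = versioned_backup(docs, store, "2017-07-10")

        # Simulated damage: the working copy is overwritten with junk bytes.
        (docs / "tax" / "return.txt").write_bytes(b"\x00corrupted\x00")
        mirror_sync(docs, mirror)                  # the damage follows the sync
        second = versioned_backup(docs, store, "2017-07-17")

        out = root / "out" / "return.txt"
        used = restore(store, "tax/return.txt", out, not_after="2017-07-10")
        return {
            "first_run": first,
            "second_run": second,
            "mirror_is_clean": (mirror / "tax" / "return.txt").read_bytes() == clean,
            "restored_is_clean": out.read_bytes() == clean,
            "restored_version": used,
        }


if __name__ == "__main__":
    print(demo())
```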
What are your thoughts on modern-day PC backups? Do you think archiving data alone is enough? Share your thoughts in the comments!
via cnet

Monday, July 3, 2017

Petya: Wiper or Ransomware & How to Protect Yourself

Learn the facts about the recent Petya attack that crippled many organizations worldwide. 

- Is it your regular run-of-the-mill ransomware or a wiper? 
- Who is a target? Why did it spread so quickly?
- How can organizations better protect themselves against similar attacks?

Friday, February 24, 2017

Malware Drone Steals Data Off Computer Hard Drive


Researchers at Ben-Gurion University’s cybersecurity lab have come up with a way to use malware installed on a drone to steal data off of computers by watching the optical stream of the LED on the computers’ hard drives and sending it to a camera outside the window.
The drone that steals data was created to showcase how the researchers developed a method to get around a security protection dubbed an “air gap” in which sensitive computer systems are separated from the internet to keep the information protected from hackers. If a hacker can put malware on one of the systems, it can quickly steal the secrets off a machine that is supposed to be isolated and thus protected. According to a report highlighting the demonstration, every blink of a hard drive’s LED indicator can provide sensitive information to a hacker with a line of sight to the computer, whether it’s by using a drone or a telescopic lens.
“If an attacker has a foothold in your air-gapped system, the malware still can send the data out to the attacker,” Ben-Gurion researcher Mordechai Guri said in the report. “We found that the small hard drive indicator LED can be controlled at up to 6,000 blinks per second. We can transmit data in a very fast way at a very long distance.”
According to the report, exploiting the LED on a computer’s hard drive has the potential to be a much sneakier and longer-distance hack than seen in the past. The researchers in their demonstration were able to move data at around 4,000 bits a second, which the report noted is close to a megabyte per half hour. The person receiving the data can then record it and use optical messages at a later time to decode all the information. What’s more, Guri said the malware can even replay the LED blinks in a loop so that every part of a transmission can be seen.
via pymnts

 