August 5 · Issue #20

Welcome to your “Hacker Summer Camp” edition of #MobSec5. The seminal infosec conferences of the summer, Black Hat USA and DEF CON, occurred this week, resulting in a flurry of mobile security news. Black Hat is a wrap, but DEF CON is just getting started and continues through the weekend (schedule of talks). We couldn’t find an index of Black Hat’s “Android, iOS, and Mobile Hacking” talk track that included links to both abstracts AND, where available, associated slides, whitepapers, and source code; so we created one right here for you! Below the list you’ll find your regularly scheduled dose of the week’s mobile security news.

Apple Releases iOS 9.3.4 With Important Security Fix [Update: Jailbreak Patched] - Mac Rumors
“Apple today released an iOS 9.3.4 update for the iOS 9 operating system, just over two weeks after releasing iOS 9.3.3 and less than two months before we expect to see the public release of iOS 10, currently in beta testing.” It’s been reported that this update patches the exploit used for the iOS 9 jailbreak released by Team Pangu in recent weeks.

Android Security Bulletin—August 2016 | Android Open Source Project
“The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Alongside the bulletin, we have released a security update to Nexus devices through an over-the-air (OTA) update.”

Apple is launching an invite-only bug bounty program | The Verge
“Apple is planning a new bug bounty program that will offer cash in exchange for undiscovered vulnerabilities in its products.”
During his “Behind the Scenes of iOS Security [abstract only]” talk at Black Hat, Head of Apple Security Engineering and Architecture Ivan Krstic revealed that next month Apple will launch a bug bounty. Payouts range from $25,000 for flaws that “allow access from a sandboxed process to user data outside of that sandbox” to $200,000 for vulnerabilities in the “secure boot firmware components” category (see pictures of two slides from the presentation posted on Twitter). Apple launching a bug bounty program is a great thing, but making it invite-only might miss the point, because it fails to bring to light vulnerabilities discovered by researchers who aren’t official members of the program.

How Bugs Lead to a Better Android | Threatpost
“During a talk at Black Hat 2016, Kralevich, who is one of the original founding members of the Android security team, discussed how the Android team springs into action post bug notification and what it does to fix the problem and learn from its mistakes. He said many of the worst Android bugs have led to a significant hardening of Android’s defenses ranging from protecting data in transit, advanced sandboxing and designing safer APIs.” You can find slides for Nick Kralevich’s talk “The Art of Defense - How Vulnerabilities Help Shape Security Features and Mitigations in Android” here.

Hackers break into Telegram, revealing 15 million users' phone numbers | VentureBeat
“Iranian hackers have compromised more than a dozen accounts on the Telegram instant messaging service and identified the phone numbers of 15 million Iranian users, the largest known breach of the encrypted communications system, cyber researchers told Reuters.” The article goes on to explain, “Telegram’s vulnerability…lies in its use of SMS text messages to activate new devices…Telegram’s reliance on SMS verification makes it vulnerable in any country where cellphone companies are owned or heavily influenced by the government.” News of this hack comes just a week after NIST suggested it may soon call SMS-based two-factor authentication (2FA) deprecated. For NowSecure CEO Andrew Hoog’s thoughts about using SMS as an authenticator for 2FA, read his blog post published this week.

Here's How to Overcome Newly Discovered iPhone Ransomware | Fortune
“Hackers are trying to fool iPhone owners into paying them $50, even though a simple unlock can be used to circumvent the ransom.” Earlier this week, several people reported seeing a different lock screen on their iPhone that stated (photo), “The device is locked. Unlock 50$. Write on e-mail: helpappledevice@gmail.com.” Apparently the attacker had set these phones to “Lost Mode” and displayed the custom message. To defeat the attack, users need to reset their Apple ID password and take the phone out of Lost Mode.

Dashlane, Google launch ‘OpenYOLO,’ an API-based password project for Android apps | TechCrunch
“The two have unveiled OpenYOLO — …short for ‘you only login once’ — an open-source API project for app developers to access passwords stored in password managers, whichever one you happen to use.”

Needle iOS security testing tool to be unveiled at Black Hat Arsenal - Help Net Security
“In a session at Black Hat USA 2016 on Wednesday, Marco Lancini, Security Consultant at MWR InfoSecurity, will demonstrate publicly for the first time a new iOS security testing tool.”