NowSecure - Issue #76

October 6 · Issue #76
NowSecure #MobSec5
Quite a start to Cybersecurity Awareness Month, eh?
First, the Equifax tire-fire continues to burn. Monday, the company announced that they’d underestimated the number of potential breach victims by 2.5 million – bringing the total number to 145.5 million people. Former CEO Richard Smith’s congressional testimony this week also showed that the company’s information security program failed on many levels. For one, Equifax failed to encrypt sensitive customer data at rest. The failures extended to their mobile app security program as well. Because their Equifax Mobile app for Android and iOS failed to validate certificates post-authentication, they’ve been without a live mobile app for more than four weeks. How would your organization’s mobile app being offline for a month affect your business? NowSecure can help you build a mobile app security program to prevent vulnerabilities like this from making it through to production: contact us or check out our mobile app security program management handbook. (Oh, and the IRS awarded Equifax a no-bid $7.25 million contract at the end of September to “verify taxpayer identities and help prevent fraud,” weeks after the breach was announced September 7.)
Next, Verizon announced this week that the August 2013 Yahoo breach was also worse than originally thought. We’ll let this CNN headline do the talking: “Every single Yahoo account was hacked - 3 billion in all.”
Finally, yet another alleged breach of NSA information was revealed this week. In 2015, according to the Wall Street Journal, Russian attackers stole NSA files residing on an NSA employee’s home computer and were tipped off to the files’ existence via Kaspersky antivirus software installed on the computer. The Washington Post reports that “A Russian law requires telecommunications companies in the country to provide access to their networks. Kaspersky’s servers are located in Moscow, which means that customer data flowing through its servers passes through those same telecom providers’ networks, a person familiar with the matter told The Post.”
Now, on to the week’s mobile security news!
This week’s edition of #MobSec5 includes:
  • Android Security Update available now
  • iOS 11.0.2 available now
  • White House Chief of Staff’s phone hacked
Thanks for reading. Have a great weekend, be good, and stay safe.

Android Security Bulletin—October 2017  |  Android Open Source Project
Apple releases iOS 11.0.2 for iPhone and iPad, including crackling audio fix for iPhone 8 | 9to5Mac
Over The Air - Vol. 2, Pt. 2: Exploiting The Wi-Fi Stack on Apple Devices | Google Project Zero
SMR-OCT-2017 | Samsung Mobile Security
iOS 11’s Misleading “Off-ish” Setting for Bluetooth and Wi-Fi is Bad for User Security | Electronic Frontier Foundation
Uber iOS app can virtually ‘see’ your phone screen, and Apple approved it | Digital Trends
John Kelly's personal cellphone was compromised, White House believes | POLITICO
NATO troops say Russia is hacking their smartphones - Vox
WebUSB - How a website could steal data off your phone | MWR Labs
Slides - Inside Android's Safety Attestation | Collin Mulliner
Gas Pump Skimmers | learn.sparkfun.com
CISO: Think about how your customers actually use your mobile apps | Computerworld