NowSecure #MobSec5 - Week of Jan. 9

“The supposed ‘backdoor’ the Guardian is describing is actually a feature working as intended, and it would require significant collaboration with Facebook to be able to snoop on and intercept someone’s encrypted messages, something the company is extremely unlikely to do.”

“A hacker provided Motherboard with a large cache of customer information, databases, and more.”

The data Motherboard received may include customer usernames and passwords for Cellebrite accounts (potentially identifying Cellebrite’s customers) in addition to files containing evidence seized from mobile devices – which, if true, could present chain-of-custody problems. Cellebrite markets a product that can extract data from mobile devices including call logs, SMS, MMS, media, e-mail, location information, and more. It’s rumored that the FBI hired Cellebrite to unlock the iPhone of San Bernadino suspect Syed Farook, though neither organization has confirmed. Are you running into obstacles trying to gather the data you need to diagnose and investigate mobile security incidents? Save a seat for NowSecure CEO Andrew Hoog’s talk “How Android and iOS Security Enhancements Complicate Threat Detection” included in the Mobile & IoT Security track at RSA Conference 2017 in February (and visit us at booth N3334).

“A bug in GoDaddy’s domain validation process forced the registrar to revoke SSL certificates and reissue more than 6,000 certs.”

“According to a cybersecurity notice from the Food and Drug Administration, certain pacemakers and cardiac devices are currently vulnerable to hacking.”

The FDA’s report explains vulnerabilities in St. Jude Medical’s Merlin@home™ transmitter that wirelessly monitors implantable pacemakers and defibrillators, and comes on the tail of cybersecurity guidance for medical devices published by the agency in December 2016.  On Monday, St. Jude announced the release of security updates for the Merlin@home transmitter. Cybersecurity company MedSec discovered security flaws in St. Jude’s technology and partnered with investment firm Muddy Waters to announce the vulnerabilities this past summer. Both companies hoped to profit from a short sale of St. Jude shares thinking prices would drop with news of the security issues going public. On their website, Muddy Waters wrote that St. Jude’s announcement was vindication but said the security update failed to fix all of the reported vulnerabilities. Of the update, MedSec CEO Justine Bone wrote, “severe vulnerabilities remain unaddressed including the ability to issue an unauthorized command from a device other than the Merlin@home device.”

“If an enemy or criminal gains access to someone’s cellphone, they gain access to all aspects of that person’s life — both work and personal.”

“The Israeli army said it uncovered a covert operation by Hamas to spy on the military via social media and cellphones.”

“The program will ‘secure tactical mobile handheld devices to support distributed multilevel information sharing without the need for reaching back to large-scale fixed infrastructure, create new networks based on resilient and secure architectures that work in challenging environments, and develop software that rapidly configures security across the network,’ DARPA says.”

“Google cloud KMS is designed to help organizations create, use, rotate and destroy AES-256 standard symmetric encryption keys for protecting data in cloud environments.”

“Independent mobile security experts have questioned whether the technology offers much by way of benefits over that offered by native Pixel smartphones.”

“Now it’s much harder for an attacker to modify protected pointers in memory without being detected.”