NowSecure #MobSec5 - Week of January 8

“To initiate a Spectre- or Meltdown-based attack, the attacker must be able to run code on the victim’s processor. WebKit is affected because in order to render modern web sites, any web JavaScript engine must allow untrusted JavaScript code to run on the user’s processor.”

Even with security updates, though, the widespread exposure to Spectre and Meltdown emphasizes the need for a layered approach to cybersecurity. We’ve shared some thoughts on a layered approach for mobile. Read “Defense in Depth: A Layered Approach to Mobile Security with MDM, MAM & Mobile App Vetting” on the NowSecure blog.

“A new report from security firms IOActive and Embedi reveals that flaws in mobile industrial control system applications could be exposing industrial IT systems to risks.”

Our team found that 85% of third-party mobile apps, including some industrial control system apps, have major risks, violating at least one of the OWASP mobile top 10 criteria. >>>REGISTER to learn more on January 23 at 1pm CT: “85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?”

“…due to flaws in both Signal and WhatsApp (which I single out because I use them), it’s theoretically possible for strangers to add themselves to an encrypted group chat.”

“The malicious app, which has 1,000-5,000 installs as of writing, is capable of remote command execution, information theft, SMS sending, URL forwarding, and click ad fraud. It can also sign up users for premium SMS subscription services without their permission.”

“We were working on an iOS app which provide paid video content. So the possibility of getting the video being recorded using the iOS 11 screen capture feature was something that needs to be handled. Here is how I did it.”

“Users are, of course, prompted for permission to access their microphones, but one expert quoted in the piece argues the wording is still misleading.”

“A bug report submitted on Open Radar this week has revealed a security flaw in the current version of macOS High Sierra that allows the App Store menu in System Preferences to be unlocked with any password.”

“They also advertised a variety of capabilities: scanning, cleaning junk, saving battery, cooling the CPU, locking apps, as well as message security, WiFi security, and so on. The apps were actually able to perform these simple tasks, but they also secretly harvested user data, tracked user location, and aggressively pushed advertisements.”

“In this article I will give you a primer on the Advanced Encryption Standard (AES), common block modes, why you need padding and initialization vectors and how to protect your data against modification.”

“Backups of virtual machines on some hosts could be accessed or altered by an attacker.”

“Microsoft has paused distributing its Meltdown and Spectre security updates for some older AMD machines after reports of PCs not booting.”

“The groups said they believe such a bill should establish a standard for data protection and a process to notify breach victims, law enforcement and applicable regulatory agencies.”