January 12 · Issue #86
Hello #MobSec5 readers! The Spectre & Meltdown spectacle continues this week, among other mobile security news including:
- Strangers potentially adding themselves to encrypted group chats
- Industrial IT systems at risk due to flaws in ICS mobile apps
- Apps disguised as security tools bombard users with ads and track users’ location
Thanks for reading. Have a great weekend, be good, and stay safe.
What Spectre and Meltdown Mean For WebKit | WebKit
“To initiate a Spectre- or Meltdown-based attack, the attacker must be able to run code on the victim’s processor. WebKit is affected because in order to render modern web sites, any web JavaScript engine must allow untrusted JavaScript code to run on the user’s processor.” Update, update, update - remain vigilant about security updates. Companies like Apple and Google made statements last week describing their mitigation steps, some of which require customer action. WebKit released an update on Monday and has advised app developers to switch to the Modern WebKit API as a defense against attacks exploiting these flaws.
IOActive and Embedi Discover 147 Vulnerabilities in ICS Mobile Apps | eWeek
“A new report from security firms IOActive and Embedi reveals that flaws in mobile industrial control system applications could be exposing industrial IT systems to risks.”
Attack of the Week: Group Messaging in WhatsApp and Signal | A Few Thoughts on Cryptographic Engineering
“…due to flaws in both Signal and WhatsApp (which I single out because I use them), it’s theoretically possible for strangers to add themselves to an encrypted group chat.”
First Kotlin-Developed Malicious App Signs Users Up for Premium SMS Services | TrendLabs Security Intelligence Blog
“The malicious app, which has 1,000-5,000 installs as of writing, is capable of remote command execution, information theft, SMS sending, URL forwarding, and click ad fraud. It can also sign up users for premium SMS subscription services without their permission.”
Detecting screen capturing in iOS 11 | @abhimuralidharan via Medium
“We were working on an iOS app which provides paid video content. So the possibility of the video being recorded using the iOS 11 screen capture feature was something that needed to be handled. Here is how I did it.”
Hundreds of Creepy Mobile Games Can Use Your Mic to Track What You Watch on TV | Gizmodo
“Users are, of course, prompted for permission to access their microphones, but one expert quoted in the piece argues the wording is still misleading.”
macOS High Sierra's App Store System Preferences Can Be Unlocked With Any Password [Updated] | Mac Rumors
“A bug report submitted on Open Radar this week has revealed a security flaw in the current version of macOS High Sierra that allows the App Store menu in System Preferences to be unlocked with any password.”
Apps Disguised as Security Tools Bombard Users With Ads and Track Users' Location | TrendLabs Security Intelligence Blog
“They also advertised a variety of capabilities: scanning, cleaning junk, saving battery, cooling the CPU, locking apps, as well as message security, WiFi security, and so on.
The apps were actually able to perform these simple tasks, but they also secretly harvested user data, tracked user location, and aggressively pushed advertisements.” Even mobile security apps need to be scrutinized for leaking sensitive data and violating the OWASP Mobile Top 10 criteria. Add to your layered defense strategy by vetting third-party apps. Join our webinar on January 23 to understand the real risk posed by third-party apps. >>> REGISTER HERE for “85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?”
Security Best Practices: Symmetric Encryption with AES in Java and Android | ProAndroidDev
“In this article I will give you a primer on the Advanced Encryption Standard (AES), common block modes, why you need padding and initialization vectors and how to protect your data against modification.”
EMC, VMware security bugs throw gasoline on cloud security fire | Ars Technica
“Backups of virtual machines on some hosts could be accessed or altered by an attacker.”
Microsoft halts AMD Meltdown and Spectre patches after reports of unbootable PCs | The Verge
“Microsoft has paused distributing its Meltdown and Spectre security updates for some older AMD machines after reports of PCs not booting.”
Multi-Industry Organizations Call for National Data Protection Standard | ExecutiveBiz
“The groups said they believe such a bill should establish a standard for data protection and a process to notify breach victims, law enforcement and applicable regulatory agencies.”