NowSecure #MobSec5 - Week of Mar. 20

“Today, we’re sharing the third annual Android Security Year In Review, a comprehensive look at our work to protect more than 1.4 billion Android users and their data.”

The report provides the status of various Google initiatives aimed at securing the Android platform including data from approximately 1.4 billion devices. With their monthly Android security bulletins in 2016, Google patched a total of 655 vulnerabilities – 133 of critical, 365 of high, 154 of moderate, and 3 of low severity. While the document highlights a number of improvements, what sticks out is that just over half of Android devices across 200 manufacturers and 2,000 models had a 2016 patch level as of December 2016.  The flip side suggests that about half of Android devices did not receive security updates last year. However, Director of Android Security Adrian Ludwig did tell Wired he estimates that twice as many people installed an Android patch in 2016 compared to 2015 – which if true is a sure sign of progress. Regardless, the security problems fertilized by Android fragmentation remain. In the same article, Samsung Mobile Security Director Henry Lee discussed the challenges manufacturers face in applying Android security updates to their customized operating systems. Lee said that 60 percent of Samsung users received an update in 2016.

“So, today, I’m excited to share a first developer preview of the next version of the OS: Android O. The usual caveats apply: it’s early days, there are more features coming, and there’s still plenty of stabilization and performance work ahead of us. But it’s booting :).”

“Today, March 23rd 2017, WikiLeaks releases Vault 7 ‘Dark Matter,’ which contains documentation for several CIA projects that infect Apple Mac firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA’s Embedded Development Branch (EDB).”

The release includes a user guide from 2008 for a program called NightSkies v1.2. The program is a “beacon/loader/implant tool for the Apple iPhone 3G v2.1,” which collects location and other data from an iPhone. The guide includes instructions for configuring and installing the tool on factory-fresh devices. WikiLeaks’ claim that NightSkies suggests the CIA has been infecting the iPhone supply chain has been met with some skepticism. So far it seems disclosed documentation has only included mention of implanting NightSkies on a MacBook Air that is given to a target as a gift. Apple has said in a statement that, “Based on our initial analysis, the alleged iPhone vulnerability affected iPhone 3G only and was fixed in 2009 when iPhone 3GS was released. Additionally, our preliminary assessment shows the alleged Mac vulnerabilities were previously fixed in all Macs launched after 2013.” In related news, the US government may have confirmed that some items from the Vault 7 stash are authentic via a request that certain documents not be admitted in court, according to MotherBoard.

“A partnership between the secret-spilling group and Google, Microsoft, and Apple has already hit its first road block.”

The companies that develop technology products mentioned in the Vault 7 release are wrestling with how to move forward “because the vulnerabilities come from highly-classified documents (which may have been illegally obtained).” Apple alluded to this concern in their statement this week writing, “We have not negotiated with WikiLeaks for any information. We have given them instructions to submit any information they wish through our normal process under our standard terms. Thus far, we have not received any information from them that isn’t in the public domain. We are tireless defenders of our users’ security and privacy, but we do not condone theft or coordinate with those that threaten to harm our users.”

“Here are the basics about the new restrictions, plus some tips for surviving a transatlantic flight without your favorite electronic devices.”

“From voice timbre to body movement patterns to the rhythm of your heartbeat, the human body offers a half-dozen sexier, less hackable ways to key in a passcode.”

“Nest’s Dropcam and Dropcam Pro security cameras can be wirelessly attacked via Bluetooth to crash and stop recording footage. This is perfect for burglars and other crooks who want to knock out the cams moments before robbing a joint.”

“Weed, low pay, and a lack of female employees, are what’s leaving the US susceptible to cyber attacks. In its latest published report on the nation’s cyber security strategy (2015), the US department of justice found that 40 per cent of FBI cyber security positions were unfilled.”

“Chrome to immediately stop recognizing EV status and gradually nullify all certs.”

Google’s sanctions stem from problems it has with Symantec CAs. One example involved the issuance of test certificates for third-party domains without those domain-holders’ permission. This could have allowed anyone with those certificates to impersonate servers hosting those third-party sites, which serves as a good mobile app security reminder. When an app connects to a server to facilitate certain functionality, best practices call for authenticating that server’s identity via its certificate. To avoid connecting with servers posing as trusted servers, apps should implement certificate-pinning to add an extra layer of defense against man-in-the-middle attacks. Certificate-pinning consists of hard-coding the specific certificate for a back-end server into an app. The app will then only connect with servers presenting those hard-coded certificates, reducing the risk that it will connect with an impersonator.