A rising onslaught of phishing messages delivered via SMS (aka “smishing”) has been hitting mobile users around the world in the last few months. The fake messages impersonate payment, package delivery and streaming services, government and healthcare organizations, popular IT and email providers, online retailers, hospitality organizations, and so on. SMS phishing is popular because it’s effective The attackers’ goal is to get users to share sensitive information either via SMS or by entering it … More
The post We got used to SMS notifications and phishers are capitalizing on it appeared first on Help Net Security.
The global network slicing market size is projected to grow from $161 million in 2020 to $1,284 million by 2025, at a Compound Annual Growth Rate (CAGR) of 51.5% during the forecast period, according to MarketsandMarkets.
The network slicing market is gaining traction due to the evolution of cellular network technology, which has offered higher data speeds and lower latency. The rapid rise in the volume of data being carried by cellular networks has been driven largely by consumer demand for video and the shift of business toward the use of cloud services.
Services segment to grow at the highest CAGR during the forecast period
Services play a vital role in the deployment and integration of next-generation networking solutions in an enterprise’s business environment. Services are considered an important component of the network slicing market, as they majorly focus on improving the business processes and optimizing the enterprise’s network.
Services are considered as the backbone of network slicing, as they are instrumental in fulfilling the clients’ requirements, such as network testing, planning and optimization, support and maintenance, and consulting
Automotive segment to grow at the highest CAGR during the forecast period
The automotive industry also makes use of the 5G technology to boost the productivity, enhance the efficiency, increase drive the brand loyalty, and offer autonomous and cooperative vehicles with significantly improved security standards and multimodal transportation solutions.
The introduction of next-generation technologies, such as 5G gave birth to numerous applications, such as AR, virtual realityVR, and tactile internet.
North America region to record the highest market share in 2020
North America is one of the most technologically advanced regions in the world. Consumers based in this region have readily adopted 4G-enabled smartphones that make the region as one of the established and most advanced mobile regions in the world.
According to the Ericsson Mobility Report published in 2017, North America records the largest use of smartphones, and traffic per smartphone is expected to increase from 7.1GB per month by the end of 2017 to 48GB by the end of 2023.
The increasing number of internet subscribers, expanding mobile data traffic, and growing government emphasis on enhancing telecommunications infrastructure to meet the users’ demand for seamless connectivity would drive the market to a great extent in the region.
Further, the region is expected to be the early adopter of 5G services in areas such as AR/VR, autonomous driving, and AI owing to the high customer digital engagement.
These days, you’d be hard-pressed to find connected devices that do not come with companion smartphone applications. In fact, it’s very common for contemporary devices to offload most (if not all) of its display to the user handset.
Smartphones and the rise of IoT
Relying on the ubiquity of smartphones and the rise of remote controls, users and vendors alike have embraced the move away from physical device interfaces. This evolution in the IoT ecosystem, however, brings major benefits AND serious drawbacks.
While users enjoy the remote capabilities of companion apps and vendors bypass the need for hardware interfaces, studies show that they present serious cybersecurity risks. For example, the communication between an IoT device and its app is often not properly encrypted nor authenticated – and these issues enable the construction of exploits to achieve remote control of victim’s devices.
How the industry got here
It is important to explain that connected devices have not always been this way. I’m sure others like myself do not need to cast their minds far back to remember a time when smartphones did not even exist. User input during these halcyon days relied on physical interfaces on the device itself, interfaces that typically consisted of basic touch screens or two-line LCD displays.
Though functional, these physical interfaces were certainly limited (and limiting) when compared to the applications that superseded them. Devices without physical interfaces are smaller, consume less power, and look better. Developers, meanwhile, enjoy the relative ease of creating an app – with the additional support of software development kits – instead of manually programming physical interfaces. Perhaps most importantly, it’s many times cheaper for vendors to create devices with companion apps than to create devices with physical interfaces.
All that is without even starting on the benefits of remote connectivity! Smartphone apps enable users anywhere in the world to set the temperature of their air conditioning and record from their home security webcam with the click of a screen. These apps are simply much more expressive and intuitive than physical interfaces, enabling users to customize what they like from wherever they are. On the other hand, however, it is this element of remote connectivity which presents the compromise between usability and security.
The dangers of device companion apps
Unfortunately, the majority of companion apps have the potential to open devices to bad actors. Researchers last year found that about half are potentially exploitable through protocol analysis since they use local communication or local broadcast communication, thus providing an attack path to exploit lack of crypto or use of hardcoded encryption keys. Further, this study into companion apps from some of Amazon’s most popular devices found a lack of encryption in one-third of cases and the use of hardcoded keys in one-fifth of cases.
These findings were confirmed in another study where researchers tested more than 2000 device companion apps for security faults. The researchers found more than 30 devices from 10 vendors relied on the same cloud service to manage their devices, with the cloud service reporting security weakness that previously allowed attackers to take full control by device ID and password enumeration.
To make matters worse, there is little incentive for vendors to release fixes when vulnerabilities are uncovered. Most vendors in this space are small and medium-sized businesses that lack the budget for software quality control and security best practices. This issue is only exacerbated by the relative inexpensiveness of the devices they sell, meaning that vendors simply do not have the resources necessary to implement security best practices like monitoring agents or authentication hardware.
What users must do
The good news is that secure communication between a device and an app is possible. For example, EZVIZ smart home security applications support local communication between the companion app and the device over the local network. The shared encryption key is enclosed in the device box in the form of a QR code and must be scanned by the companion app. This strategy is better than hardcoded keys, provided that the key in the QR code is of sufficient length and randomness.
Another security workaround is possible to ensure that commands between the client and the device cannot be intercepted by a third-party. Peer-to-peer is a private connection type used by German smart heating and cooling provider SOREL to ensure its smartphone app communicates without interference. Moreover, the connection offers the company minimized risk since end users only manage their data on their device.
The bad news is that users today remain at the mercy of the vendors. There is currently no legislation that requires device makers to ensure that their devices or companion apps implement certain cybersecurity protocols. As we have seen time and again, vendor indifference to cybersecurity consistently results in subpar security protocols.
Therefore, the onus is on users to take extra cybersecurity steps in this context of vendor ambivalence. Until legislators catch up or manufacturers begin to implement stricter security protocols for their devices and apps, users will need to take matters into their own hands to make certain that the devices they bring into the workplace or the home are safe from outside forces. While the benefits of companion apps are clear, it is only the user who can prevent the worst dangers of these digital interfaces from becoming reality.
Google has released Chrome 86 for desktop and mobile, which comes with several new and improved security features for mobile users, including:
- New password protections
- Enhanced Safe Browsing
- Easier password filling
- Mixed form warnings and mixed downloads warnings/blocks
New password security features in Chrome 86
The Password Checkup feature came first in the form of a Chrome extension, then was built into Google Account’s password manager and Chrome, and now it has been enhanced with support for the “.well-known/change-password” standard – a W3C specification that defines a well-known URL that sites can use to make their change password forms discoverable by tools (e.g. Chrome, or the latest version of Safari)
This change means that, after they’ve been alerted that their password has been compromised, Chrome will take users directly to the right “change password” form. Hopefully, this will spur more users to act upon the alert.
Enhanced Safe Browsing is added to Chrome for Android
Enhanced Safe Browsing mode, which was first introduced in Chrome 83 (for desktop versions), allows users to get a more personalized protection against malicious sites.
“When you turn on Enhanced Safe Browsing, Chrome can proactively protect you against phishing, malware, and other dangerous sites by sharing real-time data with Google’s Safe Browsing service. Among our users who have enabled checking websites and downloads in real time, our predictive phishing protections see a roughly 20% drop in users typing their passwords into phishing sites,” noted AbdelKarim Mardini, Senior Product Manager, Chrome.
In addition to this, Safety Check – an option that allows users to scan their Chrome installation to check whether the browser is up to date, whether the Safe Browsing service is enabled, and whether any of the passwords the user uses have been compromised in a known breach – is now available to Chrome for Android and iOS.
Biometric authentication for autofilling of passwords on iOS
iOS users can finally take advantage of the convenient password autofill option that was made available a few months ago to Android users.
The option allows iOS users to authenticate using Face ID, Touch ID, or their phone passcode before their saved passwords are automatically filled into sites and iOS apps (the Chrome autofill option must be turned on in Settings).
Mixed form/download warnings
Mixed content, i.e., insecure content served from otherwise secure (HTTPS) pages, is a danger to users.
Chrome 86 will warn users when they are about to submit information through a non-secure form embedded in an HTTPS page and when they are about to initiate insecure downloads over non-secure links.
For the moment, Chrome will block the download of executables and archive files over non-secure links but show a warning if the user tries to download documents files, PDFs, and multimatedia files. The next few Chrome versions will block those as well.
Last but not least, Google has fixed 35 security issues in Chrome 86, including a critical use after free vulnerabilities in payments (CVE-2020-15967).
Popular mobile messengers expose personal data via discovery services that allow users to find contacts based on phone numbers from their address book, according to researchers.
When installing a mobile messenger like WhatsApp, new users can instantly start texting existing contacts based on the phone numbers stored on their device. For this to happen, users must grant the app permission to access and regularly upload their address book to company servers in a process called mobile contact discovery.
A recent study by a team of researchers from the Secure Software Systems Group at the University of Würzburg and the Cryptography and Privacy Engineering Group at TU Darmstadt shows that currently deployed contact discovery services severely threaten the privacy of billions of users.
Utilizing very few resources, the researchers were able to perform practical crawling attacks on the popular messengers WhatsApp, Signal, and Telegram. The results of the experiments demonstrate that malicious users or hackers can collect sensitive data at a large scale and without noteworthy restrictions by querying contact discovery services for random phone numbers.
Attackers are enabled to build accurate behavior models
For the extensive study, the researchers queried 10% of all US mobile phone numbers for WhatsApp and 100% for Signal. Thereby, they were able to gather personal (meta) data commonly stored in the messengers’ user profiles, including profile pictures, nicknames, status texts and the “last online” time.
The analyzed data also reveals interesting statistics about user behavior. For example, very few users change the default privacy settings, which for most messengers are not privacy-friendly at all.
The researchers found that about 50% of WhatsApp users in the US have a public profile picture and 90% a public “About” text. Interestingly, 40% of Signal users, which can be assumed to be more privacy concerned in general, are also using WhatsApp, and every other of those Signal users has a public profile picture on WhatsApp.
Tracking such data over time enables attackers to build accurate behavior models. When the data is matched across social networks and public data sources, third parties can also build detailed profiles, for example to scam users.
For Telegram, the researchers found that its contact discovery service exposes sensitive information even about owners of phone numbers who are not registered with the service.
Which information is revealed during contact discovery and can be collected via crawling attacks depends on the service provider and the privacy settings of the user. WhatsApp and Telegram, for example, transmit the user’s entire address book to their servers.
More privacy-concerned messengers like Signal transfer only short cryptographic hash values of phone numbers or rely on trusted hardware. However, the research team shows that with new and optimized attack strategies, the low entropy of phone numbers enables attackers to deduce corresponding phone numbers from cryptographic hashes within milliseconds.
Moreover, since there are no noteworthy restrictions for signing up with messaging services, any third party can create a large number of accounts to crawl the user database of a messenger for information by requesting data for random phone numbers.
“We strongly advise all users of messenger apps to revisit their privacy settings. This is currently the most effective protection against our investigated crawling attacks,” agree Prof. Alexandra Dmitrienko (University of Würzburg) and Prof. Thomas Schneider (TU Darmstadt).
Impact of research results: Service providers improve their security measures
The research team reported their findings to the respective service providers. As a result, WhatsApp has improved their protection mechanisms such that large-scale attacks can be detected, and Signal has reduced the number of possible queries to complicate crawling.
The researchers also proposed many other mitigation techniques, including a new contact discovery method that could be adopted to further reduce the efficiency of attacks without negatively impacting usability.
QR codes are rising in popularity and use, according to a consumer sentiment study by MobileIron. Sixty-four percent of respondents stated that a QR code makes life easier in a touchless world – despite a majority of people lacking security on their mobile devices, with 51% of respondents stating they do not have or do not know if they have security software installed on their mobile devices.
Mobile devices have become even more important and ingrained in everyone’s lives during the COVID-19 pandemic, and 47% of respondents have noticed an increase in QR code use.
At the same time, employees are using mobile devices – and in many cases, their own unsecured devices – more than ever before to connect with others, interact with a variety of cloud-based applications and services, and stay productive as they work from anywhere.
Many employees are also using their mobile devices to scan QR codes in their everyday lives, putting themselves and enterprise resources at risk.
QR codes skyrocketed in popularity and use during the pandemic
- 84% of people have scanned a QR code before, with 32% most recently having scanned a QR code in the past week and 26% most recently having scanned a QR code in the past month.
- In the last six months, 38% of respondents have scanned a QR code at a restaurant, bar or café; 37% of respondents have scanned a QR code at a retailer; and 32% have scanned a QR code on a consumer product.
- 53% of respondents want to see QR codes used more broadly in the future.
- 43% of respondents plan to use a QR code as a payment method in the near future.
- 40% of people would vote using a QR code received in the mail, if it was an option.
Attackers are also capitalizing on security gaps during the pandemic and increasingly targeting mobile devices with sophisticated attacks. Mobile devices are appealing targets for hackers because the mobile user interface prompts users to take immediate actions, while limiting the amount of information available. Plus, users are often distracted when on their mobile devices, making them more likely to fall victim to attacks.
“Hackers are launching attacks across mobile threat vectors, including emails, text and SMS messages, instant messages, social media and other modes of communication,” said Alex Mosher, Global VP of Solutions, MobileIron.
“I expect we’ll soon see an onslaught of attacks via QR codes. A hacker could easily embed a malicious URL containing custom malware into a QR code, which could then exfiltrate data from a mobile device when scanned. Or, the hacker could embed a malicious URL into a QR code that directs to a phishing site and encourages users to divulge their credentials, which the hacker could then steal and use to infiltrate a company.”
QR codes pose significant risks to both end users and enterprises
- 71% of respondents cannot distinguish between a legitimate and malicious QR code, whereas 67% of those surveyed are able to distinguish between a legitimate and malicious URL.
- While 67% of respondents are aware that QR codes can open a URL, they are less aware of the other actions that QR codes can initiate. Only 19% of respondents believe scanning a QR code can draft an email; 20% believe scanning a QR code can start a phone call; and 24% believe scanning a QR code can initiate a text message.
- 51% of respondents have privacy, security, financial or other concerns about using QR codes, but still use them anyway; 34% have no concerns about using QR codes.
- 35% of respondents are unsure whether hackers can target victims using a QR code.
“Companies need to urgently rethink their security strategies to focus on mobile devices,” continued Mosher. “At the same time, they need to prioritize a seamless user experience. A unified endpoint management solution can provide the IT controls needed to secure, manage and monitor every device, user, app and network being used to access business data, while maximizing productivity.
“Organizations can also build upon UEM with a mobile threat defense solution to detect and remediate mobile threats, including malicious QR codes, even when a device is offline.”
A LexisNexis Risk Solutions report tracks global cybercrime activity from January 2020 through June 2020. The period has seen strong transaction volume growth compared to 2019 but an overall decline in global attack volume. This is likely linked to growth in genuine customer activity due to changing consumer habits.
The period has seen strong transaction volume growth compared to 2019 but an overall decline in global attack volume. This is likely linked to growth in genuine customer activity due to changing consumer habits.
The report analyzes data from more than 22.5 billion transactions processed, a 37% growth year over year. Mobile device transactions also continue to rise, with 66% of all transactions coming from mobile devices in the first half of 2020, up from 20% in early 2015.
There’s also an uptick in transactions from new devices and new digital identities. This is attributed to many new-to-digital consumers moving online to procure goods and services that were no longer available in person or harder to access via a physical store, during the pandemic.
Attacks by region
The EMEA region saw lower overall attack rates in comparison to most other global regions from January through June 2020. This is due to a high volume of trusted login transactions across relatively mature mobile apps.
The attack patterns in EMEA were also more benign and had less volatility and fewer spikes in attack rates. However, there are some notable exceptions. Desktop transactions conducted from EMEA had a higher attack rate than the global average and automated bot attack volume grew 45% year over year.
The UK originates the highest volume of human-initiated cyberattacks in EMEA, with Germany and France second and third in the region. The UK is also the second largest contributor to global bot attacks behind the U.S.
One example of a UK banking fraud network saw more than $17 million exposed to fraud across 10 financial services organizations. This network alone consisted of 7,800 devices, 5,200 email addresses and 1,000 telephone numbers.
Decline in attack rate
The overall human-initiated attack rate fell through the first half of 2020, showing a 33% decline year over year. The breakdown by sector shows a 23% decline in financial services and a 55% decline in e-commerce attack rates.
Latin America experienced the highest attack rates of all regions globally and realized consistent growth in attack rates from March to June 2020. The attack patterns in North America and EMEA had less volatility and fewer spikes in attack rates from the six-month period observed.
Attack vector global view
Media is the only industry that recorded an overall year over year growth in human-initiated cyberattacks. There was a 3% increase solely across mobile browser transactions.
Globally, automated bots remain a key attack vector in the Digital Identity Network. Financial services organizations experienced a surge in automated bot attacks and continue to experience more bot attacks than any other industry.
Across the customer journey
New account creations see attacks at a higher rate than any other transaction type in the online customer journey. However, the largest volume of attacks targets online payments. Login transactions have seen the biggest drop in attack rate in comparison to other use cases.
Analysis across new customer touchpoints in the online journey is included in this report for the first time, providing additional context on key points of risk such as money transfers and password resets.
All industries have felt the impact of COVID-19. There are clear peaks and troughs in transaction volumes coinciding with global lockdown periods.
Financial services organizations realized a growth in new-to-digital banking users, a changing geographical footprint from previously well-traveled consumers and a reduction in the number of devices used per customer. There have also been several attacks targeting banks offering COVID-19-related loans.
E-commerce merchants have seen an increase in digital payments and several other key attack typologies that coincide with the lockdown period. These included account takeover attacks using identity spoofing and more first-party chargeback fraud.
Rebekah Moody, director of fraud and identity at LexisNexis Risk Solutions, said: “The move to digital, for both businesses and consumers, has been significant. Yet with this change comes opportunity for exploitation. Fraudsters look for easy targets: whether government support packages, new lines of credit or media companies with fewer barriers to entry.”
Bring your own PC (BYOPC) security will reach mainstream adoption in the next two to five years, while it will take five to 10 years for mainstream adoption of secure access service edge (SASE) to take place, according to Gartner. Hype cycle for endpoint security, 2020 “Prior to the COVID-19 pandemic, there was little interest in BYOPC,” said Rob Smith, senior research director at Gartner. “At the start of the pandemic, organizations simply had no … More
The post Bring your own PC and SASE security to transform global businesses appeared first on Help Net Security.
If you needed another reason not to use a charger made available at a coffeeshop or airport or by an acquaintance, here it is: maliciously modified fast chargers may damage your phone, tablet or laptop and set it on fire.
Researchers from Tencent‘s Xuanwu Lab have demonstrated how some fast chargers may be easily and quickly modified to deliver too much power at once and effectively “overwhelm” digital devices:
How is this possible?
As out use of digital mobile devices increased, so did the need to be able to charge them quickly. Fast chargers and power banks are not a rarity anymore, and most digital devices now support fast charging.
The charging operation is performed after the power supply terminal and the power receiving device negotiate and agree on the amount of power both parties can support.
The set of programs that complete the power negotiation and control the charging process is usually stored in the firmware of the fast charge management chip at the power supply terminal and the power receiver terminal, the researchers explained.
Unfortunately, that code can be rewritten by malicious actors because “some manufacturers have designed interfaces that can read and write built-in firmware in the data channel, but they have not performed effective security verification of the read and write behavior, or there are problems in the verification process, or the implementation of the fast charge protocol has some memory corruption problems.”
Even worse: the attack (dubbed BadPower) can be performed in a way that will not raise any suspicion: the attacker may rewrite the firmware by simply connecting a mobile device loaded with attack code to the charger.
Users’ mobile devices can also be implanted with malware with BadPower attack capabilities and be the infection agent for every fast charger that is connected to it.
Tencent’s researchers tested 35 of the 234 fast charging devices currently available on the market, and found that at least 18 of them (by 8 different brands) are susceptible to BadPower attacks.
They also discovered that at least 18 fast-charging chip manufacturers produce chips with the ability to update firmware after the product is built.
End users are advised to keep their devices safe by not giving their own fast charger and power bank to others and by not using those belonging to other people or establishments.
Ultimately, though, this is a problem that has to be solved by the manufacturers.
They should make sure that fast chargers’ firmware is without common software vulnerabilities and make sure that firmware can’t be modified without authorization.
“At the same time, we also suggest adding technical requirements for safety verification during firmware update to the relevant national standards for fast charging technology,” the researchers added.
“It is recommended to add components such as chip fuses to non-fast charging and receiving equipment powered by the USB interface, or an overvoltage protection circuit that can withstand at least 20V. It is recommended that powered devices that support fast charging continue to check the input voltage and current after power negotiation to confirm that they meet the negotiated range.”
There’s no denying the convenience of USB media. From hard drives and flash drives to a wide range of other devices, they offer a fast, simple way to transport, share and store data. However, from a business security perspective, their highly accessible and portable nature makes them a complete nightmare, with data leakage, theft, and loss all common occurrences.
Widespread remote working appears to have compounded these issues. According to new research, there’s been a 123% increase in the volume of data downloaded to USB media by employees since the onset of COVID-19, suggesting many have used such devices to take large volumes of data home with them. As a result, there’s hundreds of terabytes of potentially sensitive, unencrypted corporate data floating around at any given time, greatly increasing the risk of serious data loss.
Fortunately, effective implementation of USB control and encryption can significantly minimize that risk.
What is USB control and encryption?
USB control and encryption refers to the set of techniques and practices used to secure the access of devices to USB ports. Such techniques and practices form a key part of endpoint security and help protect both computer systems and sensitive data assets from loss, as well as security threats (e.g., malware) that can be deployed via physical plug-in USB devices.
There are numerous ways that USB control and encryption can be implemented. The most authoritarian approach is to block the use of USB devices altogether, either by physically covering endpoint USB ports or by disabling USB adapters throughout the operating system. While this is certainly effective, for the vast majority of businesses it simply isn’t a workable approach given the huge number of peripheral devices that rely on USB ports to function, such as keyboards, chargers, printers and so on.
Instead, a more practical approach is to combine less draconian physical measures with the use of encryption that protects sensitive data itself, meaning even if a flash drive containing such data is lost or stolen, its contents remain safe. The easiest (and usually most expensive) way to do this is by purchasing devices that already have robust encryption algorithms built into them.
A cheaper (but harder to manage) alternative is to implement and enforce specific IT policies governing the use of USB devices. This could either be one that only permits employees to use certain “authenticated” USB devices – whose file systems have been manually encrypted – or stipulating that individual files must be encrypted before they can be transferred to a USB storage device.
Greater control means better security
The default USB port controls offered as part of most operating systems tend to be quite limited in terms of functionality. Security teams can choose to leave them completely open, designate them as read-only, or fully disable them. However, for those wanting a more nuanced approach, a much greater level of granular control can be achieved with the help of third-party security applications and/or solutions. For instance, each plugged-in USB device is required to tell the OS exactly what kind of device it is as part of the connection protocol.
With the help of USB control applications, admins can use this information to limit or block certain types of USB devices on specific endpoint ports. A good example would be permitting the use of USB-connected mice via the port, but banning storage devices, such as USB sticks, that pose a much greater threat to security.
Some control applications go further still, allowing security teams to put rules in place that govern USB ports down to an individual level. This includes specifying exactly what kinds of files can be copied or transferred via a particular USB port or stipulating that a particular port can only be used by devices from a pre-approved whitelist (based on their serial number). Such controls can be extremely effective at preventing unauthorized data egress, as well as malicious actions like trying to upload malware via an unauthorized USB stick.
A centrally controlled solution saves significant logistical headaches
It’s worth noting that a normal business network can contain hundreds, or even thousands of endpoints, each with one or more USB ports. As such, control and encryption solutions that can be managed centrally, rather than on an individual basis, are significantly easier to implement and manage. This is particularly true at this current point in time, where remote working protocols make it almost impossible to effectively manage devices any other way.
While portable USB drives and devices are seen as a quick, convenient way to transport or store data by employees, they often present a major headache for security professionals.
Fortunately, implementing USB control and encryption solutions can greatly improve the tools at a security team’s disposal to deal with such challenges and ensure both the network and sensitive company data remains protected at all times.
There’s a massive amount of complexity plaguing today’s enterprise endpoint environments. The number of agents piling up on enterprise endpoint devices – up on average – is hindering IT and security’s ability to maintain foundational security hygiene practices, such as patching critical vulnerabilities, which may actually weaken endpoint security defenses, Absolute reveals.
Also, critical endpoint controls like encryption and antivirus agents, or VPNs, are prone to decay, leaving them unable to protect vulnerable devices, data, and users – with more than one in four enterprise devices found to have at least one of these controls missing or out of compliance.
Increasing security spend does not guarantee security
In addition to heightening risk exposure, the failure of critical endpoint controls to deliver their maximum intended value is also resulting in security investments and, ultimately, wasted endpoint security spend.
According to Gartner, “Boards and senior executives are asking the wrong questions about cybersecurity, leading to poor investment decisions. It is well-known to most executives that cybersecurity is falling short. There is a consistent drumbeat directed at CIOs and CISOs to address the limitations, and this has driven a number of behaviors and investments that will also fall short.”
“What has become clear with the insights uncovered in this year’s report is that simply increasing security spend annually is not guaranteed to make us more secure,” said Christy Wyatt, President and CEO of Absolute.
“It is time for enterprises to increase the rigor around measuring the effectiveness of the investments they’ve made. By incorporating resilience as a key metric for endpoint health, and ensuring they have the ability to view and measure Endpoint Resilience, enterprise leaders can maximize their return on security investments.”
The challenges of maintaining resilience
Without the ability to self-heal, critical controls suffer from fragility and lack of resiliency. Also, endpoint resilience is dependent not just on the health of single endpoint applications, but also combinations of apps.
The massive amount of complexity uncovered means that even the most well-functioning endpoint agents are at risk of collision or failure once deployed across today’s enterprise endpoint environments.
IT and security teams need intelligence into whether individual endpoint controls, as well as various combinations of controls, are functioning effectively and maintaining resilience in their own unique endpoint environment.
Single vendor application pairings not guaranteed to work seamlessly together
In applying the criteria for application resilience to same-vendor pairings of leading endpoint protection and encryption apps, widely varied average health and compliance rates among these pairings were found.
The net-net here is that sourcing multiple endpoint agents from a single vendor does not guarantee that those apps will not ultimately collide or decay when deployed alongside one another.
Progress in Windows 10 migration
Much progress was made in Windows 10 migration, but fragmentation and patching delays leave organizations potentially exposed. Our data showed that while more than 75 percent of endpoints had made the migration to Windows 10 (up from 54 percent last year), the average Windows 10 enterprise device was more than three months behind in applying the latest security patches – perhaps unsurprisingly, as the data also identified more than 400 Windows 10 build releases across enterprise devices.
This delay in patching is especially concerning in light of a recent study that shows 60 percent of data breaches are the result of a known vulnerability with a patch available, but not applied.
Relying on fragile controls and unpatched devices
Fragile controls and unpatched devices are being relied on to protect remote work environments. With the rise of remote work environments in the wake of the COVID-19 outbreak, as of May 2020, one in three enterprise devices is now being used heavily (more than 8 hours per day).
The data also shows a 176 percent increase in the number of enterprise devices with collaboration apps installed as of May 2020, versus pre-COVID-19. This means the average attack surface, and potential vulnerabilities, has expanded significantly across enterprises.
The percentage of companies admitting to suffering a mobile-related compromise has grown, despite a higher percentage of organizations deciding not to sacrifice the security of mobile devices to meet business targets.
To make things worse, the C-suite is the most likely group within an organization to ask for relaxed mobile security protocols – despite also being highly targeted by cyberattacks.
In order to select a suitable mobile security solution for your business, you need to consider a lot of factors. We’ve talked to several industry professionals to get their insight on the topic.
Liviu Arsene, Global Cybersecurity Analyst, Bitdefender
A business mobile security solution needs to have a clear set of minimum abilities or features for securing devices and the information stored on them, and for enabling IT and security teams to remotely manage them easily.
For example, a mobile security solution for business needs to have excellent malware detection capabilities, as revealed by third-party independent testing organizations, with very few false positives, a high detection rate, and minimum performance impact on the device. It needs to allow IT and security teams to remotely manage the device by enabling policies such as device encryption, remote wipe, application whitelisting/blacklisting, and online content control.
These are key aspects for a business mobile security solution as it both allows employees to stay safe from online and physical threats, and enables IT and security teams to better control, manage, and secure devices remotely in order to minimize any risk associated with a compromised device. The mobile security solution should also be platform agnostic, easily deployable on any mobile OS, centrally managed, and allow users to switch from profiles covering connectivity and encryption (VPN) settings based on the services the user needs.
Fennel Aurora, Security Adviser at F-Secure
Making any choice of this kind starts from asking the right questions. What is your company’s threat model? What are your IT and security management capabilities? What do you already know today about your existing IT, shadow IT, and employees bring-your-own-devices?
If you are currently doing nothing and have little IT resources internally, you will not have the same requirements as a global corporation with whole departments handling this. As a farming supplies company, you will not face the same threats, and so have the same requirements, as an aeronautics company working on defense contracts.
In reality, even the biggest companies do not systematically do all of the 3 most basic steps. Firstly, you need to inventory your devices and IT, and be sure that the inventory is complete and up-to-date as you can’t protect what you don’t know about. You also need at minimum to protect your employees’ devices against basic phishing attacks, which means using some kind of AV with browsing protection. You need to be able to deploy and update this easily via a central tool. A good mobile AV product will also protect your devices against ransomware and banking trojans via behavioral detection.
Finally, you need to help people use better passwords, which means helping them install and start using a password manager on all their devices. It also means helping them get started with multi-factor authentication.
Jon Clay, Director of Global Threat Communications, Trend Micro
Many businesses secure their PC’s and servers from malicious code and cyber attacks as they know these devices are predominately what malicious actors will target. However, we are increasingly seeing threat actors target mobile devices, whether to install ransomware for quick profit, or to steal sensitive data to sell in the underground markets. This means is that organizations can no longer choose to forego including security on mobile devices – but there are a few challenges:
- Most mobile devices are owned by the employee
- Most of the data on the mobile device is likely to be personal to the owner
- There are many different device manufacturers and, as such, difficulties in maintaining support
- Employees access corporate data on their personal devices regularly
Here are a few key things that organizations should consider when looking to select a mobile security solution:
- Lost devices are one reason for lost data. Requiring users to encrypt their phones using a passcode or biometric option will help mitigate this risk.
- Malicious actors are looking for vulnerabilities in mobile devices to exploit, making regular update installs for OS and applications extremely important.
- Installing a security application can help with overall security of the device and protect against malicious attacks, including malicious apps that might already be installed on the device.
- Consider using some type of remote management to help monitor policy violations. Alerts can also help organizations track activities and attacks.
Discuss these items with your prospective vendors to ensure they can provide coverage and protection for your employee’s devices. Check their research output to see if they understand and regularly identify new tactics and threats used by malicious actors in the mobile space. Ensure their offering can cover the tips listed above and if they can help you with more than just mobile.
Jake Moore, Cybersecurity Specialist, ESET
Companies need to understand that their data is effectively insecure when their devices are not properly managed. Employees will tend to use their company-supplied devices in personal time and vice versa.
This unintentionally compromises private corporate data, due to activities like storing documents in unsecure locations on their personal devices or online storage. Moreover, unmanaged functions like voice recognition also contribute to organizational risk by letting someone bypass the lock screen to send emails or access sensitive information – and many mobile security solutions are not fool proof. People will always find workarounds, which for many is the most significant problem.
In oder to select the best mobile security solution for your business you need to find a happy balance between security and speed of business. These two issues rarely go hand in hand.
As a security professional, I want protection and security to be at the forefront of everyone’s mind, with dedicated focus to managing it securely. As a manager, I would want the functionality of the solution to be the most effective when it comes to analyzing data. However, as a user, most people favor ease of use and convenience at the detriment of other more important factors.
Both users and security staff need to be cognizant of the fact that they’re operating in the same space and must work together to strike the same balance. It’s a shared responsibility but, importantly, companies need to decide how much risk they are willing to accept.
Anand Ramanathan, VP of Product Management, McAfee
The permanent impact of COVID-19 has heightened attacker focus on work-from-home exploits while increasing the need for remote access. Security professionals have less visibility and control over WFH environments where employees are accessing corporate applications and data, so any evaluation of mobile security should be based on several fundamental criteria:
- “In the wild security”: You don’t know if or how mobile devices are connecting to a network at any given time, so it’s important that the protection is on-device and not dependent on a connection to determine threats, vulnerabilities or attacks.
- Comprehensive security: Malicious applications are a single vector of attack. Mobile security should also protect against phishing, network-based attacks and device vulnerabilities. Security should protect the device against known and unknown threats.
- Integrated privacy protection: Given the nature of remote access from home environments, you should have the ability to protect privacy without sending any data off the device.
- Low operational overhead: Security professionals have enough to do in response to new demands of supporting business in a COVID world. They shouldn’t be obligated to manage mobile devices differently than other types of endpoint devices and they shouldn’t need a separate management console to do so.
As millions of employees continue to work from home for the foreseeable future and in some cases perhaps indefinitely, balancing the ongoing demands of employee productivity and information security will be paramount.
The historical “castle and moat” model of protecting IT infrastructure is outdated and will be further challenged by the emergence of a new hybrid workforce that is sometimes remote, sometimes on-premise.
When the pandemic first hit, IT departments responded quickly with what one IT analyst called the “Remote Lite” approach—just get staff the basic equipment they need to work from home as efficiently as possible. Now, however, “Remote Lite” needs to quickly morph into a more “Remote Right” approach which takes into account the requirements of permanently managing remote employees’ security, connectivity and productivity.
As many security experts agree, remote work is rapidly expanding the potential attack surface for hackers as the number of endpoint devices given access to a corporation’s network increases. Pharmaceutical companies, particularly those working on Covid-19 vaccines, are just one example of a vertical industry that is experiencing a significant increase in cyberattacks.
A recent survey conducted by Barracuda Networks found that “almost half (46%) of global businesses have encountered at least one cybersecurity scare since shifting to a remote working model during the COVID-19 lockdown.” Cyberattacks that result in the theft of sensitive financial and customer data or intellectual property are just a few of the threats remote workers’ unsecured home networks, poorly managed devices or compromised VPN connections can expose.
It is inevitable that organizations will need embrace more adaptive and people-centric security models to support a permanently distributed, work-from-anywhere workforce. The challenge for CIOs will be enabling a first-class user experience similar to being in the office while maintaining an equally as strong security posture.
Home security hygiene
CIOs will undoubtedly make technology investments to address these increasing threat vectors exposed by a hybrid workforce. Additional safeguards such as biometric identification, multi-factor authentication (MFA), expanded virtual desktop infrastructure (VDI) and enhanced VPN solutions are just some of the IT investments they should consider.
At the same time, non-technology investments will remain critical. 90% of cybersecurity breaches today occur from phishing attacks, therefore increasing employee training, ongoing phishing testing and increased security monitoring will remain table stakes.
Remote device choice
The modern millennial workforce puts a premium on information access anytime, anywhere and on any device. Yet, their experiences vary on multiple dimensions in terms of access, performance and permissions. As security solutions optimized for specific devices in known locations evolve to meet the needs of the hybrid workforce, using approaches like VDI, users will likely benefit from greater device choice and expanded BYOD options.
Additionally, the concept of “work-from-home kits” may expand. Bundling devices pre-configured to run on secure networks overlaid on consumer internet connectivity with perhaps ergonomically sensitive set-ups will support employee well-being, while also enabling corporately managed network connectivity. While it might be inconvenient for users to have an extra device, in regulated industries such as healthcare, financial services and utilities, it may be essential to respond effectively in today’s threat environment.
Securing unstructured data
For many, passwords have been the tool of choice to restrict access to documents and presentations. Services like Microsoft 365 offer more comprehensive safeguards limiting the distribution of information and restricting document privileges to authenticated users, though many organizations have not widely deployed these features.
Furthermore, as unstructured data moves outside enterprise firewalls, the ability to manage documents is greatly reduced. Therefore, implementing more robust security measures to manage the lifecycle of unstructured data will shift from a nice to have feature, into a must-have control for many organizations.
Planning for a digital-first future
Rahm Emanuel, the former Mayor of Chicago, once said that “we should never let a serious crisis go to waste”, it’s an opportunity to do things you think you could not do before.” Taking this into account, if organizations were not prioritizing security investments and digital transformation before, now is the time.
There was a 37 percent increase worldwide in enterprise mobile phishing encounter rate between the fourth quarter of 2019 and the first quarter of 2020, according to Lookout.
The cost of enterprise mobile phishing
The report also shows that unmitigated mobile phishing threats could cost organizations with 10,000 mobile devices as much as $35 million per incident, and up to $150 million for organizations with 50,000 mobile devices.
“Cybercriminals are exploiting the ability to socially engineer victims on their mobile device in order to steal their credentials or sensitive private data.”
Today, the number of people working away from the office is at a record high. In order to stay productive, employees have turned to their smartphones and tablets.
Mobile devices make it harder to spot tell-tale signs of a phishing link
Phishing has been the most commonly used method for cybercriminals to infiltrate an organization, and businesses have deployed user training and email phishing security to combat them. But with mobile devices, phishing risks no longer simply hide in email, but in SMS, messaging apps, and social media platforms.
In addition, with a smaller form factor and simplified user experience, mobile devices also make it harder to spot the tell-tale signs of a phishing link – enabling a higher success rate for the cybercriminals attacking mobile compared to desktop devices.
“Phishing has evolved into a massive problem that expands far beyond the traditional email bait and hook,” said Phil Hochmuth, program vice president of enterprise mobility at IDC.
“On a small screen and with a limited ability to vet links and attachments before clicking on them, consumers and business users are exposed to more phishing risks than ever before. In a mobile-first world, with remote work becoming the norm, proactive defense against these attacks is critical.”
Unprecedented times call for unprecedented actions and the ongoing COVID-19 pandemic has caused what is likely to be the biggest shift towards remote working that the world has ever seen. But, while the technology has been around for quite some time, recent events demonstrate just how few businesses are capable of switching from an office-based setup to a remote one in a fast, secure, and non-disruptive manner.
There’s a significant number of reasons why it is prudent to have a remote working infrastructure in place. Truth be told, “in the event of a global pandemic” probably wasn’t very high up most people’s list before 2020. In normal circumstances, common occurrences like adverse weather, transportation issues, and power outages can also severely affect the productivity of business if employees can’t access what they need outside the office.
That being said, proper implementation of any remote working program is key. In particular, the right security tools must be in place, otherwise businesses risk exposing themselves to a wide range of cyber threats.
This article examines some of the major considerations for any business looking to tackle the security challenges of remote working and implement a program that will enable employees to work both effectively and securely from anywhere.
Security challenges of remote working: Finding the right approach
Historically, office-based businesses have managed off-site workers through the use of virtual private networks (VPNs) and managed devices with installed software agents – also known as the mobile device management (MDM) approach. While still a relatively popular strategy today, it raises an increasing number of privacy concerns, mainly because it gives businesses the ability to monitor everything employees do on their device. VPN technology is also widely considered to be outdated and its complexity means skilled IT professionals are required to manage/maintain it properly.
For businesses without legacy technology to consider, a bring your own device (BYOD) approach is often preferable. Not only does it significantly reduce IT costs, but employees will always be able to work on their device in the event of unforeseen circumstances that prevent them from traveling to the office.
Unlike a managed device approach, employees using their own personal devices have more freedom over what and where they can view or download sensitive data, making robust security even more critical. Below are three security technologies that can be used to complement the flexibility a BYOD program provides:
1. Data loss prevention technology keeps businesses in control
One of the biggest issues with a BYOD approach is how to prevent sensitive data loss or theft from unmanaged devices. The use of data loss prevention (DLP) technology can significantly mitigate this, giving businesses much more control over their data than they would otherwise have. With DLP in place, any unauthorized attempts to access, copy or share sensitive information – whether intentional or not – will be prevented, keeping it out of the wrong hands and helping to prevent security breaches.
2. Behavioral analytics quickly detects suspicious user activity
Implementation of user and entity behavior analytics (UEBA) is a great way to quickly detect anomalous behavior that might indicate a potential security breach amongst your remote workforce. UEBA works by learning and establishing benchmarks for normal user behavior and then alerting security teams to any activity that deviates from that established norm. For instance, if a remote worker typically logs in from London but is suddenly seen to be logging in from Paris, particularly under the current circumstances, this would raise an immediate alert that something is amiss.
3. Agentless technology delivers robust security without breaching privacy
Employees using personal devices as part of a BYOD program can often be resistant to agent-based security tools being installed on them. Not only are some – like MDM – considered an invasion of privacy, but they can also impact device performance and functionality. Conversely, agentless security tools utilize cloud technology, meaning they require no installation but still give security teams the control they need to monitor, track and even wipe sensitive data if/when necessary.
Furthermore, because agentless security tools only monitor company data on the device, employees can be confident that their personal data and activity remain completely private. Leading agentless security solutions even include cloud based DLP as part of their offering, meaning businesses can cover multiple bases in one go.
Over the last few months, the pandemic has forced many businesses to fundamentally change the way they operate. For some, this switch to remote working has been quick and painless, but for many others, a lack of foresight or advanced planning has made it a significant challenge.
Of course, hindsight is a wonderful thing, but even in the midst of this pandemic, it’s not too late to change tack. By combining BYOD with powerful cloud security and analytics technology, businesses of all shapes and sizes can quickly establish an effective, secure remote working program, keeping the wheels of business turning when even the most unexpected things happen.
Security measures and password best practices have not taken priority in many regions during the shift to remote work due to the COVID-19 pandemic, according to a survey by OneLogin.
Nearly 1 in 5 (17.4%) global respondents have shared their work device password with either their spouse or child, potentially exposing corporate data.
External threats were also a factor with 36% of global respondents admitting they have not changed their home Wi-Fi password in more than a year, leaving corporate devices exposed to a potential security breach.
Remote work implementation speed left companies vulnerable
The speed required to institute remote work in the early part of 2020 has left many companies dealing with security gaps, particularly as it relates to using work devices for personal purposes.
The majority of global remote workers agree (63%) that organizations will align in favor of continued remote work post-pandemic. If this trend continues, many businesses are unknowingly putting company data at risk.
“Organizations everywhere are facing unprecedented challenges as millions of people are working from home,” said Brad Brooks, CEO and president of OneLogin. “Passwords pose an even greater risk in this WFH environment and – as our study supports – are the weakest link in exposing businesses’ customers and data to bad actors.”
Remote work security gaps around the world
A closer look at how individual countries practice security highlights differences in password sharing, willingness to access high-risk websites and more. The study found the following:
- Risky sites: US remote workers are 3X as likely to use work devices to access adult entertainment as the French
- Home networks: US workers are more likely than any other country to have changed their Wi-Fi password within the last month
- Device security: 14% of US remote workers never changed their passwords on their device
- Shadow IT: A third of US respondents have downloaded an app on their work device without approval
- Password sharing: 1 in 5 (21%) US workers have shared a work-related password electronically – more than twice as many as the UK (7.8%)
The device people use to communicate online – a smartphone, desktop, or tablet – can affect the extent to which they are willing to overshare intimate or personal information about themselves, according to University of Pennsylvania researchers.
Do smartphones alter what people are willing to disclose about themselves?
A study suggests that they might.
The research indicates that people are more willing to reveal personal information about themselves online using their smartphones compared to desktop computers. For example, Tweets and reviews composed on smartphones are more likely to be written from the perspective of the first person, to disclose negative emotions, and to discuss the writer’s private family and personal friends.
Likewise, when consumers receive an online ad that requests personal information (such as phone number and income), they are more likely to provide it when the request is received on their smartphone compared to their desktop or laptop computer.
Why do smartphones have this effect on behavior?
Co-author Shiri Melumad explains that “Writing on one’s smartphone often lowers the barriers to revealing certain types of sensitive information for two reasons; one stemming from the unique form characteristics of phones and the second from the emotional associations that consumers tend to hold with their device.”
First, one of the most distinguishing features of phones is the small size; something that makes viewing and creating content generally more difficult compared with desktop computers. Because of this difficulty, when writing or responding on a smartphone, a person tends to narrowly focus on completing the task and become less cognizant of external factors that would normally inhibit self-disclosure, such as concerns about what others would do with the information.
Smartphone users know this effect well – when using their phones in public places, they often fixate so intently on its content that they become oblivious to what is going on around them.
The second reason people tend to be more self-disclosing on their phones lies in the feelings of comfort and familiarity people associate with their phones. Melumad adds, “Because our smartphones are with us all of the time and perform so many vital functions in our lives, they often serve as ‘adult pacifiers’ that bring feelings of comfort to their owners.”
The downstream effect of those feelings shows itself when people are more willing to disclose feelings to a close friend compared to a stranger or open up to a therapist in a comfortable rather than uncomfortable setting.
As Co-author Robert Meyer says, “Similarly, when writing on our phones, we tend to feel that we are in a comfortable ‘safe zone.’ As a consequence, we are more willing to open up about ourselves.”
The analysis: Smartphone pushing you to overshare?
The data to support these ideas is far-ranging and includes analyses of thousands of social media posts and online reviews, responses to web ads, and controlled laboratory studies. For example, initial evidence comes from analyses of the depth of self-disclosure revealed in 369,161 Tweets and 10,185 restaurant reviews posted on TripAdvisor, with some posted on PCs and some on smartphones.
Using both automated natural-language processing tools and human judgements of self-disclosure, the researchers find robust evidence that smartphone-generated content is indeed more self-disclosing. Perhaps even more compelling is evidence from an analysis of 19,962 “call to action” web ads, where consumers are asked to provide private information.
Interacting with firms
Consistent with the tendency for smartphones to facilitate greater self-disclosure, compliance was systematically higher for ads targeted at smartphones versus PCs.
The findings have clear and significant implications for firms and consumers. One is that if a firm wishes to gain a deeper understanding of the real preferences and needs of consumers, it may obtain better insights by tracking what they say and do on their smartphones than on their desktops.
Likewise, because more self-disclosing content is often perceived to be more honest, firms might encourage consumers to post reviews from their personal devices.
But therein lies a potential caution for consumers–these findings suggest that the device people use to communicate can affect what they communicate. This should be kept in mind when thinking about the device one is using when interacting with firms and others.
Five related APT groups operating in the interest of the Chinese government have systematically targeted Linux servers, Windows systems and mobile devices running Android while remaining undetected for nearly a decade, according to BlackBerry.
The report provides further insight into pervasive economic espionage operations targeting intellectual property, a subject that the Department of Justice recently said is the focus of more than 1000 open investigations in all of the 56 FBI field offices.
Most large organizations rely on Linux
The cross-platform aspect of the attacks is also of particular concern in light of security challenges posed by the sudden increase in remote workers. The tools identified in these ongoing attack campaigns are already in place to take advantage of work-from-home mandates, and the diminished number of personnel onsite to maintain security of these critical systems compounds the risks.
While the majority of the workforce has left the office as part of containment efforts in response to the COVID-19 outbreak, intellectual property remains in enterprise data centers, most of which run on Linux.
Linux runs nearly all of the top 1 million websites online, 75% of all web servers, 98% of the world’s supercomputers and 75% of major cloud service providers (Netcraft, 2019, Linux Foundation, 2020).
Most large organizations rely on Linux to run websites, proxy network traffic and store valuable data. The report examines how APTs have leveraged the “always on, always available” nature of Linux servers to establish a “beachhead for operations” across a wide swath of targets.
“Linux is not typically user-facing, and most security companies focus their engineering and marketing attention on products designed for the front office instead of the server rack, so coverage for Linux is sparse,” said Eric Cornelius, Chief Product Architect at BlackBerry.
“These APT groups have zeroed in on that gap in security and leveraged it for their strategic advantage to steal intellectual property from targeted sectors for years without anyone noticing.”
APT groups: Other key findings
The APT groups examined in this report are likely comprised of civilian contractors working in the interest of the Chinese government who readily share tools, techniques, infrastructure, and targeting information with one another and their government counterparts.
The APT groups have traditionally pursued different objectives and focused on a wide array of targets; however, it was observed that there is a significant degree of coordination between these groups, particularly where targeting of Linux platforms is concerned.
The research identifies two new examples of Android malware, continuing a trend seen in a previous report which examined how APT groups have been leveraging mobile malware in combination with traditional desktop malware in ongoing cross-platform surveillance and espionage campaigns.
One of the Android malware samples very closely resembles the code in a commercially available penetration testing tool, yet the malware is shown to have been created nearly two years before the commercial tool was first made available for purchase.
The report examines several new variants of well-known malware that are getting by network defenders through the use code-signing certificates for adware, a tactic that the attackers hope will increase infection rates as AV red flags are dismissed as just another blip in a constant stream of adware alerts.
The research also highlights a shift by attackers towards the use of cloud service providers for command-and-control and data exfiltration communications which appear to be trusted network traffic.
A team of cybersecurity researchers has discovered that a large number of mobile apps contain hardcoded secrets allowing others to access private data or block content provided by users.
Hidden behaviors within the app
The study’s findings: that the apps on mobile phones might have hidden or harmful behaviors about which end users know little to nothing, said Zhiqiang Lin, an associate professor of computer science and engineering at The Ohio State University and senior author of the study.
Typically, mobile apps engage with users by processing and responding to user input, Lin said. For instance, users often need to type certain words or sentences, or click buttons and slide screens. Those inputs prompt an app to perform different actions.
For this study, the research team evaluated 150,000 apps. They selected the top 100,000 based on the number of downloads from the Google Play store, the top 20,000 from an alternative market, and 30,000 from pre-installed apps on Android smartphones.
They found that 12,706 of those apps, about 8.5 percent, contained something the research team labeled “backdoor secrets” – hidden behaviors within the app that accept certain types of content to trigger behaviors unknown to regular users.
They also found that some apps have built-in “master passwords,” which allow anyone with that password to access the app and any private data contained within it. And some apps, they found, had secret access keys that could trigger hidden options, including bypassing payment.
“Both users and developers are all at risk if a bad guy has obtained these ‘backdoor secrets,’” Lin said. In fact, he said, motivated attackers could reverse engineer the mobile apps to discover them.
Reverse engineering is a threat
Qingchuan Zhao, a graduate research assistant at Ohio State and lead author of this study, said that developers often wrongly assume reverse engineering of their apps is not a legitimate threat.
“A key reason why mobile apps contain these ‘backdoor secrets’ is because developers misplaced the trust,” Zhao said. To truly secure their apps, he said, developers need to perform security-relevant user-input validations and push their secrets on the backend servers.
The team also found another 4,028 apps – about 2.7 percent – that blocked content containing specific keywords subject to censorship, cyber bullying or discrimination. That apps might limit certain types of content was not surprising – but the way that they did it was: validated locally instead of remotely, Lin said.
“On many platforms, user-generated content may be moderated or filtered before it is published,” he said, noting that several social media sites, including Facebook, Instagram and Tumblr, already limit the content users are permitted to publish on those platforms.
“Unfortunately, there might exist problems – for example, users know that certain words are forbidden from a platform’s policy, but they are unaware of examples of words that are considered as banned words and could result in content being blocked without users’ knowledge,” he said.
“Therefore, end users may wish to clarify vague platform content policies by seeing examples of banned words.”
In addition, he said, researchers studying censorship may wish to understand what terms are considered sensitive. The team developed an open source tool, named InputScope, to help developers understand weaknesses in their apps and to demonstrate that the reverse engineering process can be fully automated.
There has been a spike in digital commerce since social distancing became widespread globally, according to a TransUnion research.
The research found a 23% increase in global e-commerce transactions in the week following the World Health Organization declaring the novel coronavirus outbreak a pandemic on March 11th compared to the average weekly volume in 2020.
“It is clear that social distancing has changed consumer shopping behaviors globally and will continue to do so for the foreseeable future,” said Greg Pierson, senior vice president of business planning and development at TransUnion. “No doubt fraudsters will continue to follow the trends of good consumers and adjust their schemes accordingly.”
Increase in account takeover
In a recent survey of 1068 Americans 18 and older, 22% said they have been targeted by digital fraud related to COVID-19. The survey reported a 347% increase in account takeover and 391% rise in shipping fraud attempts globally against its online retail customers from 2018 to 2019.
“With so many reported data breaches, it’s not just about if your account will be hijacked, it’s about when,” said Melissa Gaddis, senior director of customer success for TransUnion Fraud & Identity Solutions.
“Once a fraudster breaks into an account, they have access to everything imaginable resulting in stolen credit card numbers and reward points, fraudulent purchases, and redirecting shipments to other addresses.”
E-commerce fraud and transaction methods
Typical methods used to take over an account include buying login details on the dark web, credential stuffing, hacking, phishing, romance scams and social engineering.
Shipping fraud is when criminals take over a customer account but don’t change the shipping address in order to avoid detection. Once the package has shipped, they intercept it at the carrier site and change the shipping address.
Besides account takeover and shipping fraud, there were also other significant e-commerce fraud and transaction trends:
- 42% decrease in promotion abuse from 2018 to 2019. Cybercriminals access accounts to drain loyalty points or create multiple new accounts to use the same promotion over and over, often against website and app terms. TransUnion believes this decrease can be attributed to fraudsters turning to more lucrative schemes such as account takeover.
- 78% of all e-commerce transactions came from mobile devices in 2019. That’s a 33% increase from 2018. E-commerce companies are scrambling to ensure a mobile-first experience for consumers not just to browse but to buy.
- 118% increase in risky transactions from mobile devices in 2019. Fraudsters have taken notice that more e-commerce transactions are coming from mobile devices and are trying to replicate that consumer behavior in order to avoid detection.
“Although the death of brick and mortar has been well documented, there is still plenty of room for e-commerce growth with one report claiming online retail only makes up 14% of all global retail sales,” said Gaddis.
“With so much room left for growth, it’s important that retailers stay ahead of the emerging transaction and retail trends to provide a friction-right experience for consumers and a fraudster-proof barrier.”
We sat down with Demi Ben-Ari, CTO at Panorays, to discuss the cybersecurity risks of remote work facilitated by virtual environments.
The global spread of the COVID-19 coronavirus has had a notable impact on workplaces worldwide, and many organizations are encouraging employees to work from home. What are the cybersecurity implications of this shift?
Having a sizable amount of employees suddenly working remotely can be a major change for organizations and presents numerous problems with regard to cybersecurity.
One issue involves a lack of authentication and authorization. Because people are not seeing each other face-to-face, there is an increased need for two-factor authentication, monitoring access controls and creating strong passwords. There’s also a risk of increased attacks like phishing and malware, especially since employees will now likely receive an unprecedented amount of emails and online requests.
Moreover, remote working can effectively widen an organization’s attack surface. This is because employees who use their own devices for work can introduce new platforms and operating systems that require their own dedicated support and security. With so many devices being used, it’s likely that at least some will fall through the security cracks.
Finally, these same security considerations apply to an organization’s supply chain. This can be challenging, because often smaller companies lack the necessary know-how and human resources to implement necessary security measures. Hackers are aware of this and can start targeting third-party suppliers with the goal of penetrating upstream partners.
What are the hidden implications of human error?
With less effective communication, organizations are unquestionably more prone to human error. When you’re not sitting next to the person you work with, the chances of making configuration mistakes that will expose security gaps are much higher. These cyber gaps can then be exploited by malicious actors.
IT departments are especially prone to error because they are changing routine and must open internal systems to do external work. For example, because of the shift to a remote workplace, IT teams may have to introduce network and VPN configurations, new devices, ports and IT addresses. Such changes effectively result in a larger attack surface and create the possibility that something may be set up incorrectly when implementing these changes.
The fact that people are not working face-to-face exacerbates the situation: Because it’s harder to confirm someone’s identity, there’s more room for error.
What are the potential compliance implications of this huge increase in mobile working?
There’s greater risk, because employees are not on the organization’s network and the organization is not fully in control of their devices. Essentially, the organization has lost the security of being in a physical protected area. As a result, organizations also open themselves up to greater risk of not adequately complying with regulations that demand a certain level of cybersecurity.
Another compliance issue is related to change. For example, an organization may be certified for SOC2, but those controls may not remain in place with people working from home. Thus a major, sudden change like a mass remote workforce can unintentionally lead to noncompliance.
How can organizations efficiently evaluate new vendors, eliminate security gaps and continuously monitor their cyber posture?
As part of their third-party security strategy, organizations should take the following steps:
1. Map all vendors along with their relationship to the organization, including the type of data they access and process. For example, some vendors store and process sensitive data, while others might have access to update software code on the production environment.
2. Prioritize vendors’ criticality. Some vendors are considered more critical than others in terms of the business impact they pose, the technology relationship with an organization or even regulatory aspects. For example, a certain supplier might be processing all employee financial information while another supplier might be a graphic designer agency that runs posters of a marketing event.
3. Gain visibility and control over vendors. This can be accomplished by using a solution to thoroughly assess vendors, preferably with a combination of scanning the vendor’s attack service along with completion of security questionnaires. With the shift to remote working, organizations should also be sure to include questions that assess vendors’ preparedness for working at home.
4. Continuously monitor vendors’ security posture. Visibility and control require a scalable solution for the hundreds or even thousands of suppliers that organizations typically engage with these days. Organizations should ensure that their solution alerts of any changes in cyber posture and that they respond accordingly. For example, organizations may decide to limit access, or even completely close connections between the supplier and the organization’s environment.