As we near 2021, it seems that the changes to our working life that came about in 2020 are set to remain. Businesses are transforming as companies continue to embrace remote working practices to adhere to government guidelines. What does the next year hold for organizations as they continue to adapt in the age of the Everywhere Enterprise?
We will see the rush to the cloud continue
The pandemic saw more companies than ever move to the cloud as they sought collaboration and productivity tools for employee bases working from home. We expect that surge to continue as more companies realize the importance of the cloud in 2021. Businesses are prepared to preserve these new working models in the long term, some perhaps permanently: Google urged employees to continue working from home until at least next July and Twitter stated employees can work from home forever if they prefer.
Workforces around the world need to continue using alternatives to physical face-to-face meetings, and remote collaboration tools will help. Cloud-based tools are perfect for that kind of functionality, which is partly why many customers that are not in the cloud want to be. The customers who already started the cloud migration journey are also moving more resources to public cloud infrastructure.
People will be the new perimeter
While people will eventually return to the office, they won’t do so full-time, and they won’t return in droves. This shift will close the circle on a long trend that has been building since the mid-2000s: the dissolution of the network perimeter. The network and the devices that defined its perimeter will become even less special from a cybersecurity standpoint.
Instead, people will become the new perimeter. Their identity will define what they’re allowed to access, both inside and outside the corporate network. Even when they are logged into the network, they will have minimal access to resources until they and the device they are using have been authenticated and authorized. This approach, known as zero trust networking, will pervade everything, covering not just employees, but customers, contractors, and other business partners.
User experience will be increasingly important in remote working
Happy, productive workers are even more important during a pandemic, especially as employees are, on average, working three hours longer since the pandemic started, disrupting the work-life balance. It’s up to employers to focus on the user experience and make workers’ lives as easy as possible.
When the COVID-19 lockdown began, companies coped by expanding their remote VPN usage. That got them through the immediate crisis, but it was far from ideal. On-premises VPN appliances suffered a capacity crunch as they struggled to scale, creating performance issues, and users found themselves dealing with cumbersome VPN clients and log-ins. It worked for a few months, but as employees settle in to continue working from home in 2021, IT departments must concentrate on building a better remote user experience.
Old-school remote access mechanisms will fade away
This focus on the user experience will change the way that people access computing resources. In the old model, companies used a full VPN to tunnel all traffic via the enterprise network. This introduced latency issues, especially when accessing applications in the cloud because it meant routing all traffic back through the enterprise data center.
It’s time to stop routing cloud sessions through the enterprise network. Instead, companies should allow remote workers to access them directly. That means sanitizing traffic either on the device itself or in the cloud.
User authentication improvements
Part of that new approach to authentication involves better user verification. That will come in two parts. First, it’s time to ditch the password. The cybersecurity community has advocated this for a long time, but the work-from-home trend will accelerate it. Employees accessing from mobile devices are increasingly using biometric authentication, which is more secure and convenient.
The second improvement to user verification will see people logging into applications less often. Sessions will persist for longer, based on deep agent-based device knowledge that will form a big part of the remote access experience.
Changing customer interactions will require better mobile security
It isn’t just employees who will need better mobile security. Businesses will change the way that they interact with customers too. We can expect fewer person-to-person interactions in retail as social distancing rules continue. Instead, contact-free transactions will become more important and businesses will move to self-checkout options. Retailers must focus more on mobile devices for everything from browsing products, to ordering and payment.
The increase in QR codes presents a great threat
Retailers and other companies are already using QR codes, and will use them more and more, to provide contact-free access to things like menus and payment systems, as well as to comply with social distancing rules. Users can scan them from two meters away, making them perfect for payments and product information.
The problem is that they were never designed for these applications or digital authentication and can easily be replaced with malicious codes that manipulate smartphones in unexpected and damaging ways. We can expect to see QR code fraud problems increase as the usage of these codes expands in 2021.
The age of the Everywhere Enterprise
One overarching message came through clearly in our conversations with customers: the enterprise changed for the longer term in 2020, and this will have profound effects in 2021. What began as a rushed reaction during a crisis this year will evolve during the next as the IT department joins HR in rethinking employee relationships in the age of the everywhere enterprise.
If 2020 was the year that businesses fell back on the ropes, 2021 will be the one where they bounce forward, moving from a rushed reaction into a thoughtful, measured response.
Security researcher Rafay Baloch has discovered address bar spoofing vulnerabilities in several mobile browsers, which could allow attackers to trick users into sharing sensitive information through legitimate-looking phishing sites.
“With ever growing sophistication of spear phishing attacks, exploitation of browser-based vulnerabilities such as address bar spoofing may exacerbate the success of spear phishing attacks and hence prove to be very lethal,” he noted.
“First and foremost, it is easy to persuade the victim into stealing credentials or distributing malware when the address bar points to a trusted website and giving no indicators of forgery, secondly since the vulnerability exploits a specific feature in a browser, it can evade several anti-phishing schemes and solutions.”
The address bar spoofing vulnerabilities and affected mobile browsers
Unlike desktop browsers, mobile browsers are not great at showing security indicators that might point to a site’s malicious nature. In fact, pretty much the only consistent indicator is the address bar (i.e. a suspicious-looking URL in it).
So if the attacker is able to spoof the URL and show the one the user expects – for example, apple.com for a phishing site that impersonates Apple – chances are good the user will enter their login credentials into it. The vulnerabilities discovered by Baloch permit exactly that, and affect the:
- UC Browser, Opera Mini, Yandex Browser and RITS Browser for Android
- Opera Touch, Bolt Browser and Safari for iOS
“By messing with the timing between page loads and when the browser gets a chance to refresh the address bar, an attacker can cause either a pop-up to appear to come from an arbitrary website or can render content in the browser window that falsely appears to come from an arbitrary website.”
Fixes for some, not for others
As 60+ days have passed since the vendors were apprised of the existence of the flaws, Baloch released some details and several PoC exploits.
In the meantime:
- Apple and Yandex pushed out fixes
- Opera released security updates for Opera Touch and is expected to do the same for Opera Mini in early November
- Raise IT Solutions planned to release a fix for the RITS Browser this week, but hasn’t yet
- UCWeb (the creators of the UC Browser) haven’t responded to the report, and it’s doubtful whether the creator of the Bolt Browser knows about the vulnerabilities, as they haven’t been able to contact him (disclosure notification bounced when sent to the support email listed)
Users should implement the offered updates (if they don’t have the “auto-update” option switched on). Those who use browsers that still don’t have fixes available might want to consider switching to a browser that’s more actively developed/patched.
But all should be extra careful when thinking about clicking on links received via text or email from unknown sources. These flaws have been remediated, but other similar ones will surely be discovered in the future – let’s just hope it’s by researchers, and not attackers.
Google has released Chrome 86 for desktop and mobile, which comes with several new and improved security features for mobile users, including:
- New password protections
- Enhanced Safe Browsing
- Easier password filling
- Mixed form warnings and mixed downloads warnings/blocks
New password security features in Chrome 86
The Password Checkup feature came first in the form of a Chrome extension, then was built into Google Account’s password manager and Chrome, and now it has been enhanced with support for the “.well-known/change-password” standard – a W3C specification that defines a well-known URL that sites can use to make their change password forms discoverable by tools (e.g. Chrome, or the latest version of Safari).
This change means that, after they’ve been alerted that their password has been compromised, Chrome will take users directly to the right “change password” form. Hopefully, this will spur more users to act upon the alert.
Enhanced Safe Browsing is added to Chrome for Android
Enhanced Safe Browsing mode, which was first introduced in Chrome 83 (for desktop versions), allows users to get more personalized protection against malicious sites.
“When you turn on Enhanced Safe Browsing, Chrome can proactively protect you against phishing, malware, and other dangerous sites by sharing real-time data with Google’s Safe Browsing service. Among our users who have enabled checking websites and downloads in real time, our predictive phishing protections see a roughly 20% drop in users typing their passwords into phishing sites,” noted AbdelKarim Mardini, Senior Product Manager, Chrome.
In addition to this, Safety Check – an option that allows users to scan their Chrome installation to check whether the browser is up to date, whether the Safe Browsing service is enabled, and whether any of the passwords the user uses have been compromised in a known breach – is now available to Chrome for Android and iOS.
Biometric authentication for autofilling of passwords on iOS
iOS users can finally take advantage of the convenient password autofill option that was made available a few months ago to Android users.
The option allows iOS users to authenticate using Face ID, Touch ID, or their phone passcode before their saved passwords are automatically filled into sites and iOS apps (the Chrome autofill option must be turned on in Settings).
Mixed form/download warnings
Mixed content, i.e., insecure content served from otherwise secure (HTTPS) pages, is a danger to users.
Chrome 86 will warn users when they are about to submit information through a non-secure form embedded in an HTTPS page and when they are about to initiate insecure downloads over non-secure links.
For the moment, Chrome will block the download of executables and archive files over non-secure links but show a warning if the user tries to download document files, PDFs, and multimedia files. The next few Chrome versions will block those as well.
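A site owner can look for both conditions before users see the warnings. The following is an added example, not code from Google or from the original article: it scans the HTML of an HTTPS page for forms that submit over HTTP and for download links served over HTTP. The extension lists, host names and sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import posixpath

# Assumed, abbreviated extension lists for illustration only.
BLOCKED_EXTS = {".exe", ".apk", ".msi", ".dmg", ".zip", ".gz", ".iso"}
WARNED_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".mp3", ".mp4"}


class MixedContentAudit(HTMLParser):
    """Collects insecure form targets and insecure download links."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            target = urljoin(self.page_url, attrs.get("action") or "")
            if urlparse(target).scheme == "http":
                self.findings.append(("mixed-form", target))
        elif tag == "a" and attrs.get("href"):
            # Resolve relative and scheme-relative links against the page.
            target = urljoin(self.page_url, attrs["href"])
            parsed = urlparse(target)
            if parsed.scheme != "http":
                return
            ext = posixpath.splitext(parsed.path)[1].lower()
            if ext in BLOCKED_EXTS:
                self.findings.append(("download-blocked", target))
            elif ext in WARNED_EXTS:
                self.findings.append(("download-warned", target))


def audit_page(page_url, html):
    """Return (kind, url) findings for a page served over HTTPS."""
    if urlparse(page_url).scheme != "https":
        return []  # mixed content only applies to secure pages
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page (hypothetical hosts).
PAGE_URL = "https://shop.example.com/checkout"
SAMPLE_HTML = """
<form action="/search"><input name="q"></form>
<form action="http://pay.example.com/submit"><input name="card"></form>
<a href="http://downloads.example.com/setup.exe">Installer</a>
<a href="http://downloads.example.com/manual.pdf">Manual</a>
<a href="//downloads.example.com/app.zip">Archive</a>
<a href="/about">About</a>
"""

if __name__ == "__main__":
    for kind, url in audit_page(PAGE_URL, SAMPLE_HTML):
        print(f"{kind:17} {url}")
```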
Last but not least, Google has fixed 35 security issues in Chrome 86, including a critical use-after-free vulnerability in payments (CVE-2020-15967).
Where there’s money, there’s also an opportunity for fraudulent actors to leverage security flaws and weak entry-points to access sensitive, personal consumer information.
This has caused a sizeable percentage of consumers to avoid adopting mobile banking completely and has become an issue for financial institutions who must figure out how to provide a full range of financial services through the mobile channel in a safe and secure way. However, with indisputable demand for a mobile-first experience, the pressure to adapt has become unavoidable.
In order to offer that seamless, omnichannel experience consumers crave, financial institutions have to understand the malicious actors and fraudulent tactics they are up against. Here are a few that have to be on the mobile banking channel’s radar.
1. Increased device usage sparks surge in mobile malware
Banking malware has become a very common mobile threat, even more so now as fraudsters leverage fear and uncertainty surrounding the global pandemic. According to a recent report by Malwarebytes, mobile banking malware has surged over recent months, focused on stealing personal information and using weakened remote connections and mobile devices in a work-from-home environment to gain access to more valuable corporate networks.
The financial burden of a data breach resulting from mobile malware could potentially set organizations back millions of dollars, as well as do some serious damage to customer trust and loyalty.
2. Sacrificing software quality and security by effecting premature product rollouts
Securing mobile is a laborious task that requires mobile app developers to factor in several entities, including device manufacturers, mobile operating system developers, app developers, mobile carriers, and service providers. No two platforms or devices can be secured in the same way, meaning developers are constantly having to overcome a unique set of challenges in order to reduce the risk of fraudulent activity.
The reality of such a complex ecosystem is that mobile app developers are not always qualified to understand all the risks at play, which leads to unsecured mobile data, connections, and transactions. Additionally, the speed at which the market moves thanks to emerging technologies and innovations creates an added layer of pressure for developers. Lacking the resources and time to properly protect consumers can lead to high-profile attacks where sensitive data is exploited.
3. Vulnerabilities in digital security protocols
At any given time, every entity in the ecosystem described above must have high confidence in the entity on the other side of the transaction to ensure its legitimacy. A lack of digital security protocols like secure sockets layer (SSL) and transport layer security (TLS) in mobile banking apps makes it difficult to establish encrypted links between every entity that ultimately help prevent phishing and man-in-the-middle attacks.
If we continue growing our ecosystem at the current rate, adding to its complexity and connecting more and more third-party services and networks, we can no longer avoid fixing the broken system we have for SSL certificate validation.
4. Unreliable mobile device identification
Another issue at play is device identification. The only way other entities in the ecosystem can recognize a unique device is through device fingerprinting. This is a process through which certain unique attributes of a device – operating system, type and version of web browser, the device’s IP address, etc. – are combined for identification. This information can then be pulled from a database for future fraud prevention purposes and a range of other use-cases.
Data privacy concerns and limited data sharing on devices, however, have weakened the process and reliability of identification. If we do not have enough discrete data points to establish a reliable digital fingerprint, the whole system becomes ineffective.
5. Time to update authentication techniques
Fraudsters are always on the lookout for ways to intercept confidential login information that grants them access to protected accounts. Two-factor authentication (2FA) has become banks’ preferred security method for reliably authenticating users trying to access the mobile channel and staying ahead of cybercriminals.
More often than not, 2FA relies on one-time-passwords (OTPs) delivered by SMS to the account holder upon attempted login. Unfortunately, with phishing – especially via SMS – on the rise, hackers can gain access to a mobile device and the OTPs delivered to it via SMS, and then use them to access accounts and authenticate fraudulent transactions.
There are also a number of other tactics – e.g., SIM-swapping – attackers use to gain access to sensitive information and accounts.
6. Lack of industry regulation and standards
Without the establishment of rigorous standards and guidance on online banking security and protecting the end-user, low consumer trust will inhibit mass market acceptance. The Federal Financial Institutions Examination Council (FFIEC) has yet to issue ample guidance on the topic of authentication and identification on mobile devices. Mobile security standards need to be a top priority for regulators, especially as new technologies and mobile malware continue to disrupt the market.
The underlying theme for banks to keep in mind is that trust is a currency they cannot afford to lose in such a competitive financial services market. In the race to provide seamless, omnichannel banking experiences, integrating better security protocols without compromising usability can feel like a constant balancing act. Researching the latest tools and technology as well as building trusted partner relationships with third-party service providers is the only way banks can differentiate themselves in a dynamic security landscape.
There’s a massive amount of complexity plaguing today’s enterprise endpoint environments. The number of agents piling up on enterprise endpoint devices – up on average – is hindering IT and security’s ability to maintain foundational security hygiene practices, such as patching critical vulnerabilities, which may actually weaken endpoint security defenses, Absolute reveals.
Also, critical endpoint controls like encryption and antivirus agents, or VPNs, are prone to decay, leaving them unable to protect vulnerable devices, data, and users – with more than one in four enterprise devices found to have at least one of these controls missing or out of compliance.
Increasing security spend does not guarantee security
In addition to heightening risk exposure, the failure of critical endpoint controls to deliver their maximum intended value is also resulting in security investments and, ultimately, wasted endpoint security spend.
According to Gartner, “Boards and senior executives are asking the wrong questions about cybersecurity, leading to poor investment decisions. It is well-known to most executives that cybersecurity is falling short. There is a consistent drumbeat directed at CIOs and CISOs to address the limitations, and this has driven a number of behaviors and investments that will also fall short.”
“What has become clear with the insights uncovered in this year’s report is that simply increasing security spend annually is not guaranteed to make us more secure,” said Christy Wyatt, President and CEO of Absolute.
“It is time for enterprises to increase the rigor around measuring the effectiveness of the investments they’ve made. By incorporating resilience as a key metric for endpoint health, and ensuring they have the ability to view and measure Endpoint Resilience, enterprise leaders can maximize their return on security investments.”
The challenges of maintaining resilience
Without the ability to self-heal, critical controls suffer from fragility and lack of resiliency. Also, endpoint resilience is dependent not just on the health of single endpoint applications, but also combinations of apps.
The massive amount of complexity uncovered means that even the most well-functioning endpoint agents are at risk of collision or failure once deployed across today’s enterprise endpoint environments.
IT and security teams need intelligence into whether individual endpoint controls, as well as various combinations of controls, are functioning effectively and maintaining resilience in their own unique endpoint environment.
Single vendor application pairings not guaranteed to work seamlessly together
In applying the criteria for application resilience to same-vendor pairings of leading endpoint protection and encryption apps, widely varied average health and compliance rates among these pairings were found.
The net-net here is that sourcing multiple endpoint agents from a single vendor does not guarantee that those apps will not ultimately collide or decay when deployed alongside one another.
Progress in Windows 10 migration
Much progress was made in Windows 10 migration, but fragmentation and patching delays leave organizations potentially exposed. Our data showed that while more than 75 percent of endpoints had made the migration to Windows 10 (up from 54 percent last year), the average Windows 10 enterprise device was more than three months behind in applying the latest security patches – perhaps unsurprisingly, as the data also identified more than 400 Windows 10 build releases across enterprise devices.
This delay in patching is especially concerning in light of a recent study that shows 60 percent of data breaches are the result of a known vulnerability with a patch available, but not applied.
Relying on fragile controls and unpatched devices
Fragile controls and unpatched devices are being relied on to protect remote work environments. With the rise of remote work environments in the wake of the COVID-19 outbreak, as of May 2020, one in three enterprise devices is now being used heavily (more than 8 hours per day).
The data also shows a 176 percent increase in the number of enterprise devices with collaboration apps installed as of May 2020, versus pre-COVID-19. This means the average attack surface, and potential vulnerabilities, has expanded significantly across enterprises.
The percentage of companies admitting to suffering a mobile-related compromise has grown, despite a higher percentage of organizations deciding not to sacrifice the security of mobile devices to meet business targets.
To make things worse, the C-suite is the most likely group within an organization to ask for relaxed mobile security protocols – despite also being highly targeted by cyberattacks.
In order to select a suitable mobile security solution for your business, you need to consider a lot of factors. We’ve talked to several industry professionals to get their insight on the topic.
Liviu Arsene, Global Cybersecurity Analyst, Bitdefender
A business mobile security solution needs to have a clear set of minimum abilities or features for securing devices and the information stored on them, and for enabling IT and security teams to remotely manage them easily.
For example, a mobile security solution for business needs to have excellent malware detection capabilities, as revealed by third-party independent testing organizations, with very few false positives, a high detection rate, and minimum performance impact on the device. It needs to allow IT and security teams to remotely manage the device by enabling policies such as device encryption, remote wipe, application whitelisting/blacklisting, and online content control.
These are key aspects for a business mobile security solution as it both allows employees to stay safe from online and physical threats, and enables IT and security teams to better control, manage, and secure devices remotely in order to minimize any risk associated with a compromised device. The mobile security solution should also be platform agnostic, easily deployable on any mobile OS, centrally managed, and allow users to switch from profiles covering connectivity and encryption (VPN) settings based on the services the user needs.
Fennel Aurora, Security Adviser at F-Secure
Making any choice of this kind starts from asking the right questions. What is your company’s threat model? What are your IT and security management capabilities? What do you already know today about your existing IT, shadow IT, and employees’ bring-your-own-devices?
If you are currently doing nothing and have little IT resources internally, you will not have the same requirements as a global corporation with whole departments handling this. As a farming supplies company, you will not face the same threats, and so have the same requirements, as an aeronautics company working on defense contracts.
In reality, even the biggest companies do not systematically do all of the 3 most basic steps. Firstly, you need to inventory your devices and IT, and be sure that the inventory is complete and up-to-date as you can’t protect what you don’t know about. You also need at minimum to protect your employees’ devices against basic phishing attacks, which means using some kind of AV with browsing protection. You need to be able to deploy and update this easily via a central tool. A good mobile AV product will also protect your devices against ransomware and banking trojans via behavioral detection.
Finally, you need to help people use better passwords, which means helping them install and start using a password manager on all their devices. It also means helping them get started with multi-factor authentication.
Jon Clay, Director of Global Threat Communications, Trend Micro
Many businesses secure their PCs and servers from malicious code and cyber attacks as they know these devices are predominately what malicious actors will target. However, we are increasingly seeing threat actors target mobile devices, whether to install ransomware for quick profit, or to steal sensitive data to sell in the underground markets. This means that organizations can no longer choose to forego including security on mobile devices – but there are a few challenges:
- Most mobile devices are owned by the employee
- Most of the data on the mobile device is likely to be personal to the owner
- There are many different device manufacturers and, as such, difficulties in maintaining support
- Employees access corporate data on their personal devices regularly
Here are a few key things that organizations should consider when looking to select a mobile security solution:
- Lost devices are one reason for lost data. Requiring users to encrypt their phones using a passcode or biometric option will help mitigate this risk.
- Malicious actors are looking for vulnerabilities in mobile devices to exploit, making regular update installs for OS and applications extremely important.
- Installing a security application can help with overall security of the device and protect against malicious attacks, including malicious apps that might already be installed on the device.
- Consider using some type of remote management to help monitor policy violations. Alerts can also help organizations track activities and attacks.
Discuss these items with your prospective vendors to ensure they can provide coverage and protection for your employees’ devices. Check their research output to see if they understand and regularly identify new tactics and threats used by malicious actors in the mobile space. Ensure their offering can cover the tips listed above and if they can help you with more than just mobile.
Jake Moore, Cybersecurity Specialist, ESET
Companies need to understand that their data is effectively insecure when their devices are not properly managed. Employees will tend to use their company-supplied devices in personal time and vice versa.
This unintentionally compromises private corporate data, due to activities like storing documents in unsecure locations on their personal devices or online storage. Moreover, unmanaged functions like voice recognition also contribute to organizational risk by letting someone bypass the lock screen to send emails or access sensitive information – and many mobile security solutions are not foolproof. People will always find workarounds, which for many is the most significant problem.
In order to select the best mobile security solution for your business you need to find a happy balance between security and speed of business. These two issues rarely go hand in hand.
As a security professional, I want protection and security to be at the forefront of everyone’s mind, with dedicated focus to managing it securely. As a manager, I would want the functionality of the solution to be the most effective when it comes to analyzing data. However, as a user, most people favor ease of use and convenience at the detriment of other more important factors.
Both users and security staff need to be cognizant of the fact that they’re operating in the same space and must work together to strike the same balance. It’s a shared responsibility but, importantly, companies need to decide how much risk they are willing to accept.
Anand Ramanathan, VP of Product Management, McAfee
The permanent impact of COVID-19 has heightened attacker focus on work-from-home exploits while increasing the need for remote access. Security professionals have less visibility and control over WFH environments where employees are accessing corporate applications and data, so any evaluation of mobile security should be based on several fundamental criteria:
- “In the wild security”: You don’t know if or how mobile devices are connecting to a network at any given time, so it’s important that the protection is on-device and not dependent on a connection to determine threats, vulnerabilities or attacks.
- Comprehensive security: Malicious applications are a single vector of attack. Mobile security should also protect against phishing, network-based attacks and device vulnerabilities. Security should protect the device against known and unknown threats.
- Integrated privacy protection: Given the nature of remote access from home environments, you should have the ability to protect privacy without sending any data off the device.
- Low operational overhead: Security professionals have enough to do in response to new demands of supporting business in a COVID world. They shouldn’t be obligated to manage mobile devices differently than other types of endpoint devices and they shouldn’t need a separate management console to do so.
Google has released a patch for CVE-2020-0096, a critical escalation of privilege vulnerability in Android that allows attackers to hijack apps (tasks) on the victim’s device and steal data.
Dubbed StrandHogg 2.0 because it’s similar to the StrandHogg vulnerability exploited by hackers in late 2019, it affects all but the latest version of Android. The good news is, though, that there is no indication it is being actively used by attackers.
About StrandHogg 2.0 (CVE-2020-0096)
Like StrandHogg before it, CVE-2020-0096:
- Doesn’t need the target device to be rooted and doesn’t require any specific permissions
- Allows hackers to hijack nearly any app, i.e., to insert an overlay when the app is opened. The overlay takes the form of a login screen, request for permissions, etc.
Unlike StrandHogg, StrandHogg 2.0:
- Can attack nearly any app on a given device simultaneously at the touch of a button (and not just one app at a time)
- Is more difficult to detect because of its code-based execution.
“The key difference between StrandHogg (1.0), and StrandHogg 2.0 is that the former uses an attribute called taskAffinity to achieve the task hijacking,” Promon researchers explained.
“For the attacker, the disadvantage of taskAffinity is that it has to be compiled into AndroidManifest.xml of the malicious app, in plaintext. While taskAffinity has many legitimate uses, it still means that this serves as a tip-off to Google Play Protect to detect malicious apps exploiting StrandHogg (1.0).”
StrandHogg 2.0 uses a different method for task hijacking that leaves no markers. Also, hackers can use obfuscation and reflection to make static analysis of the malicious app difficult.
Promon researcher John Høegh-Omdal says that malware that exploits StrandHogg 2.0 will be harder for anti-virus and security scanners to detect.
Who’s affected and what to do?
According to Promon’s research, the vulnerability affects all Android versions below Android 10 (with the caveat that early Android versions (<4.0.1) have not been tested). Google has released a patch to Android ecosystem partners in April 2020 and a fix for Android versions 8.0, 8.1, and 9 to the public in May 2020.
“Attackers looking to exploit StrandHogg 2.0 will likely already be aware of the original StrandHogg vulnerability and the concern is that, when used together it becomes a powerful attack tool for malicious actors,” says Tom Lysemose Hansen, CTO and founder of Promon.
As with StrandHogg, users are advised to be wary of permission pop-ups that don’t contain an app name and apps that they have already logged into asking for login credentials.
“Android users should update their devices to the latest firmware as soon as possible in order to protect themselves against attacks utilising StrandHogg 2.0. Similarly, app developers must ensure that all apps are distributed with the appropriate security measures in place in order to mitigate the risks of attacks in the wild,” Hansen advises.
These measures include setting all of the app’s public activities to launchMode="singleTask" or launchMode="singleInstance" in AndroidManifest.xml.
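A developer or reviewer can check a manifest against both points above: the launchMode measure, and the plaintext taskAffinity marker that Promon describes for StrandHogg (1.0). The script below is an added example, not code from Promon or Google; the sample manifest, package names and function names are constructed, and the "public activity" rule (explicitly exported, or carrying an intent filter when `android:exported` is absent) and the "foreign affinity" heuristic are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by AndroidManifest.xml.
ANDROID = "{http://schemas.android.com/apk/res/android}"
SAFE_LAUNCH_MODES = {"singleTask", "singleInstance"}
# Some manifest decoders emit the enum's integer value instead of its name.
LAUNCH_MODE_BY_INT = {"0": "standard", "1": "singleTop",
                      "2": "singleTask", "3": "singleInstance"}

# Constructed sample: a plaintext manifest (source tree or decoded APK).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <application>
    <activity android:name=".LoginActivity" android:exported="true"
              android:launchMode="singleTask">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <activity android:name=".DeepLinkActivity" android:launchMode="singleTop">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <activity android:name=".HelpActivity"
              android:taskAffinity="com.example.other"/>
  </application>
</manifest>
"""


def _activities(manifest_xml):
    """Return (package name, list of <activity> elements)."""
    root = ET.fromstring(manifest_xml)
    return root.get("package", ""), root.findall("./application/activity")


def _is_public(activity):
    """Explicit android:exported wins; otherwise an intent filter implies it."""
    exported = activity.get(ANDROID + "exported")
    if exported is not None:
        return exported.strip().lower() == "true"
    return activity.find("intent-filter") is not None


def _launch_mode(activity):
    raw = activity.get(ANDROID + "launchMode", "standard")
    return LAUNCH_MODE_BY_INT.get(raw, raw)


def audit_launch_modes(manifest_xml):
    """List (activity, launchMode) for public activities that are not
    singleTask or singleInstance."""
    _, activities = _activities(manifest_xml)
    findings = []
    for act in activities:
        mode = _launch_mode(act)
        if _is_public(act) and mode not in SAFE_LAUNCH_MODES:
            findings.append((act.get(ANDROID + "name"), mode))
    return findings


def foreign_task_affinities(manifest_xml):
    """List (activity, taskAffinity) where the affinity names a package other
    than the app's own. taskAffinity has legitimate uses, so this is a review
    list, not a verdict. Only <activity> elements are inspected."""
    package, activities = _activities(manifest_xml)
    hits = []
    for act in activities:
        affinity = act.get(ANDROID + "taskAffinity")
        if affinity and affinity != package \
                and not affinity.startswith(package + "."):
            hits.append((act.get(ANDROID + "name"), affinity))
    return hits


if __name__ == "__main__":
    for name, mode in audit_launch_modes(SAMPLE_MANIFEST):
        print(f"public activity {name} uses launchMode={mode}")
    for name, affinity in foreign_task_affinities(SAMPLE_MANIFEST):
        print(f"review: {name} declares taskAffinity={affinity}")
```

The taskAffinity check only covers the StrandHogg (1.0) marker; as the researchers note, StrandHogg 2.0 leaves no such marker in the manifest.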
The C-suite is the most likely group within an organization to ask for relaxed mobile security protocols (74%) – despite also being highly targeted by malicious cyberattacks, according to MobileIron.
The study combined research from 300 enterprise IT decision makers across Benelux, France, Germany, the U.K. and the U.S., as well as 50 C-level executives from both the U.K. and the U.S. The study revealed that C-level executives feel frustrated by mobile security protocols and often request to bypass them.
Make security exceptions for the C-suite
- 68% of C-level executives said IT security compromises their personal privacy, while 62% said security limits the usability of their device, and 58% claimed IT security is too complex to understand.
- 76% of C-level executives admitted to requesting to bypass one or more of their organization’s security protocols last year. Of these, 47% requested network access to an unsupported device, 45% requested to bypass multi-factor authentication (MFA) and 37% requested access to business data on an unsupported app.
“Accessing business data on a personal device or app takes data outside of the protected environment, leaving critical business information exposed for malicious users to take advantage of. Meanwhile, MFA – designed to protect businesses from the leading cause of data breaches, stolen credentials – is being side-stepped by C-Suite execs.”
C-level execs highly vulnerable to cyberattacks
The study also revealed that C-level execs are highly vulnerable to cyberattacks:
- 78% of IT decision makers stated that the C-suite is the most likely to be targeted by phishing attacks, and 71% claimed the C-suite is the most likely to fall victim to such attacks.
- 72% of IT decision makers claimed the C-suite is the most likely to forget or need help with resetting their passwords.
“These findings highlight a point of tension between business leaders and IT departments. IT views the C-suite as the weak link when it comes to cybersecurity, while execs often see themselves as above security protocols,” said Foster.
“In today’s modern enterprise, cybersecurity can’t be an optional extra. Businesses need to ensure they have a dynamic security foundation in place that works for everyone within the organization. This means that mobile security must be easy to use, while also ensuring that employees at every level of the business can maintain maximum productivity without interference, and without feeling that their own personal privacy is being compromised.”
Mobile service providers say they are making substantial progress toward ushering in a new generation of 5G networks that will enable ultra-high-speed mobile connectivity and a wide variety of new applications and smart infrastructure use cases.
Progress includes steady work toward virtualizing core network functions and a reexamination of the security investments they will need to protect their networks and customers.
COVID-19 is not expected to significantly delay the progress of 5G deployments, according to a global study report, developed by the Business Performance Innovation (BPI) Network, in partnership with A10 Networks.
The percentage of mobile service providers who say their companies are “moving rapidly toward commercial deployment” has increased significantly in the past year, climbing from 26 percent in a survey announced in early 2019 to 45 percent in the new survey. Virtually all respondents say improved security is a critical network requirement and top concern in the 5G era.
Adding standalone 5G
Early 5G networks are being designed in accordance with the already-approved non-standalone 5G standard. However, 30 percent of respondents say they are already proactively planning to add standalone 5G, and another 9 percent say their companies will move directly to standalone.
Standalone 5G will require a whole new network core utilizing a cloud-native, virtualized, service-based architecture. Many respondents, in fact, say they are making significant progress toward network virtualization.
“Our latest study indicates that major mobile carriers around the world are on track with their 5G plans, and more expect to begin commercial build-outs in the coming months,” said Dave Murray, director of thought leadership with the BPI Network.
“While COVID-19 may result in some short-term delays for operators, the pandemic ultimately demonstrates a global need for higher speed, higher capacity 5G networks and the applications and use case they enable.”
- 81% say industry progress toward 5G is moving rapidly, mostly in major markets, or is at least in line with expectations.
- 71% expect to begin 5G network build-outs within 18 months, including one-third who have already begun or will do so in 2020.
- 95% say virtualizing network functions is important to their 5G plans, and some three-quarters say their companies are either well on their way or making good progress toward virtualization.
- 99% view deployment of mobile edge clouds as an important aspect of 5G networks, with 65% saying they expect edge clouds on their 5G networks within 18 months.
“Mobile operators globally need to proactively prepare for the demands of a new virtualized and secure 5G world,” said Gunter Reiss, worldwide vice president of A10 Networks, a provider of secure application services for mobile operators worldwide.
“That means boosting security at key protection points like the mobile edge, deploying a cloud-native infrastructure, consolidating network functions, leveraging new CI/CD integrations and DevOps automation tools, and moving to an agile and hyperscale service-based architecture as much as possible.
“All of these improvements will pay dividends immediately with existing networks and move carriers closer to their ultimate goals for broader 5G adoption and the roll-out of new and innovative ultra-reliable low-latency use cases.”
Challenges: The security mandate
The industry’s top 5G challenges:
- Heavy cost of build-outs (59%)
- Security of network (57%)
- Need for new technical skills (55%)
- Lack of 5G enabled devices (42%)
Importance of security to 5G:
- 99% rate security as important to their 5G planning, higher than even network reach and coverage or network capacity and throughput
- 97% say increased traffic, connected devices and mission-critical use cases significantly increase security and reliability concerns for 5G
- 93% say their security investments are already being affected (52%) or are under review (41%) due to 5G requirements
Top use cases expected to power 5G adoption
Next two years:
- Ultra-high-speed connectivity (81%)
- Industrial automation & smart manufacturing (62%)
- Smart cities (54%)
- Connected vehicles
Next 5 to 6 years:
- Smart cities (62%)
- Ultra-high-speed connectivity (59%)
- Connected Vehicles (57%)
- Industrial automation & smart manufacturing (42%)
“Mobile operators globally need to be proactively preparing for the demands of a new 5G world,” Reiss said.
We sat down with Demi Ben-Ari, CTO at Panorays, to discuss the cybersecurity risks of remote work facilitated by virtual environments.
The global spread of the COVID-19 coronavirus has had a notable impact on workplaces worldwide, and many organizations are encouraging employees to work from home. What are the cybersecurity implications of this shift?
Having a sizable amount of employees suddenly working remotely can be a major change for organizations and presents numerous problems with regard to cybersecurity.
One issue involves a lack of authentication and authorization. Because people are not seeing each other face-to-face, there is an increased need for two-factor authentication, monitoring access controls and creating strong passwords. There’s also a risk of increased attacks like phishing and malware, especially since employees will now likely receive an unprecedented amount of emails and online requests.
Moreover, remote working can effectively widen an organization’s attack surface. This is because employees who use their own devices for work can introduce new platforms and operating systems that require their own dedicated support and security. With so many devices being used, it’s likely that at least some will fall through the security cracks.
Finally, these same security considerations apply to an organization’s supply chain. This can be challenging, because often smaller companies lack the necessary know-how and human resources to implement necessary security measures. Hackers are aware of this and can start targeting third-party suppliers with the goal of penetrating upstream partners.
What are the hidden implications of human error?
With less effective communication, organizations are unquestionably more prone to human error. When you’re not sitting next to the person you work with, the chances of making configuration mistakes that will expose security gaps are much higher. These cyber gaps can then be exploited by malicious actors.
IT departments are especially prone to error because they are changing routine and must open internal systems to do external work. For example, because of the shift to a remote workplace, IT teams may have to introduce network and VPN configurations, new devices, ports and IP addresses. Such changes effectively result in a larger attack surface and create the possibility that something may be set up incorrectly when implementing these changes.
The fact that people are not working face-to-face exacerbates the situation: Because it’s harder to confirm someone’s identity, there’s more room for error.
What are the potential compliance implications of this huge increase in mobile working?
There’s greater risk, because employees are not on the organization’s network and the organization is not fully in control of their devices. Essentially, the organization has lost the security of being in a physical protected area. As a result, organizations also open themselves up to greater risk of not adequately complying with regulations that demand a certain level of cybersecurity.
Another compliance issue is related to change. For example, an organization may be certified for SOC2, but those controls may not remain in place with people working from home. Thus a major, sudden change like a mass remote workforce can unintentionally lead to noncompliance.
How can organizations efficiently evaluate new vendors, eliminate security gaps and continuously monitor their cyber posture?
As part of their third-party security strategy, organizations should take the following steps:
1. Map all vendors along with their relationship to the organization, including the type of data they access and process. For example, some vendors store and process sensitive data, while others might have access to update software code on the production environment.
2. Prioritize vendors’ criticality. Some vendors are considered more critical than others in terms of the business impact they pose, the technology relationship with an organization or even regulatory aspects. For example, a certain supplier might be processing all employee financial information while another supplier might be a graphic designer agency that runs posters of a marketing event.
3. Gain visibility and control over vendors. This can be accomplished by using a solution to thoroughly assess vendors, preferably with a combination of scanning the vendor’s attack surface along with completion of security questionnaires. With the shift to remote working, organizations should also be sure to include questions that assess vendors’ preparedness for working at home.
4. Continuously monitor vendors’ security posture. Visibility and control require a scalable solution for the hundreds or even thousands of suppliers that organizations typically engage with these days. Organizations should ensure that their solution alerts of any changes in cyber posture and that they respond accordingly. For example, organizations may decide to limit access, or even completely close connections between the supplier and the organization’s environment.
Google has announced the rollout of two new non-negotiable security features for Android users who have also enrolled in the company’s Advanced Protection Program (APP).
What is the Advanced Protection Program?
In late 2017, Google decided to provide additional security for those who are at an elevated risk of targeted attacks – e.g., journalists, human rights and civil society activists, campaign staffers, people in abusive relationships, etc. – and are willing to trade off a bit of convenience for more protection.
Initially offered only for consumer/personal Google accounts, in 2019 the program was made available for G Suite accounts, so that high-risk employees such as IT admins, executives, and employees in regulated or high-risk verticals such as finance or government can better secure their email accounts.
Users who enroll must use a physical security key (or their Android, iPhone or iPad device) to gain access to their account, are not able to use untrusted third-party apps that require access to their email account, must go through a stricter account recovery process, have some download protections from Google Safe Browsing (when signed into Google Chrome with the same identity), and their accounts have enhanced email scanning for threats.
The new Google Advanced Protection security features
On Wednesday, Google said that the company is now automatically turning Google Play Protect on for all devices with a Google Account enrolled in Advanced Protection and will require that it remain enabled.
Google Play Protect is a security suite for Android devices that scans and verifies apps users want to download/have downloaded from Google Play and third-party app stores, periodically scans the device for potentially malicious apps, and more.
Google will now also start blocking most apps that come from third-party app stores from being installed on any devices with a Google Account enrolled in Advanced Protection.
“You can still install non-Play apps through app stores that were pre-installed by the device manufacturer and through Android Debug Bridge. Any apps that you’ve already installed from sources outside of Google Play will not be removed and can still be updated,” explained Roman Kirillov, Engineering Manager, Android Security and Privacy.
“G Suite users enrolled in the Advanced Protection Program will not get these new Android protections for now; however, equivalent protections are available as part of endpoint management.”
The percentage of companies admitting to suffering a mobile-related compromise has grown (39%, when compared to last year’s 33%) despite a higher percentage of organizations deciding not to sacrifice the security of mobile and IoT devices to meet business targets, Verizon has revealed in its third annual Mobile Security Index report, which is based on a survey of 876 professionals responsible for the buying, managing and security of mobile and IoT devices, as well as input from security and management companies such as Lookout, VMware and Wandera.
The report also shows that attackers hit businesses big and small, and operating in diverse industries, and that those that had sacrificed mobile security in the past year were 2x as likely to suffer a compromise.
66% of those that suffered a mobile-related compromise said that the impact was major, and 55 percent of those companies said that they suffered lasting repercussions.
“Among those in our survey that had experienced a compromise, downtime was even more common as a consequence than loss of data. Financial services companies were particularly concerned about this – 95% said that their customers expect a reliable service and that even a few minutes of unplanned downtime could have an adverse impact on the company’s reputation,” Verizon pointed out.
Phishing continues to be the most common attack type leveraged against all users and it’s getting ever more sophisticated and targeted.
Mobile users are at a disadvantage because red flags are more difficult to spot in emails rendered on mobile devices, but also because phishers are taking advantage of other communication mediums – such as messaging, gaming, social media apps – for which many organizations don’t have filtering in place.
When attendees of a mobile security event were sent a phishing email that purported to be from the hotel they were staying in, offering a free drink at the bar, a whopping 70% opened it and clicked on the link, according to VMware. Similarly, in a test carried out by a Lookout customer, 54% of executives tapped on a malicious link included in an SMS that looked like it was from a hotel they were due to check into.
Hackers are coming up with new and effective pretexts to get targets to click on malicious links, and are coming up with new ways to disguise them:
They are also finding new ways to hide malicious links and text from spam and phishing filters used by email/SaaS providers (one of the most recent is using customized fonts and a simple substitution cipher).
Downloading and installing apps that ask for permission to access all kinds of (potentially sensitive) data represents a risk, but malware posing as legitimate apps presents a more immediate danger.
“Of organizations that were compromised, 21% said that a rogue or unapproved application had contributed to the incident,” Verizon noted.
Other risks come from insecurely coded apps by reputable companies, mobile cryptojacking apps and the general user inconsistency when it comes to regularly updating their many apps.
For example: six months after WhatsApp announced that users had been subject to a spate of attacks where hackers exploited a buffer overflow vulnerability to run malicious code on victims’ devices (without requiring user interaction), more than 1 in 15 users hadn’t updated and remained susceptible to attack.
Then there are the threats involving the devices: device loss and theft, SIM swapping, juice jacking, unsecured devices open to compromise by physically present attackers (e.g., office colleagues, abusive partners, etc.).
Finally, the network threats: insecure networks, MitM attacks (through rogue access points), etc. Some companies ban employees from using public Wi-Fi to perform work-related tasks but 55% of those who know that public Wi-Fi is prohibited use it anyway, Verizon found.
49% of organizations are now using IoT devices – to enhance productivity, physical security, products and services, and measure the wellness of people – and most adopters consider them critical or very important to the smooth running of their organization.
Almost half of those that Verizon surveyed that were using IoT had at least one full-scale deployment and 33% said they have over 1,000 IoT devices in use. Nearly a third (31%) of those with IoT deployments admitted to having suffered a compromise involving an IoT device.
While the biggest concern at the moment is IoT devices getting conscripted into a botnet, organizations should also be concerned about data tampering and IoT devices being used as a stepping stone to more sensitive data and wider business systems.
The good news regarding IoT is that new regulations are slowly coming into force to help protect businesses, consumers and citizens from IoT-related attacks, and they are expected to push manufacturers into implementing more security in their products, but also organizations into using these features.
“Even though IoT-specific regulations are yet to come into force in most jurisdictions, we’re already seeing a shift in the mindset of organizations. Seventy-four percent of IoT respondents said they have reassessed the risk associated with IoT devices in light of regulatory changes,” Verizon pointed out.
Exploiting a vulnerability in the mobile communication standard LTE, researchers at Ruhr-Universität Bochum can impersonate mobile phone users. Consequently, they can book fee-based services in their name that are paid for via the mobile phone bill – for example, a subscription to streaming services.
David Rupprecht and Dr. Katharina Kohls from the Chair of System Security developed attacks to exploit security gaps in the mobile phone standard LTE
“An attacker can book services, for example stream shows, but the owner of the attacked phone would have to pay for them,” illustrates Professor Thorsten Holz from Horst Görtz Institute for IT Security, who discovered the vulnerability together with David Rupprecht, Dr. Katharina Kohls and Professor Christina Pöpper.
According to the researcher, the vulnerability may also affect investigations of law enforcement agencies because attackers can not only make purchases in the victim’s name, but can also access websites using the victim’s identity.
For example, an attacker can upload secret company documents, and to network operators or law enforcement authorities it would look as if the victim is the perpetrator.
Almost all mobile phones and tablets at risk
The discovered vulnerability affects all devices that communicate with LTE, i.e. virtually all mobile phones, tablets, and some connected household appliances. Only changing the hardware design would mitigate the threat.
The team is attempting to close the security gap in the latest mobile communication standard 5G, which is currently being rolled out. “From a technical perspective this is possible,” explains David Rupprecht.
“However, mobile network operators would have to accept higher costs, as the additional protection generates more data during the transmission. In addition, all mobile phones would have to be replaced and the base station expanded. That is something that will not happen in the near future.”
Attacker has to be nearby
The problem is the lack of integrity protection: data packets are transmitted encrypted between the mobile phone and the base station, which protects the data against eavesdropping. However, it is possible to modify the exchanged data packets.
“We don’t know what is where in the data packet, but we can trigger errors by changing bits from 0 to 1 or from 1 to 0,” as David Rupprecht elaborates. By provoking such errors in the encrypted data packets, the researchers can make a mobile phone and the base station decrypt or encrypt messages.
They not only can convert the encrypted data traffic between the mobile phone and the base station into plain text, they can also send commands to the mobile phone, which are then encrypted and forwarded to the provider – such as a purchase command for a subscription.
The researchers use so-called software-defined radios for the attacks. These devices enable them to relay the communication between mobile phone and base station. Thus, they trick the mobile phone to assume that the software-defined radio is the benign base station; to the real network, in turn, it looks as if the software-defined radio was the mobile phone.
For a successful attack, the attacker must be in the vicinity of the victim’s mobile phone.
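The difference between encryption and integrity protection described above can be seen from the receiver's side in a few lines. This is an added example, not the researchers' code and not LTE's actual algorithms: it assumes a generic keystream-XOR cipher (built here from HMAC-SHA256 as a stand-in) and an HMAC tag as the integrity check, with constructed keys and payload and hypothetical function names.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size


def _keystream(key, nonce, length):
    """Stand-in keystream generator (assumption: not LTE's cipher)."""
    blocks = []
    for counter in range((length + 31) // 32):
        msg = nonce + struct.pack(">I", counter)
        blocks.append(hmac.new(key, msg, hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt_only(key, nonce, plaintext):
    """Confidentiality only: XOR the payload with the keystream."""
    ks = _keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


# XOR is its own inverse, so decryption is the same operation.
decrypt_only = encrypt_only


def seal(enc_key, mac_key, nonce, plaintext):
    """Encrypt, then append a tag over nonce and ciphertext."""
    ct = encrypt_only(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(enc_key, mac_key, nonce, sealed):
    """Return the plaintext, or None if the packet was modified in transit."""
    if len(sealed) < TAG_LEN:
        return None
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt_only(enc_key, nonce, ct)


def flip_bit(data, bit_index):
    """Model a single in-transit bit error (0 -> 1 or 1 -> 0)."""
    out = bytearray(data)
    out[bit_index // 8] ^= 0x80 >> (bit_index % 8)
    return bytes(out)


def changed_bits(a, b):
    """Bit positions at which two equal-length byte strings differ."""
    return [i * 8 + j
            for i, (x, y) in enumerate(zip(a, b))
            for j in range(8)
            if (x ^ y) & (0x80 >> j)]


def demo():
    # Constructed keys, nonce and payload for illustration only.
    enc_key, mac_key = bytes(range(32)), bytes(range(32, 64))
    nonce = b"\x00" * 8
    payload = b"constructed user-plane payload"

    # Encryption without integrity: the receiver decrypts the modified
    # packet without any error, and exactly the flipped bit has changed.
    ct = encrypt_only(enc_key, nonce, payload)
    received = decrypt_only(enc_key, nonce, flip_bit(ct, 13))

    # With an integrity tag, the same modification is rejected.
    sealed = seal(enc_key, mac_key, nonce, payload)
    checked = open_sealed(enc_key, mac_key, nonce, flip_bit(sealed, 13))

    return {
        "bits_changed_without_integrity": changed_bits(payload, received),
        "accepted_with_integrity": checked is not None,
    }


if __name__ == "__main__":
    print(demo())
```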
93 percent of total mobile transactions in 20 countries were blocked as fraudulent in 2019 according to a report on the state of malware and mobile ad fraud released by Upstream.
The number of malicious apps discovered in 2019 rose to 98,000, up from 63K in 2018. These 98,000 malicious apps had infected 43 million Android devices.
Android is the most vulnerable OS
With Android devices now accounting for an estimated 75-85% of all smartphone sales worldwide, Android is by far the most dominant mobile OS. At the same time it is the most vulnerable due to its open nature, making it a favorite playground for fraudsters.
While it is always a good rule of thumb for consumers to only download mobile applications from Google’s official storefront, Google Play, thanks to its scale and set up, rogue apps are still getting through its defenses.
Of the top 100 most active malicious apps that were blocked in 2019, 32 percent are reported still available to download on Google Play. A further 19 percent of the worst-offending apps were previously on Google Play but have since been removed, while the remaining 49 percent are available through third-party app stores.
Fraudulent mobile transactions: Most targeted apps
Fraudsters appear to target some app categories more than others. Ironically, apps designed to make a device function better and make everyday life easier are the ones most likely to be harmful with 22.32 percent of malicious apps for 2019 falling under the Tools / Personalization / Productivity category globally.
The next most popular categories cybercriminals target are Games (18.97 percent) and Entertainment/Shopping (15.76 percent).
Indicating scale, in the course of only a few months in 2019, Secure-D reported on the suspicious background activity of five very popular Android apps: 4shared, a popular file-sharing app, Vidmate, a video downloader, Weather Forecast, a preinstalled app on Alcatel devices, Snaptube, another video and audio app, and ai.type, an on-screen keyboard app.
With a total of nearly 700 million downloads, these were or had been at some point available on Google Play. In these five cases alone, 353 million suspicious mobile transactions were detected and blocked preventing $430 million in fraudulent charges.
“Mobile ad fraud is a criminal enterprise on a massive scale. Though it may seem that it is only targeted at advertisers, it greatly affects the whole mobile ecosystem. Most importantly it adversely impacts consumers; eating up their data allowance, bringing unwanted charges, messing with the performance of their device, and even targeting and collecting their personal data,” said Dimitris Maniatis, CEO of Upstream.
“It is more than an invisible threat, it is an epidemic, calling for increased mobile security that urgently needs to rise up in the industry’s priority list. Left unchecked, ad fraud will choke mobile advertising, erode trust in operators and lead to higher tariffs for users.”
The effects of mobile ad fraud are particularly damaging in emerging markets where data costs are significantly higher. As evidenced from detailed data presented from five such markets including Brazil and South Africa fraud rates in most cases exceed the 90% mark.
Consumers in emerging markets more vulnerable to digital fraud
As the report highlights consumers in emerging markets are more vulnerable to digital fraud; they are unaware of the dangers as they often go online for the first time via their mobile devices and data depletion caused by malware has a much greater effect on them due to the high cost of data in their countries.
In Africa 1 GB of data costs prepaid mobile subscribers the equivalent of 16 hours of work at minimum wage.
“A key part of successfully tackling mobile fraud is awareness”, explains Maniatis, “something that the whole industry, surprisingly, lacks. With all indicators pointing that its value will grow in the hundreds of billions in the next three years, we cannot afford to remain idle. This is the main reason we steadily and openly share all our findings with the whole community.”
“Mobile ad fraud remains a hidden threat for most consumers. It usually goes undetected and is not high on people’s agendas when choosing apps. However, as the industry delays its response, consumers should take steps to stay safe from mobile ad fraud in 2020.”
Extending beyond the traditional company network, mobile connectivity has become an extension of doing business and IT staff need to not just rethink how existing activities, operations, and business models can fit into mobile constructs, but rethink how mobility can fundamentally transform the business itself.
MDM solution components
A mobile device management (MDM) solution provides similar features that you would expect a systems management solution would use to manage PCs. However, mobile devices are not network-connected in the same manner as PCs, so a solution for mobile device management must rethink communications.
Mobile devices have the capabilities to communicate with each other in much more accessible and pervasive ways, and a good solution can harness this by utilizing diverse communication methods, such as communicating via the Internet.
The basic components of a mobile device management solution would consist of a server and an agent which would communicate with each other in order to complete commands and tasks. This allows the solution to gather inventory from the device, deploy apps, and set restrictions on the device, greatly increasing the solution’s security capabilities.
Things to take into consideration
If you’re thinking of taking advantage of a dedicated MDM solution or deploying MDM capabilities as part of a wider Unified Endpoint Management approach, there are a few things you need to take into consideration:
A good MDM solution must be accessible, which typically means it’s a cloud-based solution. This can reduce a lot of network and infrastructure issues that could occur with an on-premise solution. If your company has a footprint outside the main office, accessing the MDM solution from anywhere is of paramount importance.
It needs to be scalable and encompass the total number of devices that would be interacting with your company data and therefore need to be managed. It’s likely that some company staff may use personal devices for business as well as those issued by your organization. In the age of BYOD, it can be challenging to monitor every device that accesses your organization’s network. The feature set for a good MDM solution needs to be able to take into account multiple devices within its actions and not just be designed for a single-device focus.
Most importantly, it needs to be secure. From a platform perspective, all of your data needs to be encrypted both at rest and in transit. At the device level, restrictions should be available as part of the feature set so that lost or stolen devices can be handled effectively. Enforcement of policies that can occur perpetually is desired (as opposed to setting restrictions at a single instance).
While some MDM providers deliver on-premise solutions that require you to install and set them up, others provide cloud-based solutions that can be accessible from anywhere. That leaves just the enrolment of devices to complete before your mobile devices can be managed. Personal devices will need users to enroll their devices while company-owned devices could be managed through their respective business channels (e.g., Apple DEP, Android for Work, etc.).
What should you consider when choosing a mobile device management solution?
Identify your goals and requirements first. How will you use mobile devices within the work environment in the near term and in the future? Will you allow personal devices to be used, only provide company-issued devices to access company data, or have a mixture of both?
Ensure that all the stakeholders are on the same page. This means that IT, HR, executive leadership and even regular employees need to weigh in on the policies you will implement regarding mobile device management.
Try before you buy! Most MDM providers offer a free trial for their solution, so be sure to kick the tires and use its features to see if it meets your needs.
A solid MDM strategy is one that encompasses both the scope and the limitations of your company. Be sure to understand where the company can best utilize mobile devices to increase productivity and limit downtime.
With more and more employees bringing their own personal devices into a work environment, the attack surface for threats exploiting vulnerabilities in mobile devices is growing rapidly. Even vulnerabilities in consumer messaging apps such as WhatsApp are now becoming a concern for enterprises of all sizes, and with cybercriminals increasingly targeting human vulnerabilities, it is of paramount importance to secure the devices they are using.
You cannot secure what you don’t know about, which is why gaining visibility over all mobile devices interacting with your network through MDM is so crucial. With these tips, your business can implement this vital security step effectively and comprehensively.
Hackers are actively exploiting StrandHogg, a newly revealed Android vulnerability, to steal users’ mobile banking credentials and empty their accounts, a Norwegian app security company has warned.
“Promon identified the StrandHogg vulnerability after it was informed by an Eastern European security company [Wultra] for the financial sector (to which Promon supplies app security support) that several banks in the Czech Republic had reported money disappearing from customer accounts. At the time, this was covered (but not explained), in the Czech media. Promon’s partner gave Promon a sample of the suspected malware to investigate,” Promon researchers explained.
All versions of Android are affected and all of the top 500 most popular Android apps are at risk, they found.
“StrandHogg is unique because it enables sophisticated attacks without the need for the device to be rooted. To carry out attacks, the attacker doesn’t need any special permissions on the device. The vulnerability also allows an attacker to masquerade as nearly any app in a highly believable manner,” they noted.
About the StrandHogg vulnerability
StrandHogg allows attackers to show users fake login screens and ask for all types of permissions that may ultimately allow them to:
- Read and send SMS messages (including those delivering second authentication factors)
- Phish login credentials
- Make and record phone conversations
- Listen to the user through the microphone
- Take photos through the device’s camera
- Get access to photos, files on the device, location and GPS information, the contacts list, phone logs, etc.
“StrandHogg (…) uses a weakness in the multitasking system of Android to enact powerful attacks that allow malicious apps to masquerade as any other app on the device. This exploit is based on an Android control setting called ‘taskAffinity’ which allows any app – including malicious ones – to freely assume any identity in the multitasking system they desire,” the researchers explained.
Malware taking advantage of this vulnerability springs into action when the victim clicks the app icon of a legitimate app.
“The potential impact of this could be unprecedented in terms of scale and the amount of damage caused because most apps are vulnerable by default and all Android versions are affected,” noted Promon CTO Tom Lysemose Hansen.
What can users do?
Mobile security company Lookout has identified 36 malicious apps exploiting the StrandHogg vulnerability, and among them were variants of the BankBot banking trojan.
Malware using the StrandHogg flaw was not found on Google Play but was installed on target devices through several dropper apps/hostile downloaders distributed through Google Play.
These particular apps have been removed by Google, but dropper apps often bypass Google Play’s protections and trick users into downloading them by pretending to have the functionality of popular apps.
Despite Penn State University researchers theoretically describing certain aspects of the StrandHogg vulnerability in 2015 and Promon notifying Google of their discovery this summer, Google has yet to plug the security hole, but they said they are investigating ways to improve Google Play Protect’s ability to protect users against similar issues.
Promon researchers say that it’s difficult for app makers to detect if attackers are exploiting StrandHogg against their own app(s), but that the risk can be partly mitigated by setting the task affinity of all activities to “” (empty string) in the application tag of AndroidManifest.xml.
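One way to check the mitigation described above, as an added example (not Promon's or Google's code): the script reads a decoded AndroidManifest.xml and lists the activities whose effective task affinity is not the empty string. The package and activity names are constructed, and it assumes Android's documented rule that an activity's own android:taskAffinity overrides the application-level value, which otherwise defaults to the package name.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
TASK_AFFINITY = f"{{{ANDROID_NS}}}taskAffinity"
NAME = f"{{{ANDROID_NS}}}name"
ET.register_namespace("android", ANDROID_NS)  # keep the android: prefix on output

# Constructed sample: decoded (text) manifest of a hypothetical app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <application android:label="Example Bank">
    <activity android:name=".LoginActivity" />
    <activity android:name=".TransferActivity" android:taskAffinity="" />
    <activity android:name=".HelpActivity"
              android:taskAffinity="com.example.bank.help" />
  </application>
</manifest>
"""


def effective_affinities(manifest_xml):
    """Map each activity name to the task affinity Android will use for it."""
    # For manifests taken from untrusted APKs, parse with defusedxml instead.
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return {}
    app_affinity = app.get(TASK_AFFINITY)  # None when the attribute is absent
    result = {}
    for node in app.findall("activity"):
        own = node.get(TASK_AFFINITY)
        if own is not None:
            affinity = own           # per-activity value wins
        elif app_affinity is not None:
            affinity = app_affinity  # inherited from <application>
        else:
            affinity = package       # platform default: the package name
        result[node.get(NAME, "?")] = affinity
    return result


def audit(manifest_xml):
    """Return activities whose effective task affinity is not the empty string."""
    found = effective_affinities(manifest_xml)
    return sorted(name for name, affinity in found.items() if affinity != "")


def apply_mitigation(manifest_xml):
    """Set android:taskAffinity="" on <application>, as the article describes."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    app.set(TASK_AFFINITY, "")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit(SAMPLE_MANIFEST))
    print("after: ", audit(apply_mitigation(SAMPLE_MANIFEST)))
```

After the application-level change, only activities that set their own non-empty android:taskAffinity remain listed and need to be reviewed individually.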
As, according to the researchers, there’s no effective block or reliable detection method against StrandHogg on Android devices, users are advised to be on the lookout for things like:
- An app or service that they have already logged into asking for a login
- Permission pop-ups that don’t contain an app name
- Buttons and links in the user interface that do nothing when clicked on
- Typos and mistakes in the user interface.
It’s called Chameleon—a computer virus—but maybe it should be called FrankenVirus. You wouldn’t believe what it can do: literally move through the air, as in airborne—like a biological pathogen.
And like some Franken-creation, it came from a laboratory, cultivated at the University of Liverpool’s School of Computer Science and Electrical Engineering and Electronics.
Chameleon leaps from one WiFi access point to another. And the more access points that are concentrated in a given area (think of them almost like receptor sites), the more this virus gets to hop around and spread infection.
The scientists behind this creation found that in more densely populated areas, the connectivity between devices matters more to the spread than how easy it is for the virus to get into access points.
Access points are inherently vulnerable, and Chameleon had no problem locating weak visible access points from wherever it was, and it also avoided detection.
“When Chameleon attacked an AP it didn’t affect how it worked, but was able to collect and report the credentials of all other WiFi users who connected to it,” explains Professor Alan Marshall in an article on Forbes.com. He added that this malware pursued other WiFi APs to connect to and infiltrate.
The scientists made this virus subsist only on the network—a realm where anti-virus and anti-malware systems typically do not scavenge for invaders. Protective software seeks out viruses on your device or online. Thus, Chameleon earns its name.
Think of this virus like the burglar who goes from house to house overnight, jiggling doorknobs to see which one is unlocked. WiFi connections are like unlocked doors, or locked doors with rudimentary locks.
Chameleon’s creators have come up with a virus that can attack WiFi networks and spread its evil fast. The researchers now want to come up with a way to tell when a network is at imminent risk.
Information technology is now part of our day-to-day life. Mobile applications now carry various types of security risk, including risks inherent to the programming language and malicious data exfiltration, where sensitive data is covertly transmitted from the phone. Threats also include platform-specific risks and various other flaws.
With smartphones and tablets increasingly popular among the large number of personnel working in big industries and the corporate world, security professionals are considering how to protect sensitive data and business-critical transactions from cyber criminals. IT security personnel are working hard to answer the question of inherent security and privacy posture.
It is undoubtedly important to learn about the growing security risks and privacy violations. Most organizations depend heavily on information security protocols. Since privacy violations are on the rise, it is important to make sure that data and information are protected for the benefit of consumers and clients. Moreover, applying high security standards to an organization’s IT infrastructure is the need of the hour.
A penetration testing service is a worthwhile way to learn the vulnerabilities and weaknesses of the IT infrastructure installed in one’s organization. Similarly, for mobile application security, penetration testing services are a viable asset.
Mobile application security is considered a major area of software development worldwide. It is important to note that almost all IT companies are involved in mobile application development. Penetration testing services are in great demand because of their significance as a test of a strong IT solution.
Experts always emphasize the need to maintain proper mobile application security, which benefits companies in various ways. One may ask what those benefits are. The first and foremost advantage of testing services is the identification of threats to information, an asset of the company.
To strengthen security systems, identifying the vulnerabilities is essential. To address potential threats, security experts working in mobile application security are introducing penetration testing services, and good results are coming out.
Mobile app security is a hot topic among IT professionals, given the huge growth in the mobile ecosystem. There is a growing consensus on reducing the cost of IT security, which is possible with the use of penetration testing services. Companies that specialize in mobile app security will check the possible measures to find potential threats. This reduces cost, as individual servers are not frequently verified for possible exposure to security risks.
Many security measures are followed to reduce possible threats. These include a robust registration and activation process, user authentication, strong passcodes, and account lockout. Besides these measures, enterprises are advised to avoid storing sensitive data on the device, to avoid passing sensitive user data insecurely over WiFi networks, and to avoid platform security risks.
Using a security application on mobile phones and tablets protects both the enterprise and the device itself from certain vulnerabilities. A strong, properly designed application discourages hackers.
Do you know that there is always a tradeoff between convenience and security? With the convenience of storing and taking along hefty chunks of data in a small portable USB Flash Drive, there is always a price you have to pay which is not the cost of your flash drive but the cost of a compromise to the security.
In recent times, a great number of students, businessmen, lawyers and professionals who use USB devices frequently have become victims of data security breaches, resulting in the unavoidable loss of much of their private and extremely important data. Do you want to be one of them? Or are you willing to understand the security concerns of your data and ready to implement the perfect data security solution we have for you?
The security and confidentiality of your precious data is just like the security of the home you live in. So get ready to set up a perfect alarm and surveillance system for your USB drives, because what we have in store for you is worth the price you pay.
With a fast, unfailing, portable and extremely convenient program like USB Secure, the protection of your thumb drives, memory sticks, pen drives, and flash drives is just a one-click operation. The functionality of this program is as simple as presented in its description.
Wait a second, are you thinking that you are running low on your system memory and worried that you won’t be able to run this program on your system? If that’s what is bothering you, then we have good news for you. Now, you don’t need to worry about the space on your hard drive or how many programs are installed on your computer already. USB Secure installs the program to your USB drive or external drive and doesn’t add any baggage to your PC. The program is clean, lean and mean and does what it says.
To secure a USB drive, plug in your USB device and download the .exe file of USB Secure directly onto it. Then run the downloaded file and set the password that the program prompts you for.
Once you set and confirm a password in USB Secure, all you need to do is hit the ‘Protect’ button. The protection process is immediate, and all files on your USB drive will be protected and become invisible in a few seconds. Once protected, your data is not locked forever; it can be accessed at any time. All you do is enter your password and click the ‘Unprotect’ button. This will open up all locked data in a few seconds.
With an intention to keep you away from the hassle of running the software separately by searching it in your drives, the Auto play feature of this program pops an option to open your USB with password every time you plug in your Flash drive. Irritated by these nagging auto play options? Just disable the feature of Auto Play by un-checking the Auto-Play feature from the USB Secure options.
A few clicks and a small investment give you guaranteed peace of mind, which is much better than the cost you pay if the privacy of the information stored in your USB drive is jeopardized. Think about it!
Who in the world is unaware of the recent data theft by Edward Snowden from the NSA (National Security Agency)? Edward Snowden stole extremely confidential information from the system of the National Security Agency and exposed it to the world’s media. The interesting fact is that he did not perform any ninja action to steal the data; it was just like a walk in the park for him. He was equipped with no hi-tech tool, only the extremely common USB flash drive. He just plugged his USB flash drive into the computer and copied out the data he intended to steal. This incident once again brought the USB flash drive into the news and once again highlighted the threats that this wonderful invention poses to your data. USB memory sticks threaten our data in the following ways.
What Edward Snowden did tops the list: the insider threat. A company’s internal employees are more likely to steal data using a USB flash drive. Businesses allow employees to carry data home so that they can work from home using their own devices and increase output. This principle is known as BYOD (Bring Your Own Device). Employees who want to steal data and use it for their own good face no difficulty at all. Companies have no checks on how many USB drives are being plugged into their systems, who is using which device, or what data employees are accessing, and all of these factors make matters worse for organizations.
USB flash drives are getting better with every passing day and providing greater convenience. Still, this convenience comes at a price. Employees tend to save confidential and sensitive information on USB flash drives that are about the size of a human thumb. Keeping track of such a small device is obviously a tough task. USB flash drives are prone to getting lost or stolen, and a lost or stolen drive is likely to spill sensitive data. Using data security software that can Password Protect USB can keep the data saved on your USB flash drives from being leaked.
Cyber criminals use USB drives as a tool for spreading viruses. They store malicious programs on the drives and then drop them in parking lots and other public places where the USB stick can get people’s attention. According to a study, even 78 percent of security experts admitted that they have plugged in an alien USB drive which they found lying around. These small portable storage devices are responsible for more than a quarter of the viruses that spread and infect computers.
The best way to avoid such data breaches is to restrict employees from using their own portable drives, equip USB drives with proper security tools and avoid plugging in alien USB sticks. Any data breach can do you a lot of harm, both financially and to your reputation. Keep yourself educated about security threats and keep your data safe.
Today we depend on digital files to obtain and exchange information, especially in Mobile Security.
As technology progresses, so do the amount and the size of data that is exchanged between people. We often share our photographs, videos, emails and other personal files with each other. However, the sizes of digital files are increasing over time.
Take high-definition video, for example: a 20-minute 1080p video can take more than 5 gigabytes of storage space on a hard drive. Digital photographs also take up a lot of space. Advancing technology allows photographers to take high-quality images with file sizes of 20 to 30 megabytes, so each photograph requires a large amount of storage space. Therefore, sharing large files with friends and colleagues can sometimes be an issue.
Nevertheless, portable hard-drives and USB storage devices can make sharing of large files a breeze. You can simply plug in your USB storage device and transfer large files onto that device, enabling you to transport large amounts of data easily and conveniently. Portable hard-drives and USB storage devices are widely used by everyone to transport large files from one PC to another. However, people often forget to delete personal and secret folders which contain certain information that should not fall into the wrong hands. Sadly, sometimes that is exactly what happens when we lose or misplace our portable storage devices. For example, you’re an artist, who has painstakingly designed a brochure for a large multinational company. You submit your layout for that brochure to company officials, which you have stored on to a USB storage device. After reviewing your design and artwork, the company rejects it, and you are dismissed. You leave the building, and drive home. Next day you wake up and realize that you forgot to collect your USB Storage device on your way out.
Nevertheless, you go back and collect it from them. A few months later, you are at the doctor’s office, and next to the magazine rack you see the company’s new brochure, which has been recently printed and distributed. After thoroughly reviewing the brochure you are shocked to find the similarity between the new brochure and the one you submitted for approval. It then becomes obvious that the company had copied all of your work.
Incidents like these occur daily, because people often overlook the significance of file security on portable storage devices. Portable storage devices can safely be used if users install a file protection program on them. These security programs are installed directly onto the portable hard-drive or a portable USB device and need no installation onto any other hard-drive on a personal computer. In a nutshell, these security programs turn your USB storage device into a Secure USB storage device, which enables you to password protect your personal files and also hide them. These USB file security programs are an invaluable asset for anyone, who does not want his or her secret files being accessed by anyone.