Two weird ways your iPhone or Mac can be hacked

By: Adrian Kingsley-Hughes

For most people, the security that Apple has baked into an iPhone or Mac is more than enough. But determined criminals can find creative ways to bypass the locks to get at your data. Should you be worried?

For the majority of users, the security offered by iOS and macOS is more than enough, and they can go about their day-to-day business secure in the knowledge that their data is safe.

But determined criminals can find a way around these safeguards, and while these two hacks are impractical for widespread use, they go to show just how creative ne’er-do-wells can be when it comes to cracking security measures.

First, let’s look at how a cable can be used to hack a Mac. Enter the O.MG Cable. This is an Apple Lightning charging cable with a twist: it has been custom-modified with electronics that allow it to be used to access, over a Wi-Fi network, any Mac it has been connected to.

“In the end, I was able to create 100 percent of the implant in my kitchen and then integrate it into a cable. And these prototypes at DEF CON were mostly done the same way,” MG, the creator of the cable, told Vice.

The cables retail for $200 each.

The O.MG Cable also features a remote kill switch as a way to hide its existence.

How do you prevent these sorts of hacks? Use your own cable (customize it in a way unique to you so it can’t be surreptitiously replaced) and don’t plug charging cables into computers.

As for hacking into an iPhone, security researchers at the Black Hat hacker convention in Las Vegas managed to bypass the iPhone’s Face ID authentication system in 120 seconds.

More: https://www.zdnet.com/article/two-weird-ways-your-iphone-or-mac-can-be-hacked/

What is cryptojacking? How to prevent, detect, and recover from it

By: Michael Kan

Criminals are using ransomware-like tactics and poisoned websites to get your employees’ computers to mine cryptocurrencies. Here’s what you can do to stop it.

Cryptojacking is the unauthorized use of someone else’s computer to mine cryptocurrency. Hackers do this by either getting the victim to click on a malicious link in an email that loads crypto mining code on the computer, or by infecting a website or online ad with JavaScript code that auto-executes once loaded in the victim’s browser.

Either way, the crypto mining code then works in the background as unsuspecting victims use their computers normally. The only sign they might notice is slower performance or lags in execution.

Why cryptojacking is on the rise

No one knows for certain how much cryptocurrency is mined through cryptojacking, but there’s no question that the practice is rampant. Browser-based cryptojacking is growing fast. Last November, Adguard reported a 31 percent growth rate for in-browser cryptojacking. Its research found 33,000 websites running crypto mining scripts. Adguard estimated that those sites had a billion combined monthly visitors.

This February, Bad Packets Report found 34,474 sites running Coinhive, the most popular JavaScript miner, which is also used for legitimate crypto mining activity. In July, Check Point Software Technologies reported that four of the top ten malware it has found are crypto miners, including the top two: Coinhive and Cryptoloot.

“Crypto mining is in its infancy. There’s a lot of room for growth and evolution,” says Marc Laliberte, threat analyst at network security solutions provider WatchGuard Technologies. He notes that Coinhive is easy to deploy and generated $300 thousand in its first month. “It’s grown quite a bit since then. It’s really easy money.”

In January, researchers discovered the Smominru crypto mining botnet, which infected more than a half-million machines, mostly in Russia, India, and Taiwan. The botnet targeted Windows servers to mine Monero, and cybersecurity firm Proofpoint estimated that it had generated as much as $3.6 million in value as of the end of January.

Superdrug’s online customers targeted by criminals

By: BBC NEWS Technology

Superdrug has warned its online customers to change their passwords after criminals claimed to have obtained their personal details.

The chain said the group claimed they had stolen details of 20,000 customers, but it had only seen evidence so far that 386 customers had been affected.

Names, addresses and “in some cases” dates of birth and phone numbers “may have been accessed”, Superdrug said.

No customers’ payment card details had been accessed, it said.

Superdrug said there was “no evidence” its systems had been compromised.

It said it believed the criminals had got customers’ email addresses and passwords from other websites “and then used those credentials to access accounts on our website”.

The group had tried to extort a ransom from Superdrug, it said.

The retailer said it had “notified directly” all customers who it believed had been affected.

It also posted a tweet, telling customers the email it had sent was “genuine”.

Some customers reacted with anger to the tweet, saying the chain should have apologised.

More: https://www.bbc.com/news/business-45265601

Mobile App Threats Continue to Grow

By: Curtis Franklin Jr

Criminals looking to profit from corporate resources and information keep going after mobile devices, two new reports confirm.

Security threats aimed at mobile devices are evolving and shifting – and show no sign of going away. Those are the key results found in a pair of just-released reports on mobile security.

More specifically, the reports look at the security of third-party mobile applications and the effectiveness of carrier-based protection. The picture that emerges is one of risk that varies across industries but is never truly low, as well as the importance of trying to stop the actions of malicious apps as high in the network chain as possible.

In its study of third-party app risk, BitSight researchers found that vulnerable apps are common across all industries, with the vulnerabilities including data leakage, privilege abuse, unencrypted personally identifiable information, and credential theft. The differences are in the proportion of vulnerabilities that make up the total picture of each industry.

For example, BitSight’s research shows that finance had the highest rate (34%) of broken SSL configurations, while 32% of business services and education apps failed at encrypting user data. But in no industry is there a single, simple vulnerability. As Immunity researcher Lurene Grenier said at the recent Talos Threat Summit, “There are probably 10 full iPhone [exploit] chains at any given time. And that’s the most secure calling platform.”

In a speech at Interop ITX in May, Mike Murray, vice president of security intelligence at Lookout, pointed out why criminals are so interested in mobile malware. “The phone is no longer a phone. It’s an electronic device that has access to every part of our digital lives,” he said. “Unfortunately, we still think of it and protect it like it’s a Motorola flip-phone.”

A second report, Telco Security Trends, Q2 2018, conducted by Allot, looks at malware traffic from four communications service providers (CSPs) across Europe and Israel. It found that the CSPs were stopping an average of two pieces of malware per device per day.

More: https://www.darkreading.com/vulnerabilities---threats/mobile-app-threats-continue-to-grow/d/d-id/1332052