Privacy a Key Concern for Telecoms and Consumers

By: Kacy Zurkus

Two recently published surveys about the telecom industry revealed that privacy as it relates to security and the internet of things (IoT) has become a top concern for both businesses and consumers.

Allot Telco’s security trends report for 2018’s third quarter found that 50% of consumers polled were concerned about loss of privacy or a cyber-attack. Additionally, 72% of the consumers surveyed stated that they were willing to pay a monthly fee, averaging $5.26, for an IoT security service, and 16% of those who would buy security services would make that investment with their internet service providers (ISPs).

More than 1,200 consumers across 10 different countries participated in the survey, which found that “to improve the security posture of homes and connected devices, the following must occur: Security at the device level must improve and security must be delivered at the network level.”

Similar sentiments were mirrored in the recent 2018 Annual Industry Survey, published by Telecoms.com, which showed that 75% of the 1,500 executives from global telecom industries who participated in the survey said that privacy was the key concern of consumers living in a highly connected smart home, followed by identity theft, fraud and vandalism through hacking into connected devices.

More: https://www.infosecurity-magazine.com/news/privacy-key-concern-for-telecoms/

Worried about being bugged? Don’t keep your phone in the microwave

By: Alex Hern

 Under surveillance ... Tory MP Steve Baker. Photograph: Ben Stansall/AFP/Getty Images

While the unusual technique reportedly employed by the MP Steve Baker does work, there are easier ways to ensure your privacy

We have all had conversations that made us want to destroy our phones in rage, but that is not why Theresa May’s nemesis, the Brexiter MP Steve Baker, apparently put his in the microwave.

According to reports, Baker – who led the campaign last week to trigger a vote of no confidence in the Tory leader – is paranoid about surveillance and keeps his phone in the microwave overnight to avoid being “bugged”.

To be fair to Baker, he is right – at least about the microwave. The metallic mesh on the door of a typical oven forms a Faraday cage on the outside of the cooker, preventing the energetic microwaves from cooking you as they cook your meal. Put a phone in there and the barrier will work just as well to prevent any signals getting in or out. If you are really concerned, 30 seconds at 800W will definitely prevent any further eavesdropping for good (and may destroy your kitchen, too).

But there are more convenient ways of achieving the same end. For £20, you can buy a “Faraday bag” – a small pouch with the same mesh built in – allowing you to achieve signal blackout while keeping your microwave free for reheating last night’s dinner. Even better for Baker, the bag in question is made in Britain, thus ensuring continued supply in the event of a no-deal Brexit.


More: https://www.theguardian.com/technology/shortcuts/2018/nov/26/worried-about-being-bugged-dont-keep-phone-microwave-steve-baker-privacy

Vulnerability Found in Cisco Webex Meetings

By: Kacy Zurkus

A security researcher has discovered an elevation-of-privilege vulnerability in the update service of the Cisco Webex Meetings application. The update service fails to properly validate user-supplied parameters, according to SecureAuth.

The vulnerability was discovered by Marcos Accossatto of SecureAuth’s exploit writers team, and the release of today’s vulnerability advisory was a coordinated effort between SecureAuth and Cisco. Reportedly used by millions of people each month, the video conferencing product’s flaw (CVE-2018-15442) allows code execution in Cisco Webex Meetings v33.6.2.16 and likely affects older versions as well, though they were not checked.

Classified under Common Weakness Enumeration CWE-78 (OS command injection), the vulnerability could allow an unprivileged local attacker to run arbitrary commands with system user privileges by invoking the update service command with a crafted argument, according to the advisory.

In the privilege escalation proof of concept (PoC), the researcher wrote: “The vulnerability can be exploited by copying to a local attacker-controlled folder the ptUpdate.exe binary. Also, a malicious dll must be placed in the same folder, named wbxtrace.dll. To gain privileges, the attacker must start the service with the command line: sc start webexservice install software-update 1 ‘attacker-controlled-path’ (if the parameter 1 doesn’t work, then 2 should be used).”

While the video conferencing provider had fixed this vulnerability last month, Accossatto was reportedly able to bypass that fix using DLL hijacking. Cisco’s Webex Meetings has now released a new patch and updated its previous security notice.

More: https://www.infosecurity-magazine.com/news/vulnerability

Alleged SIM Swap Fraudster Stole $1m from Exec

By: Phil Muncaster

A Manhattan man is alleged to have stolen $1m in cryptocurrency from a Silicon Valley executive in a classic SIM swapping attack.

Nicholas Truglia, 21, allegedly targeted several victims, including Saswata Basu, CEO of blockchain service 0Chain; Myles Danielsen, vice-president of Hall Capital Partners; and Gabrielle Katsnelson, co-founder of startup SMBX.

He was apparently able to hijack all of their mobile phone accounts, convincing carrier staff to transfer their numbers to new SIMs, but didn’t manage to grab any funds as a result.

However, a fourth victim wasn’t so lucky. San Francisco father-of-two, Robert Ross, also had his account hijacked and this time Truglia was allegedly able to use it to access $500,000 in a Coinbase account and $500,000 in a Gemini account.

Typically, this is possible because SIM swap attackers are able to intercept the two-factor authentication codes sent via text message to ‘enhance’ account security.

Truglia was arrested at his West 42nd Street high-rise apartment where police were able to recover $300,000 in stolen funds. He now faces 21 counts related to six victims, according to reports.

The case highlights the growing pressure on mobile operator staff to ensure they carry out the appropriate identity checks on the phone or in store, when individuals request numbers to be ported to new SIMs.

However, sometimes the scammers may get help from individuals working on the inside.

More: https://www.infosecurity-magazine.com/news/alleged-sim-swap-fraudster-stole/

Hacking Your Ride: Risks Posed by Automotive Smartphone Apps

By: Nick Holland


In the latest edition of the ISMG Security Report, Asaf Ashkenazi of mobile security firm Inside Secure discusses new threats to car security posed by certain automotive smartphone apps.

In this report, you’ll hear:

  • Ashkenazi discuss emerging threats to automotive security;
  • Saryu Nayyar of the security firm Gurucul explain how behavioral authentication can streamline customer onboarding;
  • Ryan Witt of Proofpoint discuss how “very attackable people” who are potential targets for hackers can be identified.

The ISMG Security Report appears on this and other ISMG websites on Fridays. Don’t miss the Nov. 9 and Nov. 16 editions, which respectively discuss cracking down on criminals’ use of encrypted communications and China’s economic espionage campaign.

More: https://www.bankinfosecurity.com/interviews/hacking-your-ride-risks-posed-by-automotive-smartphone-apps-i-4181

Half a million Android users tricked into downloading malware from Google Play

By: Zack Whittaker

More than half a million users have installed Android malware posing as driving games — from Google’s own app store.

Lukas Stefanko, a security researcher at ESET, tweeted details of 13 gaming apps — made by the same developer — which were at the time of his tweet downloadable from Google Play. Two of the apps were trending on the store, he said, giving the apps greater visibility.

Combined, the apps surpassed 580,000 installs before Google pulled the plug.

Anyone downloading the apps was expecting a truck or car driving game. Instead, they got what appeared to be a buggy app that crashed every time it opened.

In reality, the app was downloading a payload from another domain — registered to an app developer in Istanbul — and installed malware behind the scenes, deleting the app’s icon in the process. It’s not clear exactly what the malicious apps do; none of the malware scanners seemed to agree on what the malware does, based on an uploaded sample to VirusTotal. What is clear is that the malware has persistence — launching every time the Android phone or tablet is started up, and has “full access” to its network traffic, which the malware author can use to steal secrets.

We reached out to the Istanbul-based domain owner, Mert Ozek, but he did not respond to our email. (If that changes, we’ll update).

Gartner Lists Top 10 Strategic IoT Technologies, Trends Through 2023

By: Chris Preimesberger

At its symposium and IT expo Nov. 7 in Barcelona, Spain, IT researcher and market analyst Gartner announced what it sees as the most important strategic internet of things (IoT) technology trends that will drive digital business innovation from now through 2023.

“The IoT will continue to deliver new opportunities for digital business innovation for the next decade, many of which will be enabled by new or improved technologies,” Nick Jones, research vice president at Gartner, said in a media advisory. “CIOs who master innovative IoT trends have the opportunity to lead digital innovation in their business.”

In addition, CIOs must obtain the necessary skills and partners to support key emerging IoT trends and technologies because by 2023 most CIOs will be responsible for more than three times as many endpoints as they were this year, the researcher said.

Analysts discussed how CIOs can lead their businesses to discover IoT opportunities and make IoT projects a success during Gartner Symposium/ITxpo, which is taking place in Barcelona through Nov. 8.

Following is Gartner’s list of the 10 most strategic IoT technologies and trends that it expects will enable new revenue streams and business models during the next five years.

Trend No. 1: Trusted

Gartner forecasts that 14.2 billion connected things will be in use in 2019, and that the total will reach 25 billion by 2021, producing an immense volume of data. “Data is the fuel that powers the IoT, and the organization’s ability to derive meaning from it will define their long-term success,” said Nick Jones, research vice president at Gartner. “AI will be applied to a wide range of IoT information, including video, still images, speech, network traffic activity and sensor data.”

The technology landscape for AI is complex and will remain so through 2023, with many IT vendors investing heavily in AI, variants of AI coexisting, and new AI-based tools and services emerging. Despite this complexity, it will be possible to achieve good results with AI in a wide range of IoT situations. As a result, CIOs must build an organization with the tools and skills to exploit AI in their IoT strategy.


Attackers steal credit card details in Vision Direct data breach

By: Keumars Afifi-Sabet

Personal information and sensitive credit card details, including CVV codes, taken in five-day attack

Attackers have compromised Vision Direct customers’ contact information and financial details, including complete card numbers, expiry dates and the CVV security code.

The UK retailer specialising in contact lenses told a number of its customers this weekend that their details had been stolen in a data breach that lasted five days, between 3 and 8 November.

The attackers made away with personal information, such as full name, address, phone number, email address, and password, as well as customers’ financial details including the CVV security code required to complete online transactions.

“Unfortunately this information could be used to conduct fraudulent transactions,” Vision Direct UK said in a letter to customers.

“Vision Direct has taken steps to prevent any further data theft, the website is working normally and we are working with the authorities to investigate how this theft occurred.”

Vision Direct did not say how many users may have been affected and did not offer an explanation at this early stage.

The company has asked users to review their bank statements as soon as possible and change their passwords on the website.

More: https://www.itpro.co.uk/data-breaches/32393/attackers-steal-credit-card-details-in-vision-direct-data-breach

Bank Scam Using Google Maps loophole

By: Julia Sowells

We know how easy it is to find a service on Google Maps. You need a plumber to fix your leaky tank, so you open Google Maps to find someone nearby. Nevertheless, there’s a chance that you may end up with somebody posing as a plumber who has managed to list himself on Google’s online map service.

According to the English-language daily “The Hindu”, con artists are editing bank contact details on Google Maps and getting customers to share their Personal Identification Numbers.

Scamsters seem to have stumbled upon a gold mine in the form of a loophole in the Google Maps interface. Taking advantage of the fact that on Google Maps an establishment’s contact details can be edited by anyone, a group of Thane-based con artists have been putting up their own contact numbers and tricking customers who call them into revealing sensitive account details.

According to the Maharashtra cyber police, the trend began over a month ago. Police officers said that if one searches for a particular branch of a bank on Google, the results include the Google Maps page. But the contact information on the page, such as the address and phone number, can be edited by anyone as part of Google’s User Generated Content policy.

“We have received at least three complaints from the Bank of India (BoI) over the last one month. In all three instances, we immediately notified the authorities at Google,” Superintendent of Police Balsing Rajput of the State cyber police said.

Mr. Rajput said many customers search online for their bank’s contact details, and after getting the incorrect number, call it with their queries. Unknown to them, they are actually speaking to a scamster who, under some pretext, convinces them to reveal details such as their Personal Identification Numbers (PIN) or the CVV numbers of their debit and credit cards, enabling the scamsters to withdraw money from their accounts.

More: https://hackercombat.com/bank-scam-using-google-maps-loophole/