Say what you may about Apple’s infamous app-approval process, but Google Play Store’s permissive approach is what allows such apps to exist.
Security researchers have found a new kind of government malware that was hiding in plain sight within apps on Android’s Play Store. And they appear to have uncovered a case of lawful intercept gone wrong.
Source: Researchers Find Google Play Store Apps Were Actually Government Malware
Find out more about spyware/malware and some techniques to prevent infection here.
This is a common and recurring problem due to lack of awareness and the difficulty of securing data. Think twice before you donate your old devices. At least make an attempt to erase or remove the storage device before doing so.
If you are concerned with data compliance, you may refer to NIST SP 800-88r1 – Guidelines for Media Sanitization. For the rest of us, try to adopt security best practices such as:
- Full disk encryption
- Use of dedicated software to wipe, especially those from the manufacturer
- Physical destruction
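The verification step that belongs after the wipe in the list above, as an added example that is not code from this post or its sources: overwrite an image with a fill byte, then read every byte back and report the first one that does not match. NIST SP 800-88r1 expects sanitization to be verified this way rather than trusted. The temp file, and the personal-data remnant planted in it, are constructed for the demo and stand in for a block device.

```python
"""Verification step for media sanitization: read the medium back after a
wipe and confirm every byte holds the fill pattern. Added example, not code
from the post's sources; runs on a regular file standing in for a drive image
(a real check would open the block device node read-only instead)."""
import os
import tempfile

CHUNK = 1 << 20  # read/write 1 MiB at a time


def overwrite_image(path: str, fill: int = 0) -> int:
    """Overwrite the whole image with one byte value and flush it to disk.
    Stands in for a vendor wipe tool. On flash/SSD media host-side writes can
    miss remapped blocks, so use the drive's own sanitize command there and
    keep the read-back below as the verification."""
    size = os.path.getsize(path)
    block = bytes([fill]) * CHUNK
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(CHUNK, size - written)
            f.write(block[:n])
            written += n
        f.flush()
        os.fsync(f.fileno())
    return written


def verify_overwrite(path: str, fill: int = 0, full: bool = True,
                     samples: int = 16) -> tuple[bool, int]:
    """Return (ok, offset): ok is True when every checked byte equals `fill`,
    otherwise offset is the first mismatching byte. full=False spot-checks
    `samples` evenly spaced chunks; faster on large media, but it can miss an
    untouched region, so prefer a full pass when time allows."""
    size = os.path.getsize(path)
    block = bytes([fill]) * CHUNK
    step = CHUNK if full else max(size // samples, CHUNK)
    with open(path, "rb") as f:
        for off in range(0, size, step):
            f.seek(off)
            data = f.read(CHUNK)
            if data != block[:len(data)]:
                bad = next(i for i, b in enumerate(data) if b != fill)
                return False, off + bad
    return True, -1


def demo() -> dict:
    """Constructed 4 MiB 'drive image' with leftover personal data: fails the
    check, gets wiped, then passes. The temp file is removed afterwards."""
    leftover = b"name=Jane Doe;dob=1970-01-01;card=0000-0000-0000-0000"  # constructed
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(os.urandom(3 * CHUNK))                          # old opaque data
        tmp.write(leftover + b"\x00" * (CHUNK - len(leftover)))   # plaintext remnant
        path = tmp.name
    try:
        before = verify_overwrite(path)
        overwrite_image(path)
        after_full = verify_overwrite(path)
        after_spot = verify_overwrite(path, full=False)
    finally:
        os.unlink(path)
    return {"before": before, "after_full": after_full, "after_spot": after_spot}


if __name__ == "__main__":
    print(demo())
```

Running the file prints the before/after results; `before` reports the offset of the first byte that still carries data, and both post-wipe checks return `(True, -1)`. Full disk encryption from day one makes this step far less critical, since what is left behind is ciphertext, but a read-back check is still the only evidence a wipe actually happened.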
In the space of six months, one security researcher found thousands of files from dozens of computers, phones and flash drives — most of which contained personal information. All the researcher did was scour the second-hand stores for donated and refurbished tech. New research published by security firm Rapid7 revealed how problematic discarded technology can […]
Source: Donated devices are doxing your data, says new research
Writing secure software is impossibly hard. Even with all the resources the Chrome team has and the focus on security it is famous for, vulnerabilities can still exist and may be exploited for nefarious purposes.
When a security expert on the Chrome team says, “update your Chrome installs… like right this minute” – well, here’s how to check!
Source: Serious Chrome zero-day – Google says update “right this minute”
A free vulnerability scan by the government for Japanese netizens.
Can’t say it’s a bad idea, if it’s well managed. The fact is there are a lot of devices out there with default credentials or unpatched vulnerabilities, and these devices usually end up being exploited by threat actors for personal gain. The ability to identify vulnerable devices is a necessary first step towards mitigating potential cyber incidents.
Japan will attempt to access Internet-connected devices in homes and offices to find their vulnerabilities. The first-of-its-kind survey is aimed at beefing up cyber-security.
Source: Govt. to access home devices in security survey – News – NHK WORLD – English
This is a serious one. A vulnerability exists in Android that allows the phone to be hacked simply by viewing a malicious PNG image.
The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.
Source: Android Security Bulletin — February 2019 | Android Open Source Project
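As an added example (not the Android Framework decoder, and not a reproduction of the bulletin's bug), here are the structural checks a PNG parser should run before it lets any field from an untrusted file drive a copy or an allocation: the 31-bit length limit, the declared chunk length against the bytes actually present, the chunk CRC, and a cap on image dimensions. `MAX_DIMENSION` is a hypothetical policy value chosen for this example; the helpers build a valid PNG from scratch and then tamper with it so the rejection paths can be exercised offline.

```python
"""Defensive PNG chunk walker. Added example: not the Android Framework code
and not the bulletin's bug, only the input checks a decoder needs before an
attacker-controlled length field can steer it out of bounds."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK_LEN = (1 << 31) - 1   # PNG spec: chunk length must fit in 31 bits
MAX_DIMENSION = 1 << 14         # hypothetical policy cap (pixels) for this example


class PngError(ValueError):
    """Raised on the first structural violation; decoding must stop here."""


def validate_png(data: bytes) -> list[str]:
    """Walk the chunk list and return the chunk types in order, or raise PngError."""
    if not data.startswith(PNG_SIG):
        raise PngError("bad signature")
    pos = len(PNG_SIG)
    types: list[str] = []
    while pos < len(data):
        remaining = len(data) - pos
        if remaining < 12:                       # 4 length + 4 type + 4 CRC minimum
            raise PngError(f"truncated chunk header at offset {pos}")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if not ctype.isalpha():
            raise PngError(f"invalid chunk type {ctype!r}")
        if length > MAX_CHUNK_LEN:
            raise PngError(f"{ctype!r}: length {length} exceeds 2^31-1")
        # the check that matters: the declared length must fit in what is left
        if length > remaining - 12:
            raise PngError(f"{ctype!r}: claims {length} bytes, only {remaining - 12} present")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) != crc:
            raise PngError(f"{ctype!r}: CRC mismatch")
        if not types and ctype != b"IHDR":
            raise PngError("first chunk is not IHDR")
        if ctype == b"IHDR":
            if length != 13:
                raise PngError("IHDR must be exactly 13 bytes")
            width, height = struct.unpack(">II", body[:8])
            if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
                raise PngError(f"refusing {width}x{height} image")
        types.append(ctype.decode("ascii"))
        pos += 12 + length
        if ctype == b"IEND":
            break
    if not types or types[-1] != "IEND":
        raise PngError("missing IEND")
    return types


def check(data: bytes) -> str:
    """'ok' or 'rejected: <reason>', handy for triaging a batch of samples."""
    try:
        validate_png(data)
        return "ok"
    except PngError as e:
        return f"rejected: {e}"


# --- constructed inputs for the demo -----------------------------------------

def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def build_png(width: int = 1, height: int = 1) -> bytes:
    """A valid 8-bit RGBA PNG of the given size, built from scratch."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    rows = b"".join(b"\x00" + b"\x00\x00\x00\xff" * width for _ in range(height))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b"")


def set_chunk_length(png: bytes, ctype: bytes, new_len: int) -> bytes:
    """Constructed tampering: rewrite the length field of the named chunk."""
    idx = png.index(ctype) - 4
    return png[:idx] + struct.pack(">I", new_len) + png[idx + 4:]


def flip_body_byte(png: bytes, ctype: bytes) -> bytes:
    """Constructed tampering: corrupt the first body byte of the named chunk."""
    idx = png.index(ctype) + 4
    return png[:idx] + bytes([png[idx] ^ 0xFF]) + png[idx + 1:]
```

The length-versus-remaining check is the one that a decoder must perform before touching the body: a parser that trusts the 32-bit length field and reads or allocates from it is exactly the shape of bug the bulletin's "specially crafted PNG file" wording describes, whatever the specific defect was. The CRC check catches accidental corruption rather than attackers, who can recompute it, so it is a secondary signal.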
The cost of data is not just the bytes that are required to store them. Increasingly laws will target companies for over-collecting, misusing, and not doing enough to protect PII data.
California recently passed an extremely powerful, far-reaching law, the California Consumer Privacy Act (CCPA), that will likely drive even more change than the GDPR. Here’s what your dev team needs to know and how to prepare.
Source: CCPA will hit your dev team harder than GDPR. Here’s why.
This is a serious hijack of a toolchain used by developers.
Pear.php.net shuts down after maintainers discover serious supply-chain attack.
Source: If you installed PEAR PHP in the last 6 months, you may be infected | Ars Technica
Marvell’s Wi-Fi system-on-chip, which is used by the Valve Steam Link, PS4, Microsoft Surface and Samsung Chromebook, is susceptible to remote compromise. Here’s the kicker: the device can be compromised just by being powered on. There is no need for the victim to visit any website or click on any links. That’s what makes this RCE (remote code execution) so dangerous and potent.
This vulnerability can be triggered without user interaction during the scanning for available networks. This procedure is launched every 5 minutes regardless of a device being connected to some Wi-Fi network or not. That’s why this bug is so cool and provides an opportunity to exploit devices literally with zero-click interaction at any state of wireless connection (even when a device isn’t connected to any network).
Source: Remotely compromise devices by using bugs in Marvell Avastar Wi-Fi: from zero knowledge to zero-click RCE – Embedi
This is a case that will test the limits of exclusions in the brave new world of cybersecurity insurance. Basically, the insurance company is refusing to pay for cybersecurity-related damages by citing an exclusion clause which states the malware was created as part of cyber warfare.
What if courts and lawyers actually start believing the cyberwar narrative and acting as if any damage caused to Western companies is uninsurable war damage?
What will happen to the insurance of cyber risks if any attack could potentially be declared part of a war?
Source: Mondelez Lawsuit Shows the Dangers of Attributing Cyberattacks – Bloomberg
CAPTCHAs are almost ubiquitous in today’s web applications, and an extremely popular CAPTCHA implementation is Google’s reCaptcha. reCaptcha provides an audio version for visually impaired users. Researchers managed to use free speech-to-text services to defeat audio reCaptcha.
unCaptcha: Talk is cheap in defeating reCaptcha
Source: unCaptcha: A Low-Resource Defeat of reCaptcha’s Audio Challenge