Category: Mobile

Apple Issues Patches for 2 Actively Exploited Zero-Days in iPhone, iPad and Mac Devices

Apple on Thursday rolled out emergency patches to address two zero-day flaws in its mobile and desktop operating systems that it said may have been exploited in the wild.

The shortcomings have been fixed as part of updates to iOS and iPadOS 15.4.1, macOS Monterey 12.3.1, tvOS 15.4.1, and watchOS 8.5.1. Both the vulnerabilities have been reported to Apple anonymously.

Tracked as CVE-2022-22675, the issue has been described as an out-of-bounds write vulnerability in an audio and video decoding component called AppleAVD that could allow an application to execute arbitrary code with kernel privileges.

Apple said the defect was resolved with improved bounds checking, adding it’s aware that “this issue may have been actively exploited.”

The latest version of macOS Monterey, besides fixing CVE-2022-22675, also includes remediation for CVE-2022-22674, an out-of-bounds read issue in the Intel Graphics Driver module that could enable a malicious actor to read kernel memory.

The bug was “addressed with improved input validation,” the iPhone maker noted, once again stating there’s evidence of active exploitation, while withholding additional details to prevent further abuse.

The latest updates bring the total number of actively exploited zero-days patched by Apple to four since the start of year, not to mention a publicly disclosed flaw in the IndexedDB API (CVE-2022-22594), which could be weaponized by a malicious website to track users’ online activity and identities in the web browser.

  • CVE-2022-22587 (IOMobileFrameBuffer) – A malicious application may be able to execute arbitrary code with kernel privileges
  • CVE-2022-22620 (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution

In light of active exploitation of the flaws, Apple iPhone, iPad, and Mac users are highly recommended to upgrade to the latest versions of the software as soon as possible to mitigate potential threats.

The iOS and iPad updates are available to iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

Source :
https://thehackernews.com/2022/03/apple-issues-patches-for-2-actively.html

Samsung Confirms Data Breach After Hackers Leak Galaxy Source Code

Samsung on Monday confirmed a security breach that resulted in the exposure of internal company data, including the source code related to its Galaxy smartphones.

“According to our initial analysis, the breach involves some source code relating to the operation of Galaxy devices, but does not include the personal information of our consumers or employees,” the electronics giant told Bloomberg.

The South Korean chaebol also confirmed that it doesn’t anticipate any impact to its business or its customers as a result of the incident and that it has implemented new security measures to prevent such breaches in the future.

The confirmation comes after the LAPSUS$ hacking group dumped 190GB of Samsung data on its Telegram channel towards the end of last week, allegedly exposing the source code for trusted applets installed within TrustZone, algorithms for biometric authentication, bootloaders for recent devices, and even confidential data from its chip supplier Qualcomm.

The news of the leak was first reported by Bleeping Computer on March 4, 2022.

If the name LAPSUS$ rings familiar, it’s the same extortionist gang that made away with a 1TB trove of proprietary data from NVIDIA last month, namely employee credentials, schematics, driver source code, and information pertaining to the latest graphics chips.

Samsung Galaxy Source Code

The group, which first emerged in late December 2021, also placed an unusual demand urging the company to open-source its GPU drivers forever and remove its Ethereum cryptocurrency mining cap from all NVIDIA 30-series GPUs to prevent more leaks.

It’s not immediately clear if LAPSUS$ has made any similar demands to Samsung before publishing the information.

The fallout from the NVIDIA leaks has also led to the release of “over 70,000 employee email addresses and NTLM password hashes, many of which were subsequently cracked and circulated within the hacking community.”

That’s not all. Two code-signing certificates included in cache dump from NVIDIA have been used to sign malicious Windows drivers and other tools often used by hacking crews, namely Cobalt Strike beacons, Mimikatz, and other remote access trojans.

“Threat actors started on 1st March, a day after torrent [was] posted,” security researcher Kevin Beaumont said in a tweet last week.

Source :
https://thehackernews.com/2022/03/samsung-confirms-data-breach-after.html

100 Million Samsung Galaxy Phones Affected with Flawed Hardware Encryption Feature

A group of academics from Tel Aviv University have disclosed details of now-patched “severe” design flaws affecting about 100 million Android-based Samsung smartphones that could have resulted in the extraction of secret cryptographic keys.

The shortcomings are the result of an analysis of the cryptographic design and implementation of Android’s hardware-backed Keystore in Samsung’s Galaxy S8, S9, S10, S20, and S21 flagship devices, researchers Alon Shakevsky, Eyal Ronen, and Avishai Wool said.

Trusted Execution Environments (TEEs) are a secure zone that provide an isolated environment for the execution of Trusted Applications (TAs) to carry out security critical tasks to ensure confidentiality and integrity.

On Android, the hardware-backed Keystore is a system that facilitates the creation and storage of cryptographic keys within the TEE, making them more difficult to be extracted from the device in a manner that prevents the underlying operating system from having direct access.

Instead, the Android Keystore exposes APIs in the form of Keymaster TA (trusted application) to perform cryptographic operations within this environment, including secure key generation, storage, and its usage for digital signing and encryption. On Samsung mobile devices, the Keymaster TA runs in an ARM TrustZone-based TEE.

However, security flaws uncovered in Samsung’s implementation meant that they could provide an adversary with root privileges a workable path to recover the hardware-protected private keys from the secure element. The list of issues identified is as below –

  • Initialization Vector (IV) reuse in Keymaster TA (CVE-2021-25444) – An IV reuse vulnerability in Keymaster prior to SMR AUG-2021 Release 1 allows decryption of custom keyblob with privileged process. (Impacts Galaxy S9, J3 Top, J7 Top, J7 Duo, TabS4, Tab-A-S-Lite, A6 Plus, and A9S)
  • Downgrade attack in Keymaster TA (CVE-2021-25490) – A keyblob downgrade attack in Keymaster prior to SMR Oct-2021 Release 1 allows [an] attacker to trigger IV reuse vulnerability with privileged process. (Impacts Galaxy S10, S20, and S21)

In a nutshell, successful exploitation of the flaws against the Keymaster TA could achieve unauthorized access to hardware-protected keys and data secured by the TEE. Implications of such an attack could range from an authentication bypass to advanced attacks that can break fundamental security guarantees offered by cryptographic systems.

Following responsible disclosure in May and July 2021, the issues were addressed via security updates shipped in August and October 2021 for the affected devices. The findings are expected to be presented at the USENIX Security Symposium later this August.

“Vendors including Samsung and Qualcomm maintain secrecy around their implementation and design of [TrustZone operating systems] and Tas,” the researchers said. “The design and implementation details should be well audited and reviewed by independent researchers and should not rely on the difficulty of reverse engineering proprietary systems.”

Source :
https://thehackernews.com/2022/02/100-million-samsung-galaxy-phones.html

Why You Need to Care About Data Privacy & 5 Tips for Better Data Security

The privacy of our data has always been important. However, because we’re sharing more of it than ever before, being aware of data privacy and taking the necessary steps to protect it has never been more crucial. In this article, in celebration of Data Privacy Week, we cover why data privacy is so important, what can happen if your data were to fall into the wrong hands, and what you can do to protect your personal data.

Find out if your email address appeared in any data leaks

What is data privacy and why is it important?

Data privacy often refers to the practice of handling sensitive data in line with regulatory requirements. In most developed countries, there are specific data privacy laws in place that regulate how companies can collect, store, and share customer data.

While the EU has a comprehensive data privacy law, the General Data Protection Regulation (GDPR), which covers all different types of data, only three US states currently have similar, all-encompassing data privacy laws (California, Virginia, and Colorado). Instead, the US has many different laws designed to target specific types of data. For example, the Fair Credit Reporting Act (FCRA) protects information in your credit report, and the Family Educational Rights and Privacy Act (FERPA) protects students’ education reports from being freely accessible.

However, because of how much time we spend online nowadays, we’re putting more of our personal data out there for others to see than ever before. As a result, it is not only important to understand how protected your data is when you share it with a company, but also how private it is when you share it online.

How to protect your data privacy

Here are some of our top tips for data privacy protection:

  1. Only give your data to trustworthy companies and websites — Perhaps you’ve come across a new online clothing store or seen an app on the app store that takes your fancy, but you’re unsure if you can trust the company. If you’ve never heard of the company before, it’s best to do some quick research to learn whether or not you can trust it with your data.
  2. Think twice before sharing — With social media being such a big part of our everyday lives, it’s easy to forget that what we post online, stays online forever. Always think twice before sharing something online. Don’t publicly share personal information such as your address, phone number, or social security number.
  3. Take advantage of privacy settings — On every website, app, and game that you use, make sure you’re taking advantage of the built-in privacy settings. By doing so, you’ll ensure that only people you know can view your information.
  4. Use strong passwords and enable 2FA — When you create an online account, you almost always need to share lots of personal data — your full name, email address, and date of birth, for example. Although this data isn’t publicly accessible, if a hacker were to gain access to one of your accounts, they would be able to see all this information. To avoid this happening, make sure to use only strong, tough-to-hack passwords and that all your accounts have two-factor authentication (2FA) enabled.
  5. Use a VPN on public Wi-Fi — Unprotected Wi-Fi networks are notoriously unsecure. Because no password is required to access them, nearby hackers can steal any data transferred over them. To protect yourself, always use a VPN on public Wi-Fi networks.

Data leaks in 2021 — T-Mobile, LinkedIn, Moncler & CoinMarketCap

The truth is, no matter how well a company abides by data privacy laws and how thoroughly it protects its customers’ data, it can never be 100% data leak-proof. In 2021 alone, a shocking number of companies suffered high-profile data leaks, including T-MobileLinkedInMoncler, and CoinMarketCap. Those leaks resulted in hundreds of millions of people having their sensitive personal data leaked, which is used by criminals to commit all sorts of crimes — with the most concerning of them all being identity theft.

According to the Federal Trade Commission, there were over 1 million reports of identity theft in 2021. Below are some of the things the FTC says criminals can do with your data:

  • Get new credit cards in your name.
  • Open a phone, electricity, or gas account in your name.
  • Steal your tax refund.
  • Get medical care under your name (and leave you with a huge bill!).
  • Pretend to be you if they get arrested.

Cybercriminals often put stolen data up for sale on underground forums on the regular internet, as well as the dark web. And as you can imagine, personal information that is particularly valuable to them can fetch a high price. On average, on the dark web, a driver’s license will go for $205, an ID card for $213, and a passport sells for a whopping $684!

How to stay protected from data leaks

You might be thinking that staying protected from data leaks is an impossible task, but the answer is easy: Trend Micro™ ID Security . Available for Android and iOS, Trend Micro™ ID Security can scan the internet and the dark web 24/7 for your personal information. If your data is leaked, the app notifies you immediately so you can take action to avoid people stealing your identity. If your information is out there, you’ll be the first to know!

Here are some of the features offered by Trend Micro™ ID Security :

  • Personal Data Protection Score — See exactly how safe your online personal data is with your customized Protection Score.
  • 24/7 Comprehensive Personal Data Monitoring — ID Security can scan the internet and the dark web for all your personal information including up to 5 email addresses and bank account numbers, 10 credit card numbers, your Social Security number, and lots more.
  • Social Media Account Protection — Strengthen the security of your social media accounts. Be instantly alerted if your Facebook or Twitter account’s data is leaked by cybercriminals.

To learn more about Trend Micro™ ID Security and claim your free 30-day trial, click the button below.Get ID Security

Source :
https://news.trendmicro.com/2022/01/27/why-you-need-to-care-about-data-privacy-5-tips-for-better-data-security/

Outlook Mobile Server settings you’ll need from your email provider

Outlook for Microsoft 365 Outlook for Microsoft 365 for Mac Microsoft 365 for home More…

Most email apps like Outlook are able to automatically configure email server settings. If you need server settings or help finding your server settings, click on one of the links below:

Find your Exchange mailbox server settings

If you’re connecting to an Exchange mailbox and not using Microsoft 365 email, or if you aren’t sure if you’re using Microsoft 365 email, do the following to look up your settings:

  1. Sign in to your account using Outlook Web App. For help signing in, see Sign in to Outlook Web App.
  2. In Outlook Web App, on the toolbar, select Settings Settings icon > Mail POP and IMAP.
  3. The POP3, IMAP4, and SMTP server name and other settings you may need to enter are listed on the POP and IMAP settings page.

What server settings do I need from my email provider?

To help you get the info you need, we’ve put together a handy chart of the email server settings you should ask for. You will most likely have to set up your email as an IMAP or POP account as well. What are POP and IMAP? Check with your provider if you’re not sure which to use.

Note: When you use an IMAP or POP account, only your email will sync to your device. Any calendar or contacts associated with that account will be stored only on your local computer.

Follow these instructions to get your email settings:

  1. Print out this page and keep it within reach.
  2. Call your email provider and ask them about the settings in the chart below.
  3. Write down the corresponding email server settings in the empty column.
  4. Return to your email app and enter the information to complete your email setup.

Note: You may only need some of the settings on this list. Find out from your email provider what you will need to access your email on your mobile device.

General Email Settings

SettingDescriptionWrite Your Setting HereExample
Email AddressThe email address you want to set up.yourname@contoso.com
PasswordThe password associated with your email account.——–
Display NameThe name you want your email recipients to see.Mike Rosoft
DescriptionAdd a description of your email account.Personal, work, etc.

Incoming Mail Server Settings

These settings are for sending email to your email provider’s mail server.

SettingDescriptionWrite Your Setting HereExample
Host NameYour incoming mail server name.outlook.office365.com
UsernameThe email address you want to set up.yourname@contoso.com
PortThe port number your incoming mail server uses.Most use 143 or 993 for IMAP, or 110 or 995 for POP.
Server or DomainThis is your email provider.yourprovider.com, gmail.com, etc.
SSL?Is your email encrypted using SSL?(SSL is enabled by default in the Outlook mobile app)SSL Enabled

Outgoing Mail Server Settings (SMTP)

These settings are for sending email to your email provider’s mail server.

SettingDescriptionWrite Your Setting HereExample
SMTP Host NameOutgoing mail server name. Most often smtp.yourprovider.comsmtp.office365.com
SMTP UsernameThe email address you want to set up.yourname@contoso.com
SMTP PasswordThe password associated with your email account.——–
SSL?Is your email encrypted using SSL?(SSL is enabled by default in the Outlook mobile app)SSL Enabled

Still having trouble? We’re listening.

  • If you’re using an email provider such as Gmail, Yahoo, etc. Contact them for help in setting up your email account.See Troubleshoot email setup on mobile Outlook mobile apps or check the server status of Outlook.com.
  • If you have a work or school account that uses Microsoft 365 for business or Exchange-based accounts, talk to your Microsoft 365 admin or technical support.

    Source :
    https://support.microsoft.com/en-us/office/server-settings-you-ll-need-from-your-email-provider-c82de912-adcc-4787-8283-45a1161f3cc3

5 Security Lessons for Small Security Teams for the Post COVID19 Era

A full-time mass work from home (WFH) workforce was once considered an extreme risk scenario that few risk or security professionals even bothered to think about.

Unfortunately, within a single day, businesses worldwide had to face such a reality. Their 3-year long digital transformation strategy was forced to become a 3-week sprint during which offices were abandoned, and people started working from home.

Like in an eerie doomsday movie, servers were left on in the office, but nobody was sitting in the chairs.

While everyone hopes that the world returns to its previous state, it’s evident that work dynamics have changed forever. From now on, we can assume a hybrid work environment.

Even companies that will require their employees to arrive daily at their offices recognize that they have undergone a digital transformation, and work from home habits will remain.

The eBook “5 Security Lessons for Small Security Teams for a Post-COVID19 Era” (download here) helps companies prepare for these new work dynamics. The practical insights and provided recommendations make this a very helpful guide for small security teams that feel the brunt of security on a daily basis and now need to add one more item to their security strategy planning and execution.

This eBook details the following five security lessons derived from current business, IT, and threat landscape trends:

  1. You can’t do it all. In particular, they suggest asking your security vendor for their customer success and offered services. Some vendors provide a range of free offerings, but many customers don’t realize this and forego the opportunity to extend their security team virtually.
  2. Response speed is the name of the game. Everyone will tell you that automation is key. The guide takes it a step further and also suggests how to remove overheads from security stacks as well as how to reduce analyst work inefficiencies.
  3. More corporate devices to be issued to employees. This point provides best practices for securely procuring and managing all of those new devices, also when the security team works remotely.
  4. Supply chain attacks are on the rise. Your supplier’s security, unfortunately, becomes your security. The guide provides tips on how to receive more visibility into the threats that now reside in your environment, including how to address this challenge in a budget-constrained way.
  5. Economies have changed. When ransomware is growing to insurmountable amounts, what are the ways – from training to technologies – to best protect your business.

At the end of the day, small security teams deal with many challenges. As all security teams go, they have the burden of tedious tasks and operational demands while needing to keep the business going.

But on top of that, they have a stricter budget and human resource limitations. In each practical step, this guide takes these constraints into consideration.

Source :
https://thehackernews.com/2021/02/5-security-lessons-for-small-security.html

Google Pixel 4a is the first device to go through ioXt at launch

Trust is very important when it comes to the relationship between a user and their smartphone. While phone functionality and design can enhance the user experience, security is fundamental and foundational to our relationship with our phones.There are multiple ways to build trust around the security capabilities that a device provides and we continue to invest in verifiable ways to do just that.

Pixel 4a ioXt certification

Today we are happy to announce that the Pixel 4/4 XL and the newly launched Pixel 4a are the first Android smartphones to go through ioXt certification against the Android Profile.

The Internet of Secure Things Alliance (ioXt) manages a security compliance assessment program for connected devices. ioXt has over 200 members across various industries, including Google, Amazon, Facebook, T-Mobile, Comcast, Zigbee Alliance, Z-Wave Alliance, Legrand, Resideo, Schneider Electric, and many others. With so many companies involved, ioXt covers a wide range of device types, including smart lighting, smart speakers, webcams, and Android smartphones.

The core focus of ioXt is “to set security standards that bring security, upgradability and transparency to the market and directly into the hands of consumers.” This is accomplished by assessing devices against a baseline set of requirements and relying on publicly available evidence. The goal of ioXt’s approach is to enable users, enterprises, regulators, and other stakeholders to understand the security in connected products to drive better awareness towards how these products are protecting the security and privacy of users.

ioXt’s baseline security requirements are tailored for product classes, and the ioXt Android Profile enables smartphone manufacturers to differentiate security capabilities, including biometric authentication strength, security update frequency, length of security support lifetime commitment, vulnerability disclosure program quality, and preloaded app risk minimization.

We believe that using a widely known industry consortium standard for Pixel certification provides increased trust in the security claims we make to our users. NCC Group has published an audit report that can be downloaded here. The report documents the evaluation of Pixel 4/4 XL and Pixel 4a against the ioXt Android Profile.

Security by Default is one of the most important criteria used in the ioXt Android profile. Security by Default rates devices by cumulatively scoring the risk for all preloads on a particular device. For this particular measurement, we worked with a team of university experts from the University of Cambridge, University of Strathclyde, and Johannes Kepler University in Linz to create a formula that considers the risk of platform signed apps, pregranted permissions on preloaded apps, and apps communicating using cleartext traffic.

Screenshot of the presentation of the Android Device Security Database at the Android Security Symposium 2020

In partnership with those teams, Google created Uraniborg, an open source tool that collects necessary attributes from the device and runs it through this formula to come up with a raw score. NCC Group leveraged Uraniborg to conduct the assessment for the ioXt Security by Default category.

As part of our ongoing certification efforts, we look forward to submitting future Pixel smartphones through the ioXt standard, and we encourage the Android device ecosystem to participate in similar transparency efforts for their devices.

Acknowledgements: This post leveraged contributions from Sudhi Herle, Billy Lau and Sam Schumacher

Source :
https://security.googleblog.com/2020/08/pixel-4a-is-first-device-to-go-through.html

10 things to know about Android 10

Android 10 is here! With this release, we focused on making your everyday life easier with features powered by on-device machine learning, as well as supporting new technologies like Foldables and 5G. At the same time, with almost 50 changes related to privacy and security, Android 10 gives you greater protection, transparency, and control over your data. This builds on top of our ongoing commitment to provide industry-leading security and privacy protections on Android. We also built new tools that empower people of all abilities, and help you find the right balance with technology.

Here are the 10 things you should know, centered on innovation, security and privacy and digital wellbeing:

Simpler, smarter, and more helpful

1. Smart Reply now suggests actions. So when someone sends you a message with an address or a YouTube video, you can open and navigate in Google Maps or open up the video in YouTube—no copying and pasting required. And Smart Reply now works across all your favorite messaging apps.

2. Come to the dark side… with Dark Theme. You can enable Dark Theme for your entire phone or for specific apps like Photos and Calendar. It’s easier on your eyes, and your phone battery too.

3. Take advantage of larger, edge-to-edge screens with the new gesture navigation. With simple swipes, you can go backwards, pull up the homescreen, and fluidly move between tasks. After switching, you won’t want to go back to visible buttons.

4. With a single tap, Live Caption will automatically caption videos, podcasts and audio messages across any app—even stuff you record yourself. Live Caption will become available this fall, starting with Pixel.

New privacy and security features put you in control

5. You can choose to only share location data with apps while you’re using them. You’ll also receive reminders when an app that you are not actively using is accessing your location, so you can decide whether or not to continue sharing.

6. In a new Privacy section under Settings, you’ll find important controls like Web & App Activity and Ad Settings in one place.

7. With Google Play system updates, important security and privacy fixes can now be sent to your phone from Google Play, in the same way your apps update. So you get these fixes as soon as they’re available, without having to wait for a full OS update.

Find the right balance with technology for you and your family

8. You have greater control over where and when notifications will alert you. Mark notifications as “Silent” and they won’t make noise or appear on your lockscreen, so you’re only alerted by notifications when you want to be.

9. Now Family Link is part of every device running Android 10, right in settings under Digital Wellbeing. Parents can use these tools to set digital ground rules like daily screen time limits, device bedtime, time limits on specific apps, and more. They can also review the apps children install on their devices, as well as their usage.

10. Want to be in the zone but not off the grid? Digital Wellbeing now brings you Focus mode. Select the apps you find distracting—such as email or the news—and silence them until you come out of Focus mode. Sign up for the Beta to try it.

There’s lots more in Android 10, including a new enterprise feature that lets you use different keyboards for your personal and work profiles, app timers for specific websites so you can balance your time on the web, new gender-inclusive emoji, and support for direct audio streaming to hearing aid devices.

Android 10 begins rolling out to Pixel phones today, and we’re working with our partners to launch and upgrade devices to Android 10 this year. Learn more at android.com/10.

 

Source :
https://www.blog.google/products/android/android-10/
Exit mobile version