Week in review: iOS zero-days exploited, hacking cellphone towers and brain implants

Here’s an overview of some of last week’s most interesting news, reviews and articles:

Backdoor uses TeamViewer to spy on victims
A backdoor Trojan with spying capabilities that has been previously directed against European and Russian users is now being lobbed at US users, Dr. Web researchers have warned.

Apple plugs three actively exploited iOS zero-days
The update, released on Thursday, comes in the wake of a discovery made by researchers from University of Toronto’s Citizen Lab and security firm Lookout: someone has attempted to compromise the iPhone of UAE-based human rights activist Ahmed Mansoor through the use of a lawful surveillance kit made by Israel-based firm NSO Group.

Review: iStorage datAshur Pro
iStorage datAshur Pro is a part of the new(er) generation of encrypted flash drives, the ones that have the authentication mechanism on the device – in this case a PIN input pad.

Implant leaked by Shadow Brokers targets Juniper’s NetScreen firewalls
Juniper Networks has become the latest company to acknowledge that one of the implants leaked by the Shadow Brokers targets some of their products. EXTRABACON, one of the Equation Group exploits leaked by the Shadow Brokers, can also be made to work on a wider range of Cisco Adaptive Security Appliance (ASA) firewalls than previously reported.

Automotive security: How safe is a next-generation car?
Launched in June of this year, the Automotive Security Review Board (ASRB) is a non-profit industry consortium that came about due to the multifaceted objectives of removing barriers to the evolution of automotive innovation, without cybersecurity becoming an inhibiting factor.

WhatsApp will share your phone number with Facebook
For the first time in four years, WhatsApp is updating its Terms of Service and Privacy Policy, and the big news is that the messaging service will share users’ phone numbers with Facebook.

Passwords, biometrics and multi-factor verification: What businesses need to know
Verifying identity is a double headache for small businesses.

A closer look at IT risk management and measurement
In this podcast recorded at Black Hat USA 2016, Casey Corcoran, Partner, FourV Systems, talks about the most significant trends in cyber security and risk management. He discusses the credibility of the CISO, a new breed of security tools, as well as insurance companies trying to get into the risk management space.

Hackers can easily take over cellphone towers, researchers found
Zimperium researchers have unearthed three critical vulnerabilities in widely used software running on base transceiver stations (BTS), i.e. the equipment that makes cellphone towers work.

Brainjacking: Hacking brain implants
Did you know that Dick Cheney, former US Vice President who held that office from 2001 to 2009, had the wireless telemetry on his implantable cardioverter-defibrillator disabled during his time in office for fear of political assassination? That was in 2007, and already the fear of what hackers could do to implanted medical electronic devices was real.

Essential Pokémon GO protection tips
Since its release, Pokémon GO has become the most downloaded game in history on iOS and Android. However, Gemalto is now warning its millions of players around the world to stay safe and ensure they only battle fellow players’ gyms, not viruses and identity theft.

Stolen devices to blame for many breaches in the financial services sector
Bitglass performed an analysis of all breaches in the financial services sector since 2006, with data aggregated from public databases and government mandated disclosures. They found that leaks nearly doubled between 2014 and 2015, a growth trend on track to continue in 2016.

Shadow Brokers, digital attacks, and the escalation of geopolitical conflict
Last week’s data dump by the Shadow Brokers has left many wondering how the US will respond.

Researchers design a chip that checks for sabotage
With the outsourcing of microchip design and fabrication a worldwide, $350 billion business, bad actors along the supply chain have many opportunities to install malicious circuitry in chips.

Cybercriminals select insiders to attack telecom providers
Cybercriminals are using insiders to gain access to telecommunications networks and subscriber data, according to Kaspersky Lab. In addition, these criminals are also recruiting disillusioned employees through underground channels and blackmailing staff using compromising information gathered from open sources.

Twitter-controlled Android backdoor delivers banking malware
A backdoor Trojan named Twitoor is the first instance of Android malware that receives its commands from a Twitter account.

Android 7.0 Nougat is out, with new security features
Google has released Android 7.0 Nougat, and the newest version of the popular mobile OS is already being rolled out to Google’s existing Nexus devices.

Key elements for successfully prioritizing vulnerability remediation
In this podcast recorded at Black Hat USA 2016, Tim White, Director of Product Management at Qualys, talks about Qualys ThreatPROTECT, a cloud-based solution that helps IT professionals automatically prioritize the vulnerabilities that pose the greatest risk to their organization. How? By correlating active threats against your vulnerabilities.

Snowden documents definitely link Shadow Brokers’ leak to the NSA
The Intercept’s Sam Biddle revealed that the leaked data contains things that definitely point to the NSA as the creator of the hacking tools.

Open sourced: Cyber reasoning system that won third place in DARPA’s Cyber Grand Challenge
Earlier this month, the DARPA-backed Cyber Grand Challenge (CGC) showed that a future in which computer systems will (wholly or partially) replace bug hunters and patchers looms near. Now, the team that won third place in the contest – Shellphish of Santa Barbara, California – has open sourced many of the components of its winning Mechanical Phish cyber reasoning system.

Display the cryptographic signing information about any file on your Mac
Verifying a file’s cryptographic signature can help the user deduce its trustability. If you’re using OS X, there is no simple way to view a file’s signature from the UI, unless you’re using the WhatsYourSign utility.

18-year-old random number generator flaw fixed in Libgcrypt, GnuPG
Researchers have discovered a “critical security problem” that affects all versions of the Libgcrypt cryptographic library and, therefore, all versions of the GnuPG (a.k.a. GPG) hybrid-encryption software.

The deception technology market is exploding
Deception technology was introduced as an advanced security solution to detect and prevent targeted attacks. Deceptions are achieved through the use of purposeful obfuscations, deceitful responses, feints, misdirection, and falsehoods.
