Security News This Week: At Least 76 iOS Apps Are Vulnerable to Attacks
There’s a lot going on in the world, but the slow march of cybersecurity research and incidents plods on no matter what else is happening. This week research showed that many mobile VPNs fall short on delivering security and privacy benefits. International law may be the best mechanism for addressing large-scale ransomware attacks on Internet of Things devices (like hotel door locks). Attacks using a stealthy type of “fileless” malware that hides in computer RAM are on the rise. And it’s time to get real about strategies for keeping smart TV manufacturers from spying.
In the political sphere, the Email Privacy Act, which would reform dated and problematic aspects of the Electronic Communications Privacy Act, took a step in Congress toward becoming law. Trump’s Homeland Security Advisor Tom Bossert seems promising—he’s known as an effective and even-keeled dude. And links between Silicon Valley and the Pentagon remain strong in spite of recent political turmoil in the US. Oh, and there’s no easy fix for a clever and effective slot machine cheat developed by Russian criminals that has been plaguing casinos around the world for years. So have fun with that one.
But wait! There’s more. Each Saturday we round up the news stories that we didn’t break or cover in depth but that still deserve your attention. As always, click on the headlines to read the full story in each link posted. And stay safe out there.
Dozens of iOS Apps Are Vulnerable to Man-in-the-Middle Data Attacks
Seventy-six iOS apps are vulnerable to man-in-the-middle data interception attacks, thanks to sloppy configuration that could allow a forged certificate to be authenticated and decrypt data protected by the Transport Layer Security (TLS) protocol, thus exposing it. Will Strafach, CEO of mobile security company Sudo Security Group, found the compromised apps while the company was developing its mobile app analysis product. Problems with TLS validation have been around for a long time, and they’re particularly problematic for apps that handle sensitive data like health or financial information. Nineteen of the 76 apps Strafach found handle this type of “high risk” data. Apple has advocated that iOS developers use its App Transport Security protocol to ensure that every iOS app implements TLS, but ATS alone still doesn’t resolve certificate verification issues. Apple also indefinitely pushed back the deadline to implement ATS—the cutoff was originally supposed to be the end of 2016. Strafach says that hundreds of other apps he analyzed seemed to have the same flaw, but he only pursued analysis of those that he could confirm were jeopardized.
Arby’s Breach Affected Payment Systems at Hundreds of Corporate Locations
Arby’s has been working to address a breach of customer credit and debit card information since it learned of the situation in mid-January. Malware on payment systems at hundreds of restaurant locations around the US captured hundreds of thousands of card numbers throughout the fall. Arby’s says that only a portion of its 1,000 corporate-owned locations were impacted, and that franchise locations were not affected. It says that the malware has been eradicated from its networks. Arby’s Restaurant Group “immediately notified law enforcement and enlisted the expertise of leading security experts, including Mandiant,” the company told Krebs on Security. The investigation is ongoing.
Republican Officials Found an Encrypted Chat App to Prevent Breaches
Members of the Trump administration and other republicans have been using a secure messaging app called “Confide” to communicate with lower risk of leaks, according to an Axios report. Confide uses end-to-end encryption, with the bonus twist that messages self-destruct after being read. The service also integrates with iMessage, so it’s easy to use. Official government electronic communications are legally required to be accessible and archivable for transparency, so depending on who is using these apps and for what, they could be too secure. But the trend may simply reflect broader adoption of end-to-end encrypted apps like WhatsApp and Signal, and may not be part of official government interactions.
State-Sponsored Hackers Set Their Sights on Accounts of Prominent US Journalists
Google has notified some well-known US journalists that state-sponsored attackers have been trying to steal their Google account passwords and access their Gmail. Jonathan Chait of New York Magazine, David Sanger of the New York Times, Brian Stelter of CNN, Julia Ioffe of the Atlantic and others told Politico that they had received the Google warnings. A Google spokesperson said in a statement that, “Since 2012, we’ve notified users when we believe their Google accounts are being targeted by government-backed attackers. We send these warnings out of an abundance of caution—they do not indicate that a user’s account has already been compromised or that a more widespread attack is occurring when they receive the notice.” Stay safe out there, journos!