27.4.18

Over 3,300 Android apps may be violating kids’ privacy, study says


Researchers find that a great portion of popular children’s apps may run afoul of US privacy legislation by improperly collecting data – albeit often probably unintentionally. A response from Google to the unflattering findings wasn’t long in coming.
More than 3,300 children-oriented Android apps on Google Play are possibly gathering kids’ data in an improper manner, which could put the apps in violation of US child privacy legislation, a recent paper has found.
The study, titled “Won’t Somebody Think of the Children?” Examining COPPA Compliance at Scale, examined 5,855 of the most popular children-focused Android apps. It found that “roughly 57%” of the apps – which works out to 3,337 – are potentially violating the US Children’s Online Privacy Protection Act (COPPA).
COPPA protects children under 13 from invasive collection of personally identifiable information (PII). The law regulates how apps, games or websites are allowed to gather and process sensitive data from children. In so doing, it prohibits some data collection practices outright while requiring a parent’s consent for others.
The 5,855 apps tested were made by 1,889 developers and have racked up 4.5 billion installs between them. They are listed in 63 different Google Play categories, most of them, unsurprisingly, in the various ‘games’ categories.
So what exactly are the apps up to?
The team of seven researchers hailing mainly from US and Canadian universities used an automatic testing process to detect how the apps handled data.
They found that the potential violations came in several forms. For example, 28% of the apps accessed sensitive data protected by Android permissions. Perhaps most worryingly, nearly 5% of all apps collected children’s geolocation or contact information, notably the device owner’s email address or phone number, without the permission of a parent.
Nearly three-fourths (73%) transmitted sensitive data over the internet, but 40% of them didn’t apply reasonable security measures by failing to use Transport Layer Security (TLS), the standard for securing data in transit.
The study also identified potential non-compliance in almost 19% of the apps, which shared so-called persistent identifiers (such as the device’s unique IMEI number or Wi-Fi MAC address) with third parties for prohibited purposes, notably user profiling and ad targeting. Under COPPA, such identifiers count as personal information if they can be used to recognize a user over time and across different websites or online services.
In addition, 39% of the apps transmitted Google’s advertising identifier, known as AAID, together with another (and immutable) identifier to the same destination, thus apparently breaching the terms of service of Google Play’s Designed for Families (DFF) program.
Personally identifiable information (PII) collected by many of the tested apps (credit: “Won’t Somebody Think of the Children?” Examining COPPA Compliance at Scale)
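The categories of potential violation listed above (PII without parental consent, sensitive data sent without TLS, persistent identifiers shared with third parties for profiling or ad targeting, and the AAID sent alongside an immutable identifier) can be expressed as rules over observed network flows. The following is an added example written for this article, not code from the paper or its AppCensus tooling: a simplified re-implementation of those checks over constructed flow records. The field names, hostnames, purposes and the third-party list are assumptions made for the example.

```python
"""Flag COPPA- and DFF-relevant data flows in captured children's-app traffic.

Added example for this article: NOT code from the paper or its AppCensus
tooling, only a simplified re-implementation of the kinds of checks the study
describes. Field names, hostnames, purposes and the third-party list are
assumptions; the flow records are constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Non-resettable identifiers that COPPA treats as personal information when
# they can recognise a child over time and across services.
PERSISTENT_IDS = {"imei", "wifi_mac", "android_id", "serial"}
# Geolocation and contact details, collectable only with parental consent.
PII_FIELDS = {"email", "phone", "lat", "lon"}
# Purposes for which sharing persistent identifiers with third parties is prohibited.
PROHIBITED_PURPOSES = {"profiling", "ad_targeting"}
# Third-party SDK endpoints (constructed hostnames, assumption for the example).
THIRD_PARTIES = {"ads.example-sdk.test", "analytics.example-sdk.test"}


@dataclass(frozen=True)
class Flow:
    app: str
    dest: str                       # destination hostname
    tls: bool                       # True if the connection used TLS
    fields: frozenset               # identifier / PII keys seen in the payload
    purpose: str = "functional"     # inferred use of the data at the destination
    parental_consent: bool = False  # was verifiable parental consent recorded?


@dataclass(frozen=True)
class Finding:
    app: str
    dest: str
    rule: str


def check_flow(f: Flow) -> list:
    """Per-flow rules: consent, transport security, third-party sharing."""
    out = []
    if f.fields & PII_FIELDS and not f.parental_consent:
        out.append(Finding(f.app, f.dest, "pii_without_parental_consent"))
    if f.fields & (PII_FIELDS | PERSISTENT_IDS) and not f.tls:
        out.append(Finding(f.app, f.dest, "sensitive_data_without_tls"))
    if (f.fields & PERSISTENT_IDS and f.dest in THIRD_PARTIES
            and f.purpose in PROHIBITED_PURPOSES):
        out.append(Finding(f.app, f.dest, "persistent_id_to_third_party"))
    return out


def check_app(flows) -> list:
    """All flows of one app, plus the cross-flow DFF rule: the resettable AAID
    must never reach the same destination as a non-resettable identifier,
    because the pair lets the recipient undo an identifier reset."""
    findings = []
    seen_per_dest = {}
    app = flows[0].app if flows else ""
    for f in flows:
        findings.extend(check_flow(f))
        seen_per_dest.setdefault(f.dest, set()).update(f.fields)
    for dest, fields in seen_per_dest.items():
        if "aaid" in fields and fields & PERSISTENT_IDS:
            findings.append(Finding(app, dest, "aaid_bridged_to_persistent_id"))
    return findings


def rule_counts(findings) -> dict:
    """How often each rule fired, the per-app summary a reviewer would read."""
    return dict(Counter(f.rule for f in findings))


# Constructed flows for one hypothetical kids' app (package name is made up).
APP = "com.example.kidspuzzle"
SAMPLE_FLOWS = [
    Flow(APP, "api.kidspuzzle.example", tls=True, fields=frozenset({"android_id"})),
    Flow(APP, "ads.example-sdk.test", tls=False,
         fields=frozenset({"aaid", "imei"}), purpose="ad_targeting"),
    Flow(APP, "analytics.example-sdk.test", tls=True,
         fields=frozenset({"aaid", "email"}), purpose="profiling"),
]

if __name__ == "__main__":
    for finding in check_app(SAMPLE_FLOWS):
        print(f"{finding.app} -> {finding.dest}: {finding.rule}")
```

Run as a script it prints four findings for the sample app: the unencrypted ad-SDK flow trips both the TLS rule and the third-party rule, the analytics flow trips the consent rule, and the ad-SDK destination receives the AAID together with the IMEI. The first-party API flow, which carries only an Android ID over TLS to the developer's own host, produces nothing, matching the paper's point that the trouble usually sits in the bundled SDKs rather than the app's own backend.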
The researchers pinned the bulk of the blame for the data slurping on the apps’ inclusion and use of third-party software development kits (SDKs). “While many of these SDKs offer configuration options to respect COPPA by disabling tracking and behavioral advertising, our data suggest that a majority of apps either do not make use of these options or incorrectly propagate them across mediation SDKs,” reads the paper.
Bearing this in mind, the researchers surmise that “many privacy violations are unintentional and caused by misunderstandings of third-party SDKs.”
Over to Google
The researchers acknowledged Google’s steps to ensure compliance with COPPA, but added that “there appears to not be any (or only limited) enforcement”. As a result, they urged the company to be more active in its vetting process.
Meanwhile, Tom’s Guide quoted a Google spokesperson as saying in response to the findings:
“We’re taking the researchers’ report very seriously and looking into their findings. Protecting kids and families is a top priority, and our Designed for Families program requires developers to abide by specific requirements above and beyond our standard Google Play policies. If we determine that an app violates our policies, we will take action. We always appreciate the research community’s work to help make the Android ecosystem safer.”
The researchers made their findings for each tested app available at a dedicated website: https://www.appcensus.mobi/.

“Malware of Mass Disruption” the WMD of the future? Insights from the stage at RSA 2018

ESET's Global Security Evangelist Tony Anscombe expands on his theory
One might wonder why one of the final mainstage presentations at RSA 2018 had “Weapons of Mass Destruction” (WMDs) in its title. When ESET Global Security Evangelist Tony Anscombe finished his presentation, however, no one was asking that question; instead, what emerged was a better understanding of how the evolution of malware has led us to the digital weaponry of today and tomorrow.
The central question of Anscombe’s presentation was: Can malware be used as a weapon of mass destruction? He contends that it can and notes that we are at a tipping point where malware evolution has led us to the latest development in cyberweapons; this is what Anscombe coins “Malware of Mass Disruption.” He defines this as the following:
·         Any malware that targets infrastructure and thus could damage or disable services and could potentially cause death or serious bodily injury
·         Any malware designed to inhibit first responders or emergency response from providing lifesaving treatment
·         Any malware that targets health care or medical devices and could potentially cause death or serious bodily injury
·         Any software that is intended to damage or disable medical systems or devices
Over the years, we have had some close calls that give a glimpse into the effect digital weapons can have. In 2017, the United Kingdom’s National Health Service (NHS) was a major victim of the WannaCryptor (aka WannaCry, WCrypt) attack [ESET detects this as Win32/Filecoder.WannaCryptor.C, or less formally as “WannaCryptor.C” — Ed.]. According to a government report, at least 6,912 NHS appointments were canceled, with estimates that the total may be as high as 19,000. These numbers only reflect NHS hospital appointments – the impact on local physician visits is unknown. Within this number are 139 urgent referrals of patients who potentially have cancer.
It would not be unreasonable to consider a malware attack a ‘weapon’ when it does in fact affect the urgent health care of patients. If the WMD definition and title were adjusted to become Malware of Mass Disruption, then the WannaCryptor attacks would certainly be categorized this way.
Perhaps one of the most notorious attacks to cause disruption to society on a large scale was the 2015 malware known as BlackEnergy, which caused power outages in Ukraine, impacting 225,000 customers for up to six hours. The malicious actors responsible attacked three regional electric power distribution companies with synchronized and coordinated attacks within 30 minutes of each other and impacted multiple central and regional facilities.
And that was only the beginning. In 2016, a new attack, later attributed to malware dubbed Industroyer, deprived the capital city of Ukraine, Kiev, of power for approximately one hour. This attack differed significantly from BlackEnergy as it targeted Industrial Control Systems (ICS). By exploiting weaknesses in the software of the ICS devices, the attackers were able to control electricity substation switches and circuit breakers directly, ultimately controlling the delivery of power.
The critical infrastructure of a city might just be the crown jewel to a nation-state actor. Attacking the power infrastructure of a city, country or even a building has the potential to cause huge disruption, and, depending on the circumstances, endanger life. Imagine if an intensive care unit of a hospital lost power; the outcome could be fatal. While this is a hypothetical scenario, it may not be far from reality – if a cybercriminal can switch off the power to a city, they probably have the ability to switch off the supply to a building and, with the right resources, change the way any backup systems may operate.
“Using the word ‘weapon’ in association with malware may be a step too far for some people,” noted Anscombe. But he points out an important malware history lesson, bringing attention to the first major attack against infrastructure, dubbed Stuxnet. “This showed, really for the first time, that a nation state could actually attack the infrastructure of another nation state by using malware as the tool or weapon,” he said.
Since prominent infrastructure attacks like Stuxnet, various examples point to a conclusion that malware has the potential to “be a weapon in the arsenal of any government or organization that wants to inflict damage or disruption on another person, organization or country – or the world as a whole,” he pointed out.
From notorious attacks like WannaCryptor, to aggressive blackouts caused by BlackEnergy and Industroyer, to attacks that potentially affect election outcomes, the reality exists that the bad actors creating and utilizing malware are disrupting our sense of safety, security and democracy.
“I will leave you to decide whether to call these weapons,” he concluded.


https://www.welivesecurity.com/2018/04/26/malware-mass-disruption-rsa2018/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+Blog%3A+We+Live+Security%29

26.4.18

Ethereum cryptocurrency wallets raided after Amazon’s internet domain service hijacked



Approximately US $150,000 worth of Ethereum-based cryptocurrency stolen.
Online cryptocurrency website MyEtherWallet.com has confirmed that for a period of time yesterday some visitors could have been redirected to a phishing site designed to steal users’ credentials and – ultimately – empty their cryptocurrency wallets.
According to reports, whoever was behind the attack may have successfully stolen approximately US $152,000 worth of Ethereum-based cryptocurrency.
However, assuming that MyEtherWallet itself was at fault may be a mistake, as the website explained in its statement:
“This is not due to a lack of security on the [MyEtherWallet] platform. It is due to hackers finding vulnerabilities in public facing DNS servers.”
This explanation is confirmed by British security researcher Kevin Beaumont, who described in a blog post that some of MyEtherWallet’s traffic had been redirected to a server based in Russia after traffic intended for Amazon’s DNS resolvers was pointed to a server hosted in Chicago by Equinix.
For the scheme to succeed, someone pulled off a hijack of a crucial component of the internet known as Border Gateway Protocol (BGP), to reroute traffic intended for Amazon’s Route 53 DNS service to the server in Chicago. As a consequence, for some users, entering myetherwallet.com into their browser did not take them to the genuine site but instead to a server at an IP address chosen by the hackers.
The only obvious clue that a typical user might have spotted was that when they visited the fake MyEtherWallet site they would have seen an error message telling them that the site was using an untrustworthy SSL certificate.
It seems that the attackers made an elementary mistake in not obtaining a valid SSL certificate. Their goof certainly helped alert some users that something fishy was occurring.
All the same, it’s somewhat depressing to realise that some users saw an alert message and ignored it. Everybody who had their accounts compromised chose to proceed on the website despite having been presented with a security warning.
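The mechanism described above, rerouting traffic for a subset of Route 53's address space by announcing it from a network that was not entitled to, is exactly what route origin validation is designed to catch. The following is an added example written for this article, not code from the article, Amazon, Equinix or any BGP monitoring product; it models the check an operator's prefix monitor applies in the spirit of RPKI route origin validation (ROV), which the article itself does not mention. The authorisations, ASNs and announcements are constructed placeholders (RFC 5737 documentation prefixes and private-use ASNs), not Route 53's real values.

```python
"""Route origin check for BGP announcements, modelled on RPKI route origin
validation (ROV).

Added example for this article: not code from the article, Amazon, Equinix or
any BGP monitor. Authorisations, ASNs and announcements are constructed
placeholders (RFC 5737 documentation prefixes, private-use ASNs).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorisation: origin_asn may announce prefix and any
    more-specific prefix down to max_length."""
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_asn: int


@dataclass(frozen=True)
class Announcement:
    prefix: ipaddress.IPv4Network
    origin_asn: int   # last ASN in the AS_PATH
    observed_at: str  # peer or route collector that saw the route


def net(text: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(text)


def validate(ann: Announcement, roas) -> str:
    """Return 'valid', 'invalid' or 'not_found', the three ROV outcomes."""
    covering = [r for r in roas if ann.prefix.subnet_of(r.prefix)]
    if not covering:
        return "not_found"
    for r in covering:
        if r.origin_asn == ann.origin_asn and ann.prefix.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def hijack_alerts(announcements, roas) -> list:
    """Invalid routes, each with the reason a responder would want to see."""
    alerts = []
    for ann in announcements:
        if validate(ann, roas) != "invalid":
            continue
        covering = [r for r in roas if ann.prefix.subnet_of(r.prefix)]
        if any(r.origin_asn == ann.origin_asn for r in covering):
            reason = "authorised origin, but more specific than maxLength"
        else:
            reason = "unauthorised origin ASN"
        alerts.append({
            "prefix": str(ann.prefix),
            "origin_asn": ann.origin_asn,
            "observed_at": ann.observed_at,
            "reason": reason,
        })
    return alerts


# Constructed authorisation: the DNS provider (placeholder AS 64500) may
# announce 203.0.113.0/24 and nothing more specific.
ROAS = [Roa(net("203.0.113.0/24"), 24, 64500)]

# Constructed announcements as a route collector might see them.
SAMPLE_ANNOUNCEMENTS = [
    Announcement(net("203.0.113.0/24"), 64500, "collector-a"),   # legitimate
    Announcement(net("203.0.113.0/25"), 64999, "collector-b"),   # subset from a stranger
    Announcement(net("198.51.100.0/24"), 64501, "collector-a"),  # no ROA at all
]

if __name__ == "__main__":
    for a in SAMPLE_ANNOUNCEMENTS:
        print(a.prefix, a.origin_asn, validate(a, ROAS))
    for alert in hijack_alerts(SAMPLE_ANNOUNCEMENTS, ROAS):
        print("ALERT", alert)
```

The /25 matters because BGP prefers the most specific route: any network that accepts that announcement sends the provider's traffic to the unauthorised origin regardless of the legitimate /24 being present, which is what "incorrectly directed a small percentage of traffic" in Amazon's statement amounts to. A router or monitor applying this check classifies the /25 as invalid and can drop it or raise an alert, while the unrelated prefix with no authorisation is merely reported as not found rather than treated as hostile.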
Despite making such a simple error with their SSL certificate, the hackers don’t seem to have done badly for themselves – both in this attack and in the past. Fascinatingly, the bogus MyEtherWallet website set up by the criminals was moving stolen cryptocurrency into a wallet which already contained some US $27 million worth of assets. Inevitably that raises questions of its own – have the hackers already made a substantial fortune through other attacks, or might their activities be supported by a nation state?
In a statement Equinix confirmed that a customer’s equipment at its Chicago data center was used in the hackers’ hijacking of Amazon’s Route 53 DNS service:
“The server used in this incident was not an Equinix server but rather customer equipment deployed at one of our Chicago IBX data centers… We generally do not have visibility or control over what our customers – or customers of our customers – do with their equipment.”
For their part, a statement from Amazon points a finger of blame at others:
“Neither AWS nor Amazon Route 53 were hacked or compromised. An upstream Internet Service Provider (ISP) was compromised by a malicious actor who then used that provider to announce a subset of Route 53 IP addresses to other networks with whom this ISP was peered. These peered networks, unaware of this issue, accepted these announcements and incorrectly directed a small percentage of traffic for a single customer’s domain to the malicious copy of that domain.”
With no-one keen to accept responsibility for what occurred, my advice to cryptocurrency fans is to take matters into their own hands. You have to be responsible for the security of your investments, and perhaps the most sensible thing to do is to keep your cryptocurrency wallets offline if you’re worried about them being plundered by cybercriminals.
Personally I would advocate not only avoiding putting your cryptocurrency wallets online, but also keeping them off your smartphone or computer, and perhaps investing in a hardware wallet instead.

25.4.18

Ransomware runs rampant in 2017, Verizon report finds


Tomáš Foltýn

Social engineering attacks that involve pretexting nearly tripled on an annual basis while phishing simulations show that curiosity gets the better of 4% of people.
Ransomware takes the cake as the most prevalent type of malicious software in Verizon’s latest Data Breach Investigations Report (DBIR).
The US-based telecommunications company analyzed input from 67 organizations and examined more than 53,000 security incidents, including 2,200-odd data breaches, in 65 countries between November 2016 and October 2017.
Compared to the previous 12 months, ransomware attacks doubled – so much so that they accounted for 39% of all malware-specific security breaches. Ransomware has been experiencing a meteoric rise in recent years, having come in 22nd from among all malware-related cases in the 2014 report.
What has made this variety of malware so popular among cybercriminals? Put simply, ransomware provides attackers with an unrivaled combination of little risk or cost and a high level of effectiveness. Off-the-shelf toolkits are easy to come by, and little to no technical skills are required to deploy ransomware.
Another reason why ransomware has become a high-reward, low-risk proposition is that there’s no need to monetize stolen data. Making things even worse for the victims, attackers are increasingly setting their sights on encrypting lucrative, business-critical targets such as file servers or databases, rather than “only” user devices. That way, they can extort the victims for more money, according to Verizon.
Meanwhile, it was hacking – such as through the use of stolen credentials – that was the leading method for facilitating a breach (48%). Malware in general was instrumental in 30% of breaches. Locked in a neck-and-neck race, errors and social engineering attacks (17% each) came next. Some incursions involve overlapping attack paths.
When all kinds of security incidents are considered, i.e. events that compromise the integrity, confidentiality or availability of an information asset in some way, Verizon found denial-of-service (DoS) attacks to be the most common by far.
Who and why?
Summary of findings (credit: Verizon’s 2018 DBIR report)
Almost three-quarters (73%) of breaches were perpetrated by outsiders, while more than one in four (28%) involved insiders in some capacity. The healthcare industry was the odd man out in this respect, as the threat there is greater from inside than from outside (56% vs 43%). This involves a rather large amount of employee error and misuse of access privileges. Health care had another dubious distinction, since it was the most frequent victim of a breach (24%) from among all nine industries under review.
Financial gain remains by far the biggest motivation for intruders, having been identified behind 76% of breaches. Espionage came a distant second (13%). Verizon notes that most attacks are opportunistic and target the unprepared, rather than aiming at billion-dollar enterprises. Nearly six in ten victims are classified as small businesses.
People are people
A typical organization was found to be almost three times more likely to suffer a breach via a social engineering-based attack than via a software vulnerability. This supports a common refrain that, besides being the greatest asset of any organization, humans are also its weakest link.
Taken together, phishing and pretexting accounted for 93% of breaches that involved social engineering tactics. There was a notable increase in the prevalence of pretexting incidents in particular, with their number soaring from 61 to 170 on an annual basis.
To be sure, it’s not always easy to draw a line between phishing and pretexting, and they’re not necessarily mutually exclusive. For the purposes of the report, however, Verizon notes that pretexting usually involves some back-and-forth communication, beginning with a false narrative that is designed to acquire information or influence behavior. Malware isn’t usually deployed.
Meanwhile, phishing is more of a “fire and forget” approach and it involved malware in two out of three incidents. Either way, email was the usual attack vector, and finance and HR departments were the most common targets.
In addition, the telecom giant included some interesting data from contributing organizations that specialize in security awareness training. Phishing simulations run by the organizations found that 78% of employees didn’t click a single phish all year. On the flip side, on average 4% of people in any given phishing campaign will fall for such an email, and “the vampire only needs one person to let them in”, Verizon notes. Notably, the more phishing emails someone has clicked, the more they are likely to click again in the future.


23.4.18

New ESET Enterprise Security solutions suite launched at RSA 2018




Cybersecurity company ESET has launched a new generation of enterprise security products and services and showcased its 30 years of expertise at RSA 2018.

Among the standout products in the newest suite for businesses are the completely new ESET Enterprise Inspector, an Endpoint Detection & Response (EDR) solution with functionality and granularity that surpass every product on the market, and ESET Dynamic Threat Defense, a tool that offers off-premise cloud sandboxing and uses machine learning and behaviour-based detection to prevent zero-day attacks.

ESET also says goodbye to ESET Remote Administrator and welcomes the brand-new ESET Security Management Center, an enterprise-grade console that provides monitoring, management and reporting for all operating systems.
All of these ESET business solutions can be seamlessly integrated into a single display, giving visibility into zero-day threats, APTs and botnets while also allowing smooth and easy adjustments to the policies and configurations of endpoint security products.

“We travelled around the world to talk to companies’ IT security specialists and listen to their needs,” said Juraj Malcho, CTO of ESET. “What we heard was that they wanted a single console with visibility into all stages of threat interception: prediction, prevention, detection and remediation. This is what we made of it. You will notice that we do not use the term ‘next-gen’ in any of our messaging or products, because we have been doing what everyone now calls ‘next-gen’ since 2005. Our focus is less on hype and more on R&D and building solutions that really work.”

ESET’s business solutions are built by cybersecurity experts and supported by machine learning. Using machine learning to automate decisions and evaluate potential threats is an essential part of ESET’s approach – but it is only as strong as the people behind the system.

Human experience is of the utmost importance in providing the most accurate threat intelligence, because threat actors are intelligent adversaries. ESET’s endpoint products contain a cloud reputation system that delivers relevant information about the most recent threats as well as benign files. ESET LiveGrid®, ESET’s reputation system, consists of 110 million sensors worldwide and is verified by research and development centres, so that customers get the highest degree of confidence when they view information and reports on their console.
The enterprise-ready products and services launched at RSA are:
Products:
·         ESET Security Management Center
·         ESET Enterprise Inspector
·         ESET Dynamic Threat Defense
Services:
·         ESET Threat Monitoring
·         ESET Threat Hunting
·         ESET Threat Intelligence (re-release)

“I think many people do not know that ESET counts some of the most iconic enterprises in the world among its customers,” concludes Juraj Malcho. “Now even more companies will be able to use ESET to address and respond to the increasing volume and sophistication of cyberattacks.”

More information can be found at eset.com/us/rsa.



Multi-bank payment platform Isabel 6 now also available on Mac




For more than 20 years, Isabel has been synonymous with a multi-bank payment platform for financial professionals. 30,000 business customers with 70,000 users rely on it to handle and automate their financial transactions.

Until now this online platform was only available in a Windows environment. Since the beginning of this year that has changed, because Isabel 6 is now also available for Mac users. In recent years we noticed growing demand from companies to run Isabel 6 on Mac as well.

Since the launch at the beginning of this year, hundreds of users have already switched to the Mac solution. Several thousand are expected by the end of the year, partly thanks to the interest of Mac users who until now had no access to a multi-bank internet banking solution for professionals.

More information at www.isabel.eu/mac
Isabel 6 is part of Isabel Group (www.isabelgroup.eu)