Gartner: IT Security Spending to Reach $96 Billion in 2018


By Dawn Kawamoto

Dec 8, 2017

Identity access management and security services to drive worldwide spending growth.

Worldwide IT security spending is expected to climb 8% next year to $96.3 billion, fueled by investments in identity access management and security services – two areas on tap to rise faster than the overall spending growth rate, according to a Gartner report released this week.

Identity access management (IAM), the smallest slice in the overall IT security spending pie, is expected to jump 9.7% to $4.7 billion in 2018 over the previous year, the report states. Rising regulatory compliance and data privacy requirements over the past three years are driving demand for IAM products and services across the globe, according to the report, which points to the EU General Data Protection Regulation (GDPR) as one example.

Security services, the largest slice of the spending pie, is projected to increase 8.8% to $57.7 billion in 2018, compared with the previous year, Gartner reports. This spending jump is fueled by a skills shortage, growing threat landscape, and complexity in managing IT security, the report finds.

And within the security services sector, spending on outsourcing services is expected to jump 11% to $18.5 billion in 2018.


How to Track a Cellphone Without GPS—or Consent


By Dell Cameron

December 08, 2017

As the Supreme Court mulls over the case of Carpenter v. United States, which may have far-reaching consequences for police who track suspects without a warrant via their cellphones, four engineers at Princeton University have revealed a brand-new method for identifying the location of a cellphone user. The result of their ingenuity is as remarkable as it is alarming.

Using only data that can be legally collected by an app developer without the consent of a cellphone’s owner, researchers have been able to produce a privacy attack that can accurately pinpoint a user’s location and trajectory without accessing the device’s Global Positioning System (GPS). And while the ramifications of this ability falling into the wrong hands are distressing, the way in which they pulled it off is nothing short of genius.

To protect a cellphone user’s privacy, any app distributed through Google Play or the Apple App Store must explicitly ask for the user’s permission before accessing location services. We know that even with that functionality turned off in a phone’s settings, law enforcement is able to track cellphones using either historical cell-site data (identifying the cell towers you’ve been closest to) or cell-site data collected using a class of law enforcement devices colloquially referred to as Stingrays. But as it turns out, neither cell-site data nor location services are needed to track a cellphone owner with GPS-like precision.

In fact, all you really need is your phone’s internal compass, an air pressure reading, a few free-to-download maps, and a weather report.

Your cellphone comes equipped with an amazing array of compact sensors that are more or less collecting information about your environment at all times. An accelerometer can tell how fast you’re moving; a magnetometer can detect your orientation in relation to true north; and a barometer can measure the air pressure in your surrounding environment. Your phone also freely offers up a slew of non-sensory data such as your device’s IP address, timezone, and network status (whether you’re connected to Wi-Fi or a cellular network).

All of this data can be accessed by any app you download without the type of permissions required to access your contact lists, photos, or GPS. Combined with publicly available information, such as weather reports, airport specification databases, and transport timetables, this data is enough to accurately pinpoint your location—regardless of whether you’re walking, traveling by plane, train, or automobile.

MORE: https://gizmodo-com.cdn.ampproject.org/c/s/gizmodo.com/how-to-track-a-cellphone-without-gps-or-consent-1821125371/amp


Android Flaw Lets Hackers Inject Malware Into Apps Without Altering Signatures



December 08, 2017

Millions of Android devices are at serious risk from a newly disclosed critical vulnerability that allows attackers to secretly overwrite legitimate applications installed on your smartphone with malicious versions.

Dubbed Janus, the vulnerability allows attackers to modify the code of Android apps without affecting their signature verification certificates, eventually allowing them to distribute malicious updates for legitimate apps that look and work the same as the original apps.

The vulnerability (CVE-2017-13156) was discovered and reported to Google by security researchers from mobile security firm GuardSquare this summer and has been patched by Google, among four dozen vulnerabilities, as part of its December Android Security Bulletin.

However, the worrisome part is that the majority of Android users will not receive these patches for the next few months, until their device manufacturers (OEMs) release custom updates for them, apparently leaving a large number of smartphone users vulnerable to hackers.

The vulnerability affects apps using APK signature scheme v1 installed on devices running Android versions 5 (Lollipop) and 6 (Marshmallow).

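Since the affected apps are those signed with APK Signature Scheme v1 alone, a practical first check for a defender is whether a given APK also carries the newer v2 signing block. The Go program below is an added example, not code from the article, GuardSquare or Google: it locates the ZIP end-of-central-directory record, looks for the APK Signing Block that a v2-capable signer places directly before the central directory (a size-framed list of ID-value pairs ending in the 16-byte magic "APK Sig Block 42", with 0x7109871a as the ID of the v2 signature pair, per the published scheme layout), and reports whether a v2 pair is present. The test APK is constructed in memory and its "signature" value is filler; the function names are this example's own.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	eocdSignature    = 0x06054b50         // ZIP end-of-central-directory record
	apkSigBlockMagic = "APK Sig Block 42" // trailer of the APK Signing Block
	apkSigV2ID       = 0x7109871a         // pair ID of an APK Signature Scheme v2 signature
)

// findEOCD locates the end-of-central-directory record, scanning backwards so a
// trailing ZIP comment does not defeat the search.
func findEOCD(apk []byte) (int, error) {
	for i := len(apk) - 22; i >= 0; i-- {
		if binary.LittleEndian.Uint32(apk[i:]) == eocdSignature {
			return i, nil
		}
	}
	return 0, errors.New("no end-of-central-directory record found")
}

// hasV2SigningBlock reports whether apk carries an APK Signing Block holding a
// v2 signature. An APK without one relies on the v1 (JAR) signature alone.
func hasV2SigningBlock(apk []byte) (bool, error) {
	eocd, err := findEOCD(apk)
	if err != nil {
		return false, err
	}
	cdOffset := int(binary.LittleEndian.Uint32(apk[eocd+16:]))
	// The block sits directly before the central directory and ends with
	// uint64 size || 16-byte magic; the same size field also opens the block.
	if cdOffset < 32 || cdOffset > eocd || string(apk[cdOffset-16:cdOffset]) != apkSigBlockMagic {
		return false, nil // no signing block before the central directory: v1-only APK
	}
	size := int(binary.LittleEndian.Uint64(apk[cdOffset-24:]))
	start := cdOffset - size - 8
	if size < 24 || start < 0 || int(binary.LittleEndian.Uint64(apk[start:])) != size {
		return false, errors.New("malformed APK signing block")
	}
	// Walk the ID-value pairs laid out as uint64 length || uint32 ID || value.
	for p, end := start+8, cdOffset-24; p < end; {
		pairLen := int(binary.LittleEndian.Uint64(apk[p:]))
		if pairLen < 4 || p+8+pairLen > end {
			return false, errors.New("malformed ID-value pair")
		}
		if binary.LittleEndian.Uint32(apk[p+8:]) == apkSigV2ID {
			return true, nil
		}
		p += 8 + pairLen
	}
	return false, nil
}

// makeZip builds a minimal in-memory ZIP standing in for a v1-only APK
// (constructed test data; the entry content is not real dex bytecode).
func makeZip() ([]byte, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	f, err := w.Create("classes.dex")
	if err != nil {
		return nil, err
	}
	f.Write([]byte("constructed placeholder"))
	err = w.Close()
	return buf.Bytes(), err
}

// withSigningBlock returns apk with a constructed signing block holding one
// ID-value pair (filler, not a real signature) spliced in front of the central
// directory and the EOCD offset patched, as a v2-capable signer lays out the file.
func withSigningBlock(apk []byte, id uint32, value []byte) ([]byte, error) {
	eocd, err := findEOCD(apk)
	if err != nil {
		return nil, err
	}
	size := uint64(8 + 4 + len(value) + 8 + 16) // everything after the leading size field
	var blk bytes.Buffer
	binary.Write(&blk, binary.LittleEndian, size)
	binary.Write(&blk, binary.LittleEndian, uint64(4+len(value)))
	binary.Write(&blk, binary.LittleEndian, id)
	blk.Write(value)
	binary.Write(&blk, binary.LittleEndian, size)
	blk.WriteString(apkSigBlockMagic)
	cdOffset := int(binary.LittleEndian.Uint32(apk[eocd+16:]))
	out := append(append(append([]byte{}, apk[:cdOffset]...), blk.Bytes()...), apk[cdOffset:]...)
	binary.LittleEndian.PutUint32(out[eocd+blk.Len()+16:], uint32(cdOffset+blk.Len()))
	return out, nil
}

func main() {
	plain, err := makeZip()
	if err != nil {
		panic(err)
	}
	signed, _ := withSigningBlock(plain, apkSigV2ID, []byte("constructed"))
	fmt.Println(hasV2SigningBlock(plain))  // false <nil>
	fmt.Println(hasV2SigningBlock(signed)) // true <nil>
}
```

Run it against a real APK by replacing the constructed ZIP with the file's bytes; a "false" result means the package ships with a v1 signature only. The check is deliberately structural and does not validate the signature itself, so a positive result says only that a v2 block is present, not that it verifies.
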
MORE: https://thehackernews.com/2017/12/android-malware-signature.html?m=1

Hackers leak WhatsApp screenshots and intimate photos of WWE Diva Paige


By Pierluigi Paganini

November 6, 2017

A new batch of WhatsApp screenshots and intimate photos of the WWE celebrity Diva Paige was published on a popular celebrity leak website.

In March, hackers leaked nude photos and videos of WWE Diva Paige (real name Saraya Jade-Bevis) online, and now a new batch of x-rated images of the celebrity has appeared on the Internet.

Other WWE celebrities are listed on the same website; other athletes, in fact, were targeted by the same hackers.

The same website offers personal and private photos of WWE Diva and ring announcer JoJo.

Hackers published WhatsApp screenshots of explicit photos and selfies along with chat conversations with WWE wrestler Xavier Woods.

The WWE star is planning to return to fight after the convalescence of successful neck surgery.

The same content was also shared by a Twitter account.

The hacker who leaked the pictures online announced that more content would be released in the coming days.

Unfortunately, such events are becoming more frequent: in 2017, personal and private photos of other WWE celebrities were also leaked online.

Colleagues at Hackread.com reported data leaks involving Maria, Melina, Kaitlyn, Charlotte Flair, and Victoria.

In August, intimate images of Miley Cyrus, Stella Maxwell, Kristen Stewart, Tiger Woods and Lindsey Vonn were posted online by the same celebrity leak website.

MORE: http://securityaffairs.co/wordpress/65223/hacking/diva-paige-data-leak.html

The Impact of GDPR On Today’s Mobile Enterprise

by John Aisien

Many organizations worldwide have begun preparing for the General Data Protection Regulation (GDPR), a set of rules created by European lawmakers to enhance data protection and privacy for individuals within the European Union (EU).

GDPR enforcement is scheduled to begin in May 2018, and the penalties for non-compliance are steep: as much as 4 percent of the violating company’s global annual revenue, depending on the nature of the offense. Clearly, GDPR compliance is becoming a priority for many organizations, including those headquartered outside the European Union. A 2017 PwC survey of 200 security, IT, and business executives from U.S. companies showed that 92 percent considered GDPR compliance to be a top business priority for their data-privacy and security efforts this year.

Companies are prepared to invest in compliance efforts. The PwC study shows that 77 percent plan to allocate $1 million or more to GDPR readiness and compliance efforts; 68 percent said they will spend between $1 million and $10 million, and 9 percent expect to spend more than $10 million.

More: https://www.scmagazine.com/the-impact-of-gdpr-on-todays-mobile-enterprise/article/710019/

Man-in-the-middle flaw left smartphone banking apps vulnerable


By Danny Palmer

A flaw in certificate pinning exposed customers of a number of high-profile banks to man-in-the-middle attacks on both iOS and Android devices.

A vulnerability in the mobile apps of major banks could have allowed attackers to steal customers’ credentials, including usernames, passwords, and PIN codes, according to researchers.

The flaw was found in apps by HSBC, NatWest, Co-op, Santander, and Allied Irish Bank. The banks in question have now all updated their apps to protect against the flaw.

Uncovered by researchers in the Security and Privacy Group at the University of Birmingham, the vulnerability allows an attacker who is on the same network as the victim to perform a man-in-the-middle attack and steal information.

The vulnerability lay in the certificate pinning technology, a security mechanism used to prevent impersonation attacks and use of fraudulent certificates by only accepting certificates signed by a single pinned CA root certificate.

While certificate pinning usually improves security, a tool developed by the researchers to perform semi-automated security-testing of mobile apps found that a flaw in the technology meant standard tests failed to detect attackers trying to take control of a victim’s online banking. As a result, certificate pinning can hide the lack of proper hostname verification, enabling man-in-the-middle attacks.

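The failure the researchers describe, a pinned root without hostname verification, can be shown directly with certificate verification calls. The Go program below is an added example, not the researchers' testing tool or any bank's code: it builds an in-memory CA standing in for the pinned root, issues one certificate for bank.example and one for attacker.example under that CA, and compares the flawed check (chain to the pinned root only) with the corrected one (chain to the pinned root and a name match against the host the app is connecting to). The hostnames, key material and function names are all constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// testPKI holds a constructed, in-memory CA and two certificates it issued.
type testPKI struct {
	pinnedRoot *x509.CertPool    // the root the app "pins"
	bankCert   *x509.Certificate // issued to bank.example, the host the app expects
	otherCert  *x509.Certificate // issued by the same CA to attacker.example
}

func issue(tpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func newTestPKI() (*testPKI, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Pinned Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, err := issue(caTpl, caTpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	// leaf issues a server certificate for host under the CA, as a public CA does for any customer.
	leaf := func(serial int64, host string) (*x509.Certificate, error) {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		return issue(&x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: host},
			DNSNames:     []string{host},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}, ca, &key.PublicKey, caKey)
	}
	bank, err := leaf(2, "bank.example")
	if err != nil {
		return nil, err
	}
	other, err := leaf(3, "attacker.example")
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &testPKI{pinnedRoot: pool, bankCert: bank, otherCert: other}, nil
}

// verifyPinnedRootOnly is the flawed check: the chain must reach the pinned root,
// but the certificate's names are never compared with the host being contacted.
func verifyPinnedRootOnly(pinned *x509.CertPool, serverCert *x509.Certificate, _ string) error {
	_, err := serverCert.Verify(x509.VerifyOptions{Roots: pinned})
	return err
}

// verifyPinnedRootAndHostname is the corrected check: chain to the pinned root
// AND a name match for the host the app expects.
func verifyPinnedRootAndHostname(pinned *x509.CertPool, serverCert *x509.Certificate, host string) error {
	_, err := serverCert.Verify(x509.VerifyOptions{Roots: pinned, DNSName: host})
	return err
}

func main() {
	pki, err := newTestPKI()
	if err != nil {
		panic(err)
	}
	const host = "bank.example" // the host the app believes it is talking to
	fmt.Println("root only,       cert for attacker.example:", verifyPinnedRootOnly(pki.pinnedRoot, pki.otherCert, host))
	fmt.Println("root + hostname, cert for attacker.example:", verifyPinnedRootAndHostname(pki.pinnedRoot, pki.otherCert, host))
	fmt.Println("root + hostname, cert for bank.example:    ", verifyPinnedRootAndHostname(pki.pinnedRoot, pki.bankCert, host))
}
```

In a real client this logic lives in the TLS library's peer-verification hook (a custom TrustManager on Android, for instance), which is why a generic test that only swaps in an untrusted certificate passes: the pinned root is honoured. The gap only shows when the test presents a certificate that the pinned CA legitimately issued for a different name, which is exactly what the first check accepts and the second rejects.
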
MORE: https://www-zdnet-com.cdn.ampproject.org/c/www.zdnet.com/google-amp/article/man-in-the-middle-flaw-left-smartphone-banking-apps-vulnerable/


Process Doppelgänging: New Malware Evasion Technique Works On All Windows Versions


by Mohit Kumar

December 07, 2017

A team of security researchers has discovered a new malware evasion technique that could help malware authors defeat most of the modern antivirus solutions and forensic tools.

Dubbed Process Doppelgänging, the new fileless code injection technique takes advantage of a built-in Windows function and an undocumented implementation of the Windows process loader.

enSilo security researchers Tal Liberman and Eugene Kogan, who discovered the Process Doppelgänging attack, presented their findings today at the Black Hat 2017 security conference held in London.

Process Doppelgänging Works on All Windows Versions

Apparently, the Process Doppelgänging attack works on all modern versions of the Microsoft Windows operating system, from Windows Vista to the latest version of Windows 10.

Tal Liberman, the head of the research team at enSilo, told The Hacker News that this malware evasion technique is similar to Process Hollowing, a method first introduced years ago by attackers to defeat the mitigation capabilities of security products.

In a Process Hollowing attack, attackers replace the memory of a legitimate process with malicious code so that the malicious code runs instead of the original, tricking process monitoring tools and antivirus into believing that the original process is running.

Since all modern antivirus and security products have been upgraded to detect Process Hollowing attacks, use of this technique is not a great idea anymore.

On the other hand, Process Doppelgänging is an entirely different approach to achieving the same result, abusing Windows NTFS transactions and an outdated implementation of the Windows process loader that was originally designed for Windows XP but carried through all later versions of Windows.

MORE: https://thehackernews.com/2017/12/malware-process-doppelganging.html?m=1
