Archive for September 9, 2023

The Apple Software Updates From Earlier This Week Were Intended To Patch Two Zero Days Used By Pegasus Spyware

Posted in Commentary with tags on September 9, 2023 by itnerd

Earlier this week, Apple released updates to watchOS, iOS, and macOS. It was weird because I was expecting Apple to release nothing, as new versions of those operating systems are inbound in the next couple of weeks. However, looking at the security information gave us the first hint that Apple might have been forced to release these, as the words “Apple is aware of a report that this issue may have been actively exploited” were used in the security notes. And now we know the reason why they were released. These updates patch flaws that were used by the infamous Pegasus spyware that is sold by the equally infamous NSO Group:

Citizen Lab, an internet watchdog group that investigates government malware, published a short blog post explaining that last week they found a zero-click vulnerability — meaning that the hackers’ target doesn’t have to tap or click anything, such as an attachment — used to target victims with malware. The researchers said the vulnerability was used as part of an exploit chain designed to deliver NSO Group’s malware, known as Pegasus.

“The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim,” Citizen Lab wrote.

Once they found the vulnerability, the researchers reported it to Apple, which released a patch on Thursday, thanking Citizen Lab for reporting them.

Based on what Citizen Lab wrote in the blog post, and the fact that Apple also patched another vulnerability and attributed its finding to the company itself, it appears Apple may have found the second vulnerability while investigating the first.

Ken Westin, Field CISO, Panther Labs had this comment:

“While this exploit initially appears to have been utilized by the NSO Group with their Pegasus spyware, the vulnerability has been identified, and differences between the software versions have been documented. This suggests that exploits targeting this vulnerability are likely to become more widespread and may extend beyond commercial spyware use.

The initial exploit employed by the NSO Group for their Pegasus spyware may have been somewhat targeted. However, the NSO Group has not been transparent about the targets of these exploits. In many cases, they have claimed a lack of visibility regarding their use. Regrettably, this software has been used to target innocent individuals, including journalists and dissidents, by authoritarian regimes. While Pegasus exhibits some level of targeting in its usage, the primary concern now, with the patch being published, is the identification of the vulnerability. As a result, it is likely that exploits will become more widespread.”

While Pegasus is a highly targeted form of spyware, that should not stop you from updating your Apple Watch, iPad, iPhone, or MacBook ASAP to make sure that you are as secure as possible. The reason is that, now that the flaws are public, other threat actors might try to leverage them against those who have not updated.

Wyze Seems To Have A Privacy Issue Related To Their Cameras

Posted in Commentary with tags on September 9, 2023 by itnerd

A reader tipped me off to this Reddit thread where Wyze has had some sort of issue that broadcast private camera streams randomly to other users. That’s one hell of a privacy issue. But it is not the company’s first one. I wrote about another privacy issue with Wyze back in 2019. Thus I am not shocked by this. The Verge confirmed that this was happening on Friday, along with additional Reddit threads illustrating that this issue was widely seen by users, and they also report the following:

After we published this story, Wyze spokesperson Dave Crosby shared a statement explaining what happened. Although Crosby says the issue is resolved and that is “back up and running,” the status page still says is under maintenance as of Saturday morning. (Crosby says the company will update the status page “shortly.”)

Here is Crosby’s statement:

This was a web caching issue and is now resolved. For about 30 minutes this afternoon, a small number of users who used a web browser to log in to their camera on may have seen cameras of other users who also may have logged in through during that time frame. The issue DID NOT affect the Wyze app or users that did not log in to during that time period.

Once we identified the issue we shut down for about an hour to investigate and fix the issue.

This experience does not reflect our commitment to users or the investments we’ve made over the last few years to enhance security. We are continuing to investigate this issue and will make efforts to ensure it doesn’t happen again. We’re also working to identify affected users.

That’s nice. But again, I’ll point out that this is not the first time that Wyze has run into a privacy issue. Besides what I mentioned above, there was this:

In March 2022, Wyze revealed that it had been aware of a security vulnerability for three years that could have let bad actors access WyzeCam v1 cameras, but quietly discontinued the camera rather than telling customers about it.

My take home message is that nobody should buy Wyze cameras. They may be cheap on Amazon. But they’re clearly insecure and the company cannot be trusted.
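Wyze’s statement blames a “web caching issue” but doesn’t say how one user ended up seeing another’s cameras. The toy model below is an added example, not Wyze’s code or an account of their actual configuration: it shows the general class of bug in which a shared cache (CDN or reverse proxy) stores a response that belongs to one logged-in user and then serves it to the next person who requests the same URL. The endpoint path, session tokens, camera names and the `simulate` / `is_safely_uncacheable` helpers are all constructed for the illustration.

```python
"""Toy model of a shared web cache in front of an authenticated endpoint.

Constructed example (not Wyze's code): a per-user response that is
marked cacheable gets stored under a key that is only the URL path, so
the next user who asks for the same path receives the first user's data.
The fix shown is the usual one: the origin marks user-specific
responses "Cache-Control: private, no-store" so a shared cache refuses
to store them.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed "database": which cameras each logged-in session owns.
CAMERAS: Dict[str, List[str]] = {
    "alice-session": ["front-door", "garage"],
    "bob-session": ["nursery"],
}


@dataclass
class Response:
    body: List[str]
    headers: Dict[str, str] = field(default_factory=dict)


def camera_list(session_token: str, origin_marks_private: bool) -> Response:
    """Origin handler: returns the caller's cameras.

    With origin_marks_private=False it emits a public, cacheable header on a
    user-specific response (the defect). With True it emits the correct
    private/no-store header.
    """
    body = CAMERAS.get(session_token, [])
    cache_control = (
        "private, no-store" if origin_marks_private else "public, max-age=60"
    )
    return Response(body, {"Cache-Control": cache_control})


def is_safely_uncacheable(headers: Dict[str, str]) -> bool:
    """Defender-side check for responses from authenticated endpoints:
    True only if a standards-following shared cache would never store it."""
    directives = {d.strip().lower() for d in headers.get("Cache-Control", "").split(",")}
    return "no-store" in directives or "private" in directives


@dataclass
class SharedCache:
    """Minimal shared cache: keys on the path only, honours Cache-Control."""
    store: Dict[str, Response] = field(default_factory=dict)

    def fetch(self, path: str, session_token: str,
              origin: Callable[[str], Response]) -> Response:
        # The session token never becomes part of the cache key; that is
        # normal for a shared cache and is exactly why the origin must not
        # mark per-user responses as public.
        if path in self.store:
            return self.store[path]
        resp = origin(session_token)
        if not is_safely_uncacheable(resp.headers):
            self.store[path] = resp
        return resp


def simulate(origin_marks_private: bool) -> Dict[str, List[str]]:
    """Alice loads her cameras, then Bob loads his, through one shared cache.
    Returns what each user actually received."""
    cache = SharedCache()

    def origin(token: str) -> Response:
        return camera_list(token, origin_marks_private)

    return {
        "alice": cache.fetch("/cameras", "alice-session", origin).body,
        "bob": cache.fetch("/cameras", "bob-session", origin).body,
    }


if __name__ == "__main__":
    print("defective origin:", simulate(False))  # bob sees alice's cameras
    print("fixed origin:    ", simulate(True))   # bob sees only his own
```

The check in `is_safely_uncacheable` is the kind of assertion worth running in integration tests against every endpoint that requires a login: if a response carries no `private` or `no-store` directive, any cache layer added later (or a CDN default that caches by URL) can turn into exactly this sort of cross-user leak.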

API Expanding Attack Surfaces: 74% Reporting Multiple Breaches

Posted in Commentary with tags on September 9, 2023 by itnerd

In its 2023 State of API Security Report, security company Traceable reported a sharp increase in API-related data breaches. The report is based on feedback from 1629 cybersecurity experts in over six major industries across the United States, the United Kingdom and the European Union.

Fully 58% of respondents either strongly agree or agree that APIs are expanding the attack surface across all layers of the technology stack, and 57% say that traditional defensive measures are not capable of distinguishing “legitimate from fraudulent activity at the API layer.”

  • 74% Reported at least 3 API-related data breaches in the past two years
  • 48% of Organizations say API sprawl is their top challenge
  • Just 38% can distinguish between valid API activity, user behaviors, and data flow
  • Organizations are managing an average of 127 third-party API connections
  • Majority are not confident in WAF, WAAP or Lifecycle Management Tools to protect APIs

“34% of organizations feel uncertain about the efficacy of their tools like WAF and WAAP, rating them as moderately effective (scores of 5 or 6). Meanwhile, 23% rate theirs as less effective (scores of 1 to 4). Although 43% find their solutions more satisfactory (scores of 7 to 10), it underscores that over half aren’t fully confident in their API security measures” the report stated.

Ted Miracco, CEO, Approov Mobile Security had this comment:

“APIs clearly enable innovation and interoperability, but unfortunately this study reinforces the risks posed by porous APIs and the inadequacy of traditional controls. With API breaches rampant and third-party connections multiplying, many organizations are flying blind. This uncertainty, especially in mobile apps, demands radically new API security paradigms centered on identity, Zero Trust, and continuous validation, and attestation of API requests. Companies must review and in some cases re-architect their API protections. Otherwise it is not a question of “if” but rather of “when” their next API breach will strike.”

This is an area where improvements can be made to enhance security. Hopefully this report is noted and heeded by those who work with APIs so that we are all a whole lot safer.

Pentagon: Emerging Cyber Threats Call For DOD And Private Collaboration

Posted in Commentary with tags on September 9, 2023 by itnerd

The Department of Defense published an article yesterday covering a top Pentagon information security executive’s call for collaboration and cooperation throughout the Defense Department and across private sector partners in order to maintain a robust defense against emerging cyber threats.

During a FedTalk discussion with government and private sector technology executives in Washington, Principal Deputy Chief Information Officer Leslie Beavers warned emerging cybersecurity challenges pose a “whole of government, almost whole of society threat,” and “at the end of the day, security requires everyone to be a part of the solution.”

In addition to developing a stronger workforce, Beavers outlined several key approaches underway within DoD including a transition to the zero-trust security paradigm which will move the DoD into a more modern security framework.

In accomplishing these key goals, she said close partnership with industry partners is critical.

“The Department of Defense, as large as it is, is heavily reliant on civilian infrastructure and companies as well as other government organizations. It’s a journey that we have to go on together,” Beavers said.

Ted Miracco, CEO, Approov Mobile Security had this to say:

“State-sponsored cyberattacks from adversaries like China and Russia are a major component of the emerging threats facing the US defense industry and government. Countering these threats requires even greater information sharing and collaboration between the US government and private sector cybersecurity companies. The initiatives underway at DOD are an important piece of confronting this complex challenge as it isn’t just a defense problem, it can impact both national security and the economy. It’s encouraging to see cybersecurity leaders like Beavers emphasize the role everyone must play in this effort.”

Jason Keirstead, VP of Collective Threat Defense, Cyware follows with this:

“I’m glad to see the DoD’s focus on collaboration. It’s arguably one of the most important areas that can produce tangible cybersecurity improvements. When we consider the expansive and complex nature of the Defense Industrial Base (DIB), the most basic and effective countermeasure that we can deploy against the adversary is to more rapidly develop and deploy our response. Collective defense enables trusted collaboration inside and outside organizations, allowing the DoD and the DIB to work together to accelerate these initiatives, reducing the attack surface an adversary has to work with.”

Working with others when it comes to cybersecurity can only help to make all of us more secure. Thus I applaud this and I hope that we see more of this sort of thing.

Johnson & Johnson Discloses IBM Breach Exposing Patients’ Medical Information

Posted in Commentary with tags on September 9, 2023 by itnerd

According to a notice on the website of Johnson & Johnson-owned Janssen Pharmaceutical, CarePath customers’ personal and medical information has been compromised in a data breach involving its third-party technology service provider, IBM.

CarePath is an application designed to help patients gain access to Janssen medications, discounts on prescriptions, guidance on insurance and other helpful tools. IBM manages the CarePath application and database supporting these functions.

After the pharmaceutical firm became aware of a method that could give unauthorized users access to the CarePath database, Janssen informed IBM and the security gap was fixed. IBM then began an investigation which revealed that CarePath users who enrolled on Janssen’s online services before July 2nd had the following details accessed by unauthorized users:

  • Name and contact information
  • Date of birth
  • Health insurance information
  • Medication information
  • Medical condition information

In an unrelated incident last month, the Colorado Department of Health Care Policy & Financing informed four million individuals that their personal and medical data had been exposed due to a breach at IBM.

Emily Phelps, Director, Cyware had this to say:

“In today’s interconnected world, securing environments is increasingly complex. We have useful technologies that make it easy for individuals and organizations to engage with each relevant data but can also provide unauthorized access to sensitive information. This is why advanced security collaboration and orchestration are so important. Not all security-related technologies play well together, making it difficult for teams to quickly identify gaps and vulnerabilities. We need to not only get the right information to the right people; we need it to be context-rich, making it clear what steps are needed and what action must be taken.”

Ted Miracco, CEO, Approov Mobile Security follows up with this:

“Healthcare organizations can no longer simply trust the security posture of every vendor in their supply chain, even if that vendor is as trusted as IBM. As medical devices, apps, clouds and partners increasingly integrate, attack surfaces multiply exponentially. Breaches via third parties will continue absent real-time attestation of app, device and user legitimacy on every request. API interconnections cannot automatically imply interoperability of security and healthcare organizations must re-architect environments where every access attempt, especially from mobile devices, is authenticated and authorized.”

Healthcare is a prime target for threat actors because that sector is seen as weak from a cybersecurity standpoint. That sector really needs to do more to stop these sorts of events from happening.

Review: Otofly Apple Watch Magnetic Buckle Silicone Band

Posted in Products with tags on September 9, 2023 by itnerd

Today I am reviewing the Otofly Apple Watch Magnetic Buckle Silicone Band which is the latest in a number of Apple Watch bands that Otofly sent me to review.

Now this looks like a typical silicone band. But it has a cool trick.

It has a magnetic folding clasp that holds everything together. It snaps together and my attempts to get it to pop open via shaking my arm failed miserably. I also took it on a 42K bike ride and had no issues with it staying on my wrist. However, I did once get the clasp to pop open by having the buckle hook on the edge of a TV that I was installing. I am guessing that this is due to the fact that the clasp is a bit thick which makes it likely to catch on something. But that situation should be an edge case. Pardon the pun.

You can adjust the size of the band using this clasp. And in my testing, it didn’t come loose. Thus the use case for this band could be everyday wear. Seeing as it comes in 15 colours, you can likely find a colour that works for you. And while wearing it, it felt comfortable on my wrist. Even while sleeping.

The Otofly Apple Watch Magnetic Buckle Silicone Band goes for $29.99 and it’s one of those bands that is totally worth looking at if you’re in the market for an Apple Watch band that is a bit different than what’s out there.