Welcome to this week’s assemblage of the mobile security news that matters – the NowSecure #MobSec5.
This week’s edition includes:
- Cybersecurity regulations for New York financial institutions now in effect
- Techno-teddy bears tattle on tots
- A critique of common mobile security travel tips
Thanks for reading. Have a great weekend, be good, and stay safe.
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
New Cybersecurity Regulations Begin Today For NY Banks
“New York’s new security regulations for financial industry viewed as potential model for other states.”
The New York State Department of Financial Services Cybersecurity Regulations went into effect this week, and other states may follow suit with similar requirements. Over the next two years, financial firms in New York will need to take steps to comply with the regulations, which include requirements for penetration testing and vulnerability assessments. If you’re looking for information on where mobile apps fall into scope for various compliance regimes, watch or review the slides from our webinar about compliance in the mobile enterprise, which includes five audit-preparation tips.
“More internet-connected medical devices flood into the healthcare industry every day, but we’re not moving fast enough to defend them.”
“Cloudflare said it could not find evidence of malicious exploitation of the Cloudbleed vulnerability, even though the bug was triggered 1.2 million times.”
Based on a representative sample of cached pages that leaked data as a result of the Cloudbleed vulnerability, Cloudflare CEO Matthew Prince wrote in a blog post published Wednesday that the company has not found evidence that passwords, credit card numbers, or health records were exposed. Prince explains that 6,457 sites were affected, and that Cloudflare worked with major search engines to remove 80,000 unique cached pages that may have exposed sensitive data. He warns against presuming that no passwords, credit card numbers, health records, Social Security numbers, or customer encryption keys were exposed, but states that, based on the sample, any exposure was likely limited. NowSecure CTO David Weinstein explained in a blog post that a number of popular iOS apps use Cloudflare services. On Monday, NowSecure CEO Andrew Hoog will discuss the Cloudbleed vulnerability and its ramifications as part of an online panel (registration link).
“A company that sells ‘smart’ teddy bears leaked 800,000 user account credentials—and then hackers locked it and held it for ransom.”
“This is a well-known attack vector: It’s often used by the Android rooting and modding community, but our guess is that it’s way more popular with law enforcement and government agencies.”
“Password management applications, recommended by many security experts as the only viable way to deal with large sets of passwords that are unique and sufficiently complex, introduce their own set of problems – namely the general fallibility of software.”
The researchers who identified the issues claim that some Android apps in the sample stored the master password in plaintext or hard-coded cryptographic keys in the program. As of March 1, the researchers report that all of the affected vendors had fixed the security flaws. If you use any of the following password manager apps for Android, be sure to apply any available updates: MyPasswords, Infomaticore, LastPass, Keeper, F-Secure KEY Password, Dashlane, Hide Pictures Keep Safe Vault, Avast Passwords, and 1Password.
Stop Fabricating Travel Security Advice
(The Grugq – Medium)
“Along with the apparent increase in searching travellers’ laptops and phones, there has been a rise in amateur smuggling suggestions (seemingly by US citizens who aren’t exposed to any risk at the border). This advice is terrible, dangerous and possibly endangers anyone reckless enough to follow it.”
“Researchers suspect developers didn’t intentionally spawn the malicious apps.”
“The Trump administration does not want to reform an internet surveillance law to address privacy concerns, a White House official told Reuters on Wednesday, saying it is needed to protect national security.”
“The files appear to have been accessed through a backup of Andrea Manafort’s iPhone stored on a computer or iCloud account, through which hackers conceivably could have accessed all the contents of her phone.”
P.S. If you want to receive #MobSec5 updates each Friday in your inbox, subscribe now via the NowSecure Subscription Center.