This is your Shared Security Weekly Blaze for April 1st 2019 with your host, Tom Eston. In this week’s episode: Apple’s new privacy-focused credit card, the ASUS live update software backdoor, and recent statistics on malware attacks.
Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
Apple announced last week that it’s partnered with financial firm Goldman Sachs on a new type of credit card which is focused on privacy and security. The credit card, which is called “Apple Card”, is paired with Apple Pay so you can use it like you normally do with your iPhone, but it also includes a traditional physical card made out of titanium, laser-etched and has no visible card number, CVV code, expiration date, or signature on the card itself. Now that credit card completely has Apple written all over it. In regards to the technology, the credit card number will be stored in the iPhone’s Secure Element chip and all purchases must be authenticated through Touch ID or Face ID. Apple also says that they will not track what you’ve purchased, where you’ve shopped, or how much you’ve paid for purchases and that Goldman Sachs will not share or sell your data to third-party marketing firms. Other perks include a cash back program on all purchases, no annual fees, and insight into spending habits right on your iPhone. If this all sounds amazing, you may be asking yourself “What’s the catch?”. Well, the Apple Card is still a credit card so what we know so far is that interest rates will vary between 13 and 24% and are based on your “creditworthiness” and that any late or missed payments will drive up your interest rate.
My take is that I think it’s great to see Apple making more of their products and services with privacy and security in mind. I think we all give Apple some grief over their sometimes overly aggressive marketing campaigns like they did at CES in Las Vegas this year when they proclaimed on a large billboard “What happens on your iPhone, stays on your iPhone”. But perhaps, now we’re really starting to see Apple put their money where their mouth is.
Computer hardware manufacturer ASUS confirmed that their “live update” tool, which provides firmware updates, drivers, and patches for all of their laptops and other consumer hardware, was compromised by an Advanced Persistent Threat group. This is a great example of what is called a supply chain attack where a central update repository was compromised to spread malware. ASUS said in their press release that “a small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group”. ASUS also stated that it had reached out to affected users and worked with them to ensure any security risks were removed. Kaspersky, which makes anti-virus software, claims it’s detected the ASUS supply-chain malware, conveniently named ShadowHammer, on 57,000 computers. Kaspersky says that there may be even more devices that have been affected.
In related news, TechCrunch reports that a security researcher warned ASUS about two months ago that ASUS developers were disclosing passwords within their GitHub code repositories which could be used to access the ASUS corporate network. These repositories were publicly available and the researcher notes that one of the repositories was a daily release mailbox where automated build notifications were sent. These emails contained the full file path of where drivers and other files were stored on the ASUS internal network. This information, combined with access to this mailbox, could easily have been used for phishing or targeting other developers via social engineering. While there have been no reports of compromised systems, it does show a lack of overall security awareness of ASUS’s developers.
Now in regards to remediation, ASUS says the backdoor has been fixed and that ASUS users should update to the latest version of its “Live Update” software. Do you own an ASUS laptop or other device? If you do, be sure to check out our show notes for a link where you can download a tool from ASUS which will determine if your ASUS system was affected by the backdoor.
And now a word from our sponsor, Edgewise Networks.
Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.
Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.
Visit edgewise.net to get your free month of visibility.
For the third year in a row, malware, and in particular ransomware, attacks have significantly increased according to cybersecurity company SonicWall which analyzed 10.52 million malware attacks in 2018 via the network of one million sensors used by SonicWall’s customers. Other interesting data from SonicWall’s report show that ransomware volume from a global perspective reached 206.4 million attacks in 2018 which is an 11 percent year-over-year increase. This increase has to do with ransomware authors mixing and matching different malware components to create new variants which become harder to block. Ironically, the US in particular had the largest increase in ransomware attacks from last year. From a phishing perspective, SonicWall recorded 26 million attacks and noted a 4.1 percent drop. The reason? Well, attackers seem to be changing their approach by moving towards hiding malware in PDFs as well as Microsoft Office documents and conducting more targeted attacks. You may remember on last week’s podcast I noted that Microsoft Office is the biggest target for cybercriminals which is why we all need to be more aware of phishing attacks using attachments that may be hiding malware. Check out our show notes to download the full SonicWall report.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.