You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 87 for September 22nd 2019: Everything you need to know about Apple iOS 13, Venmo scams you need to be aware of, and new details about “Simjacking” attacks
This week I had the pleasure of interviewing Aaron Zar, co-founder and CEO of our sponsor Silent Pocket. Aaron’s a great guy and I think you’ll enjoy hearing how he started Silent Pocket and his take on why our digital privacy is more important than ever. We’ll be publishing this episode soon, so be on the lookout for it. And if you haven’t taken a look at Silent Pocket’s great product line of stylish faraday bags and wallets, I highly recommend you check them out at silentpocket.com. Don’t forget, because you listen to this podcast you can take 15% off your order using discount code “sharedsecurity”.
Welcome to the Shared Security Weekly Blaze Podcast, where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
Last week Apple released iOS 13 to the public, which also happened to include a passcode bypass vulnerability that allows you to view the contacts on a locked Apple device. In order to conduct the attack you would need access to someone’s device and go through a series of steps, which, by the way, would not be that easy to pull off by someone who had physical access to your device. Steps include replying to an incoming call with a custom message, enabling and disabling the VoiceOver feature, adding a new contact to a custom message, and then viewing the contact’s information. This of course is not the first time we’ve seen passcode bypass vulnerabilities in Apple iOS; there were two that were patched in iOS 12 as well. Apple will most likely patch this vulnerability in the first update to iOS 13, which will probably happen in the next few weeks.
Besides this particular issue, the iOS 13 update comes with several new privacy enhancements, including the much anticipated “Sign in with Apple” feature, which can create an anonymous email address for you when signing up for new apps and services. Also, phone calls from apps like Facebook Messenger and WhatsApp will have more restrictions on the way they run in the background, to prevent them from collecting user data without permission. Speaking of permissions, someone noticed while testing the new iOS update that an unexpected notification popped up on their device stating that Facebook would like to use your Bluetooth wireless. Why on Earth would Facebook need access to your Bluetooth? Well apparently, some apps are tracking your physical location and your proximity to other people’s smartphones. Potential uses of this data could include deeper analysis of the people around you and their relationships. Not only that, but it could also be used to serve you ads, and I could even see the potential use in Facebook’s new dating service, in which having location services turned on is a requirement. Now this “feature” has been going on for quite some time and it’s not just Facebook. YouTube just so happens to be doing the same thing.
Do you use the popular peer-to-peer payment app, Venmo? If you do, then you need to be aware of a new text message based phishing scam that directs you to a fake Venmo website. Here’s how it works. You’ll receive a text message saying that your Venmo account is about to be charged and that if you want to cancel the withdrawal, you need to log in to your account and decline it. When you click the link, a site that looks just like Venmo will ask you for your phone number and password, then prompt you to enter your bank card and other personal and financial information.
In another, more advanced variation that is most likely tied to criminal money laundering, you may receive a legitimate text message from Venmo stating that you just received money from someone you don’t know. This is typically a large amount, like $1,000. If you accept the payment, later down the road the scammer will ask you for the money back due to an error on their part, and even ask you to keep $50 or so for your “trouble”. When you return the money to the scammer, the scammer will contact Venmo to “correct” their mistake, in which case Venmo may also reverse the payment again or put you on the hook for accepting a fraudulent transaction.
The best advice, of course, is to never accept money from people you don’t know and to never enter financial details through a link that comes in a text message. Scams like these that leverage text messages are only going to increase because payment services like Venmo are rapidly growing in popularity. Just in Q1 of this year the number of Venmo users has grown to 40 million people! And as we always say…scammers will always target apps that are extremely popular and apps that have the ability to transfer money.
And now a word from our sponsor, Edgewise Networks.
The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.
But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”
Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.
Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.
Visit edgewise.net to find out more about how Edgewise can help stop data breaches.
If you’ve been listening to the podcast for a while you’ve probably heard me talk about “Simjacking” attacks. Simjacking is where someone will call your mobile carrier and attempt to transfer your number to a SIM card and another device under their control. This is how many celebrities and others are getting their social media and other accounts hacked, even with two-factor authentication enabled. Well, just last week a new Simjacking attack was announced by researchers from AdaptiveMobile Security that would allow an attacker to “take over” a mobile phone, obtaining information like its location and potentially forcing it to make calls or send texts, by simply sending an SMS text message to the device. What’s most concerning about the attack is that it’s device agnostic, meaning Apple, Samsung and all brands of mobile phones are affected. And while the researchers did not say who was responsible for this exploit, stating only that it was a private company that happens to work with governments to monitor individuals, you can pretty much conclude that certain nation states are using this capability to monitor and track individuals of interest. US mobile carriers do not seem to be affected by this attack, but that still leaves potentially a billion smartphone users across 30 countries vulnerable to attack. The bad news here is that only the mobile carriers themselves can fix this vulnerability. The good news? Industry groups such as the SIMalliance have issued a new set of security guidelines for cellular carriers. The recommendations include implementing filtering at the network level to intercept and block “illegitimate binary SMS messages” and making changes to the security settings of SIM cards issued to mobile phone customers.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.