There’s an App for That, But It’s Terrible
Ever since the Snowden leaks of 2013, there has been an increase in awareness of privacy as an issue for users. But matching this rise are hundreds of snake-oil privacy apps that overpromise and underdeliver. The latest of these to hit the headlines are scores of VPN apps in Google’s Play Store.
Researchers examined Play Store apps that request Android’s built-in VPN permission (BIND_VPN_SERVICE) and its tunnelling capabilities. Of the 283 apps examined, 18% simply didn’t encrypt traffic at all, 84% leaked IPv6 traffic outside the tunnel, 4% likely contained malicious code, and most of the apps that marketed themselves as enhancing privacy embedded tracking libraries to monitor their users. Considering that less than 1% of the examined app reviews mention security issues, things aren’t looking good for unguided users who want to install a VPN app.
Here are some things to keep in mind when looking for a mobile VPN setup:
- Be wary of apps that request excessive permissions.
- Stick to trusted and audited VPN service providers.
- Run your own! Algo looks promising, and OpenVPN has been active for years.
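The first tip is easy to state and hard to act on, so here is an added example (not code from the study, and not from any of the apps it examined) of what "excessive permissions" means in practice: parse an app’s AndroidManifest.xml, check that it actually declares a service guarded by BIND_VPN_SERVICE (the only way Android hands an app the tunnel interface), and diff the requested permissions against a baseline of what a tunnelling app needs. The EXPECTED and HIGH_RISK sets, the package name and the manifest itself are assumptions constructed for the example.

```python
"""Audit an Android manifest for permissions a VPN app cannot justify.

Added example, not code from the study or any app it examined. The EXPECTED
baseline is an assumption: what a plain tunnelling app needs, nothing more.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

# Permissions a tunnelling app can justify (assumed baseline; tune it per app).
EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Permissions that expose identity, location or user content: none are needed to route packets.
HIGH_RISK = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.GET_ACCOUNTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}


def audit_manifest(manifest_xml: str) -> dict:
    """Return the package name, whether a real VpnService is declared, and the permission findings."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NAME) for el in root.iter("uses-permission")} - {None}
    # Android only hands an app the tun interface through a <service> guarded by
    # BIND_VPN_SERVICE; a "VPN" app without one is not tunnelling traffic at all.
    vpn_services = [
        s.get(NAME) for s in root.iter("service")
        if s.get(PERMISSION) == "android.permission.BIND_VPN_SERVICE"
    ]
    return {
        "package": root.get("package"),
        "uses_vpn_service": bool(vpn_services),
        "unexpected": sorted(requested - EXPECTED),
        "high_risk": sorted(requested & HIGH_RISK),
    }


def verdict(report: dict) -> str:
    """One-line summary a reviewer can act on."""
    if not report["uses_vpn_service"]:
        return "reject: no BIND_VPN_SERVICE service, so nothing is tunnelled"
    if report["high_risk"]:
        return "reject: requests %d high-risk permissions" % len(report["high_risk"])
    if report["unexpected"]:
        return "review: %d permissions outside the baseline" % len(report["unexpected"])
    return "ok: permissions match what a VPN needs"


# Constructed manifest for a fictional "free VPN" that also wants contacts, location and phone identity.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(report)
    print(verdict(report))
```

Extract the manifest from an APK with apktool (or any tool that decodes the binary XML) before feeding it in; the permission list alone will not show tracking libraries, which live in the app’s code rather than its manifest, but it catches the contacts, location and device-identity grabs that a packet-routing app has no reason to make.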
The Joy of Printers
Printers are often their own special experience for IT departments, and now there are even more things to consider when managing them. Jens Müller from the Ruhr-Universität Bochum in Germany has published a large body of printer attack research. It covers attacks such as accessing other users’ print jobs, credential disclosure, denial-of-service crashes, remote code execution, and in some cases even physically damaging the printer’s NVRAM through repeated writes. Vulnerable printers can be attacked over the network or through malicious USB devices.
It’s long been known that exposing printers to the internet is a bad idea, and now it’s an even worse one. Here are some of Müller’s recommendations for defending them, along with a few of our own:
- Where possible, isolate printers on separate network segments, with management features accessible only through hardened servers.
- Use an IDS/IPS at the boundary of the printer segment to inspect traffic to the raw print port (TCP 9100) and block PJL commands that print drivers never send, such as file-system access or NVRAM writes.
- Disable any unnecessary services and, where a service is required, reconfigure it (SNMP in particular) so it doesn’t run with default community strings or credentials.
- Check with your printer manufacturer for firmware updates, especially any that specifically address the types of issues discussed in Müller’s paper.
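To make the IDS/IPS recommendation concrete, here is an added example (not Müller’s code and not a rule from any IDS product) of the inspection logic such a rule implements: split a raw TCP/9100 print job at the Universal Exit Language sequence, pull out the PJL lines the printer would execute, and flag anything outside an allowlist of what a print driver normally emits. The ALLOWED set, the REASONS table and both sample jobs are constructed for the example; the malicious one uses a path-traversal FSUPLOAD of the kind Müller’s research describes.

```python
"""Inspect a raw print job (what an IDS sees on TCP/9100) for PJL commands a
print driver never sends: file-system access, NVRAM writes, panel messages.

Added example; the allowlist is an assumption to be tuned to your own drivers.
"""
UEL = b"\x1b%-12345X"  # Universal Exit Language: switches the printer into PJL

# Commands a print driver legitimately emits around a job (assumed baseline).
ALLOWED = {"JOB", "EOJ", "SET", "ENTER", "COMMENT", "ECHO", "USTATUS",
           "USTATUSOFF", "INFO", "INQUIRE", "DINQUIRE"}

# Why a command is dangerous; anything not allowed and not listed is flagged as unknown.
REASONS = {
    "FSUPLOAD": "reads a file from the printer file system",
    "FSDOWNLOAD": "writes a file to the printer file system",
    "FSAPPEND": "appends to a file on the printer file system",
    "FSDELETE": "deletes a file on the printer file system",
    "FSDIRLIST": "lists printer file system directories",
    "FSQUERY": "queries the printer file system",
    "FSINIT": "initialises (wipes) a printer file system volume",
    "FSMKDIR": "creates a directory on the printer file system",
    "DEFAULT": "changes a persistent (NVRAM) default",
    "INITIALIZE": "resets NVRAM to factory defaults",
    "RDYMSG": "overwrites the ready message on the operator panel",
    "OPMSG": "displays an operator message and halts the printer",
    "STMSG": "displays a status message and halts the printer",
}


def pjl_commands(job: bytes) -> list:
    """Return (command, line) for every PJL line the printer would execute."""
    found = []
    for chunk in job.split(UEL):
        for raw in chunk.splitlines():
            if not raw.startswith(b"@PJL"):
                break  # first non-PJL line: the rest of this chunk is PDL data
            line = raw.decode("ascii", errors="replace").strip()
            parts = line.split()
            if len(parts) < 2:
                continue  # bare "@PJL" line sent right after the UEL, a no-op
            command = parts[1].upper()
            found.append((command, line))
            if command == "ENTER":
                break  # "ENTER LANGUAGE=..." hands control to the PDL interpreter
    return found


def flag_job(job: bytes) -> list:
    """Return one verdict per PJL command that is outside the allowlist."""
    verdicts = []
    for command, line in pjl_commands(job):
        if command in ALLOWED:
            continue
        verdicts.append({
            "command": command,
            "line": line,
            "reason": REASONS.get(command, "not in the print-driver allowlist"),
        })
    return verdicts


# Constructed sample jobs: a normal driver-generated PCL job, and one that reads
# /etc/passwd via path traversal, changes an NVRAM default and rewrites the panel.
BENIGN_JOB = (
    UEL + b"@PJL\r\n@PJL JOB NAME=\"report\"\r\n@PJL SET COPIES=1\r\n"
    b"@PJL ENTER LANGUAGE=PCL\r\n" + b"\x1bE...pcl data...\x1bE"
    + UEL + b"@PJL EOJ\r\n" + UEL
)
MALICIOUS_JOB = (
    UEL + b"@PJL\r\n@PJL INFO ID\r\n"
    b"@PJL FSUPLOAD NAME=\"0:/../../etc/passwd\" OFFSET=0 SIZE=4096\r\n"
    b"@PJL DEFAULT PAPER=A4\r\n@PJL RDYMSG DISPLAY=\"PWNED\"\r\n" + UEL
)

if __name__ == "__main__":
    for name, job in (("benign", BENIGN_JOB), ("malicious", MALICIOUS_JOB)):
        print(name, flag_job(job) or "clean")
```

This only looks at PJL; Müller’s attacks also use PostScript, so the same job would need its PostScript stream checked separately, and a printer that accepts jobs over IPP or LPD rather than raw port 9100 is not covered by a 9100-only rule.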
HTTPS Reaches Critical Mass
According to Troy Hunt, HTTPS adoption has reached a tipping point. The TLS-wrapped HTTP that protects everything from online banking to dank memes is swiftly becoming the rule rather than the exception, meaning stronger privacy and security for the web. Based on Mozilla’s telemetry, over 50% of page loads are now served over HTTPS, and the number of large websites that direct users to HTTPS by default keeps growing.
We can thank a lot of factors for this: Let’s Encrypt making certificates free and easy to get, browsers being much blunter about labelling a site’s connection as insecure to the user, and the real danger of unprotected HTTP traffic being manipulated in transit. Unencrypted HTTP isn’t gone yet, but there’s lots of work being done to banish it for good.
Here are a few steps organizations and website operators can take to protect user traffic:
- Use Let’s Encrypt to quickly get free, automatically renewed certificates for services still serving only HTTP.
- Redirect HTTP to HTTPS and send an HSTS header so browsers default to HTTPS on later visits; where several virtual hosts share one IP address, rely on SNI so each can present its own certificate.
- Verify that remote content, such as scripts or ads, is loaded over HTTPS to avoid leaking sensitive data. Browsers block active mixed content (an HTTP script on an HTTPS page) outright and only warn on passive content such as images, so an HTTP script include breaks the page as well as weakening it.
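The HSTS and mixed-content checks above are easy to get subtly wrong (a Strict-Transport-Security header without max-age is ignored entirely, and a protocol-relative URL is not mixed content), so here is an added example, not code from Troy Hunt or any project mentioned on this page, that runs both checks offline over a captured response: it validates the HSTS header against the directives browsers honour and walks the HTML for active and passive HTTP loads. The one-year threshold is the preload list’s requirement; the sample headers and page are constructed.

```python
"""Offline checks for the two HTTPS rollout mistakes that survive a redirect:
a weak or missing HSTS header, and HTTP sub-resources on an HTTPS page.

Added example; the thresholds and sample data are assumptions for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; the HSTS preload list requires at least this

# Elements whose HTTP loads browsers block (active) or merely warn about (passive).
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src", "link": "href"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


def check_hsts(headers: dict) -> list:
    """Return the problems with the Strict-Transport-Security header (empty list = fine)."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header: browsers will still try plain HTTP"]
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        directives[name.lower()] = val.strip().strip('"')
    problems = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        # RFC 6797 makes max-age mandatory; without it the whole header is ignored
        problems.append("max-age missing or not numeric: the header is ignored")
    elif int(max_age) < ONE_YEAR:
        problems.append("max-age %ss is shorter than one year" % max_age)
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains missing: HTTP is still allowed on subdomains")
    return problems


class MixedContentScanner(HTMLParser):
    """Collect (kind, tag, url) for every sub-resource fetched over plain http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE:
            kind, attr = "active", ACTIVE[tag]
        elif tag in PASSIVE:
            kind, attr = "passive", PASSIVE[tag]
        else:
            return
        url = attrs.get(attr)
        # urlsplit lowercases the scheme; "//host/x" has no scheme and inherits https
        if not url or urlsplit(url).scheme != "http":
            return
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return  # only stylesheet links are active content
        self.findings.append((kind, tag, url))


def scan_mixed_content(html: str) -> list:
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed samples: a good header, a weak header, and a page with three HTTP loads.
GOOD_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
WEAK_HEADERS = {"strict-transport-security": "max-age=300"}
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="icon" href="http://cdn.example.com/favicon.ico">
<script src="https://cdn.example.com/app.js"></script>
<script src="http://ads.example.net/tracker.js"></script>
</head><body>
<img src="http://images.example.com/logo.png">
<img src="//images.example.com/hero.png">
<iframe src="https://pay.example.com/form"></iframe>
</body></html>"""

if __name__ == "__main__":
    print("good:", check_hsts(GOOD_HEADERS))
    print("weak:", check_hsts(WEAK_HEADERS))
    for finding in scan_mixed_content(SAMPLE_HTML):
        print(*finding)
```

Feed it the headers and body of a real fetch and the active findings are the ones to fix first: each is a script or stylesheet that an on-path attacker could replace, and that current browsers refuse to load anyway.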
For Quality Control Purposes, This Call May Be Leaked Online
Nearly 400,000 telephone recordings have been leaked by a Florida-based telemarketer, thanks to an unsecured server exposed to the internet. Normally a pile of recordings of people being hung up on wouldn’t be a big concern, but many of the recordings include sensitive customer information such as names, billing addresses, and credit card details: numbers, expiration dates, and CVV codes.
This underscores that all stored customer information is a liability. The most secure information is the information you don’t keep; storing the CVV at all is prohibited under PCI DSS, which makes this leak worse than careless. For the customer information that must be kept for business purposes, sufficient controls must be in place to protect it.
Here are some basic tips for protecting customer data:
- Restrict data access to the networks where it’s actually needed, and never expose storage directly to the internet.
- Always protect fileshares and databases with strong credentials, and never leave them reachable without authentication.
- Ensure that backups are stored securely, with the same access controls as the live data.
Egyptian NGOs Targeted in Phishing Campaign
Citizen Lab of the University of Toronto has just reported on a persistent phishing campaign targeting various Egyptian NGOs, fitting into the widely-reported crackdown on Egyptian human rights organizations. The phishing emails were often very specifically targeted, and sometimes were sent very soon after action by the Egyptian government. For example, one email targeted colleagues of Egyptian lawyer Azza Soliman within hours of her arrest, claiming to be a copy of her arrest warrant.
Phishing emails were often sent from Gmail accounts, initially using pretexts tied to Case 173 (the Egyptian government’s “foreign funding” case against NGOs), such as arrests, panel invitations, and the sharing of important documents, and aimed at harvesting Gmail and Dropbox credentials. A second phase pivoted to more generic account-security pretexts such as invalid login attempts. Interestingly, the attackers used the publicly available gophish framework.
For more information on how to avoid becoming the victim of a phishing attack or scam, check out some tips from StaySafeOnline.org. Additionally, companies looking to raise security awareness inside their organization can use free tools like the aforementioned gophish framework or Duo Insight, by our friends over at Duo Security.