Biz & IT

Most US mobile banking apps have security and privacy flaws, researchers say

You might figure the biggest U.S. banks would have some of the most secure mobile apps. Spoiler alert: not so much.

New findings from security firm Zimperium, shared exclusively with TechCrunch, say most of the top banking apps have security flaws that put user data at risk. The security firm, which has a commercial stake in the mobile security business, downloaded the banks’ iOS and Android apps and scanned for security and privacy issues, like data leaks, which put private user data and communications at risk.

The researchers found most of the apps had issues, like failing to adhere to best coding practices and using old open-source libraries that are infrequently updated.

Some of the apps were using open-source code from GitHub from more than three years ago, said Scott King, Zimperium’s director of embedded security.

Worse, more than half of the banking apps are sharing customer data with at least one advertiser, the researchers said.

An unnamed iOS banking app with an 86/100 risk score (Image: Zimperium)

Two unnamed Android banking apps each with an 82/100 risk score (Image: Zimperium)

The researchers, who didn’t name the banks, said one of the worst offending iOS apps scored 86 out of 100 on the risk scale for several privacy lapses, including communicating over an unencrypted HTTP connection. The same app was vulnerable to two known remote bugs dating back to 2015. The researchers said the risk scores for the banks’ corresponding Android apps were far higher. Two of the apps were rated with a risk score of 82 out of 100. Both apps stored data insecurely, in a way that let third-party apps on a rooted device access it and recover sensitive data, said King.

One of the Android apps wasn’t properly validating HTTPS certificates, making it possible for an attacker to perform a man-in-the-middle attack. Several of the iOS and Android apps were capable of taking screenshots of the app’s display, increasing the risk of data leaking.

Zimperium said two-thirds of the Android banking apps are targeted by several malware campaigns, such as BankBot, which tricks users into downloading fake apps from Google Play and waits until the victim signs in to a banking app on their phone. Using an overlay screen, the malware campaigns steal logins and passwords.

The security firm called on banking apps to do more to bolster their apps’ security.

Big data trove dumped after LA Unified School District says no to ransomware crooks

A ransomware outfit calling itself Vice Society has dumped nearly 300,000 files belonging to the Los Angeles Unified School District as punishment for rebuffing demands it pay the group a hefty fee to recover data stolen during a recent cyber intrusion.

Ransomware operators breach targets’ networks, encrypt all their data, and then charge victims a ransom for the decryption key. More recently, the groups have moved to a double extortion model, in which they also publish the data on the dark web unless victims pay a ransom to keep it private. Already this year, 27 school districts with 1,735 schools among them have been hacked in ransomware incidents, Brett Callow, a threat analyst with security firm Emsisoft, said.

The Los Angeles Unified School District is the second biggest school district in the US, behind the New York City Department of Education, making it a trophy of sorts for ransomware groups that prey on these organizations.

Vice Society is a Russian-speaking ransomware group that has emerged over the past couple of years to become a menace, mainly to small- and middle-sized companies. The group specializes in human-operated ransomware attacks, as opposed to automated attack techniques favored by many of its peers. Callow said in a direct message that the Vice Society gang attacked at least eight other US school districts, colleges, and universities so far in 2022.

In the past it has used critical vulnerabilities in network devices from SonicWall and the Windows zero-day known as PrintNightmare as an initial entry point into companies it has targeted.

The LAUSD said in early September it suffered a ransomware attack that created districtwide disruptions to email, computer systems, and applications. A couple of days later, the Cybersecurity and Infrastructure Security Administration published an advisory warning that the group had been “disproportionately targeting the education sector.”

On Friday, district officials said they had no intention of paying a ransom to the threat actors.

“Los Angeles Unified remains firm that dollars must be used to fund students and education,” they wrote. “Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate. We continue to make progress toward full operational stability for several core information technology services.”

On Friday, LAUSD superintendent Alberto Carvalho was even more forceful in his rejection of the group’s demands.

“What I can tell you is that the demand—any demand—would be absurd,” he told the Los Angeles Times. “But this level of demand was, quite frankly, insulting. And we’re not about to enter into negotiations with that type of entity.”

Friday’s LAUSD statement warned employees and families that the group was likely to respond by releasing breached data publicly.

Over the weekend, that’s precisely what Vice Society did on its name-and-shame site. The haul, which researchers from security firm Check Point said included more than 284,000 files, contains a wide variety of documents, images, and other documentation. One video purports to be part of an incident report and appears to show district personnel monitoring a video feed and responding to other staff members over a two-way radio. Other documents list the names, Social Security numbers, attendance records, unredacted passports, and other sensitive information of school employees and contractors.

Like many municipalities, school districts are particularly vulnerable to ransomware attacks because they frequently use outdated hardware and software.

Linux 6.0 arrives with support for newer chips, core fixes, and oddities

And there was much rejoicing, as a new Linux kernel version had arrived before its founder ran out of fingers and toes for counting. (Image: Getty Images)

A stable version of Linux 6.0 is out, with 15,000 non-merge commits and a notable version number for the kernel. And while major Linux releases only happen when the prior number’s dot numbers start looking too big (“there is literally no other reason”), there are a lot of notable things rolled into this release besides a marking in time.

Most notable among them could be a patch that prevents a nearly two-decade slowdown for AMD chips, based on workaround code for power management in the early 2000s that hung around for far too long. Intel’s Dave Hansen wrote the patch that made it into 6.0, noting in a comment on an Ars post that the issue had become an expensive drain as AMD systems gained higher CPU core counts. The average desktop user won’t see huge gains, but larger systems working on intensive input/output applications should benefit.

Intel’s new Arc GPUs are supported in their discrete laptop form in 6.0 (though still experimental). Linux blog Phoronix notes that Intel’s Arc GPUs all seem to run on open source upstream drivers, so support should show up for future Intel cards and chipsets as they arrive on the market.

Linux 6.0 includes several hardware drivers of note: fourth-generation Intel Xeon server chips, the not-quite-out 13th-generation Raptor Lake and Meteor Lake chips, AMD’s RDNA 3 GPUs, Threadripper CPUs, EPYC systems, and audio drivers for a number of newer AMD systems.

One small, quirky addition points to larger things happening inside Linux. Lenovo’s ThinkPad X13s, based on an ARM-powered Qualcomm Snapdragon chip, get some early support in 6.0. ARM support is something Linux founder Linus Torvalds is eager to see—he recently wrote release notes for kernel versions from his M2-powered MacBook Air and believes that more people using Linux on ARM devices leads to more bug reports, more patches, and more enthusiasm.

Among other changes you can find in Linux 6.0, as compiled by LWN.net (in part one and part two):

  • ACPI and power management improvements for Sapphire Rapids CPUs
  • Support for SMB3 file transfer inside Samba, while SMB1 is further deprecated
  • More work on RISC-V, OpenRISC, and LoongArch technologies
  • Intel Habana Labs Gaudi2 support, allowing hardware acceleration for machine-learning libraries
  • A “guest vCPU stall detector” that can tell a host when a virtual client is frozen

Not included in 6.0 are Rust enhancements, but those are likely coming in the next point release, 6.1. Rust, a memory-safe language sponsored by the Mozilla project, started out as something Torvalds took a wait-and-see approach toward and is now something he was hoping to see in 6.0. “Unless something odd happens, it will make it into 6.1,” Torvalds told ZDNet’s Steven Vaughan-Nichols in mid-September. Even just having the “core infrastructure” for Rust in 6.1 signifies a big change in Linux, which has long been dominated by C languages (however extended and modified).

It must be noted that in 2022, there are patches in Linux 6.0 to help Atari’s Falcon computers from the early 1990s (or their emulated descendants) better handle VGA modes, color, and other issues.

Bruce Willis denies selling deepfake rights to Deepcake

The real Bruce Willis at a film premiere in 2019.

On Friday, Ars Technica reported that Bruce Willis had sold his likeness for use in deepfakes, according to The Telegraph. Dozens of news sites repeated the Telegraph’s claim. Over the weekend, the BBC discovered that Bruce Willis has “no partnership or agreement” with the firm Deepcake, which is based in Georgia, the Eurasian republic.

It’s unclear how the inaccurate claim originated at The Telegraph. While reporting last Friday, we attempted to verify some of the claims in the original Telegraph article (such as Willis being the first actor to sell his deepfake rights), but we could not do so, and we noted that in the report. We also noted that Deepcake is doing business in America under a corporation registered in Delaware. However, we failed to follow through with verifying the entire claim, and we apologize for the error and for repeating the erroneous information.

Deepcake’s website features Bruce Willis prominently in marketing materials. However, Willis’ agent says, “Please know that Bruce has no partnership or agreement with this Deepcake company.” (Image: Deepcake)

It’s unclear if Deepcake ever had the rights to use Bruce Willis’ likeness on its website or in its marketing materials. Deepcake told the BBC, “What he definitely did is that he gave us his consent (and a lot of materials) to make his Digital Twin.” Deepcake also claims, per the Hollywood Reporter, that the company’s involvement with Willis arrived through the CAA talent agency for use in a 2021 Russian cell phone commercial. However, Willis’ representatives still deny having any involvement with the company.
