Netizen Cybersecurity Bulletin: 11 July 2018 Edition
In this issue:
In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.
- Gmail, and peeping third-party developers
- USB Restricted Mode issues
- “Alexa, pay my bills.”
- How can Netizen Help?
Gmail, and peeping third-party developers
Depending on your personal Gmail settings, third-party developers may be able to read your Google emails. While this may come as a surprise, third-party devs only have access because the end user has granted it. Certain applications need access permissions in order to function; the problem arises when those applications are unsecured or even malicious, posing a serious threat to privacy. Google responded by admitting that third-party developers are able to view a user’s email, but maintains that the only way a dev can do so is by receiving permission from the user. Granting such permissions is common with other email providers as well, but the stakes rise when not just personal information is involved, but corporate data and intel too.
While this seems cut and dry, it can easily be overlooked as not everyone realizes that their Gmail accounts are permitted to be viewed by outside parties.
Recommendations
- Again, this sounds obvious, but do not conduct any company business with your personal email. This should be a standard of the organization.
- Stop using third-party apps. If not feasible, scrutinize the permissions of the application and limit its access as much as possible.
- Gmail Security Check-up can be used to see which third-party apps are connected to your account and what permissions they have been granted. If you find an app that you do not want to have access, you can remove it there.
- Make use of encrypted email services, and check your current email configurations (even the company’s) to see if there is any outside access given.
“Alexa, pay my bills.”
Smart speakers – like Amazon Echo, Apple Siri, and Google Home – are being used for more and more tasks, making our lives more connected and perhaps more entertaining. Anyone who has ever enjoyed a science-fiction story where the hero starts a request with “Computer…” has waited to do the same thing in their own home. Smart speakers can create lists, play games, play media, send and receive audio and video communications, and even order goods and services. But should they also handle purely financial transactions?
American Express and Capital One are two credit card issuers that allow users to pay bills through their smart speaker, which poses a small risk to the consumer. Regional banks have gone further, letting customers check account balances and make mortgage and bill payments through a smart speaker. While the risk of someone fraudulently paying your bills is minimal, the privacy of your account balances is something to consider. Financial institutions may encourage the use of a PIN to protect account information, but if you are overheard speaking the PIN, it is hardly secure.
As advanced as these smart speakers have already become, there are many times when instructions or commands spoken to them are misheard. Should you request a payment to be sent to a friend or relative and the device mishears the name you speak, you may have a headache resolving the matter.
Most importantly, as with any connected device, a newly uncovered vulnerability could lead to financial catastrophe. Because using these devices for financial transactions is still new, the attention hackers pay to them is probably minimal. It won’t be long, however, before the bad guys look to exploit these devices in an attempt to drain your account.
Recommendations
- Evaluate your need for using a smart speaker to handle your financial data.
- Always use a strong password and PIN, and never use these on more than one online account.
USB Restricted Mode issues
Apple has recently released iOS 11.4.1, which includes a new security feature to protect your phone from malicious USB accessories that connect to its data port. This makes it harder for hackers to break into your device without your permission.
Called USB Restricted Mode, this feature automatically disables the data connection on your iPhone or iPad’s data port after the device has been locked for an hour or longer.
Security researchers, however, have found that connecting a USB accessory, such as a Lightning to USB camera adapter, to a recently locked device will reset the 1-hour countdown.
While the vulnerability is not extremely severe, it could certainly be a costly mistake if a user expected their data connection to be disabled when it was in fact still active because a USB accessory had been connected before the hour elapsed.
This feature arrives amid a growing number of juice-jacking stations: malicious free charging stations set up by hackers to gain access to your device and steal personal and sensitive data.
Recommendations
- Keep your devices charged! When going out for a long time, ensure your device is fully charged. Make it a habit to charge your devices when they are not in use.
- Avoid using public chargers. If you must, use a standard AC wall outlet with your own AC/DC charger rather than a public USB charging connection.
- Carry a power bank or charger, so if you must recharge you are doing so from a trusted source.
- Get a charge-only cable so that you can safely plug into public charging stations.
How Can Netizen Help?
Netizen ensures that security gets built in, not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service”, through which companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management) certified company.