::Trend Micro Threat Resource Center::

29 September 2015

Public Wi-Fi: How to optimise the business without compromising security

With free wireless networks readily available in Singapore, it is common to see business professionals working from their work and personal devices in public areas such as cafés.


In fact, those living in this city state will be familiar with the local wireless broadband network, Wireless@SG, available in most public areas island wide. Once registered to this network, users can enjoy seamless wireless broadband service while on the move in such public spaces.

There are plenty of business owners who have made it a point to set up wireless networks in their shops or buildings to give patrons free Wi-Fi. But as Sean Duca, Asia Pacific Chief Security Officer for the next-generation security company Palo Alto Networks, points out, while public networks are convenient, they also increase users’ risk of having their laptops and mobile devices hacked or infected with malware.

“Hackers are generally drawn to public networks as they are easy targets; by hacking into the networks, they would easily obtain access to data from hundreds of devices that are connected at any point,” says Sean. “Some of this data may be sensitive and contain private company information, and if found in the wrong hands, can result in loss of revenue and business reputation. As such, it is important to ensure that employees who use public Wi-Fi on laptops and mobile devices optimise their security measures for hotspot connectivity to ensure company data is protected at all times.”

According to Sean, there are three ways in which organisations can optimise mobile device security for public Wi-Fi hotspots:

1. Manage the device
Organisations should configure security settings appropriate for public Wi-Fi connectivity on mobile devices. This allows businesses to safely deploy business applications and oversee device usage across the organisation. Enterprise-scale device management capabilities can also be set up in order to simplify the deployment process. This can be done by applying configurations common to all users, such as email account settings.

2. Protect the device
Organisations can use endpoint security, mobile threat prevention technologies and next-generation firewalls to enforce network policies. This prevents mobile devices from being compromised, and attackers from accessing the company’s data.

Businesses should also take note that traditional endpoint security measures may not adequately protect mobile devices against threats. Hackers are constantly using more sophisticated methods which are not easily detectable. Hence, it is crucial that organisations look into investing in the newer next-generation security products.

3. Control the data
Organisations should control data access and movement between applications. This can be achieved by enforcing policies that control network access to applications and data. By isolating and controlling business data and devices, sensitive corporate data can be better protected through blocking unwanted applications and preventing devices from connecting to command and control servers.

With the right security products in place, and through proper and precise policy enforcement, organisations can be assured that security isn’t compromised when their employees connect their mobile devices to wireless networks. Employees can also take advantage of free public Wi-Fi without having to worry about sensitive information falling into the wrong hands.

Credits: Sean Duca, Asia Pacific Chief Security Officer at Palo Alto Networks.

25 September 2015

Symantec Sacks Staff After Issuing Unauthorized Google Certs

Symantec has been forced to sack several employees after Google spotted that the firm’s CA subsidiary Thawte issued unauthorized certificates last week for several domains. The certificates made it possible to impersonate HTTPS-enabled Google domains.


The Extended Validation (EV) pre-certificate for the domains google.com and www.google.com was issued as part of a Symantec internal testing process, Google claimed in a blog post.

The web giant added:

“This pre-certificate was neither requested nor authorized by Google. We discovered this issuance via Certificate Transparency logs, which Chrome has required for EV certificates starting January 1st of this year. The issuance of this pre-certificate was recorded in both Google-operated and DigiCert-operated logs.”

Symantec revealed in its own blog post on the matter that the “small number” of unauthorized certificates it issued actually linked back to three domains.

It argued that these test certs were “always within our control” and that they were immediately revoked as soon as the issue was discovered.

The security giant added:

“While our processes and approach are based on the industry best practices that we helped create, we have immediately put in place additional processes and technical controls to eliminate the possibility of human error. We will continue to relentlessly evolve these best practices to ensure something like this does not happen again.”

Symantec also revealed that it had “terminated” a few employees after they failed to follow its own internal best practices around issuing certificates.

“Because you rely on us to protect the digital world, we hold ourselves to a ‘no compromise’ bar for such breaches. As a result, it was the only call we could make,” it said.

Google said it has updated Chrome to recognize the “mis-issued” certificate – which was only valid for a day anyway.
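The discovery route Google describes above, a Certificate Transparency log entry for a domain whose owner never requested it, is what a CT monitor automates. The following is an added example, not Google's or Symantec's tooling: it takes simplified log records (constructed dicts here, not real log output), checks whether any name on a certificate or pre-certificate falls under a monitored domain, and alerts when the issuer is not on that domain's expected-CA list. The issuer names, log names and allowlist are all constructed; the same pre-certificate appearing in two logs, as in the article, is collapsed into one alert listing both logs.

```python
"""Flag CT log entries whose issuer is unexpected for a monitored domain.

Added example, not code from Google, Symantec or any CT log operator. Entries
are constructed in a simplified record shape; real logs return RFC 6962
structures that would first need to be decoded into this form.
"""

# Constructed allowlist: domain -> issuers we expect to issue for it.
MONITORED = {
    "example.com": {"Example Internal CA"},
}

# Constructed log records, not real CT data.
SAMPLE_ENTRIES = [
    {"log": "log-a", "issuer": "Example Internal CA",
     "names": ["www.example.com"], "precert": False},
    # the same test pre-certificate recorded in two logs
    {"log": "log-a", "issuer": "Test CA X",
     "names": ["example.com", "www.example.com"], "precert": True},
    {"log": "log-b", "issuer": "Test CA X",
     "names": ["example.com", "www.example.com"], "precert": True},
    {"log": "log-a", "issuer": "Other CA",
     "names": ["*.example.com"], "precert": False},
    # a lookalike that is not under the monitored domain
    {"log": "log-a", "issuer": "Other CA",
     "names": ["notexample.com"], "precert": False},
]


def in_scope(san, domain):
    """True if subject name `san` is the monitored domain, a subdomain of it,
    or a wildcard whose base is at or under it."""
    san = san.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if san.startswith("*."):
        san = san[2:]
    return san == domain or san.endswith("." + domain)


def find_unexpected(entries, monitored=MONITORED):
    """Return one alert per (domain, issuer, name set) whose issuer is not
    expected for that domain, with the logs the entry was seen in."""
    alerts = {}
    for entry in entries:
        for domain, expected in monitored.items():
            touches = any(in_scope(n, domain) for n in entry["names"])
            if touches and entry["issuer"] not in expected:
                key = (domain, entry["issuer"], tuple(entry["names"]))
                alerts.setdefault(key, set()).add(entry["log"])
    return [
        {"domain": d, "issuer": i, "names": list(n), "logs": sorted(logs)}
        for (d, i, n), logs in sorted(alerts.items())
    ]


if __name__ == "__main__":
    for alert in find_unexpected(SAMPLE_ENTRIES):
        print(f"{alert['domain']}: {alert['issuer']} issued for "
              f"{alert['names']} (seen in {', '.join(alert['logs'])})")
```

Scoping on the name tree rather than exact match is deliberate: a wildcard or a deep subdomain issued by an unexpected CA is just as much a finding as the apex name, and a lookalike domain is not.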

In April this year Google took the unprecedented step of ceasing to recognize the CAs of China’s .cn operator, the government-run CNNIC.

It emerged that a CNNIC-approved intermediate certificate authority, Egyptian firm MCS Holdings, had issued unauthorized digital certificates for some Google domains inside its test network.

22 September 2015

AT&T says malware secretly unlocked hundreds of thousands of phones

AT&T said three of its employees secretly installed software on its network so a cellphone unlocking service could surreptitiously funnel hundreds of thousands of requests to its servers to remove software locks on phones.


The locks prevent phones from being used on competing networks and have been an important tool used by cellular carriers to prevent customers from jumping ship. They can be electronically removed, usually after fulfilling a contract obligation, but many websites offer the same service for a small fee with no questions asked.

AT&T's allegations are made in a filing with U.S. District Court for the Western District of Washington in which it accuses two companies, four people and an unknown software developer or developers, of participating in the audacious scheme. AT&T filed its lawsuit on Sept. 11 but it was first reported by Geekwire on Friday.

The carrier first discovered something was amiss in September 2013 when a surge in the number of unlock requests alerted the company to the possible abuse of "Torch," the software used to unlock cellphones, it said in the complaint.

Upon investigation, the company discovered that the logins and passwords of two employees at a center in Washington were responsible for a large number of the requests and those requests happened within milliseconds of each other.
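The two signals AT&T describes, a surge in request volume and requests from the same logins landing milliseconds apart, are the kind of thing a detection rule over request logs can surface. The following is an added example, not AT&T's code or anything from its complaint: it parses constructed log lines (the timestamps, login names and identifiers are made up) and flags any login whose requests arrive in machine-speed bursts that no human operator could type.

```python
"""Burst detection over constructed unlock-request log lines.

Added example, not AT&T's tooling. Every log line, login name and device
identifier below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the form "<ISO timestamp> <login> UNLOCK <id>".
SAMPLE_LOG = """\
2013-09-03T09:00:00.000 rep_a UNLOCK 0001
2013-09-03T09:00:00.012 rep_a UNLOCK 0002
2013-09-03T09:00:00.025 rep_a UNLOCK 0003
2013-09-03T09:00:00.037 rep_a UNLOCK 0004
2013-09-03T09:00:00.051 rep_a UNLOCK 0005
2013-09-03T09:00:00.063 rep_a UNLOCK 0006
2013-09-03T09:04:12.000 rep_b UNLOCK 0007
2013-09-03T09:31:45.000 rep_b UNLOCK 0008
2013-09-03T10:02:10.000 rep_b UNLOCK 0009
2013-09-03T10:15:00.000 rep_c UNLOCK 0010
2013-09-03T10:15:00.009 rep_c UNLOCK 0011
2013-09-03T10:15:00.020 rep_c UNLOCK 0012
2013-09-03T10:40:00.000 rep_c UNLOCK 0013
"""


def parse_log(text):
    """Return {login: [sorted datetimes]} for UNLOCK events."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, login, action, _ident = line.split()
        if action == "UNLOCK":
            events[login].append(datetime.fromisoformat(ts))
    for times in events.values():
        times.sort()
    return events


def find_bursts(events, window=timedelta(seconds=1), min_count=3, max_gap_ms=100):
    """Flag logins with at least `min_count` requests inside `window` where
    every consecutive gap is <= `max_gap_ms`. Returns {login: largest burst}.

    A sliding window over the sorted timestamps keeps this linear per login;
    the gap test separates scripted submissions from a fast human operator.
    """
    flagged = {}
    for login, times in events.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            size = end - start + 1
            if size >= min_count:
                gaps_ms = [(times[i + 1] - times[i]).total_seconds() * 1000
                           for i in range(start, end)]
                if max(gaps_ms) <= max_gap_ms:
                    flagged[login] = max(flagged.get(login, 0), size)
    return flagged


if __name__ == "__main__":
    for login, size in find_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"{login}: burst of {size} requests at machine speed")
```

In the constructed data `rep_b` submits a few requests spread over an hour and is not flagged, while `rep_a` and `rep_c` each produce a run of requests only milliseconds apart; thresholds such as the window and gap would be tuned against the real baseline for a given queue.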

Both employees, Kyra Evans and Marc Sapatin, are named in the lawsuit.

On the computers of Evans and Sapatin, investigators found unauthorized software intended to route unlocking requests from an external source through AT&T's computer system, it said. AT&T says its investigators uncovered numerous iterations of the software, which grew in complexity until it was eventually able to submit the automatic requests.

Investigators later found the software on a computer of a third employee, Nguyen Lam, according to AT&T. All three are no longer working at AT&T.

AT&T says a California-based company called Swift Unlocks and its proprietor, Prashant Vira, were involved in the scheme and paid Evans and Sapatin at least US$20,000 and $10,500 respectively to install the software. But, AT&T concedes that it doesn't know the full extent of Swift Unlocks' involvement.

Swift Unlocks operates a website where people can pay to have the software lock removed from their phones. Charges vary by phone but AT&T users will generally pay $20 or less for the unlocking service.

In all, AT&T says "hundreds of thousands" of phones were unlocked as a result of the scheme. Its charges include computer fraud, breach of loyalty and civil conspiracy and the carrier has asked the court to hear the case in front of a jury.

The defendants could not immediately be reached for comment and are yet to file a reply to the allegations with the court.

21 September 2015

Apple’s iOS App Store suffers first major attack

Apple Inc said on Sunday it is cleaning up its iOS App Store to remove malicious iPhone and iPad programs identified in the first large-scale attack on the popular mobile software outlet.


The company disclosed the effort after several cyber security firms reported finding a malicious program dubbed XcodeGhost that was embedded in hundreds of legitimate apps.

It is the first reported case of large numbers of malicious software programs making their way past Apple’s stringent app review process. Prior to this attack, a total of just five malicious apps had ever been found in the App Store, according to cyber security firm Palo Alto Networks Inc.

The hackers embedded the malicious code in these apps by convincing developers of legitimate software to use a tainted, counterfeit version of Apple’s software for creating iOS and Mac apps, which is known as Xcode, Apple said.

“We’ve removed the apps from the App Store that we know have been created with this counterfeit software,” Apple spokeswoman Christine Monaghan said in an email. “We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.”

She did not say what steps iPhone and iPad users could take to determine whether their devices were infected.

Palo Alto Networks Director of Threat Intelligence Ryan Olson said the malware had limited functionality and his firm had uncovered no examples of data theft or other harm as a result of the attack.

Still, he said it was “a pretty big deal” because it showed that the App Store could be compromised if hackers infected machines of software developers writing legitimate apps. Other attackers may copy that approach, which is hard to defend against, he said.

“Developers are now a huge target,” he said.

Researchers said infected apps included Tencent Holdings Ltd’s popular mobile chat app WeChat, car-hailing app Didi Kuaidi and a music app from Internet portal NetEase Inc.

The tainted version of Xcode was downloaded from a server in China that developers may have used because it allowed for faster downloads than using Apple’s U.S. servers, Olson said.

Chinese security firm Qihoo360 Technology Co. said on its blog that it had uncovered 344 apps tainted with XcodeGhost.

Apple declined to say how many apps it had uncovered.

18 September 2015

AirDrop vulnerability is an easy avenue for hackers to exploit Apple devices



Recently, an alarming vulnerability has cropped up on iOS devices. This security loophole allows an attacker to overwrite arbitrary files on a targeted device and, when used in combination with other procedures, install a signed app that devices will trust without presenting a warning notification to users.

In a recent article published on Threatpost, it’s noted that the vulnerability is located in a library that lies within both iOS and OS X. In this case, the library in question is AirDrop, the tool featured on Apple devices that allows users to directly send files to fellow Apple devices quickly and effortlessly.

The problem lies in the fact that AirDrop doesn’t use a sandboxing mechanism in the same way that many other iOS applications do. When making use of a sandbox, every application has its own container for files, and it cannot reach beyond the so-called “walls” of that container.

AirDrop gives users the choice to accept file transfers either from only their own contacts or from anyone who sends them a request. In the case that a user can receive files from anyone, it’s quite easy for an attacker to exploit their locked iOS device. What’s more, the attacker can even carry out the attack without the user agreeing to accept a file transferred using AirDrop.

Directory traversal attacks make the exploitation of this vulnerability possible

Mark Dowd, the security researcher who discovered the vulnerability, has been able to repeatedly and reliably exploit the security flaw. The vulnerability allows the attacker to execute a directory traversal attack, in which the attacker attempts to access files that are not intended to be accessed. Thus, the attackers are capable of writing files to any location they choose on the file system.

Since sandboxing rules weren’t being strictly enforced on AirDrop, Dowd was able to read/write hidden system resources in combination with his own directory traversal attack. In doing so, he was able to upload his own application into the system and make it appear as trusted.
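The defect described above is the general directory traversal pattern: a receiver writes an incoming file under a name the sender chose, and a name containing `..` segments escapes the directory it was meant to stay in. The following is an added example, not Apple's AirDrop code and not Dowd's research: it shows the unchecked join beside a hardened version that resolves the destination and refuses anything that lands outside the receive directory, including absolute names and symlinks that point out of it. The directory names and file names are constructed, and `run_checks` exercises both versions in a scratch directory (it assumes a POSIX filesystem where the symlink can be created).

```python
"""Confining a peer-supplied file name to a receive directory.

Added example, not Apple's AirDrop implementation. All paths, names and
payloads are constructed for illustration.
"""
import os
import tempfile


class PathEscape(ValueError):
    """Raised when a supplied name would resolve outside the receive directory."""


def unsafe_destination(receive_dir, peer_name):
    """The vulnerable pattern: the untrusted name is joined without checks,
    so a name such as '../escape.plist' lands one level above receive_dir."""
    return os.path.join(receive_dir, peer_name)


def safe_destination(receive_dir, peer_name):
    """Resolve the destination and require it to stay inside receive_dir."""
    root = os.path.realpath(receive_dir)
    # os.path.join would discard `root` for an absolute name, so strip leading
    # separators and treat every name as relative to the receive directory.
    relative = peer_name.lstrip("/\\")
    # realpath follows symlinks in the existing part of the path and
    # normalises '..' in the rest, so the containment check sees the real target.
    candidate = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, candidate]) != root:
        raise PathEscape(f"refusing to write outside {root}: {peer_name!r}")
    if candidate == root:
        raise PathEscape(f"name does not denote a file: {peer_name!r}")
    return candidate


def receive_file(receive_dir, peer_name, payload):
    """Write payload under the confined destination; returns the path used."""
    dest = safe_destination(receive_dir, peer_name)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(payload)
    return dest


def run_checks():
    """Exercise both versions in a scratch directory; returns what each did."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        root = os.path.join(os.path.realpath(scratch), "inbox")
        os.mkdir(root)
        # a symlink inside the inbox that points back out to the scratch dir
        os.symlink(scratch, os.path.join(root, "link"))

        accepted = receive_file(root, "photo.jpg", b"constructed-jpeg-bytes")
        results["accepted_inside"] = accepted.startswith(root + os.sep)
        results["absolute_rebased"] = (
            safe_destination(root, "/photo.jpg") == os.path.join(root, "photo.jpg"))

        rejected = []
        for name in ["../escape.plist", "..", "", "sub/../../x", "link/escape.plist"]:
            try:
                safe_destination(root, name)
            except PathEscape:
                rejected.append(name)
        results["rejected"] = rejected

        naive = os.path.realpath(unsafe_destination(root, "../escape.plist"))
        results["naive_escapes"] = not naive.startswith(root + os.sep)
    return results


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

The check is done on the resolved path rather than by scanning the name for `..`, because encoded variants and symlinks defeat string filtering while `realpath` plus `commonpath` compares what the kernel would actually open.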

This bug has been reported to Apple, but a full patch has not yet been released for the recently-launched iOS 9. Therefore, if you’re the owner of one or more Apple devices, make sure that your AirDrop sharing options are set to private and that you’re only able to receive files from your contact list.

17 September 2015

Apple passcode increased to 6-digits in new iOS release

Apple rolled out its new iOS 9 operating system Wednesday and with that comes a big security upgrade.


The new operating system will now automatically default to a six digit PIN to unlock your device, instead of just a four digit PIN. While this might seem like a small change, it actually makes breaking into your iPhone a lot more difficult.

With a four digit PIN, there are a possible 10,000 combinations. But with a six digit code, there are 1 million possible combos, making it a lot tougher for someone to crack your security code.

If you are currently using a four digit PIN and update your software, you will need to manually opt in for the six digit PIN.

You can do this in your settings under "Passcode." But if you are just enabling the feature it will automatically prompt you to use six numbers for your PIN.


While the six number passcode is not mandatory, it is highly recommended. If you would rather take your chances, though, and go with a four digit code, you can make that selection in your settings as well.


The tech giant is also rolling out built-in two-factor authentication as part of iOS 9. Once you enroll for the security feature, you will be prompted to enter a verification code each time you log into a new device or browser. The code will appear on your other Apple device or your phone.