App Stores Untrustworthy / Card Giant Hacked / Amazon Taxes / Church Edicts For Social Media / Tech Headlines
Evan Schuman: Message to IT: Trusting Apple and Google for mobile app security is career suicide
Ready for the mobile security news that IT doesn’t want to hear about but needs to? When security firm Positive Technologies started pen-testing various mobile apps, security holes were rampant.
…“High-risk vulnerabilities were found in 38 percent of mobile applications for iOS and in 43 percent of Android applications” and “most cases are caused by weaknesses in security mechanisms — 74 percent and 57 percent for iOS and Android apps, respectively, and 42 percent for server-side components — because such vulnerabilities creep in during the design stage, fixing them requires significant changes to code.”
Here’s the most frightening line and it’s frightening because it means there is no easy enterprise IT fix: “Risks do not necessarily result from any one particular vulnerability on the client or server side. In many cases, they are the product of several seemingly small deficiencies in various parts of the mobile application. Taken together, these oversights can add up to serious consequences.”
As I’ve argued before, enterprise IT — and certainly enterprise CISOs and CSOs — simply can no longer put any trust into an app from either Apple’s App Store or Android’s Google Play. This is a major nightmare, since that is where employees have to go to download apps, whether personal (BYOD) or corporate.
The security holes could be intentional malware, unintentional malware (an ISV developer leverages existing code for a common function, unaware that it includes malware), unintentional security holes or even perfectly fine code that is clean on its own but that accidentally creates problems when interacting with the rest of the mobile environment. That’s the “taken together” hole that Positive referenced.
What this means is that enterprises must hire and deploy their own penetration testing teams — either on staff or contracted — to test every app that they’re going to permit on a corporate device, even a BYOD device. So, yes, that very well might mean also testing every consumer app that some employee wants to download. (Won’t that make you ultra-popular?!)
This gets worse.
Read how over at ComputerWorld.
Danny Bradbury: Cloud computing giant PCM hacked
A hacking group has gained access to the internal infrastructure of large cloud services provider PCM.
California-based PCM provides a mixture of solutions including cloud services and hardware, and made over $2bn in revenues in 2018. According to a report by specialist cybersecurity journalist Brian Krebs, the company discovered the breach in mid-May. Sources told him that the attackers stole administrative credentials for Office 365 accounts, and that they were mostly interested in using stolen data to conduct gift card fraud.
The modus operandi in this case was similar to other attacks on large IT providers we’ve seen, in which the hacking group sends phishing emails to companies including retailers, employee reward programs, customer loyalty and recognition businesses, and other organizations dealing in gift cards.
After compromising a system, the group would use a custom version of a malware strain called Mimikatz, which collects usernames and passwords from memory.
Once the group has access to the infrastructure of companies that deal in gift cards, it would then use money transfer services, payment processing services, and clearing houses to monetize that information. The report added:
“A possible theory for targeting could be that gift cards provide access to liquid assets outside of the traditional western financial system.”
An exit point to crypto? What PII is at risk? Despite California’s strict notification laws there are many questions remaining in this article over at Sophos’ NakedSecurity blog.
Russell Brandom: AMERICA NEEDS TO SEE AMAZON’S TAX RETURNS
Amazon’s taxes have become a campaign issue. In last week’s Democratic debates, two different candidates (Cory Booker and Andrew Yang) called out Amazon for paying $0 in federal income taxes last year, even after listing $4 billion in profits. Joe Biden, Elizabeth Warren, and President Trump himself have brought up the same point at various points on the campaign trail, always directed at Amazon. In a CNN interview after the second debate, Bernie Sanders singled the company out as an example of a broken tax code, saying simply, “I’m going to tax them.”
“We pay every penny we owe in corporate taxes including $2.6 billion over the past three years,” Amazon said when reached for comment. “We’ve invested $270 billion in the US since 2010 and created more than 275,000 jobs.”
But there’s an awkward truth behind the political back-and-forth: we don’t know what Amazon’s tax bill really is. Like every other company in America, Amazon’s tax returns are private, legally considered to be a trade secret. We don’t know which tax breaks they’re taking, or how they’ve structured their finances to avoid various taxes in favor of others. If Amazon says its tax bill was lower because of investments, we simply have to take the company at its word.
Check out this feature article from The Verge for more.
John Oates: What would Jesus tweet? Church of England hands down commandments for Anglicans on social media
The Archbishop of Canterbury has used a Facebook Live interview to launch a “digital charter” to provide guidelines for how Anglicans should use social media.
In the interview, the Most Reverend and Right Honourable Archbishop Justin Welby said it was obvious why the guidelines were needed. “Just look at any article and then look at the comments below, and very quickly you find stuff which is just poison.”…Welby said a good starting point was to treat others as you would like to be treated.
The voluntary pledge calls for people to ensure what they post on social media is true and “fair and factual”. Welby said there was no such thing as an alternative fact and that social media users should go not for the person but the issue.
He also said people should be welcoming not try to shut out others. On its own social media feeds the Anglican church calls on people to take responsibility for what they post and be aware that it can be both public and permanent, whatever your privacy settings.
It notes that personal and professional lives can easily become blurred. The guidelines also call on people to “disagree well”.
There are more guidelines over at The Register.
Other headlines of interest:
Business security in the age of malicious bots HelpNet Security
With the installation of “Supernode 3,” NYC s Mesh DIY Internet network has drastically expanded its coverage in NYC vice.com
SpaceX s Starlink satellites are in position and ready to begin testing digitaltrends.com
Senators propose $5 Billion plan for rural broadband buildout — See six-year timetable for matching funding in unserved areas multichannel.com
Trump’s Offer Of U.S. Tech Lifeline For Huawei Prompts Fierce Political Backlashforbes.com
Verizon vs. AT&T vs. T-Mobile vs. Sprint: 5G speed test battle royale cnet.com
What Verizon Can Learn From Apple About The Power Of A Single Customer Experience forbes.com
Finding a buyer for Boost Mobile is still the key to closing the T-Mobile-Sprint merger phonearena.com
Pai’s FCC Crushes Rules That Brought More Broadband Competition To San Francisco techdirt.com
5G smartphones are on the way: Here s every phone that will support 5Gdigitaltrends.com
Amazon gives Fire TV devices a section devoted to live television engadget.com
Help me out be thumbing this up or giving it claps or telling people or sharing it on social media please…and for goodness sake SUBSCRIBE. It’s free after all.
Politics may be married to technology and big media, but sometimes individuals can make a difference.
Get “The Dirty Deeds Playbook” today for just $2.99 on Kindle or for a few dollars more in paperback.
This satirical field manual uses fools & fanatics to sew chaos in American elections. Tools & techniques, observations & deception I’ve seen in the process over these past few years.
Support this news aggregation service by checking out my website at www.yourtechmoment.com today. Links there show all the places you can listen to the podcast or watch for free. Check out our FireTV app and Amazon Alexa skill for your flash briefing.
Also, find out about my other projects, subscribe to my newsletter and alerts, or buy books, advertise and support this project with some merchandise purchases.