Singapore banks adopt voice biometrics for user authentication

Citi is launching voice biometric verification for customers in Singapore to help cut user authentication time.

The bank has already implemented voice biometrics for consumer customers in Taiwan, with Singapore, Hong Kong and Australia to follow soon. The service will be available to all 12 of Citi’s consumer banking markets in Asia-Pacific by 2017.

27% of cloud apps are high risk

As more and more organizations adopt cloud platforms, new shadow IT risk vectors are coming into play in the form of connected third-party apps, according to CloudLock CyberLab’s analysis across 10 million users, 1 billion files, and nearly 160,000 unique applications.

These apps (and by extension, their vendors) are authorized using corporate credentials, have API access to corporate data on multiple SaaS platforms via OAuth connections, and can act on behalf of users to access, delete, store, externalize and exfiltrate data.

The shadow IT dilemma is only becoming more challenging as usage is increasing exponentially year over year. From 2014 to 2016, we’ve seen nearly a 30x increase in apps from 5,500 to nearly 160,000. Each application instance represents a backdoor through which hackers can infiltrate and externalize sensitive corporate assets.

Measuring risk by a combination of access scopes, community-sourced ratings, and expert-driven analytics, the CloudLock CyberLab found that 27% of third-party apps are classified as high risk, meaning cybercriminals could gain programmatic access to corporate platforms through them by impersonating end users.

@Deray’s Twitter Hack Reminds Us Even Two-Factor Isn’t Enough

The Apple ecosystem is well known for very rarely letting any dodgy apps enter it because of the company’s stringent security checks.

But recently, nearly two dozen malicious pieces of software managed to get hosted on the App Store, and were subsequently downloaded by Chinese users. This is because attackers found an unorthodox route to exploit: they targeted some versions of the software used by developers to make apps for iOS and OS X in the first place.

The malware was first highlighted by Chinese developers on Weibo, and was then analyzed by researchers from Alibaba. Security company Palo Alto Networks then verified the results.

The hack hinges on Xcode, a tool used to create iOS and OS X apps. Typically, Xcode is downloaded directly from Apple for free. However, it is possible to get Xcode from other sources too, such as developer forums. Some versions of Xcode found on Baidu Yunpan, a Chinese file-sharing service, come packaged with extra lines of code. The Alibaba researchers have dubbed these malicious variants “XcodeGhost.”

Apps constructed with XcodeGhost code will collect a bunch of information about a customer’s device once the app has been downloaded. The data siphoned includes the current time, the name of the device, and the network type—none of which is anything a hacker could really use against you.

The malware in the App Store itself is not concerning, but there’s a broader issue here: the way in which it got past Apple’s screening process in the first place.

Singapore will cut off public servants’ Internet access next year

In what seems like a surprising and drastic move, the Singapore government has decided that all computers used by public servants will have their Internet access blocked from May 2017 onwards.

According to The Straits Times, more than 100,000 computers will be cut off, in an effort to minimise security risks.

A spokesperson for the Infocomm Development Authority (IDA) said: "The Singapore government regularly reviews our IT measures to make our network more secure."

Researchers hack phone vibration motor to act as a microphone

On the list of things that might be eavesdropping on your day-to-day conversations, the tiny motor that makes your phone buzz isn’t necessarily the first one that comes to mind. But that is exactly what happens with the VibraPhone — a proof-of-concept device created by two researchers from the University of Illinois at Urbana-Champaign to show that the motor in your smartphone or fitness tracker can be re-wired to act as a serviceable microphone.

The concept is fairly simple: the motor uses electric current to change a magnetic field that makes the vibrating mass move, like a clunky, low-frequency speaker. A microphone does the reverse by translating sound wave vibrations into electrical current with a magnetic diaphragm. In their research, Nirupam Roy and Romit Roy Choudhury of the University of Illinois at Urbana-Champaign show that the vibration motor can be similarly affected by sound wave vibrations in the air.

Now, before anybody starts ripping the vibrating motors out of their phones, TechCrunch is quick to point out that this hack currently requires someone to physically take apart a phone and rewire the motor to connect it to the phone’s audio system. But, as Roy explained, it may also be possible to hack the power controller chip to collect the necessary voltage information to rebuild an audible waveform. And there’s also the possibility of hijacking the feedback motor in other devices like fitness monitors.

Got A Lenovo Laptop? You Need To Uninstall The Accelerator ASAP

Some good news, and some bad news. The good news is that Lenovo computers come with a pre-installed program called Accelerator, which helps to speed up certain Windows applications.

The bad news? There’s a serious security vulnerability in Accelerator, which could allow someone to install a program on your computer by disguising it as an updated version of Accelerator.

Lenovo is therefore recommending that you uninstall Accelerator, if it’s present on your PC or laptop.

US warns banks on cyber threat after Bangladesh heist

U.S. regulators on Tuesday told banks to review cyber-security protections against fraudulent money transfers in the wake of revelations that a hacking group used such messages to steal $81 million from the Bangladesh central bank. The notice from the Fed and other financial regulators came two weeks after the U.S. Federal Bureau of Investigation privately urged banks to look for signs of possible cyber attacks.

Time Inc. confirms Myspace has been hacked

Time Inc. only got the keys to Myspace.com a few months ago, but it’s already having to confirm some bad news: the social network has been the target of a hack. In a press release, the company says that just before the Memorial Day weekend (or Spring Bank Holiday in the UK), its technical teams were notified of someone trying to sell Myspace usernames, passwords and email addresses that were registered before June 2013.

Time Inc. doesn’t say how many accounts are affected, but a blog post on LeakedSource suggests that 360 million records may have been stolen in the breach.

Myspace is already in the process of alerting those affected and is working with the authorities to identify who may be responsible. Given that the person (or people) involved shared an alias with LeakedSource, investigators will have at least something to go on.

Payment Application Data Security Standard 3.2 released

The PCI Security Standards Council (PCI SSC) published a new version of its data security standard for payment software, the Payment Application Data Security Standard (PA-DSS) version 3.2. The Payment Application Data Security Standard is used by payment application vendors to ensure their software products will protect payment card data from theft. Merchants and other businesses globally use “PA-DSS Validated” software to ensure they can safely accept payments, both in-store and online.