Security

September 21, 2016

Enterprises: Only paying attention to big-name hacks? You may be missing the point

Security professionals are more likely to pay attention to breaches if the companies being breached already have recognizable names.

Seems like common sense. You see a headline that says, “Target point of sale technology hacked,” you’re much more likely to pay attention than, “Hospital in Kentucky suffers from ransomware attack.” Unless you live in Kentucky.

Security teams that do this, however, might be missing the big picture of how broad security incidents are and how they don’t just impact top names — everyone is at risk.

September 16, 2016

Four spyware apps removed from Google Play

We identified the Overseer malware in an application that claimed to provide search capabilities for specific embassies in different geographical locations.

Through close collaboration with an enterprise customer, Lookout identified Overseer, a piece of spyware we found in four apps live on the Google Play store. One of the apps was an Embassy search tool intended to help travelers find embassies abroad. The malware was also injected as a trojan in Russian and European News applications for Android.

Google promptly removed the four affected apps after Lookout notified the company. All Lookout customers are protected from this threat.

Current variants of Overseer are capable of gathering and exfiltrating the following information:

  • A user’s contacts, including name, phone number, email and times contacted
  • All user accounts on a compromised device
  • Basestation ID, latitude, longitude, network ID, location area code
  • Names of installed packages, their permissions, and whether they were sideloaded
  • Free internal and external memory
  • Device IMEI, IMSI, MCC, MNC, phone type, network operator, network operator name, device manufacturer, device ID, device model, version of Android, Android ID, SDK level and build user
  • Whether a device has been rooted in one of several ways

September 8, 2016

Former CSO of AT&T, Dr. Edward Amoroso, talks mobile attackers and how enterprise security teams should innovate

Dr. Amoroso is a former SVP and CSO of AT&T. He is currently on the board of M&T Bank and the CEO of TAG Cyber, which has just released the 2017 TAG Cyber Security Annual, a comprehensive reference guide for cyber security professionals.

September 2, 2016

Pegasus and Trident: Your questions answered

Since Lookout first announced our discovery of the Pegasus attack and Trident vulnerabilities in partnership with Citizen Lab, we’ve received many clarifying questions from security professionals. In this series we’re answering the top queries we’ve received to help you better understand the facts around this unprecedented mobile threat.

Pegasus is a highly sophisticated piece of spyware that uses three previously unknown vulnerabilities called “Trident.” When strung together, these three vulnerabilities would allow an attacker to break out of the browser sandbox, jailbreak the device, and install the spyware. From there, the spyware can turn on the camera and mic, intercept text messages, and alter the existing apps on the device to spy on any encrypted or unencrypted data.

This is the most sophisticated mobile attack we’ve seen yet and marks a new era of mobile hacking.

In order to keep you informed about this ongoing, and concerning problem, we’ve pulled together answers to the top questions we’re receiving from security professionals.

Consider this your official hub for all things Pegasus and Trident. Read on.

September 2, 2016

So, you heard about Pegasus and Trident. Here’s what you should do now

Get an in-depth walk-through of this attack in this webinar by Lookout Vice President of Security Research Mike Murray.

Since Lookout first announced our discovery of the Pegasus attack and Trident vulnerabilities in partnership with Citizen Lab, we’ve received many clarifying questions from security professionals. In this series we’re answering the top queries we’ve received to help you better understand the facts around this unprecedented mobile threat.

Today’s question: What do I need to do next?

The Pegasus attack is the most sophisticated piece of mobile spyware ever seen. With just a single tap on a seemingly important text message it has the capability to cause catastrophic data loss to a targeted individual or organization, completely compromising all communications from a smartphone — messages, calls, emails, passwords, logs, and more from apps including Gmail, Facebook, Skype, WhatsApp, Viber, Facetime, Calendar, and others. Pegasus can even intercept data from end-to-end encrypted applications.

The relative ease and stealth with which this attack can infect a device, combined with the catastrophic data loss it causes, means that CIOs and CISOs need to be reacting to the Pegasus attack now to prevent further damage.

September 2, 2016

Device already infected with Pegasus? Updating your OS won’t help

Since Lookout first announced our discovery of the Pegasus attack and Trident vulnerabilities in partnership with Citizen Lab, we’ve received many clarifying questions from security professionals. In this series we’re answering the top queries we’ve received to help you better understand the facts around this unprecedented mobile threat.

Today’s question: Why doesn’t the iOS 9.3.5 update fix a previously-infected device?

Get an in-depth walk-through of this attack in this webinar by Lookout Vice President of Security Research Mike Murray.

Updating a device to the latest iOS version will not remove or identify a pre-existing Pegasus infection on a device.

When Apple learned about the Trident iOS vulnerabilities used in the Pegasus attack, a serious form of mobile spyware, the company immediately patched the holes and sent an update out to users.

If an attacker has already infected a device with Pegasus, updating to iOS 9.3.5 (the latest version of iOS) only closes the vulnerabilities Pegasus used to get in; it does not remove the spyware itself.

September 2, 2016

MDM solutions don’t deliver sufficient protection against Pegasus

Since Lookout first announced our discovery of the Pegasus attack and Trident vulnerabilities in partnership with Citizen Lab, we’ve received many clarifying questions from security professionals. In this series we’re answering the top queries we’ve received to help you better understand the facts around this unprecedented mobile threat.

Today’s question: Why can’t my MDM protect my organization from Pegasus?

A Mobile Device Management (MDM) solution is not by itself a sufficient protection against advanced, targeted threats like the Pegasus spyware.

No existing jailbreak detection technology would have caught this threat before Lookout and Citizen Lab uncovered the techniques. This is because MDMs can only detect known jailbreak techniques and Pegasus used advanced exploits of previously unknown (zero-day) vulnerabilities to jailbreak the device.

Now that these advanced techniques are publicly known, we have not observed any MDM technology that is currently able to detect them.

September 2, 2016

Encryption and VPNs alone do not protect you from Pegasus/Trident

Since Lookout first announced our discovery of the Pegasus attack and Trident vulnerabilities in partnership with Citizen Lab, we’ve received many clarifying questions from security professionals. In this series we’re answering the top queries we’ve received to help you better understand the facts around this unprecedented mobile threat.

Today’s question: Why can’t encryption or VPNs stop this threat?

Encryption and VPNs are excellent tools that protect sensitive data in most situations. Given the extreme sophistication of the Pegasus attack, however, these tools won’t actually protect data in this scenario.

September 2, 2016

Security Alert: Apple just patched Trident in Macs, too

In the process of researching and disclosing the Trident iOS vulnerabilities, Lookout and our partners discovered another detail: these three software holes were present in Apple’s Mac computers, as well.

Mobile devices and PCs are being attacked in similar ways. The devices can have the same vulnerabilities and very similar attacks. As mobile devices become the primary computing device people use for their work, enterprises will need to have the same security protection and incident response measures on both platforms.

We worked directly with Apple to patch the vulnerabilities, and allowed sufficient time for the patch to be distributed before disclosing. You can see Apple’s patch notification here.

August 30, 2016

Congressman urges “congressional hearing” after Trident iOS vulnerability discovery

“I am pleased that Apple was able to quickly address this security breach, but it is clear that Congress must do more to address the issues of mobile security. I believe a congressional hearing is in order and plan to work with my colleagues to examine these critical security concerns.”
-Congressman Ted W. Lieu (D, Los Angeles County)

After news of the Trident vulnerabilities broke, Congressman Ted Lieu issued a statement urging the U.S. government to pay closer attention to mobile security.

Congressman Lieu’s comments follow a trend of individuals and agencies calling for attention on mobile security. The White House Digital Government Strategy, the DoD Mobile Device Strategy, and NIST’s Mobile Device Security for Enterprises Building Block document urge agencies to adopt and secure mobile technology to improve service and enhance effectiveness.