Security

August 30, 2016

Congressman urges “congressional hearing” after Trident iOS vulnerability discovery

“I am pleased that Apple was able to quickly address this security breach, but it is clear that Congress must do more to address the issues of mobile security. I believe a congressional hearing is in order and plan to work with my colleagues to examine these critical security concerns.”
-Congressman Ted W. Lieu (D, Los Angeles County)

After news of the Trident vulnerabilities broke, Congressman Ted Lieu issued a statement urging the U.S. government to pay closer attention to mobile security.

Congressman Lieu’s comments follow a trend of individuals and agencies calling for attention on mobile security. The White House Digital Government Strategy, the DoD Mobile Device Strategy, and NIST’s Mobile Device Security for Enterprises Building Block document urge agencies to adopt and secure mobile technology to improve service and enhance effectiveness.

August 25, 2016

3 things CISOs need to know about the Trident iOS vulnerabilities

Landing page, header - 2500x600_v3

Earlier today, Lookout and Citizen Lab published findings about a sophisticated, targeted, and persistent mobile attack on iOS using three zero-day vulnerabilities we call “Trident.” The attack allows an adversary to silently jailbreak an iOS device and stealthily spy on victims, collecting information from apps including Gmail, Facebook, Skype, WhatsApp, Calendar, FaceTime, Line, Mail.Ru, and others.

This discovery is further proof that mobile platforms are fertile ground for gathering sensitive information from target victims, and well-resourced threat actors are regularly exploiting that mobile environment.

Lookout PegasusRead Lookout’s report here.

August 25, 2016

Sophisticated, persistent mobile attack against high-value targets on iOS

Lookout PegasusPersistent, enterprise-class spyware is an underestimated problem on mobile devices. However, targeted attack scenarios against high-value mobile users are a real threat.

Citizen Lab (Munk School of Global Affairs, University of Toronto) and Lookout have uncovered an active threat using three critical iOS zero-day vulnerabilities that, when exploited, form an attack chain that subverts even Apple’s strong security environment. We call these vulnerabilities “Trident.” Our two organizations have worked directly with Apple’s security team, which was very responsive and immediately fixed all three Trident iOS vulnerabilities in its 9.3.5 patch.

All individuals should update to the latest version of iOS immediately. If you’re unsure what version you’re running, you can check Settings > General > About > Version. Lookout will send an alert to a customer’s phone any time a new update is available. Lookout’s products also detect and alert customers to this threat.

August 15, 2016

Linux flaw that allows anyone to hijack Internet traffic also affects 80% of Android devices

Lookout recently discovered a serious exploit in TCP reported this week also impacts nearly 80% of Android, or around 1.4 billion devices, based on an install base reported by Statista. The vulnerability lets attackers obtain unencrypted traffic and degrade encrypted traffic to spy on victims.

The issue should be concerning to Android users as attackers are able to execute this spying without traditional “man-in-the-middle” attacks through which they must compromise the network in order to intercept the traffic.

Researchers from University of California, Riverside and the U.S. Army Research Laboratory recently revealed a vulnerability in TCP at the USENIX Security 2016 conference, specifically pertaining to Linux systems. The vulnerability allows an attacker to remotely spy on people who are using unencrypted traffic or degrade encrypted connections. While a man in the middle attack is not required here, the attacker still needs to know a source and destination IP address to successfully execute the attack.

We can estimate then that all Android versions running the Linux Kernel 3.6 (approximately Android 4.4 KitKat) to the latest are vulnerable to this attack or 79.9% of the Android ecosystem.

August 5, 2016

Security week-in-review: Bugs be gone, Apple announces bounty program

27766206_0e78247e88_z

It’s hard to keep up with the hundreds of security-specific headlines published every week.

So, we’re rounding up the top news that affect you, your business, and the security and technology industry overall. This week we explore bug bounty programs, bug fixes, and healthcare breaches. Check back every Friday to learn about the latest in security news.

August 5, 2016

August Android Security Bulletin: a year of patches

One year into Google’s monthly patching for Android, the August 2016 bulletin contains 103 patches, just short of the high of 108 from last month. This makes a total of 373 vulnerabilities reported via the monthly Android security bulletin for 2016 and a total of 454 since Google started publicly publishing these monthly reports a year ago.

July 29, 2016

Security week-in-review: President introduces schema for rating cyber incidents

6730231949_1886f71498_z

It’s hard to keep up with the hundreds of security-specific headlines published every week.

So, we’re rounding up the top news that affect you, your business, and the security and technology industry overall. This week we explore a new cybersecurity incident response plan from the U.S. government, the FBI most wanted list for cyber criminals, and more. Check back every Friday to learn about the latest in security news.

July 29, 2016

Black Hat conference updates app to address privacy and social engineering concerns

Update: 2016-07-29 11:00am PT
Black Hat confirmed with Lookout an hour before we published our findings that they have taken measures to disable the social components found within the Black Hat USA 2016 conference app. This addresses the major privacy and social concerns brought to Black Hat by Lookout during the disclosure period. Users of the existing app do not need to do anything as the update is controlled by Black Hat and is pushed out automatically to the app.


The technical details of the issues that were found before the fixes were implemented can be found in the rest of this blog.

“On the Internet, nobody knows you’re a dog” – Peter Steiner

Ahead of this year’s Black Hat conference, Lookout checked out the event’s app and found a concerning flaw. The app, which would allow people to sign up, build a profile, and communicate with other attendees, was set up in such a way that anyone could sign up as anyone else, impersonating that person.

Black-Hat-App-USA-2016

The Black Hat conference app enabled attackers to become anyone or spy on attendees

July 22, 2016

Security week-in-review: The Oracle vulnerability enterprises should know about

3772015_7a4a5c0b73_z

It’s hard to keep up with the hundreds of security-specific headlines published every week.

So, we’re rounding up the top news that affect you, your business, and the security and technology industry overall. This week we explore patches to Oracle’s SDKs, Google’s Chrome browser, Apple’s iOS, and more . Check back every Friday to learn about the latest in security news.

July 20, 2016

A closer look at iOS 9.3.3: Apple patches 43 security vulnerabilities

Apple released the latest version of iOS version 9.3.3 on July 18 including patches for 43 security vulnerabilities. Industry watchers have been anticipating this update as one of the final patch cycles for iOS 9 before iOS 10 is released in the fall.

For enterprises with iOS deployments, regardless if they are corporately- or personally-provided, it’s important to know about the vulnerabilities and the latest patches and encourage users to update their devices.

Since it launched in September 2015, Apple has issued 334 security patches to iOS 9. This is already a little ahead of iOS 8, which only had 273 patches during its lifetime.

Screen Shot 2016-07-20 at 3.19.05 PM