Greetings, online security lovers! It’s mid-February and the world is full of red hearts, but we see an online world full of red alerts:
- The big red alert is stalkerware on phones, see the report you should have read.
- Email security has high miss rates, causing users to see red.
- StockX’s marketplace has many users’ bank accounts in the red.
- I see red over a new WhatsApp “flaw” found on February 4.
- Apple decided not to encrypt iCloud after the FBI said “Come on, no.” Apples are red.
Read to the bottom as a big story was published on Sky ECC this month as we did a penetration test of the BQ Aquaris X2.
1. Stalkerware Highlighted at CTI Summit
The focus was that developers need to either stop deliberately creating stalkerware, or stop creating stalkerware with ‘good intentions’ as it’s often used for nefarious purposes. Sophisticated stalkerware is nearly undetectable, and can steal a wide variety of phone data including GPS locations, reading messages via keyloggers, and tracking web browsing.
2. Email security misses too many risky messages
A BitDam study has shown that Microsoft and Gmail’s email software can take up to 2 days to detect new attacks. This is a pretty bad statistic as it takes considerably less time to send an email, or to send thousands of emails. The main issue is threat databases not being updated.
These issues are exactly why Sky ECC restricts unknown users from messaging you, and why internet access is so restricted. There are too many risks when you should be focused on having trusted conversations.
3. StockX marketplace hack continues
StockX is a sneaker marketplace which was hacked in August of 2019. Why are we looking at this months later? Because users are still feeling the impact of it to this day as StockX’s security measures have been, to put it politely, inadequate.
This is a good reminder to do an audit of every online account which has your payment credentials and really think about whether or not the service needs them or if you need the service. The risk is too high, to leave your payment details out there when they are not necessary.
4. Billions of WhatsApp users at risk…again again
Nearly every newsletter I warn you of another WhatsApp issue (4 of the last 7 now), and this is bad as millions are vulnerable because the flaws could be used by remote attackers to steal files from the WhatsApp Web application.
How does it work? Some insane trickery involving complex actions carried out by moonlight? No. The hacker sends a message with a malicious link that users click. That’s it. Remember what I was saying above about trusted contacts and restricted internet access protecting you? Well, that point applies here as well.
5. Apple decides not to protect you because the FBI wants unstoppable surveillance
Apple was considering offering all users the chance to secure their data on iCloud–which could protects millions from account hacks–but backed down when the FBI said “Hey! We need that for surveillance…of bad guys! Yes. Just bad guys. No mass surveillance agenda here!”
Data backups on servers are a risky business–Jean, Sky ECC’s CEO, wrote about the topic on our blog–and are even more risky without encryption. I have iCloud backups turned off on every device and account I can, and I wouldn’t recommend anyone else use it for anything they want to keep secure either.
Links to stories mentioned:
- StalkerWare in phones report
- Email security issues
- StockX hack issues persist
- WhatsApp Web security issue
- Apple bows to FBI pressure
Posts from Sky ECC this month!
Sky HQ put together a great post for you all this week as Andrew, Sky’s resident pentester, teamed up with our writer Matthew (Hey! That’s me!) to bring you a piece on the BQ Aquaris X2 and its security failures.
There’s also another addition to the Use Case Series, and a piece that was written for Data Privacy Day. Be sure to check in with the Sky ECC blog weekly as there will be something new.
We Did a Security Audit of the BQ Aquaris X2 and it Failed
The BQ Aquaris X2 was tested against the security audit all Sky ECC devices go through. We bought one and quickly broke it as a secure tool. Read how poorly it performed.
Data Privacy Day: Own Your Privacy with Private Chat Apps
For Data Privacy Day we looked at all of the ways which chat apps must secure themselves in order to call themselves truly secure. Nine different ways were found which you can learn about now.
Use Case for Communications and Research Security in Educational Institutions
Research being conducted at universities around the world is under threat as hackers seek to steal data from them, or lock them up with ransomware. Learn about the risks and see how Sky ECC can help.