ATTENTION! New - CVE-2017-18327
Security keys are logged when any WCDMA call is configured or reconfigured in snapdragon automobile, snapdragon mobile and snapdragon wear in versions MDM9607, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SDA660, SDX20, SXR1130.
via "National Vulnerability Database".
ATTENTION! New - CVE-2017-18326
Cryptographic keys are printed in modem debug messages in snapdragon mobile and snapdragon wear in versions MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 636, SD 650/52, SD 800, SD 810, SD 820, SD 835, SDA660, SDM630, SDM660, Snapdragon_High_Med_2016.
via "National Vulnerability Database".
ATTENTION! New - CVE-2017-18324
Cryptographic key material leaked in debug messages - GERAN in snapdragon mobile and snapdragon wear in versions MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 800, SD 810, SD 820, SD 835, SD 855, SDX24, Snapdragon_High_Med_2016.
via "National Vulnerability Database".
ATTENTION! New - CVE-2017-18323
Cryptographic key material leaked in TDSCDMA RRC debug messages in snapdragon automobile, snapdragon mobile and snapdragon wear in versions MDM9206, MDM9607, MDM9615, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SDA660, SDX20, SXR1130.
via "National Vulnerability Database".
ATTENTION! New - CVE-2017-18322
Cryptographic key material leaked in WCDMA debug messages in snapdragon mobile and snapdragon wear in versions MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 800, SD 810, SD 820, SD 835, Snapdragon_High_Med_2016.
via "National Vulnerability Database".
ATTENTION! New - CVE-2017-18321
Security keys used by the terminal and NW for a session could be leaked in snapdragon mobile in versions MDM9650, MDM9655, SD 835, SDA660.
via "National Vulnerability Database".
ATTENTION! New - CVE-2017-18320
QSEE unload attempt on a 3rd party TEE without previously loading results in a data abort in snapdragon automobile and snapdragon mobile in versions MSM8996AU, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 712 / SD 710 / SD 670, SD 810, SD 820, SD 820A, SD 835, SDA660, SDM439, SDM630, SDM660, SDX24, Snapdragon_High_Med_2016, SXR1130.
via "National Vulnerability Database".
ATTENTION! New - CVE-2017-18319
Information leak in UIM API debug messages in snapdragon mobile and snapdragon wear in versions MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 800, SD 810, SD 820, SD 835, Snapdragon_High_Med_2016.
via "National Vulnerability Database".
ATTENTION! New - CVE-2017-18141
When a 3rd party TEE has been loaded it is possible for the non-secure world to create a secure monitor call which will give it access to privileged functions meant to only be accessible from the TEE in Snapdragon Automobile, Snapdragon Mobile and Snapdragon Wear in versions IPQ8074, MDM9206, MDM9607, MDM9635M, MDM9650, MDM9655, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SDA660, SDM439, SDM630, SDM660, SDX24, Snapdragon_High_Med_2016.
via "National Vulnerability Database".
ATTENTION! New - CVE-2017-11004
A non-secure user may be able to access certain registers in snapdragon automobile, snapdragon mobile and snapdragon wear in versions IPQ8074, MDM9206, MDM9607, MDM9635M, MDM9650, MDM9655, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SDA660, SDM439, SDM630, SDM660, SDX24, Snapdragon_High_Med_2016.
via "National Vulnerability Database".
MobSTSPY Info-Stealing Trojan Goes Global Via Google Play
Across six apps, the spyware managed to spread to 196 different countries.
via "Threatpost | The first stop for security news".
Dual Data Leaks of Blur, Town of Salem Impact Millions
Password-manager Blur and role-playing game Town of Salem both disclosed data breaches this week that impacted a combined 10 million.
via "Threatpost | The first stop for security news".
Ohio law creates cybersecurity 'safe harbor' for businesses
Businesses showing good faith by modeling their cybersecurity after an approved framework will have legal protection under Ohio's Data Protection Act.
via "Security on TechRepublic".
⌨ Apple Phone Phishing Scams Getting Better ⌨

A new phone-based phishing scam that spoofs Apple Inc. is likely to fool quite a few people. It starts with an automated call that displays Apple's logo, address and real phone number, warning about a data breach at the company. The scary part is that if the recipient is an iPhone user who then requests a call back from Apple's legitimate customer support Web page, the fake call gets indexed in the iPhone's "recent calls" list as a previous call from the legitimate Apple Support line.

Jody Westby is the CEO of Global Cyber Risk LLC, a security consulting firm based in Washington, D.C. Westby said earlier today she received an automated call on her iPhone warning that multiple servers containing Apple user IDs had been compromised (the same scammers had called her at 4:34 p.m. the day before, but she didn't answer that call). The message said she needed to call a 1-866 number before doing anything else with her phone.

Here's what her iPhone displayed about the identity of the caller when they first tried her number at 4:34 p.m. on Jan. 2, 2019:

[Image: What Westby's iPhone displayed as the scam caller's identity. Note that it lists the correct Apple phone number, street address and Web address (minus the https://).]

Note in the above screen shot that it lists Apple's actual street address, their real customer support number, and the real Apple.com domain (albeit without the "s" at the end of "http://"). The same caller ID information showed up when she answered the scammers' call this morning.

Westby said she immediately went to the Apple.com support page (https://www.support.apple.com) and requested to have a customer support person call her back. The page displayed a "case ID" to track her inquiry, and just a few minutes later someone from the real Apple Inc. called her and referenced that case ID number at the start of the call.

Westby said the Apple agent told her that Apple had not contacted her, that the call was almost certainly a scam, and that Apple would never do that — all of which she already knew. But when Westby looked at her iPhone's recent calls list, she saw the legitimate call from Apple had been lumped together with the scam call that spoofed Apple:

[Image: The fake call spoofing Apple — at 11:44 a.m. — was lumped in the same recent calls list as the legitimate call from Apple. The call at 11:47 was the legitimate call from Apple. The call listed at 11:51 a.m. was the result of Westby accidentally returning the call from the scammers, which she immediately disconnected.]

"I told the Apple representative that they ought to be telling people about this, and he said that was a good point," Westby said. "This was so convincing I'd think a lot of other people will be falling for it."

KrebsOnSecurity called the number that the scam message asked Westby to contact (866-277-7794). An automated system answered and said I'd reached Apple Support, and that my expected wait time was about one minute and thirty seconds. About a minute later, a man with an Indian accent answered and inquired as to the reason for my call.

Playing the part of someone who had received the scam call, I told him I'd been alerted about a breach at Apple and that I needed to call this number. After asking me to hold for a brief moment, our call was disconnected.

No doubt this is just another scheme to separate the unwary from their personal and financial details, and to extract some kind of payment (for supposed tech support services or some such). But it is remarkable that Apple's own devices (or AT&T, which sold her the phone) can't tell the difference between a call from Apple…
Taming the Digital Wild West
Congress must do more to encourage good Samaritan efforts in the cybersecurity community and make it easier for law enforcement to consistently collaborate with them.
via "Dark Reading".
Adobe Issues Emergency Patch Following December Miss
The company released an out-of-band update to head off vulnerabilities exposed in Acrobat and Reader, one of which had been patched by the company in December.
via "Dark Reading".
LikeWars: How business leaders can prepare for this growing threat
Authors of the book LikeWar detail how social media can be weaponized. Read the questions they recommend business leaders ask and answer in preparation for a LikeWar.
via "Security on TechRepublic".
Benchmarking GDPR Privacy Operations — New IAPP / TrustArc research report reveals how companies are managing compliance (DPIAs)

In partnership with the IAPP, TrustArc recently completed a Survey on Privacy Program Metrics, which looked to establish some baseline metrics by which privacy programs around the world can benchmark themselves. The survey contained 27 questions, including demographic questions, and a total of 496 people took the survey.

Some sample questions we set out to answer with the survey were: How many business processes are organizations mapping? How many reports are they creating in order to comply with Article 30 of the EU General Data Protection Regulation? How many privacy or data protection impact assessments are necessary? How many incidents rise to the level of breach reporting? Are people being overwhelmed by subject access requests?

The largest group of respondents works in the U.S. (39 percent), followed by the European Union, excluding the U.K. (32 percent), the U.K. (12 percent), and Canada (8 percent). Respondents were evenly distributed throughout the range of company sizes, with organizations that employ 25,001 people or more representing 25 percent of survey respondents, followed next by organizations that employ 1-250 people (23 percent).

In this 4-part blog post series we are sharing highlights on the following key takeaways from the report:

- Data inventory is becoming a standard privacy management practice (published 12/5/2018)
- DPIAs are the most common type of privacy assessments
- Individual rights / data subject access rights (DSAR) requests impacting most organizations
- Data breach notification requirements impacting larger companies

Our last post in this series discussed how data inventory is becoming a standard privacy management practice; in this post we will show that DPIAs are the most common type of privacy assessments.

Many privacy regulations — and the GDPR in particular — take a risk-based approach to data protection. And, of course, risk lurks throughout the data processing life cycle.

While privacy impact assessments, often called data protection impact assessments in the EU, have long been integral parts of effective privacy programs, DPIAs are now legally required in some circumstances by the EU GDPR, which has brought focus to the spectrum of impact assessments, from initial impact assessments and targeted assessments against certain frameworks all the way to formal DPIAs delivered to EU data protection authorities.

Thus, we explored with respondents the types of privacy assessments their organizations currently conduct. A list of 11 different types of assessments, from which respondents could select multiple answers, as well as an open-ended "Other" answer choice, were presented.

The results showed that DPIAs were the most common privacy assessment, with 60 percent of respondents reporting that they conduct them. Privacy Impact Assessments (PIAs) were also conducted by about half (48 percent) of respondents.

For those organizations not completing DPIAs, the most common reason was that the organization felt it did not engage in high-risk processing activities.

Solution: TrustArc Assessment Manager

Assessment Manager streamlines the end-to-end assessment process following the proven TrustArc methodology developed and refined through thousands of engagements. Identify gaps, record risks, manage tasks, maintain comprehensive audit trails, and produce compliance reports to meet GDPR Article 35 DPIA, Vendor Risk, International Data Transfer and other regulatory requirements.

The assessments, including the DPIA assessment, are powered by intelligent content and leverage built-in logic and automated risk scoring. Skip logic functionality, as well as configurable compliance expressions, enable systematic identification of noncompliant answers and recommendations on how to remediate potential issues.

TrustArc also has a large team of expert consultants…
A Dozen Flaws in Popular Mac Clean-Up Software Allow Local Root Access
All of the vulnerabilities arise from improper input validations.
via "Threatpost | The first stop for security news".
How to create a security-focused work culture
Learn how to beef up your company's cyberdefenses by training employees on cybersecurity policies and procedures, password management, and phishing.
via "Security on TechRepublic".
Android Malware Hits Victims in 196 Countries
Malware disguised as games and utilities struck more than 100,000 victims before being taken out of Google Play.
via "Dark Reading".