Monthly Archives: July 2023

News

Mobile Spyware: How Hackers Can Turn Your Phone Into a Stalking Machine

Read Time:6 Minute, 41 Second
Some crooks and shady characters will invade your privacy simply by asking for your permission to snoop—through invasive apps you install on your phone.
Invasive apps look like legitimate apps, yet they have an ulterior motive. They use a phone’s permission settings to spy on its user by accessing the phone’s camera, microphone, and more.
At the heart of any smartphone app you’ll find permissions, which allow apps to use certain features of your phone. A messaging app might ask for access to your camera and microphone to send video and voice messages. It might ask for permission to access your photos if you want to send pictures. Likewise, a navigation or rideshare app will ask for permission to access your phone’s location services.
In short, permissions make apps work. And broadly speaking, most apps out there are legitimate. Yet what about a game that asks for permissions to access your contact list? Or a flashlight app that wants to use your microphone? How about a run-of-the-mill wallpaper app that wants to know your location? These are all examples of invasive apps. And the creators behind them want your personal information and to invade your privacy as well.
Luckily, invasive apps are easy to spot. And remove.

Invasive apps and mobile spyware

Both invasive apps and mobile spyware snoop on you and your phone, yet invasive apps work differently than mobile spyware. Invasive apps use a phone’s built-in functionality to spy and gather information on you. Spyware is malware that can maliciously steal information by working secretly in the background. This can make an invasive app much easier to spot because it asks for broad permissions—permissions it doesn’t need to work.
Invasive apps might ask for permission to:

Use your camera.
Access your microphone.
Track your location.
Access and modify your contacts.
Read your calendar.

Requests for permissions such as these aren’t a sign of an invasive app in and of themselves. Some apps require them to work. The telltale sign of an invasive app is when the app asks for permissions it doesn’t need. Think like the flashlight app that wants access to your microphone.
The tricky bit with invasive apps is that many people quickly click through the user agreements and permission screens when they get a new app. Sometimes without reading carefully. That can particularly be the case with children grabbing a new app.
However, it’s never too late to spot an invasive app. And remove it.

Understanding, and controlling, permissions on your phone

With a quick trip to your phone’s settings, you can spot and remove invasive apps.
On an iOS device …
Go to Settings > Privacy & Security, then tap Safety Check.
Here you can see which apps use the permissions you granted them and make changes to those permissions as needed.You can also run an App Privacy Report, which records data and sensor access on an app-by-app level. Go to Settings > Privacy & Security, then tap App Privacy Report. You can adjust your permissions from there as well.

On an Android device …

On your device, open the Settings app.
Tap Apps. Tap the app you want to change. If you can’t find it, tap See all apps. Then, select your app. Tap Permissions. If you allowed or denied any permissions for the app, you’ll find them here. To change the permission setting, tap it, then select Allow or Don’t allow.
For location, camera, and microphone permissions, you might be able to select:

All the time: For location only. The app can use the permission at any time, even when you’re not using the app.
Allow only while using the app: The app can use the permission only when you’re using that app.
Ask every time: Every time you open the app, it’ll ask to use the permission. It can use the permission until you’re done with the app.
Don’t allow: The app can’t use the permission, even when you’re using the app.

Invasive app? You might just want to delete it.

Rather than pare back permissions on an invasive app, your best and safest bet is to delete the app altogether. Even with excessive permissions turned off, the app might collect other information and send it to the company who developed it. Further, they might share it with others. In short, an invasive app is a bad app all around. Get rid of it and go with something legitimate.

More ways to keep invasive apps off your phone

1. Update your phone’s operating system.

Along with installing security software, keeping your phone’s operating system up to date can greatly improve your security. Updates can fix vulnerabilities that hackers rely on to pull off their malware-based attacks. It’s another tried-and-true method of keeping yourself safe—and for keeping your phone running great too.

2. Avoid third-party app stores.

Google Play and Apple’s App Store have measures in place to review and vet apps to help ensure that they are safe and secure. Third-party sites might very well not, and they might intentionally host malicious apps as part of a front. Further, Google and Apple are quick to remove malicious apps from their stores when discovered, making shopping there safer still.

3. Review apps carefully.

Check out the developer—have they published several other apps with many downloads and good reviews? A legit app typically has quite a few reviews, whereas malicious apps might have only a handful of (phony) five-star reviews. Lastly, look for typos and poor grammar in both the app description and screenshots. They might be a sign that a hacker slapped the app together and quickly deployed it.

4. Go with a strong recommendation.

Yet better than combing through user reviews yourself is getting a recommendation from a trusted source, like a well-known publication or from app store editors themselves. In this case, much of the vetting work has been done for you by an established reviewer. A quick online search like “best fitness apps” or “best apps for travelers” should turn up articles from legitimate sites that can suggest good options and describe them in detail before you download.

5. Protect your phone.

Comprehensive online protection software can secure your phone in the same ways that it secures your laptops and computers. Installing it can protect your privacy, keep you safe from attacks on public Wi-Fi, and automatically block unsafe websites and links, just to name a few things it can do.

Be stingy with your apps and their permissions

Permissions make for powerful apps that can help you hail a ride, get a pizza delivered to your door, and map your afternoon run. In the wrong hands, they can also snoop on your activities. If an app ever feels like it’s asking for too many permissions to do its job, you might have an invasive app on your hands.
Yet the trick is that some invasive apps still slip through and end up on our phones. Quickly accepting terms and permissions is one reason. For extra protection, consider running a quick app audit. Check the apps and permissions on your phone as noted above and delete any suspicious apps.
Be stingy when it comes to giving your permission. Roll back the permissions so that the app works with the bare minimum of permissions. Set location services so that they’re only used when the app is in use. With social and messaging apps, select which photos you allow them to share rather than giving the app blanket access to your entire photo library.
And lastly, if an app seems like it’s asking for too much, it probably is. Avoid it altogether.

 

The post Mobile Spyware: How Hackers Can Turn Your Phone Into a Stalking Machine appeared first on McAfee Blog.

Read More

Advisories

USN-6237-1: curl vulnerabilities

Read Time:31 Second

Hiroki Kurosawa discovered that curl incorrectly handled validating certain
certificate wildcards. A remote attacker could possibly use this issue to
spoof certain website certificates using IDN hosts. (CVE-2023-28321)

Hiroki Kurosawa discovered that curl incorrectly handled callbacks when
certain options are set by applications. This could cause applications
using curl to misbehave, resulting in information disclosure, or a denial
of service. (CVE-2023-28322)

It was discovered that curl incorrectly handled saving cookies to files. A
local attacker could possibly use this issue to create or overwrite files.
This issue only affected Ubuntu 22.10, and Ubuntu 23.04. (CVE-2023-32001)

Read More

Advisories

USN-6236-1: ConnMan vulnerabilities

Read Time:1 Minute, 59 Second

It was discovered that ConnMan could be made to write out of bounds. A
remote attacker could possibly use this issue to cause ConnMan to crash,
resulting in a denial of service, or possibly execute arbitrary code. This
issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2021-26675, CVE-2021-33833)

It was discovered that ConnMan could be made to leak sensitive information
via the gdhcp component. A remote attacker could possibly use this issue
to obtain information for further exploitation. This issue only affected
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2021-26676)

It was discovered that ConnMan could be made to read out of bounds. A
remote attacker could possibly use this issue to case ConnMan to crash,
resulting in a denial of service. This issue only affected Ubuntu 16.04
LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
(CVE-2022-23096, CVE-2022-23097)

It was discovered that ConnMan could be made to run into an infinite loop.
A remote attacker could possibly use this issue to cause ConnMan to
consume resources and to stop operating, resulting in a denial of service.
This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04
LTS, and Ubuntu 22.04 LTS. (CVE-2022-23098)

It was discovered that ConnMan could be made to write out of bounds via
the gweb component. A remote attacker could possibly use this issue to
cause ConnMan to crash, resulting in a denial of service, or possibly
execute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu
18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-32292)

It was discovered that ConnMan did not properly manage memory under
certain circumstances. A remote attacker could possibly use this issue to
cause ConnMan to crash, resulting in a denial of service, or possibly
execute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu
18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-32293)

It was discovered that ConnMan could be made to write out of bounds via
the gdhcp component. A remote attacker could possibly use this issue to
cause ConnMan to crash, resulting in a denial of service, or possibly
execute arbitrary code. (CVE-2023-28488)

Read More

Advisories

[RT-SA-2023-001] Session Token Enumeration in RWS WorldServer

Read Time:21 Second

Posted by RedTeam Pentesting GmbH on Jul 19

Advisory: Session Token Enumeration in RWS WorldServer

Session tokens in RWS WorldServer have a low entropy and can be
enumerated, leading to unauthorised access to user sessions.

Details
=======

Product: WorldServer
Affected Versions: 11.7.3 and earlier versions
Fixed Version: 11.8.0
Vulnerability Type: Session Token Enumeration
Security Risk: high
Vendor URL: https://www.rws.com/localization/products/additional-solutions/
Vendor Status:…

Read More