Tag Archive for: credentials

1,859 Mobile Apps, Mostly iOS, Found Storing Hard-Coded Credentials for AWS Databases


According to research from Symantec, as many as 1,859 publicly available Android and iOS apps contain hard-coded AWS credentials. The unsafe mobile application development practices are paving the way for such supply chain vulnerabilities.

AWS access tokens are active in around 77% (1,431) of these 1,859 apps, which makes it possible for threat actors to access private AWS cloud services. Additionally, almost half of these apps (873) containing valid AWS access tokens provided access to private databases stored in Amazon S3 containing millions of files and data records.

The scenario is ideally suited for threat actors to breach data and have a far-reaching impact on the privacy of users and the security fabric of the entire mobile software supply chain. Such databases are usually leveraged by mobile app developers to store sensitive data, including but not limited to communication, app logs, private customer/user data, etc.

Case studies undertaken by Symantec Threat Hunter Team researcher Kevin Watkins revealed one such instance contained private authentication data and keys belonging to every banking and financial app. Personal data, including names, dates of birth, and other details, as well as 300,000 digital biometric fingerprints, were leaked across five mobile banking apps using the SDK.

Watkins also came across 16 online gambling apps that expose the entire infrastructure and cloud services across all AWS cloud services with full read/write root account credentials. As a result, their gaming operations, business data, and customer data are at risk.

Yet another case revealed that a company’s tech stack exposed all files it had on its intranet for more than 15,000 medium-to-large-sized companies, as well as customers’ corporate data, financial records, and employees’ private data.

Each of these cases has one thing in common. The companies exposed in each case rely on vulnerable software development kits (SDKs), libraries, or other components of the tech stack supplied by their technology providers. For example, the 16 online gambling apps were using a vulnerable library or had outsourced their digital and online operations to B2B companies.

Similarly, all banking apps that exposed data were…

Source…
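The article describes credentials shipped inside app bundles; the pre-release check a development team would want is a scanner that walks the unpacked bundle and flags AWS key material before the build leaves the pipeline. The following is an added example, not code from Symantec's research or from the article, and it assumes the app bundle (IPA or APK) has already been unpacked into a directory. The sample values are the AWS-documented example key pair (`AKIAIOSFODNN7EXAMPLE` and its companion secret), not live credentials, and the config text is constructed here for illustration.

```python
import math
import os
import re
from collections import Counter
from dataclasses import dataclass

# AWS access key IDs are 20 characters: AKIA (long-lived IAM) or ASIA (temporary STS)
# followed by 16 uppercase alphanumerics. Lookarounds stop matches inside longer tokens.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 characters from the base64 alphabet (no '=' padding).
# The pattern alone over-matches (hashes, build IDs), so a hit must also sit on a
# line that mentions "aws" or "secret" and pass an entropy threshold.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
SECRET_CONTEXT_RE = re.compile(r"(?i)aws|secret")


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str       # "access_key_id" or "secret_access_key"
    redacted: str   # prefix plus asterisks, so reports never carry the full value


def shannon_entropy(s: str) -> float:
    """Bits per character; random 40-char secrets land well above 4.0,
    repeated or placeholder strings well below."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path: str, text: str, min_entropy: float = 4.0) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "access_key_id", redact(m.group())))
        if SECRET_CONTEXT_RE.search(line):
            for m in SECRET_KEY_RE.finditer(line):
                if shannon_entropy(m.group()) >= min_entropy:
                    findings.append(
                        Finding(path, line_no, "secret_access_key", redact(m.group()))
                    )
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Walk an unpacked app bundle and scan every file as text (binary files are
    decoded leniently; key material embedded in them is still ASCII)."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    text = fh.read().decode("utf-8", errors="ignore")
            except OSError:
                continue
            findings.extend(scan_text(path, text))
    return findings


# Constructed sample of a config file a build might accidentally bundle. The key
# pair is the AWS documentation example, not a working credential.
SAMPLE_CONFIG = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
secret_placeholder = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""


def scan_sample() -> list[Finding]:
    return scan_text("Payload/App.app/aws.cfg", SAMPLE_CONFIG)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.path}:{f.line_no}: {f.kind} {f.redacted}")
```

The entropy gate is what keeps the secret-key rule usable: the 40-character placeholder on the last config line is skipped, while the real-looking secret is reported. Wire `scan_tree` into the build so a non-empty result fails the release step; the fix is then to move the key out of the bundle entirely (for example behind a backend or a short-lived token exchange), not to obfuscate it.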

GateHawk Gen3 Video Intercom Replaces Key Fobs With Mobile Credentials


GateHawk’s Gen3 video intercom includes on-smartphone access control, offering a built-in access reader that works with Bluetooth and NFC.

PHOENIX — Responding to the surging multi-dwelling market, GateHawk has introduced its Gen3 Video Intercom.

GateHawk says that its latest product addresses the increasingly important need for video intercom capabilities in multifamily apartments and single-family communities. The new Gen3 Video Intercom is designed to provide these residential environments with a modern, safe and convenient way to enter and leave these communities.

“We built this product to solve the frustrations caused by other video intercoms and gate entry systems on the market,” states Jenna Dickensheets, business manager at GateHawk. “Properties are tired of dealing with stagnant features, confusing interfaces, and high replacement costs. We’re giving them a new alternative.”

GateHawk Gen3 Video Intercom Complements Smart Devices

The access control manufacturer points out that its latest product offers residents of multi-dwelling and single-family communities a host of features that complement the products they use every day.

GateHawk emphasizes that its new video intercom incorporates smartphone access control, including a built-in access reader that works with Bluetooth and NFC. These wireless connectivity options allow residents to open a property gate using their smartphone instead of key fobs.

Some of the other features the new Gen3 Video Intercom provides include a companion mobile app that offers guest management, allowing residents to send temporary guest passes to family and friends instead of giving them gate codes.

GateHawk explains that all guests need to do is show a QR code to the video intercom and the door or gate will unlock.

GateHawk offers property owners a choice of three Gen3 Video Intercom models:

  • 12-inch touchscreen with a large touchscreen interface
  • 10-inch screen with keypad that provides a screen with a physical keypad
  • 7-inch screen with keypad that is designed for high-risk locations

The West Coast company adds the three Gen3 Video Intercom models employ stainless-steel enclosures that are engineered to…

Source…

FBI reports rise in cybercrimes against higher ed targets; employees must remain vigilant to protect WVU credentials | E-News


A recent FBI report on an uptick in cybercrimes in the higher education sector is a reminder to all employees that protecting University systems and data is a shared responsibility, and everyone has a role to play. While WVU has taken many steps to secure networks, computers and data, the threats are constantly changing, and faculty and staff must remain vigilant.

Here are some ways you can help defend WVU’s data:

  • Never use your WVU Login username and/or password on non-WVU sites. When those credentials are stolen from Netflix or Facebook, cybercriminals can use them to open a door into WVU systems.

  • Secure your WVU Login password. Don’t share it with anyone or write it down for someone to find.

  • Use a strong password or phrase. Ten characters is good, 12 even better. Use these tips to create strong passwords.

  • Be skeptical. Receive a suspicious-looking email? Don’t reply or click any links. Use the Report Message button in Outlook email or forward it as an attachment to [email protected].

WVU has already implemented many of the FBI’s recommended security measures to secure networks, computers and data, including: implementing two-factor authentication systemwide; limiting remote access to WVU systems, devices and data; enabling remote, automatic security updates to all WVU-owned and -managed computers; training and conducting phishing simulations; restricting access for people with administrative privileges on databases and servers; and segmenting networks to prevent unauthorized access.

“Security-related changes to the way WVU works are just part of the modern reality,” says Interim Chief Information Officer Brice Knotts. “Research universities like ours are data-rich targets for bad guys, and the threats are relentless and constantly changing. We need to be proactive in addressing them.”

“That’s why developing a comprehensive, long-range Information Security Strategy is one of the foundational projects in the WVU Modernization Program,” Knotts said.

According to the report from the FBI’s Internet Crime Complaint Center (IC3), Russian cybercriminals in January 2022 sold or shared public access to college and university networks across the…

Source…

Voicemail phishing emails steal Microsoft credentials • The Register


Someone is trying to steal people’s Microsoft 365 and Outlook credentials by sending them phishing emails disguised as voicemail notifications.

These emails were detected in May and are ongoing, according to researchers at Zscaler’s ThreatLabz, and are similar to a phishing campaign launched a couple of years ago.

This latest wave is aimed at US entities in a broad array of sectors, including software security, security solution providers, the military, healthcare and pharmaceuticals, and the manufacturing and shipping supply chain, the researchers wrote this month.

Zscaler has a front-row seat in this campaign; it was one of the targeted organizations.

“Voicemail-themed phishing campaigns continue to be a successful social engineering technique for attackers since they are able to lure the victims to open the email attachments,” the biz’s Sudeep Singh and Rohit Hegde wrote. “This combined with the usage of evasion tactics to bypass automated URL analysis solutions helps the threat actor achieve better success in stealing the users’ credentials.”

The attack starts with an email that tells the targeted user they have a voicemail waiting for them that is contained in an attachment. If the user opens the attachment, they are redirected to a credential-phishing site: a page masquerading as a legitimate Microsoft sign-in page. The mark is supposed to log in to complete the download of the voicemail recording, but in fact will end up handing over their username and password to criminals.

The “from” field of the email is crafted to include the name of the recipient’s company so that it looks at least a little convincing at first glance. JavaScript code in the HTML attachment runs when opened, and takes the user to a page with a URL that has a consistent format: it includes the name of the targeted entity and a domain hijacked or used by the…

Source…
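The chain described above (voicemail lure, HTML attachment, JavaScript in that attachment that redirects to a sign-in lookalike) has three observable features a mail gateway can score on before the message reaches a user. The code below is an added example, not Zscaler's detection logic or the article's, and it assumes messages arrive as RFC 5322 text that Python's `email` module can parse. The message it triages is constructed here; the sender, recipient and redirect domain are placeholders.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Lure vocabulary used by voicemail-themed phishing subjects and bodies.
LURE_RE = re.compile(r"(?i)voice\s*mail|voice message|missed call")
# Active content that turns an "attachment" into a redirect to a phishing page.
ACTIVE_CONTENT_RE = re.compile(
    r"(?i)<script\b|window\.location|document\.location|http-equiv\s*=\s*[\"']?refresh"
)
HTML_EXTENSIONS = (".htm", ".html", ".shtml")


def is_html_attachment(part) -> bool:
    name = (part.get_filename() or "").lower()
    return part.get_content_type() == "text/html" or name.endswith(HTML_EXTENSIONS)


def triage(msg: EmailMessage) -> dict:
    """Score one parsed message and return a verdict with the reasons that fired."""
    reasons = []
    score = 0

    subject = msg.get("Subject", "")
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    if LURE_RE.search(subject) or LURE_RE.search(body):
        reasons.append("voicemail_lure")
        score += 1

    for part in msg.iter_attachments():
        if not is_html_attachment(part):
            continue
        reasons.append("html_attachment")
        score += 1
        raw = part.get_payload(decode=True) or b""
        if ACTIVE_CONTENT_RE.search(raw.decode("utf-8", errors="ignore")):
            reasons.append("html_attachment_with_script")
            score += 2

    return {"score": score, "reasons": reasons,
            "verdict": "quarantine" if score >= 3 else "deliver"}


def parse_message(raw: bytes) -> EmailMessage:
    return BytesParser(policy=policy.default).parsebytes(raw)


def build_phish_sample() -> bytes:
    """Constructed message mirroring the reported pattern; all addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "Example-Corp Voicemail <noreply@example-corp.invalid>"
    msg["To"] = "employee@example-corp.invalid"
    msg["Subject"] = "New Voicemail (00:42) for employee"
    msg.set_content("You have a new voice message. Open the attached file to listen.")
    html = ('<html><body><script>'
            'window.location = "https://signin-lookalike.invalid/example-corp";'
            '</script></body></html>')
    msg.add_attachment(html, subtype="html", filename="voicemail_0042.html")
    return msg.as_bytes()


def build_benign_sample() -> bytes:
    msg = EmailMessage()
    msg["From"] = "colleague@example-corp.invalid"
    msg["To"] = "employee@example-corp.invalid"
    msg["Subject"] = "Minutes from today's meeting"
    msg.set_content("Attached are the notes we agreed on.")
    msg.add_attachment(b"notes", maintype="application", subtype="octet-stream",
                       filename="minutes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_phish_sample(), build_benign_sample()):
        print(triage(parse_message(raw)))
```

The scoring deliberately weights the attachment content highest: a voicemail subject on its own is common in legitimate PBX notifications, but an HTML file that executes a redirect as soon as it is opened has no business being a voicemail and is the element that survives the URL-evasion tactics the researchers mention, because the gateway inspects the attachment body rather than following a link.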