The SIM Swapping Bible: What To Do When SIM-Swapping Happens To You

MyCrypto and CipherBlade have collaborated on this article to help you understand the dangers of a SIM-jacking attack, and how best to defend yourself against and attack, and how to recover from such an event. This article aims to be a “one-stop” article to read, reference, and share with your friends and colleagues. It's not short, but it's thorough. We encourage you to ask questions and leave comments as you read. Whether you are a newcomer to this space or a long-time security expert, your commentary helps make this guide more comprehensive and keep it up-to-date. If you have more in-depth feedback, start a conversation with us. Note: SIM jacking is also commonly referred to as "SIM-swapping," "SIM porting," "port out fraud," "phone porting," and "SIM hijacking." We use these phrases interchangeably in this article. Of course, SIM-swapping isn’t the only risk that exists in this digital world. It’s a good idea to audit your online security overall, and we recommend referencing MyCrypto’s Security Guide For Dummies And Smart People Too. Table of Contents INTRO: What is SIM jacking? How do they get your SIM / phone number? How do you know if you’ve been SIM swapped? What happens once they get your SIM? PART 1: What to do before you get SIM jacked Reduce the chances of an attacker successfully swapping your SIM Separating Concerns Securing your Google Accounts Securing your Apple / iCloud Accounts Securing your Password Manager Securing your Authy Securing your Telegram Securing ALL The Things Last Step: Prepare Yourself Bonus Round! PART 2: What to do if you literally just had your SIM jacked Panic Correctly Call Your Phone Provider Lock Down Your Accounts Access or Return to Any Accounts You Haven’t Pull Logs From Call your phone provider again File a report with law enforcement PART 3: What to do after you’ve been SIM jacked Inform your network Fully audit & secure literally all of your accounts Do not engage with the attacker Decide What Information to Share with People Decide What Information to Share with the Service Providers of Breached Accounts Protect Your KYC & Identity Documents Accept Some Harsh Realities & Work to Move Forward Consider Hiring Professional Help CONCLUSION INTRO: What is SIM-jacking? Sim-jacking is an attack in which your phone number is migrated away from your SIM card / phone to a different SIM card / phone that an attacker controls. The attacker then uses this access to your phone number, usually via text message, to gain access to your other internet accounts. They do this by “recovering” access to an account (e.g., Google) or in conjunction with other information or access they have (e.g., using a previously leaked password + SMS 2FA). “But I'm not famous / wealthy enough to have this happen to me!” If you are reading this article, we guarantee that you are a potential victim of this attack. It doesn't matter how "famous" you are or how well-known or little-known you are. While there are certain actions that may make you a bigger target, we have seen far more people with increasingly smaller profiles falling victim to these attacks lately. Why? The ROI for attackers getting their hands on your crypto is huge. Crypto is very unique — it's decentralized, it can be easily anonymized, and it has real monetary value. This attack is relatively easy, requires no code, and is becoming increasingly reported upon, inspiring more and more attackers to give it a shot. Basically you right now. In addition, your cryptocurrency isn’t the only thing that can be stolen. 2019 saw a transition from stealing crypto to stealing sensitive data, such as business documents, personal information, or other data. The SIM swappers no longer need to rely on directly stealing funds—they can also succeed via extortion. Lastly, all the information an attacker needs in order to socially engineer a mobile phone provider's support representative is readily available via social media or sites like TruthFinder. Because most people (including possibly you) don’t realize the consequences of gaining unauthorized access to one’s phone number, it’s an area that is not secured in the same way other things can be secured. All of the above results in more people attempting more attacks with more success. In turn, it's not just famous people, the "top 100 influencers," or high-profile traders who are under attack. It's anyone and everyone who is involved in crypto. You are at risk. Accept this. Take action now before it is too late. How do they get your SIM / phone number? One of the reasons SIM-swap attacks have been so successful is that many mobile phone carrier representatives are extremely easy to socially engineer. An attacker can call up your phone provider’s support line, pretend to be you or another authorized party, and spin some story to get the support agent to transfer your number to the attacker's SIM. If they run into any friction, the attacker hangs up and immediately tries again with the next support agent. While this shouldn’t be possible, especially if you have a PIN number or other protection enabled, it still is. Unfortunately, there is no fool-proof way to prevent your phone number from being ported. Support agents aren’t trained on this type of attack and are able to migrate your phone number, regardless of the information “you” provide or don’t provide. 99% of their calls are from people who legitimately broke their phone or got a new phone and need this action taken. Support agents are typically paid next to nothing and their performance is judged by computers. There is little incentive for them to protect you from an attack they know nothing about, and a high incentive for them to help "you," keep "you" happy, and keep their average call times down. To make matters worse, any notes on your account are not prominently displayed to support agents and are completely inaccessible to them if you have an additional PIN / password on your account. Yup, that’ll solve it. How do you know if you’ve been SIM-swapped? You may receive a call or text from your phone carrier’s support agent if the attacker disconnects in order to try again. Typically they’ll say something like, “Sorry we got disconnected...” Don’t ignore this! They were just talking to someone who was pretending to be you. You will suddenly and unexpectedly have NO cell reception. None whatsoever. Restarting your phone doesn’t resolve. You may have notifications that came through before your phone lost service or if you still are connected via Wi-Fi, like emails from your phone carrier or password reset emails from various services. You may have a system notification stating that you can no longer access a phone-level account (like your Apple ID or Google account) and need to re-enter your password. On Android, you may have a “this account was added to a new device” notification. On iOS or your Mac computer, you may have a "are you attempting to log in from Los Angeles, California?" pop-up. If you use any non-SMS 2FA mechanisms that have push notifications (e.g., Microsoft Authenticator, Apple), you may have a “here’s the code you requested” or “are you trying to log in?" notification. What happens once they get your SIM? They start “recovering” access to your accounts one-by-one, gathering data, personal information, passwords, and a list of products and services you use as they go. Let’s look at one SIMple example. Keep in mind, this is not a comprehensive look at what an attacker could do to you. An attacker successfully gets your phone number on their device, allowing them to receive all your incoming text messages and phone calls. The attacker attempts to log in to your primary Google account and clicks “Forgot password?” The attacker clicks “Try another way” until they get to the “Get a verification code sent to (XXX) XXX-XXXX” screen. The attacker receives the SMS sent to your phone number that they now control and successfully resets your password and gains access to your Google account. The attacker changes your phone number and recovery email to ones that only they control, ensuring you cannot easily regain access to your account. The attacker looks through your email and sees emails from Coinbase and Kraken. The attacker goes to these exchanges, clicks “Forgot Password?,” and enters your email address (that they now control). The attacker withdraws all your crypto from your exchange account to their own crypto addresses (approving all trades and withdraws because they have access to your email and text messages). The attacker buys more crypto with any USD holdings you have, linked credit/debit cards, or linked bank accounts. If these transactions are processed before you regain access to your Google or exchange accounts, your bank account will be emptied, sold for crypto, and in the attacker’s sole control. Note: because the attacker has access to your email and SMS, they are able to intercept and then delete any emails or texts regarding your new password or withdrawals. This means you may not realize which accounts have been accessed or emptied until much, much later. Needless to say, it is incredibly damaging, especially if a bad actor is able to take over a critical account—think Google, Apple, or your password manager—that allows them to gain access to other accounts. PART 1: What to do before you get SIM-jacked There is no guaranteed way to prevent your SIM from being swapped. Therefore, we must approach this from two angles. Reduce the chances of an attacker successfully swapping your SIM. Reduce the consequences if your SIM is indeed swapped. The actionable items described below should take you three or four hours to complete. Please, take the time to secure yourself and your cryptocurrency. If you don't, perhaps consider that these decentralized, irreversible assets may not be a good fit for you right now. We applaud you for making it this far. You’ve invested more time into educating yourself about personal security than most. This is essential in a space where there is no centralized party, government, or bank to fix things if they go wrong. Reduce the chance of an attacker successfully swapping your SIM Depending on your phone carrier, you will typically have the following options for authorizing the transfer of a phone number to a new device: A numerical passcode, like 1234. Except, please don’t use 1234, nor the last four of your social, nor your birth date. A passphrase, like “password1234.” Except, please don’t use “password1234,” nor your pet’s name, nor a password you use elsewhere. Requiring in-person presence at a store with government issued ID. Obviously, #3 is the best option. We've worked with dozens of people who have been SIM-swapped and we have yet to see an attacker successfully swap a SIM in-store, with ID (although we do know of one case where it was attempted). This makes sense as it requires a lot of risk and effort on the part of the criminal. The downside is that mobile carriers have not established a sterling reputation for adhering to any of these security measures and, even if they do “put a note on your account,” it does not mean that the support agent who handles a call regarding your account will heed the request. Nonetheless, these steps are still worth taking, as it reduces the likelihood of a successful attack, makes it harder and more time-consuming for the attacker, and gives you the ability to prove you took these steps, which can allow you to pursue a civil case against your phone carrier, such as the one Michael Terpin has filed against AT&T. Action Items Log into your mobile phone carrier account and change your password to a strong, unique password. Enable 2FA or an additional PIN or passphrase if you can. In any unused fields, like middle name or address #2, add your own notes. Like: “DO NOT SWAP SIM” or “REQUIRE IN-STORE VISIT FOR ACCT CHANGES!!” or “DON’T YOU DARE PUT MY # ON A NEW PHONE!” If you have multiple people on the account, see if you can remove yourself as a person with authorized access to make account changes. Imagine you are an irresponsible 12-year-old teenager and the other person on the account is your mom

READ ORIGINAL ARTICLE... 

Why Facebook Was Dropped from the S&P 500® ESG Index

Jun. 11 2019 — When the S&P 500 ESG (Environmental, Social, and Governance) Indexunderwent its annual rebalance after markets closed on April 30, 2019, several notable companies were removed, including Wells Fargo, Oracle, and IBM. However, the largest component to be dropped was Facebook.

A day before its exclusion, Facebook held a weight of 2.5% in the S&P 500 ESG Index. At that time, Facebook was the fourth-largest company in the S&P 500, the parent index for the S&P 500 ESG Index, with a weight of 1.9%.

Why was Facebook removed? To better understand, a primer on the S&P ESG Index Series methodology[1] is helpful.

Some ESG indices, like the Dow Jones Sustainability Indices,[2] are narrow in their construction, selecting only a few leading companies in sustainability, industry by industry. Other ESG indices, such as the S&P 500 ESG Index, keep broad exposure but exclude companies lagging in ESG performance or that are involved in certain business activities, such as the production of tobacco or controversial weapons.

To keep alignment with the S&P 500 and to exclude companies underperforming in ESG, companies are ranked within their S&P 500 GICS® industry groups by their S&P DJI ESG Scores. They are then selected, highest to lowest, with the aim of getting as close as possible to a market capitalization threshold of 75% within each industry group.

In the case of Facebook, its overall S&P DJI ESG Score was 21, out of a range of 0 to 100, with 100 being best. This low score resulted in Facebook not being selected as part of the approximately 75% of the Media & Entertainment industry group’s market capitalization included in the S&P 500 ESG Index.



Drilling down further, though its environmental score was strong at 82, this sub-score only carried a 21% weight in determining its aggregate ESG score, as environmental issues tend to be less material for tech companies. More impactful were its social and governance sub-scores, which registered at 22 and 6, respectively. These scores carried weights of 27% and 52%, respectively.

The specific issues resulting in these scores had to do with various privacy concerns, including a lack of transparency as to why Facebook collects and shares certain user information. According to SAM, a unit of RobecoSAM, S&P Dow Jones Indices’ collaborator on the S&P 500 ESG Index, its “Media and Stakeholder (MSA) analysis found that Facebook had experienced many privacy issues over the past 24 months, including allowing more than 150 companies access to more users’ personal data than it had disclosed, misuse of personal information (e.g., Cambridge Analytica) and hacking of almost 50 million accounts. These events have created uncertainty about Facebook’s diligence regarding privacy protection, and the effectiveness of the company risk management processes and how the company enforces them. These issues caused the company to lag behind its peers in terms of ESG performance.”



The good news for Facebook and other members of the S&P 500 is that the composition of the S&P 500 ESG Index is reasonably fluid, rebalancing annually. However, the S&P DJI ESG Scores are relative measures.[3] As Facebook’s peers raise the bar in their ESG performance, Facebook will need to do even more to rejoin the ranks of the S&P 500 ESG Index.

Jun. 04 2019 — Do you ever wonder where environmental, social, and governance (ESG) factors—now used in more than 25%[1] of all assets under management—come from? The short answer is: Mainly from the good-practices checklists maintained by a handful of big ratings agencies.

But where did those agencies get their checklists? Mainly from the fruits of a handful of turn-of-the-millennium sources, including John Elkington’s “Triple Bottom Line,” the “100 Best Companies to Work For” list, and the United Nations Principles for Responsible Investment.

But where did these sources come from?

Sixty-five years ago, Peter Drucker wrote in his landmark book, The Practice of Management,“What is most important is that management realize that it must consider the impact of every business policy and business action upon society.”

While Drucker would have applauded the rise of ESG investing, he would have encouraged it as one piece of a broader, holistic view of “social responsibility.” For Drucker, social responsibility begins with the customer. After all, he wrote, “it is to supply the consumer that society entrusts wealth-producing resources to the business enterprise.” Drucker also held that a corporation must take care of its employees, maintaining that if “worker and work are mismanaged” it is “actually destructive of capital.” He counseled that companies must constantly pursue innovation, not merely to grow revenue but in service of their basic function as society’s “specific organ of growth, expansion and change.” In all of this, Drucker was decades ahead of his time, anticipating an age in which 80% of a company’s value[2] would take the form of intangibles not shown on a balance sheet.

Not that Drucker considered financial strength unimportant. Business’s “first responsibility,” Drucker declared, “is to operate at a profit,” so as to fulfill its role as “the wealth-creating and wealth-producing organ of our society.” Ultimately, Drucker saw that social responsibility would be the highest expression of business purpose rather than a feel-good sideshow—a harbinger of today’s concept of “shared value” and the basis of the S&P/Drucker Institute Corporate Effectiveness Index. “It is management’s…responsibility,” Drucker wrote, “to make whatever is genuinely in the public good become the enterprise’s own self-interest.”

The evidence that investors and executives are still catching up to Drucker’s foresight is, sadly, all around. Pleas to fix capitalism before it breaks beyond repair aren’t only coming from dissatisfied workers and customers or political ideologues; they’re coming from the power elite at Davos and the Milken Institute.[3]

Here again, we find ESG’s roots in Drucker’s philosophy. Sixty-five years before today’s headlines about worried billionaires, Drucker wrote, “capitalism is being attacked not because it is inefficient or misgoverned but because it is cynical. And indeed, a society based on the assertion that private vices become public benefits cannot endure, no matter how impeccable its logic, no matter how great its benefits.”

The rising concern for capitalism’s social viability comes alongside booms in both ESG investing and ESG products and services. That’s no accident. In Peter Drucker, we have the same person to thank for laying ESG’s foundation, sounding the alarm about its importance, and prescribing it as a solution.

[1]   Bernow, Sara, Klempner, Bryce, and Magnin, Clarisse. “From ‘why’ to ‘why not’: Sustainable investing as the new normal.” McKinsey & Company. October 2017.

[2]   EY – The Embankment Project for Inclusive Capitalism Report.

[3]   Jaffe, Greg. “Capitalism in crisis: U.S. billionaires worry about the survival of the system that made them rich.” The Washington Post. April 20, 2019.

READ ORIGINAL ARTICLE...



New SA crypto exchange starts rand-Bitcoin trading

South Africa’s newest crypto-currency exchange VALR today launched rand-Bitcoin trading on its platform. Customers can now buy and sell Bitcoin directly with rands, and also use Bitcoin and Ether to buy and sell over 50 other crypto-currencies.A little over an hour after VALR started rand-Bitcoin trading, CEO Farzam Ehsani said it had already seen millions of rand worth of trades.He attributed this to the platform having the lowest fees on the market, and that, for the first time, there was now international pricing of crypto-currencies for the South African market.The plan is to also launch rand-Ether trading in future.Ehsani told ITWeb that when VALR launched on December 6, 2018, it was very close to the bottom of the price of Bitcoin. Since then, the price has recovered somewhat, to just under $8 000.The platform is backed by United States-based exchange Bittrex and former FNB CEO Michael Jordaan. Aside from Ehsani, there are another three partners, who also contributed to the startup costs.Ehsani said he has a long-term view of crypto-currencies, and that it’s important to look past the day-to-day price movements.“The price will go up and down based on the whims of people, but if you understand the technology and the impact this asset class can have on the world, you take a different perspective.”He said VALR was seeing a ‘ridiculous’ amount of sign-ups at the moment, and that someone new was joining the platform every few minutes. Its customers now number in the thousands, and while they are accepting customers from all over the world, the majority are South Africans.It doesn’t accept customers from North Korea, or from the United States, due to the latter’s `particularly burdensome regulatory environment’.He’s particularly proud of VALR’s onboarding system, which he says is the fastest in the world.At the moment, exchanges in South Africa are not required to verify the identity of clients, a requirement known as KYC, or ‘know your customer’.Ehsani says, however, they’ve spent a significant amount of their R20 million startup money to build a system that automates the sign-on process.Prospective clients are asked for their name, surname, address and a password. They then upload an image of their ID, driver’s licence, or passport, which is then analysed to see if it’s a legitimate document.VALR now needs to tie these pieces of information together with a ‘liveness’ test, and the app will ask you to film a short video of yourself, following instructions, such as looking to the right and left, and repeating a string of numerals.It then compares frames of the video to the ID document, and if this matches, you’re cleared to trade. All this happens in about five minutes, and a staff member will only get involved if the system flags a discrepancy.

Exchange controls: Relic from the past

Bittrex is providing the liquidity for crypto-to-crypto trading.
In South Africa, there are exchange controls for on-shore and off-shore assets. An individual is allowed to move R1 million a year, subject to a valid SARS tax clearance certificate. No one is allowed, however, to buy crypto with rands, which, Ehsani says, is ‘very, very limiting, and why we need some liquidity to grease our operations’.
VALR thus facilitates trade between its customers and those from Bittrex.
Ehsani is a vocal opponent of exchange controls, and says it’s stifling the South African economy.
“It’s a relic from the past. It may have had a purpose during the apartheid regime, but we’ve grown beyond that now.”

READ ORIGINAL ARTICLE...

Types of backup and five backup mistakes to avoid

As humanity’s use of all kinds of technology has grown, terms like backup are no longer unfamiliar to the majority of people. Of course, the concept of a backup existed long before it came to be named as such. Whenever any important document or information was copied and stored in a place separate from the original for the purpose of ensuring the information would not be lost, the process of backing up was taking place. This way, if the original became damaged, it was possible to recover the information it contained by referring to the copy, which was kept in a different, safe location. When this notion was adopted by people and companies within a technological context, its original characteristics did not change – simply, new resources became available to make the backup process easier and faster.
In this article, we will look at the main types of backup operations, as well as at some of the most common mistakes that many of us may make while backing up our data. In short, there are three main types of backup: full, incremental, and differential.
Full backup
As the name suggests, this refers to the process of copying everything that is considered important and that must not be lost. This type of backup is the first copy and generally the most reliable copy, as it can normally be made without any need for additional tools.
Incremental backup
This process requires much more care to be taken over the different phases of the backup, as it involves making copies of the files by taking into account the changes made in them since the previous backup. For example, imagine you have done a full backup. Once you’ve finished, you decide that going forward you will do incremental backups, and you then create two new files. The incremental backup will detect that all the files in the full backup remain the same, and will only make backup copies of the two newly created files. As such, the incremental backup saves time and space, as there will always be fewer files to be backed up than if you were to do a full backup. We recommend that you do not try to employ this type of backup strategy using manual means.
Differential backup
A differential backup has the same basic structure as an incremental backup—in other words, it involves making copies only of new files or of files that underwent some kind of change. However, with this backup model, all the files created since the original full backup will always be copied again. For the same reasons as with incremental backups, we recommend that differential backups are also not carried out manually.
Where to store the backup
Once you have decided which type of backup is best suited to your needs, it is important to consider carefully where to store it. The types of media most commonly used for storing data have changed over the years. Backups have been variously done on punch card, floppy disk, optical media like CD, DVD and Blu-Ray, tape, external hard disk, cloud-based storage services, and more. One of the questions you need to consider when deciding where to save your backup copy is: How long am I going to need to keep this backup? Knowing the answer to that will make it easier to figure out which medium to store your files on.
To answer that question properly it would be necessary to know the specific needs of each individual business or home, so instead let’s look at two fictitious scenarios which will serve as examples of ways in which a backup can be of great value.
  • For businesses

The year is 2017 and the company ‘Fictitious Corp.’ starts its business day at 8 a.m. as usual. At around 11 a.m., one of the IT managers hears a strange sound coming from a nearby area. Just after hearing the noise, his phone rings and he answers it. After finishing the call, he realizes that the workstation is totally paralyzed and reads a message on the screen saying all the data are now encrypted. The same message is displayed on some of the other machines located in this and other areas of the business. Then he discovers that the company’s file server has crashed, caused by the same problem: the WannaCryptor ransomworm.
In this example, the company, which was dependent on its file server in order to be able operate, could have easily avoided its systems being paralyzed by the ransomware attack if it had maintained a full, offline and current backup of its file server.
  • A home-based example

Mr. Easygoing was watching TV from the comfort of his sofa at home when he suddenly felt a surge of nostalgia and got the urge to look at some photos of his wedding and his son’s birth. Just as he was opening the photos a downpour started. Once he finished looking through them, Mr. Easygoing went to the kitchen to fix something to eat, leaving the computer plugged in. Suddenly he heard the crash of a bolt of lightning, and the electricity went off. The next day, when the power was back on, he discovered that the computer’s hard disk was fried and that all the photos capturing his memories were lost.
Here, the incident occurred due to a power surge, but there are a great many other potential causes for data loss, and all of them can be protected against, at least to a great extent, by making regular backups. If you have any information you wouldn’t want to lose, a backup is an effective way to help prevent that from happening.

Common mistakes made while doing a backup
Now that we have looked at some of the issues around the importance of backups, let’s continue with some recommendations as well as some common mistakes made during the process.
  • Not doing a backup

This is without a doubt the most common mistake. Very often a backup was not done either due to not getting around to it or because of thinking the information wasn’t important—until it was lost.
  • Saving the backup copies on the same hardware as the original files

The idea of a backup is to make a copy for safekeeping. That copy must be stored in a location different from where the original files are kept. If they are stored on the same hardware and that hardware is damaged, the backup copies might be lost along with the originals.
  • Not testing the backup

Making a backup involves a series of processes. It isn’t enough to just create a copy – you also need to check the files to verify that the data you saved is actually accessible in case you need it. Indeed, testing your backups is just as important as backing up itself. Depending on the form of the backup, which is often a compressed file, it could become corrupted, in which case a new backup needs to be done.
  • Not running the backup regularly and sufficiently frequently

It is important to make backup copies regularly, especially if the information is frequently updated. Imagine, for example, that you are writing a book in a word processing document and you only make a backup copy on the first of each month. If the file is lost on the 15th of the month, you will only have a copy dating back to two weeks ago and you will have lost all the work you did in the interim.
  • Not labeling the backup files

After running your backups, keep a record of which archive is from which hardware. In case you need to recover the data, it will be essential to do so on the right equipment.
Conclusion
A data loss event can cost any of us dearly, and it goes without saying that backups should be part of everybody’s cyber-hygiene. In a way, backups are intended to protect the investment we make into the data, so let’s think ahead so that we don’t lose that investment.
Do you want to learn more? We have previously covered the issue of backup from several angles, including in a digestible white paper, ‘Options for backing up your computer’, which mainly dealt with the most common hardware and software resources involved in backup operations. We encourage you to give it a read.

Read Original Article...

WhatsApp discovers 'targeted' surveillance attack

Hackers were able to remotely install surveillance software on phones and other devices using a major vulnerability in messaging app WhatsApp, it has been confirmed.

WhatsApp, which is owned by Facebook, said the attack targeted a "select number" of users and was orchestrated by "an advanced cyber-actor".

A fix was rolled out on Friday.

On Monday, WhatsApp urged all of its 1.5 billion users to update their apps as an added precaution.

The surveillance software involved was developed by Israeli firm NSO Group, according to a report in the Financial Times.

Facebook first discovered the flaw in WhatsApp earlier in May.

WhatsApp promotes itself as a "secure" communications app because messages are end-to-end encrypted, meaning they should only be displayed in a legible form on the sender or recipient's device.

However, the surveillance software would have let an attacker read the messages on the target's device.

Some users of the app have questioned why the app store notes associated with the latest update are not explicit about the fix.

"Journalists, lawyers, activists and human rights defenders" are most likely to have been targeted, said Ahmed Zidan from the non-profit Committee to Protect Journalists.

Presentational grey line

How do I update WhatsApp?

Android

  • Open the Google Play store
  • Tap the menu at the top left of the screen
  • Tap My Apps & Games
  • If WhatsApp has recently been updated, it will appear in the list of apps with a button that says Open
  • If WhatsApp has not been automatically updated, the button will say Update. Tap Update to install the new version
  • The latest version of WhatsApp on Android is 2.19.134
iOS

  • Open the App Store
  • At the bottom of the screen, tap Updates
  • If WhatsApp has recently been updated, it will appear in the list of apps with a button that says Open
  • If WhatsApp has not been automatically updated, the button will say Update. Tap Update to install the new version
  • The latest version of WhatsApp on iOS is 2.19.51
Presentational grey line

How was the security flaw used?

It involved attackers using WhatsApp's voice calling function to ring a target's device.

Even if the call was not picked up, the surveillance software could be installed. According to the FT report, the call would often disappear from the device's call log.

WhatsApp told the BBC its security team was the first to identify the flaw. It shared that information with human rights groups, selected security vendors and the US Department of Justice earlier this month.

"The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” the company said on Monday in a briefing document note for journalists.

The firm also published an advisory to security specialists, in which it described the flaw as: "A buffer overflow vulnerability in WhatsApp VOIP [voice over internet protocol] stack allowed remote code execution via specially crafted series of SRTCP [secure real-time transport protocol] packets sent to a target phone number.”

Prof Alan Woodward from the University of Surrey said it was a "pretty old-fashioned" method of attack.

"A buffer overflow is where a program runs into memory it should not have access to. It overflows the memory it should have and hence has access to memory in which malicious code can potentially be run," he explained.

"If you are able to pass some code through the app, you can run your own code in that area.

"In VOIP there is an initial process that dials up and establishes the call, and the flaw was in that bit. Consequently you did not need to answer the call for the attack to work."

Who is behind the software?

The NSO Group is an Israeli company that has been referred to in the past as a "cyber-arms dealer".

While some cyber-security companies report the flaws they find so that they can be fixed, others keep problems to themselves so they can be exploited or sold to law enforcement.

The NSO Group is part-owned by the London-based private equity firm Novalpina Capital, which acquired a stake in February.

NSO's flagship software, Pegasus, has the ability to collect intimate data from a target device, including capturing data through the microphone and camera, and gathering location data.

In a statement, the group said: "NSO's technology is licensed to authorised government agencies for the sole purpose of fighting crime and terror.
"The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions. We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system.

"Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies. NSO would not or could not use its technology in its own right to target any person or organisation."

Who has been targeted?

WhatsApp said it was too early to know how many users had been affected by the vulnerability, although it added that suspected attacks were highly-targeted.

According to the New York Times, one of the people targeted was a London-based lawyer involved in a lawsuit against the NSO Group.

Amnesty International, which said it had been targeted by tools created by the NSO Group in the past, said this attack was one human rights groups had long feared was possible.

"They're able to infect your phone without you actually taking an action," said Danna Ingleton, deputy programme director for Amnesty Tech. She said there was mounting evidence that the tools were being used by regimes to keep prominent activists and journalists under surveillance.

"There needs to be some accountability for this, it can't just continue to be a wild west, secretive industry."

On Tuesday, a Tel Aviv court will hear a petition led by Amnesty International that calls for Israel's Ministry of Defence to revoke the NSO Group's licence to export its products.

What are the unanswered questions?

"Using an app as an attack route is limited on iOS as they run apps in very tightly controlled sandboxes," said Prof Woodward. "We're all assuming that the attack was just a corruption of WhatsApp but analysis is still ongoing.

"The nightmare scenario would be if you could get something much more capable onto the device without the user having to do anything," he said.

The BBC has asked WhatsApp for clarification.
Read Original Article...
Apple Repairs and Service
Member of the Internet Defense League

BitcoinCash Accepted

download