Tag: security

Telus partners with Sandvine to enhance its network’s security, speed, and reliability

Post author By Mobile Syrup
Post date 21 January 2022

Waterloo, Ontario, Canada- September 30, 2019: Sign of Sandvine Incorporated

Telecom giant Telus has entered a new contract with network intelligence company Sandvine to assist with future growth across its network.

The “multi-year contract” will see Telus using Sandvine’s application and network intelligence solutions through Google cloud to monitor and manage mobile data and video traffic. Telus will also use Sandvine’s 4G and 5G analytics solutions towards security, customer insights, and enhancing experience.

This isn’t the first time the two companies have worked together. Telus has been a Sandvine customer since 2013.

The new extension will allow Telus to keep up with growing demands for speed, latency, and reliability, a statement from Sandvine states. This is a must if Telus hopes to continue to offer the fastest mobile speeds in Canada.

“Our relationship with Sandvine in their application and network intelligence solutions will play an important role in helping us ensure we deliver high-quality experiences and greater security for our customers as 5G, Cloud and Digital business adoption grows in Canada,” Ibrahim Gedeon, the chief technology officer at Telus, said in a statement.

Details as to how long the contract will last and how much Telus paid are not publicly available.

Image credit: ShutterStock

Source: Sandvine

Tags 4G, 5G, latecy, Sandvine, security, telus

Mobile Syrup

Millions in recent funding make 1Password one of Canada’s most valuable tech companies

Post author By Mobile Syrup
Post date 19 January 2022

Stuttgart, Germany – 08-01-2021: Person holding smartphone with logo of password manager company AgileBits Inc. (1Password) on screen in front of website. Focus on phone display. Unmodified photo.

Toronto-based cyber security company 1Password has grown its net worth into billions.

A statement from the company shows it raised $620 million USD (roughly $774 million CAD) in recent rounds of funding. This is the largest amount raised by a Canadian company.

1Password is now valued at $6.8 billion USD (roughly $8.4 billion CAD).

The company creates technology that helps businesses keep their information safe and focuses its products around human actions. It allows companies to keep track of what apps employees are downloading without permission, breaching possible security guidelines.

“Our mission has always been to ease the tension between security and convenience, and the opportunity to deliver on this has never been bigger for 1Password,” Jeff Shiner, CEO of 1Password, said in a statement.

Investments came from a barrage of people, including celebrities and CEOs. Executives at LinkedIn, General Motors, and Snowflake Computing are also investing.

Over the past 24 months, the company’s customer base grew past 100,000, leading to the hiring of 570 employees.

The company will use the additional funds to develop security solutions that will help companies protect private data and other information. This will focus on improving the company’s existing security measures and creating better habits for employees.

“That way, we can tackle the biggest security threats facing the modern workforce and deliver on the promise of providing a safer life online for families and businesses around the world,” Shiner said.

Image credit: ShutterStock

Source: 1Password

Tags 1password, passwords, privacy, security

Mobile Syrup

BlackBerry introduces new feature to help users working with U.S. government comply with new rules

Post author By Mobile Syrup
Post date 5 January 2022

KAUFBEUREN, GERMANY – June 8, 2021: BlackBerry company logo on a website with blurry stock market developments in the background, seen on a computer screen through a magnifying glass.

BlackBerry is making changes to its software to comply with new cybersecurity rules in the U.S.

President Joe Biden’s executive order on cybersecurity requires any technology solutions provider working with the government to provide a software bill of materials (SBOM). This is a list of components that make up a piece of software.

The requirement is in an effort to ensure any security vulnerabilities in software dealing with the country’s infrastructure are immediately identified and dealt with.

The company’s software composition analysis tool, BlackBerry Jarvis, has a new feature that allows users to easily generate a SBOM that outlines the information required by the government and will lead to a speedy response if any vulnerabilities are found.

According to a press release, the feature will become available sometime in “early 2022.”

“With BlackBerry Jarvis’ new ability to generate an SBOM report in the U.S. government’s mandated format, it’s now become an even more invaluable tool to procurement officers tasked with managing the nation’s cybersecurity and software supply chain risk,” Adam Boulton, chief technology officer at BlackBerry Technology Solutions, said in a statement.

Image credit: ShutterStock

Source: BlackBerry

Tags blackberry, BlackBerry Jarvis, security, U.S. government

Mobile Syrup

Apple patched iCloud against massive Log4Shell vulnerability

Post author By Mobile Syrup
Post date 14 December 2021

Late last week, details emerged about a wide-reaching security vulnerability that affected tons of online services and apps, including Apple’s iCloud service. However, the iPhone-maker has reportedly already patched the flaw.

As a refresher, the vulnerability, dubbed ‘Log4Shell,’ impacts an open-source logging library called ‘log4j’ that’s widely used in online services to log events, errors, activities and more. The Log4Shell flaw effectively allowed an attacker to gain access to and execute remote code on servers running log4j simply by getting the logging system to log a specific string of characters.

Due to the wide use of log4j, several major online services are (or were) vulnerable to Log4Shell. Minecraft was among the first platforms impacted by Log4Shell, which saw attackers post chat messages with the specific string to attack servers. A Minecraft patch released Friday fixed the vulnerability.

Other services impacted by Log4Shell included Steam, Twitter, Amazon, Tesla and more. Apple’s iCloud was on the list, but Apple reportedly patched the service on December 11th.

According to The Eclectic Light Company, a blog about Macs and paintings (via Macworld and 9to5Mac), researchers were able to demonstrate the Log4Shell vulnerability when connecting to iCloud through the web on December 9th and 10th. However, the process no longer worked on December 11th.

Ultimately, it appears Apple patched the security flaw in iCloud rather quickly. That’s good news for any iCloud users out there and should be par for the course with large tech companies. There’s also a log4j patch available that helps mitigate the security vulnerability, which should help with patching vulnerable services.

Unfortunately, thanks to the wide-ranging impact of Log4Shell, it will likely take time for all vulnerable services to issue patches.

Source: The Eclectic Light Company Via: Macworld, 9to5Mac

Tags apple, icloud, log4j, Log4Shell, security, vulnerability

Mobile Syrup

Apple patched iCloud against massive Log4Shell vulnerability

Post author By Mobile Syrup
Post date 14 December 2021

Other services impacted by Log4Shell included Steam, Twitter, Amazon, Tesla and more. Apple’s iCloud was on the list, but Apple reportedly patched the service on December 11th.

Unfortunately, thanks to the wide-ranging impact of Log4Shell, it will likely take time for all vulnerable services to issue patches.

Source: The Eclectic Light Company Via: Macworld, 9to5Mac

Tags apple, icloud, log4j, Log4Shell, security, vulnerability

Mobile Syrup

Security flaw in widely-used logging system impacts Minecraft, iCloud, more

Post author By Mobile Syrup
Post date 11 December 2021

A massive security vulnerability dubbed ‘Log4Shell’ that potentially impacts millions of devices has security teams scrambling to apply patches.

The vulnerability affects an open-source logging library called ‘log4j’ used by apps and services across the internet, according to The Verge. Logging, for those not familiar, is a common process where apps keep a running list of activities they perform that can be reviewed later in case of an error. Nearly every network security system runs some kind of logging process — that gives libraries like log4j significant reach and, by extension, huge impact when there’s a vulnerability like this.

The log4j flaw could allow remote code execution on vulnerable servers if exploited. That could give attackers the ability to import malware that would compromise machines.

Worse, the vulnerability is fairly easy to exploit. Attackers need to make an application save a special string of characters in the log — since apps often log a range of events, covering everything from chat messages to system errors — it’s not hard to inject the string.

For example, the exploit was first spotted on sites hosting Minecraft servers. Those sites discovered that attackers could trigger Log4Shell by posting chat messages. A new version of Minecraft that rolled out Friday includes a patch for the vulnerability.

However, Minecraft is far from the only impacted service. A blog post from security company LunaSec claims that Valve’s popular PC gaming platform Steam and Apple’s iCloud are both vulnerable to Log4Shell. Other vulnerable platforms will likely be discovered in the coming weeks.

The Verge reports that an update released for the log4j library mitigates the vulnerability. However, considering the sheer number of impacted apps and services, and the time it’ll take to update everything, Log4Shell will remain a significant problem.

Source: Ars Technica, The Verge

Tags flaw, icloud, log4j, Log4Shell, logging, Minecraft, security, Steam, vulnerability

Mobile Syrup

Facebook to require users at risk of being hacked to enable 2FA

Post author By Mobile Syrup
Post date 2 December 2021

Meta’s Facebook social media platform will soon require users at risk of being hacked, such as human rights activists, politicians and journalists, to enable two-factor authentication (2FA).

As reported by Engadget, the move comes as part of an update to Facebook’s ‘Protect‘ program, which was designed to offer extra security to at-risk accounts. The Protect program will require participants to turn on 2FA, with U.S. members needing to do so by mid or late February. Presumably, people in other countries will also have a deadline to enable 2FA depending on when Protect rolls out to them.

Facebook told Engadget that it worked to make 2Fa enrollment “as frictionless as possible.” While Facebook is aware it’ll take time for all users to comply with the rule, it seems pleased with results so far.

“So far, it’s actually going very, very well we’re seeing well above 90% of people successfully enabling ahead of that mandatory period,” Meta’s head of security policy, Nathaniel Gleicher, said. Moreover, Gleicher told Engadget that over 1.5 million users enrolled in the program so far, and 950,000 have switched on 2FA. Still, 2FA remains an underutilized security feature on Facebook — only 4 percent of the platform’s monthly active users have it enabled.

2FA, for those not familiar with the term, refers to various secondary methods of authentication for online accounts. If you’ve ever tried to log in to an online account and been asked to type in a code sent to you by email or text message, you’ve used a variant of 2FA. When coupled with a strong password, 2FA can help make online accounts more secure since a hacker would need both your password and a secondary, typically temporary, authentication.

That said, 2FA isn’t perfect. Malicious actors have started using attacks like SIM swapping to gain access to victims’ phone numbers and intercept 2FA codes. Because of this, using a smartphone app or a security key to handle 2FA instead of relying on SMS or email to receive 2FA codes is more secure.

Facebook first started testing Protect in 2018, then offered it to U.S. politicians ahead of the 2020 election. Since then, Facebook has expanded the program and is on track to make it available in over 50 countries by the end of 2021, including the U.S. and India.

You can learn more about Facebook Protect here.

Source: Engadget

Tags 2FA, Facebook, méta, protect, security, two factor authentication

Mobile Syrup

MediaTek fixed chip flaws that could allow apps to eavesdrop on users

Post author By Mobile Syrup
Post date 24 November 2021

Vulnerabilities in the artificial intelligence (AI) and audio processing components of recent MediaTek chips could have allowed eavesdropping on device owners. However, the flaw was reportedly never exploited in the wild.

MediaTek has fixed the vulnerabilities as of October, according to Check Point Research (via Android Police). While resolved, the vulnerabilities were quite serious and impacted a wide range of devices. As of Q2 2021, MediaTek powered about 43 percent of the worldwide smartphone market, making it the number one phone chip manufacturer by volume.

Although a list of impacted devices and/or chipsets wasn’t made available, Android Police reports that it sounds like the vulnerabilities affected modern MediaTek Dimensity chips and other MediaTek chips that use the ‘Tensilica’ APU platform.

In total, Check Point found four vulnerabilities that, when exploited together, could allow an app to pass commands to the audio interface. In other words, a malicious app could interact with the audio interface in ways that it shouldn’t be able to do and, in some cases, could even hide malicious code in the audio chip itself.

Researchers claim that malicious apps could have eavesdropped on customers using the vulnerability. Worse, device manufacturers could have used to create an eavesdropping campaign. However, the vulnerabilities weren’t caught being exploited in the wild.

In a statement to Android Police, MediaTek said:

“Regarding the Audio DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to all OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store.”

If your phone has a MediaTek chip in it, you should make sure to install the latest security updates if you haven’t already.

Source: Check Point Research Via: Android Police

Tags Audio, chip, flaw, MediaTek, security, smartphones, vulnerability

Mobile Syrup

Apple will send threat notifications to potential spyware targets

Post author By Mobile Syrup
Post date 24 November 2021

Following Apple’s announcement that it will sue NSO for attacking iOS users, the iPhone-maker also revealed its monitoring devices for signs of compromise and will alert users with affected devices.

As a refresher, NSO is an Israel-based company that developed the ‘Pegasus‘ spyware used to compromise iPhones. NSO claims it only sells the tool to governments and law enforcement agencies, but reports show that Pegasus was used against activists, journalists and even Jeff Bezos (just to name a few targets).

According to a new support document from Apple, the company will deliver threat notifications to people potentially targeted by Pegasus in three ways: via iMessage, email and an alert on the Apple ID website (pictured below).

Further, Apple says that these threat notifications will never ask users to click on any links or install anything. If you receive a threat notification and aren’t sure about its validity, Apple suggests you sign into ‘appleid.apple.com’ to check.

However, the company also acknowledges that things can change quickly, and says it cannot guarantee it will detect all attacks. Apple warns that false alarms are possible as well.

Finally, Apple lays out several steps iPhone owners should take to further protect themselves from potential attacks. Steps include updating devices to the latest software and security fices, protecting devices with a passcode, using two-factor authentication (2FA) and a strong password for their Apple ID, only installing apps from the App Store (where else would you get them?), using strong passwords for online services and finally, Apple warns not to click on links or attachments from unknown senders.

That last one is particularly important when it comes to Pegasus. One of the main ways attackers deliver spyware is by sending links or files to targets. When clicked, these links or files can install Pegasus without the target’s knowledge.

It might also be wise to avoid clicking links or files sent by people in your contacts too. It’s entirely possible for attackers to spoof sender details to make it look like something’s coming from a familiar source.

All that said, most people probably don’t need to worry about Pegasus on their phones. The tool is often deployed against journalists, activists, politicians and other public or important figures, not average people. Still, at least now there’s some reassurance that if an attacker used Pegasus against you, Apple might be able to warn you about it.

Those interested can learn more about Apple’s threat notifications here.

Source: Apple Via: 9to5Mac

Tags apple, nso, Pegasus, security, spyware, threat notifications

Mobile Syrup

Up to 25,000 TTC workers may have had info stolen in ransomware attack

Post author By Mobile Syrup
Post date 8 November 2021

Employees who work for the Toronto Transit Commission may have had their personal information stolen in a company-wide cyber attack.

The agency says that up to 25,000 employees might have had their names, addresses and SIN numbers compromised when the transit agency was hacked a few weeks ago. On top of that, the transit authority is also looking into whether any businesses and customers might have also been affected.

The only silver lining that the TTC has provided is that it is “very important to note that, at this time, there is no evidence that any of the personal information that was accessed has been misused.” Do with that what you will.

The TTC was attacked on October 29th, and the hackers began by messing with vehicle tracking systems, online booking portals, internal emails and more. The agency has been working to resolve the issues and has said that it’s been notifying affected individuals. It’s also providing credit monitoring and theft protection as it deems appropriate. This seems like a bit of a weak response from a company whose employees now have to worry about identity theft.

Source: TTC

Tags security, ttc