A smartphone that does not support WhatsApp is as good as a kambudzi (feature phone) to most Zimbabweans. Imagine trying to take over the Zimbabwean market with such a smartphone. It would have some takers if it had solid cameras, batteries, design etc. but most would laugh it off.

Thats increasingly how it feels for smartphone manufacturers trying to take on Apple in the United States. Apple dominates the important US market with a 57% market share.

Thats nothing though compared to the following crazy stat: 87% of American teens use an iPhone with 88% expecting their next phone to be an iPhone too.

You can see how Android is doomed in the US. Gen Xers and older generations are dying off whilst millennials are greying out. Who is going to use Androids in the US in the future?

One major reason why Androids are failing to convince US teens to switch is iMessage. That instant messaging app, which is exclusive to Apple devices is their version of WhatsApp. So, imagine being a teen in the US and not being able to participate because you went for a fancy folding Samsung.

So, that means teens who arent necessarily fans of the iPhone end up using it just so they can be a part of the group chats.

Do note though that non-iPhone users can message their sheep iPhone-toting friends. To understand how, imagine WhatsApp being combined with the SMS app.

That way, if someone does not have WhatsApp their message would get to you and you could respond to them with WhatsApp converting your message to a simple SMS so they can deliver it. I wish WhatsApp had this feature.

Of course, your SMS-using friend would not be able to access some WhatsApp features like blue ticks, typing indicators, the ending of images and videos etc.

Thats how it is for Android users sending messages to iMessage users. They can only send SMS and MMS, meaning that even the videos they send are compressed to a crazy degree and get to the iPhone users all pixellated and low quality.

If youve ever heard these teens talk about Androids taking garbage pictures, its because they really think so because when Androids send those images via iMessage (MMS) they get to the recipients in a terrible state.

This is why Google kept pressing Apple to adopt RCS, which to put it simply, is a new SMS standard that gives SMS some of the features we have come to expect from WhatsApp, iMessage and the competition.

Using RCS, iMessage users can receive pictures and videos in HD quality from their Android-using friends.

This is why we talked about: EU doing the lords work. Apple now bringing RCS support to iMessage.

Nothing is an exciting new Android phone manufacturer. I like their offerings even though I believe they try to model themselves after Apple a little too much for my liking.

Now, Nothing saw this teen iPhone usage in the US and realised it didnt matter how good their phone looked, or how much they innovated, they were not getting the American teen. Which meant losing out on a whole generation and a bleak future.

They decided to bring iMessage to Android by hook and crook. They partnered with a company called Sunbird to make that happen.

Of course, this was not all above board, Tim Cook would never release iMessage on Android. Here is what Sunbird and others do.

It works by combining cloud-based servers and Android software. To start using Sunbird, you need to set up an iCloud account on a cloud server. Once you have done that, Sunbird uses a VPN to connect to the iCloud account. This connection is used to create a virtual iPhone on the server, which allows you to send and receive iMessages on your Android device.

The Android software works by intercepting SMS and MMS messages and then converting them into iMessages. The converted iMessages are then sent to the virtual iPhone on the cloud server, where they are relayed to the intended recipients iPhone.

Nothing decided to skin and rebrand Sunbird as Nothing Chats and announced that they had iMessage on an Android. On this announcement, many people raised privacy concerns but Nothing and Sunbird assured us that all was in order.

Except it wasnt. Sunbird misrepresented the security of their services. Multiple investigators claimed that the full contents of messages sent through Sunbird were accessible in plain text to both Sunbird and any quarter-decent hacker.

Your pics arent safe either. The investigators say All the documents (images, videos, audios, pdfs, vCards) sent through Nothing Chats AND Sunbird are public. Nothing Chats is not end-to-end encrypted.

Sunbird dismissed this and gave their own evidence but those who know this stuff dismantled everything they said.

As a result, Nothing decided to pull Nothing Chats from the Play Store talm bout Weve removed the Nothing Chats beta from the Play Store and will be delaying the launch until further notice to work with Sunbird to fix several bugs.

Youre thinking, those are not bugs. Whats great is that the Community Note below that X post by Nothing reads, The bugs are security issues. The app logged every message in plain text and stored unencrypted data like text messages, images and videos.

You gotta love Community Notes.

To top it all off, Sunbird decided to put their service on hold talm bout they are investigating security concerns.

This could be the end for Sunbird and Nothing Chats.

So, dear Android user, you can rest easy knowing that RCS is coming to iMessage and so you wont need to deal with sketchy services like these.

However, do note that Sunbird allowed you to send blue bubble messages. I dont think Apple will change the colour of the bubble just because its RCS but if you care about the colour then thats on you.

Youll be able to send high-quality pics and vids using RCS, who cares if the text bubble is green? I know people care and it is what it is.

In all this I am reminded of how I hate some aspects of how Apple. They actually like the bullying that Android-using teens get. They believe it creates an incentive for teens to choose the iPhone. It does and its just not okay in my book.

They have every right to do this but I dont have to like it. I believe the iPhone can compete on its own merits without artificially restricting access to an app.

Think of a world where Samsung acquires WhatsApp and makes it a Samsung exclusive. Nobody wants that but its what the Americans are living through.

Thank God iMessage is not popular in these parts. Over here we can actually compare it to the competition and make our choices accordingly.

Apples iMessage not bothering with RCS. Android brings iMessage support to Google Messages instead.

EU to force WhatsApp, Facebook Messenger to interoperate with smaller platforms. Sasai must be giddy

Read the rest here:
Nothing tries to bring iMessage to Android, forced to pause all that - Technology Zimbabwe

17.2 is coming soon, including some brilliant new features and fixing several pesky bugs.SOPA Images/LightRocket via Getty Images

Apples iOS 17.1 has only just arrived, but iOS 17.2 is coming soon, and it includes some brilliant new features and fixes several pesky bugs. Among the new features in iOS 17.2 is a very cool update to iMessage, which will be a huge boost to iPhone security.

First unveiled in December last year as part of new iCloud security features and finally appearing in the iOS 17.2 beta now, iMessage Contact Key verification has been a long time coming.

The new iMessage feature in iOS 17.2 prevents attackers from listening to or reading your conversations if theyve managed to breach cloud servers.

If you have Contact Key Verification enabled in iOS 17.2, you will receive a notification if someone is able to eavesdrop on your conversations. As an extra layer of security, the new iPhone feature also allows you to use a Contact Verification Code on FaceTime or in personjust to make sure the person you are speaking to is who they say they are.

Contact Key Verification in iOS 17.2 is designed for people who could be targets for attacks utilizing iPhone malware called spywarewhich can allow adversaries to see everything you write and hear anything you say.

Over the last year or so, Apple has been busy releasing new iPhone features to protect users from spyware attacks as well as patching numerous security holes that could be used in so-called zero click attacks.

However, while it is a security feature akin to the likes of Apples Lockdown setting, Contact Key Verification doesnt reduce your iPhones functionality like Lockdown Mode does, so there is no security-functionality trade off. That makes it more accessible to all security-conscious iPhone users.

With this in mind, Jake Moore, global cybersecurity advisor at ESET, has praised the new iPhone feature. Contact Key Verification works seamlessly without any direct action needed, making it another security-focused feature working tirelessly in the background. Having the ability to use this new iOS 17.2 feature in strict security situations gives users that vital piece of mind that they are conversing with who they think they are.

As AI steps up, offering quality voice cloning techniques and with relatively good deep fakes in the pipeline, this sort of protection is imperative, Moore says.

Apple has described how Contact Key Verification Works in iOS 17.2 in a new technical blog.

Contact Key Verification is designed to detect sophisticated attacks against iMessage servers and allow users to verify that theyre messaging only with whom they intend, Apple says.

The iPhone maker explains how iMessage Contact Key Verification uses a mechanism called Key Transparency. This builds on the ideas of Certificate Transparencyessentially a security standard for monitoring and auditing digital certificates.

Yet as Apple explains, Contact Key Verification uses a verifiable log-backed map data structure, which can provide cryptographic proofs of inclusion and be audited for consistency over time.

These properties allow for higher scalability and better user privacy, Apple says.

Its certainly an exciting new feature, and when it debuts in iOS 17.2, it can be found in your iPhones Settings > your name > Contact Key Verification, where you can toggle it to on. This applies to Beta users as of now.

So when will iOS 17.2 arrive? It looks like the update will be released around November or December, including other new features such as the Journal app, new AirPlay settings for the Apple Vision Pro headset, collaborative Apple music playlists, new weather widgets and enhancements to the Contacts app.

According to Apple-focused site 9to5Mac, iOS 17.2 will also fix the Wi-Fi connectivity issues that have been plaguing some iPhone users since updating to iOS 17.

Its also likely iOS 17.2 will come with a bunch of security fixes, so keep an eye on my Forbes page for updates.

Kate is an award winning and widely-recognized cybersecurity and privacy journalist with well over a decades experience covering the issues that matter to users, businesses and governments. In addition to Forbes, her work can be found in publications including Wired, The Guardian, The Observer, The Times and The Economist.

With a focus on smartphone security including Apple iOS security and privacy, application security, cyberwarfare and data misuse by the big tech firms, Kate reports and analyzes breaking cybersecurity and privacy stories and trending topics.

She is also a recognized industry commentator and has appeared on radio shows including the WVON Morning Show with Attorney Ernest B. Fenton, BBC Radio 5 Live and podcasts such as the Guardians Today in Focus. Kate can be reached atkate.oflaherty@techjournalist.co.uk.

The rest is here:
iOS 17.2Amazing New iPhone Features And Fixes Suddenly Revealed - Forbes

Ransomware attacks can be devastating for organizations, causing significant damage to operations and reputations. Therefore, it's crucial to prepare for such an eventuality with a comprehensive ransomware response plan. However, it's also essential to understand that ransomware readiness assessments aren't a one-size-fits-all solution.

Let's explore why a tailored approach to ransomware readiness assessments is necessary and highlight some scenarios you may encounter during a ransomware attack.

The impact and severity of a ransomware attack can vary depending on the attacker's objectives, the organization's security posture, and other factors. Therefore, a comprehensive response plan must be tailored to the specific circumstances of different types of impacts from an attack.

For example, a ransomware attack may impact servers only within a particular geographic region, cloud environment, or data center. Alternatively, the attack may affect authentication of every user due to compromised Active Directory servers. Or you may not know the viability of backups, or the threat actor may provide a decryption tool.

Preparing for different scenarios requires a thorough ransomware readiness assessment to better understand the current maturity of response and to develop or improve an incident-response plan that considers each potential scenario's unique characteristics. There is definitely value in identifying and resolving what keeps the business up at night and hyperfocusing on that in the assessment's first pass. For instance, prioritizing backup immutability can be a critical step in ensuring the organization's resilience against ransomware attacks. Your assessment could focus solely on immutability or disaster-recovery strategies.

Here are a few questions that can help you think through your ransomware readiness preparations:

If you obtain a decryption tool from the threat actor, do you have a plan in place to safely and effectively decrypt servers?

To prepare for the various scenarios that can arise during a ransomware attack, you can hold workshops on topics such as emergency implementation of containment measures, backup tooling and configurations, critical application assessment, Active Directory and network architecture, coordination processes, and surge resourcing.

Workshops on emergency server, end-user, network, and backup system containment help identify the steps required to contain an attack, minimize malware spread, and isolate affected systems.

Backup tooling and configuration workshops help ensure you have backups available and accessible during a ransomware attack. Identify and address any risks, such as privileged credential misuse, and establish backup restoration times sufficient to recover critical systems.

Assessing critical applications and executive user backup capabilities is another essential workshop topic. It allows you to identify your most critical systems and institute adequate backup capabilities. Addressing any risks identified during the assessment enables you to recover critical applications in the event of an attack.

Active Directory and network architecture workshops are necessary to understand the lateral movement that may occur during a ransomware attack. This knowledge can help minimize the severity of an attack and limit the attacker's ability to move laterally within the network.

Workshops on coordination processes help organizations stay aligned while executing recovery operations. These workshops bring together key technical engineering teams, such as server admins, backup system admins, security teams, outsourced IT providers, and third-party service providers, to make recovery efforts coordinated, efficient, and effective.

Workshops on surge resourcing help you obtain access to the necessary resources to restore servers, build new servers, install and validate apps, provide help desk support, and so on. Identifying potential surge resourcing scenarios in advance can help you respond effectively during a ransomware attack.

Overall, conducting workshops on these topics is critical to help organizations prepare to respond to a ransomware attack. These workshops can help you identify your organization's strengths and weaknesses in terms of readiness and create a response plan that considers your unique circumstances.

Ransomware attacks are a significant threat to organizations, and their impact and severity can vary. Therefore, it's wise to develop a comprehensive ransomware response plan for the specific circumstances of each type of attack. By conducting tailored ransomware readiness assessments and workshops, you can develop a comprehensive response plan that minimizes damage and restores operations quickly.

See the article here:
Ransomware Readiness Assessments: One Size Doesn't Fit All - Dark Reading

A security engineer ensures that an organizations software, networks, hardware, and data are safe from intrusion and theft. Lets first look at the details of what a security engineer does and the skills needed, and then what training and career paths look like.

Security engineers ensure the network and IT engineers are using best security practices, such as keeping firmware and device software up-to-date with the latest security patches and minimizing whats known as an attack surface. For instance, when dealing with software applications that require connectivity to a database server, it's essential to decrease the attack surface by limiting that database servers unnecessary exposure to the internet.

Companies that build their own software also need security engineers to ensure software is secure as its being built; the security engineer will work with the developers on best practices to harden the software against potential attacks. This includes using proper password techniques, as well as ensuring the software doesnt inadvertently provide an intruder with access via backdoors.

Security engineers work full-time. This is not a job that an application developer does a little bit on the side. A security engineer needs to devote his or her entire work to security, becoming an expert in its impact on their company and industry. An organization shouldnt simply trust its security requirements to application developers or project managers who know a little bit of security. They need either an expert on staff full time, or a part-time consultant from a firm that hires full-time security engineers.

Security engineers help test existing systems for vulnerabilities, as well as advise the IT team as theyre building such systems. Here are some skills needed for that:

Penetration testing: This refers to the task of intentionally breaking into a system from the outside. Security engineers typically have a set of software tools that assist in this. The tools will attempt to break into the software through multiple means, including using different software ports. Some tools are run manually by the security engineer; other tools the security engineer must install and configure to run automatically on a regular basis.

Vulnerability and security assessment: Once penetration testing is complete, the security engineer will put together an assessment showing where all the problems are, and what needs to be done to correct the problems.

Intrusion detection: Security engineers install software that detects an active intrusion and immediately notifies the security engineers and other people in the organization, and possibly even the regular security staff or even police. (Note that this could mean being awakened in the night!)

Setting up new systems securely: In addition to testing existing systems, security engineers will help the IT team build networks that are secure. The security engineer meets with the IT team before the network is built and advises them on the steps to build a secure network, the best software and devices to use, and the best way to configure everything. The security engineer will also work with them as the network is being built, doing penetration testing early on to catch problems before the system goes live. After going live, the security engineer will continue doing penetration tests on a regular basis afterwards.

Security policies: Security engineers will help the IT team put together policies to be enforced, such as lists of the only software allowed to be installed on computers; lists of software thats blacklisted; rules on password management, and so on. They will also likely train employees on how to keep their passwords safe and how to not fall for phishing scams.

Compliance: Companies that work with certain organizations such as government agencies typically need to meet regulatory compliance. The security engineer is the one who needs to understand such regulations, how to implement them correctly, and how to report that the system is compliant.

Assisting application developers: For companies that build software, security engineers work in a specialized field called application security engineer, whereby they help the software developers follow best security practices. This requires skills in addition to the above, such as:

There are some steps to landing the first job:

Training. Training is vital. While some IT professions you can learn on your own, security requires as much training as you can stand to get. The reason is liability. Organizations trust the people they hire. An organization can usually survive if their software crashes and restarts. There might be some annoyed users, but if no data is lost, theres likely little financial liability.

Security engineers, on the other hand, need to ensure that intruders wont break in and steal millions of customer records; such an intrusion can result in the company getting sued for tens of millions of dollars or even more. Theres a high risk in hiring the right security engineer.

If you want a recruiter or hiring manager to be totally comfortable with the idea of you as a security engineer, it helps to have a collection of courses, certifications, and degrees on your resume and other application materials. If you already have a bachelors degree in a related field such as computer science, another option is to go back and get a masters degree in security.

People networking. As with most jobs these days, its important to grow your network. Large corporations will typically hire teams of security engineers. A software development firm might hire just one, compared to dozens of software developers. And security firms will typically be hiring multiple people. That means finding these companies, and ideally, meeting people who work there who can get your resume to the top of the list. You can meet people through job networking sites such as LinkedIn, as well as by attending conferences and meetups.

But remember, because competition is tight, youll need to be ready to prove yourself, both with your certification and your skillset. Plan to be the best you can and shine above the others.

As with many tech careers, there are junior, mid-level, and senior level security engineers. In large companies and security consulting firms that hire multiple security engineers, you would be starting out at a junior level working under people with years of experience who can help teach you additional skills beyond your training.

Medium-sized companies that have an opening for one security engineer are likely to go with somebody with more experience than a junior level. When you reach such a position, you would have a great deal of autonomy.

Senior engineers at a large corporation or security firm might not be doing so much hands-on work and might be managing teams of security engineers. Or as you advance in your career, instead of managing, you can become more specialized. You might focus on only cloud security, network security, or the application security we already mentioned.

And as you advance, plan to keep training and learning through your entire career. With every new version of operating systems and software, you need to update your skills to know the new features and security risks of those features. You also need to learn about new methods of attacks and intrusion and how to prevent them, and what to do if an intrusion happens.

Note finally that some security engineers start out as software developers. Such people are in demand as they can take on the job of security application engineer. But again, since security is a full-time job (with very solid pay), this is a full career change, not just a side gig for an application developer.

Security engineering is a difficult field and requires continual training and certification updates. But it can be exciting and rewarding. Plan to work hard, and soon youll find yourself getting your first position.

More here:
How to Become a Security Engineer - Dice Insights

The October 2023 OKTA support system attack that so far has publicly involved Cloudflare, 1Password and BeyondTrust informs us just how fragile and vulnerable our cloud applications are because they are built using access tokens to authenticate counterparties.

If a valid access token is stolen by a threat actor, most systems dont have the internal defenses built-in to detect that a valid token is now being used by a threat actor, leaving them completely vulnerable. To be clear, reliance on access tokens to authenticate counter parties, is NOT unique to Okta and could happen to any of a myriad of cloud services to application functionality such as email, CRM, accounting/finance are just some examples.

What are access tokens and why do they make our cloud infrastructure and applications so vulnerable? Simple, they are what is known as a bearer token, which means that if you possess the token you have the access rights granted to the original possessor of the token. By design the recipient is required to check if the token is still valid and if so, grants access.

Because of their power, access tokens must be protected at all costs from theft. There are four key aspects to protecting tokens:

Deviate from these simple rules and applications (cloud, hybrid and classical) that rely on access tokens are extremely vulnerable.

Looping back to the recent Okta breach, it boils down to stolen access tokens due to 3 out of the 4 rules being breached. The only rule that wasnt fully breached was number 2, which by public reporting does not appear to have been a mutually authenticated connection.

What is an access token?

Think of an access token being similar to a ticket used to get into a sporting event with some notable differences Presenting a valid sporting ticket to a stadium gate agent allows you to enter the venue (authentication). Once inside the stadium gate, you go to your section, row and seat for that ticket (scope/authorization).

Access tokens, technically called OAUTH tokens, work like tickets with two notable differences: reuse and copy protection.

How are access tokens generated and used?

Without getting down into the weeds of how modern Identity Providers (IDPs) and protocols work, the answer is fairly simple in that an Agent (human or system) presents credentials to an IDP and requests access tokens to a resource (e.g. system, application, database, etc,..). The credentials presented to the IDP can be a username/password augmented with multi-factor authentication, a certificate or other types of secrets. If successfully authenticated, the IDP sends the Agent an access token. To protect access tokens, they should only be sent over properly encrypted channels with the valid time period set as short as possible, though the downside to short time durations means the Agent has to re-authenticate to the IDP more often..

Once an Agent has their access tokens, they present them to resources to gain access. The resource validates the tokens with the IDP to see if they have been revoked or expired and if not, grants access based on the authorization rights associated with the Agent.

How do you protect access tokens?

Given how powerful access tokens are, they must be protected at all costs.

Going back to the four methods of protection listed earlier, the first order of business is to never persistently store access tokens. Avoiding persistent storage greatly reduces the attack surface of a threat actor to get a copy of a token. As a side note, ensuring that the original credentials presented to the IDP get the access tokens in the first place should also not be persisted as well. Instead, applications should make use of Key Management Services or Vaults.

The second task is to ensure that tokens are always sent over secure channels which in the majority of cases means using Transport Layer Security (TLS), Using TLS versions older than V1.2 should be avoided as these are no longer considered secure and have been deprecated.

TLS has two modes of operation: One-way (most common) and mutual.

With one-way TLS the channel has only data privacy and data integrity but misses out on authentication due to the fact that only the server providing the resource has a certificate. While many human based use cases can be sufficiently secured using one-way-TLS due to the fact that a human can be asked for additional authentication factors by the IDP as a part of the initial IDP login, it usually leaves open vulnerabilities for machine-to-machine connections where mutual TLS should be used as it serves as a critical second factor for authentication.

Ideally mutual TLS (mTLS) connections should be used, whereby both sides of the connection mutually authenticate each other at the transport layer using certificates or even pre-shared-keys which acts as an additional authentication factor. The use of mTLS ensures the Agent is authenticated with the server to validate that connections are only coming from valid and known sources as opposed to a threat actors machine armed with a stolen access token.

The third task is to ensure access tokens have as short a lifetime as possible such that if they are stolen, their useful lifetime is limited. For human Agents, this translates to having to re-authenticate with the IDP, so many of these use cases tend to have lifetimes set in hours or days. For machine based Agents, the lifetime should be set as short as possible without putting unnecessary burden on the IDP. Often this translates to 15 to 60 minutes.

The four task is to ensure that some means of restricting who can connect to servers (defense-in-depth) is vital in that this serves a very significant hurdle to overcome should an access token be stolen. Servers that require all connections to be mTLS based protects itself with a critical second factor ensuring that only authenticated connections can be used to send access tokens. This second factor significantly reduces the attack surface in which access tokens can be abused. Using mTLS combined with cloud privacy or network security groups or layer 3 segmentation solutions go even further with their defense-in-depth attack surface reductions.

Conclusion:

Applications and infrastructure must ensure they adhere to solid code and implementation practices such as the ones described in this blog when access tokens are used as the center of the authentication strategy. Best practice of short expirations, never persisting tokens and using mTLS for all connections combined with network capabilities such as network or privacy groups or segmentation are all required to ensure sufficient defense-in-depth protective controls are in place.

The post The Cloud has a serious and fragile vulnerability: Access Tokens appeared first on TrustFour: TLS Compliance Monitoring.

*** This is a Security Bloggers Network syndicated blog from | TrustFour: TLS Compliance Monitoring | TrustFour: TLS Compliance Monitoring authored by Robert Levine. Read the original post at: https://trustfour.com/the-cloud-has-a-serious-and-fragile-vulnerability-access-tokens/

Originally posted here:
The Cloud has a serious and fragile vulnerability: Access Tokens - Security Boulevard