Category Archives: Internet Security
EHGO to Apply for Iconic Labs Administrators to Be Removed, General Meeting to Proceed – Business Wire
LUXEMBOURG--(BUSINESS WIRE)--European High Growth Opportunities Securitization Fund (EHGO), an institutional investment fund based in Luxembourg, has announced that it will be making an application for the Iconic Labs (Iconic) administrators to be removed and for Iconic's General Meeting (GM) to proceed.
In the statement, EHGO said: "As previously announced, we wrote to the administrators informing them that we would pay the debt of 184,295.04 demanded by the secured creditor which appointed them, and requesting that they vacate office. We also communicated our view that their cancellation of Iconic's GM was a breach of their duties, given that holding the GM is necessary for the company to have a viable financial future.
As we have received no substantive response, and given the wider circumstances, we will be making an application to the High Court on the grounds that the administrators were appointed with an improper motive and seeking to remove them from office. Interim relief will be sought to enable the GM to proceed, either on 15 June 2021 as originally planned, or on a later date.
We believe that it is now likely that the GM will go ahead, whether on 15 June or a later date. We believe it is critical that shareholders vote on the resolutions set out in the original notice for the GM which are necessary for Iconic to have a viable financial future.
We would therefore urge shareholders to appoint a proxy by completing the Form of Proxy sent to them with the shareholder circular, naming the chair of the meeting as their proxy. This needs to be received by 2pm on Friday 11 June. It can be sent to the company's registrars, SLC Registrars, at proxy@slcregistrars.com.
As previously noted, we were in discussions with Iconic to provide substantial new financing arrangements involving a facility of up to 50 million and have tremendous faith in the vision for the company set out by CEO Brad Taylor to be a cutting-edge media, data, information, internet, security and technology company. We hope that shareholders in the company will join us in supporting this vision and passing the necessary resolutions at the GM.
Should shareholders wish to attempt to obtain information from the administrators, for ease of reference their contact details are:
Mr Hugh Jesseman & Mr Antony Batty
Antony Batty & Company LLP
3 Field Court, Gray's Inn, London WC1R 5EF
Email: hugh@antonybatty.com & antonyb@antonybatty.com
Tel: +44 (0)207 831 1234"
Ends
Notes to editors
About European High Growth Opportunities Securitization Fund
European High Growth Opportunities Securitization Fund is an institutional investment fund based in Luxembourg which focuses on financing innovative companies globally that are deemed to be significantly undervalued.
These iPhone apps have scammed people out of millions – Komando
Apple prides itself on a strict app review process, but it seems even the strongest measures can't stop scams from slipping under the radar. A recent report from the Washington Post exposed some glaring holes in the App Store's defense. Reporters said nearly 2% of the 1,000 highest-grossing apps were a form of scam.
This news comes after Apple claimed it's stopped over $1.5 billion in potentially fraudulent transactions in 2020. Despite its best efforts, Apple's store is still vulnerable to app scams, and they cost users like you a ton of money. In fact, market research firm Appfigures says fraudulent apps defrauded users out of around $48 million.
The worst part about these apps is how hard they are to spot. They can pop up as fun and exciting apps on entertainment, news, or exercise, or they can even claim to boost your cybersecurity (while in reality, they're just weakening your defenses). Since it seems scammy apps are here to stay, we've got some helpful tips you can use to recognize dangerous ones.
Many of them masquerade as real companies, hoping you won't notice the names are slightly different.
For instance, if you own a Samsung television, you can go to your iPhone's App Store to download the remote control app SmartThings. One software engineer named Simon Willison told the Washington Post that he found an app called Smart Things.
Notice the difference? Two apps popped up: one with a space and one without. The copycat app, Smart Things, will charge you $19. Fall for the trick and you've lost money as well as your faith in Apple's review process.
Willison told the Washington Post his trust in Apple's review process tricked him into dropping his hard-earned cash. By assuming the App Store was thorough enough to recognize and expel fake apps masquerading as the real deal, he was down $19.
"I thought, 'Wow, Samsung has gone downhill. They're nickel and diming me for my remote control?'"
Let this be a lesson to you. When you're looking up apps, don't let your eyes glaze over the titles. Many copycat apps rely on you not double-checking the title. That's an easy way for you to fall into big trouble.
It's similar to the concept of typosquatting, also known as URL hijacking, where a bad-faith actor misspells a popular domain name to garner traffic and scam visitors. They're banking on users misspelling URLs and other important information on the web.
It's such a big deal that the Better Business Bureau sounded the alarm. But it's not just for websites. App store tricksters use typosquatting to trick you into thinking they're representing a trustworthy brand. That way, it's easier for them to snatch your money.
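The "SmartThings" versus "Smart Things" trick above is a lookalike-name problem, and it can be checked mechanically before an install or during a store review. The following Python is an added example, not code from Komando, Apple or the Washington Post report; the brand watch list and the app names it is run against are constructed for illustration. It normalizes a name (case, whitespace, punctuation, accents, and digits that stand in for letters) and then compares it to each watched brand by exact normalized match or a small edit distance, so that a name which differs from a real brand only cosmetically is flagged while the genuine product is not.

```python
import re
import unicodedata

# Constructed watch list: ordinary brand names a reviewer or a user might
# compare a candidate app name against. Not taken from any real dataset.
KNOWN_BRANDS = ["SmartThings", "Norton", "ExpressVPN"]

# Digits and symbols commonly substituted for letters in lookalike names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "7": "t", "@": "a", "$": "s"})


def normalize(name):
    """Fold a display name so that 'Smart Things', 'SMARTTHINGS' and
    'Smart Th1ngs' all compare equal: strip accents, casefold, drop
    whitespace and punctuation, then map look-alike digits to letters."""
    nfkd = unicodedata.normalize("NFKD", name)
    ascii_only = nfkd.encode("ascii", "ignore").decode()
    kept = re.sub(r"[^a-z0-9@$]", "", ascii_only.casefold())
    return kept.translate(CONFUSABLES)


def edit_distance(a, b):
    """Levenshtein distance by plain dynamic programming (one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(app_name, brands=KNOWN_BRANDS, max_edits=1):
    """Return the watched brand that app_name imitates, or None.

    An exact, unnormalized match is the genuine product and is never
    flagged; anything that only matches after normalization, or that is
    within max_edits of a brand's normalized form, is reported."""
    if app_name in brands:
        return None
    norm = normalize(app_name)
    for brand in brands:
        bnorm = normalize(brand)
        if norm == bnorm or edit_distance(norm, bnorm) <= max_edits:
            return brand
    return None


if __name__ == "__main__":
    for candidate in ["SmartThings", "Smart Things", "Smart Th1ngs", "N0rton", "Weather Radar"]:
        print(f"{candidate!r:18} -> {lookalike_of(candidate)}")
```

With short brand names an edit distance of one is loose (a legitimate "Morton" would collide with "Norton"), so in practice the threshold should scale with name length or the check should feed a manual review queue rather than block outright.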
Not all of these scams are this easy to spot, though. Others are confident enough to stand on their own without hiding behind the mask of a reputable company. Some will even buy fake customer reviews to trick users like you into thinking you're buying a good service.
Scammers gravitate towards spying and internet security apps. (Ironic, huh?) They also love to create fake dating apps, which makes sense: people are less concerned with security when it comes to matters of the heart.
Many of these apps hide in plain sight. Some will steal your money, while others want to snatch a lot more than that. Here are some more scammy apps you'll find:
As you can see, cheap or free VPN apps can't be trusted. Remember, if the service is free, you're most likely the product. Or worse. The app could be malicious and infect your device with malware. That's why it's important to use a VPN that you can trust.
We recommend trying the VPN that Kim trusts and uses. Our sponsor, ExpressVPN. Get 3 months free when you sign up for one year at ExpressVPN.com/Kim.
It looks like Apple has a lot of work on its plate. If it really wants to scrub viruses and scams away for good, it's going to need some new techniques.
If you want to boost your iPhone's security, we've got you covered. We gathered five tips and tricks for tweaking your iPhone's settings in the name of safety. Tap or click here for new ways to secure your iPhone.
Protecting a New Vulnerable Population on the Internet – Security Boulevard
On a Mission of Protecting
Abraham Lincoln is credited with saying that "A lawyer's time and advice are his stock and trade." Whether the quote is mis-attributed to Lincoln is irrelevant to the greater message, which is that attorneys are knowledge workers. To state it as bluntly as one attorney once explained to an executive where I worked, "My knowledge will keep you out of jail." As a cybersecurity professional, you too are a knowledge worker. Many times, your job is probably occupied with advising rather than creating. This specialized knowledge and the sharing of it is what makes you the subject matter expert. Protecting others from the perils of the internet has always been the primary responsibility of cybersecurity professionals.
Whether working for a large corporation, a government agency, or in an individual capacity, helping others to become better educated about online threats has always been a core part of the job.
Of course, many non-security people (often our friends and family) think that a cybersecurity professional is someone who can fix their computer, and while that is true in many cases, recent newsworthy security events have raised awareness about the differences between the skills of a computer technician and those of a cybersecurity professional. Now, when a news organization interviews a computer security expert to explain a breach event, the exclamation "Oh, so that's what you do!" is heard more often.
Do you recall just 10 years ago when the task of protecting the most vulnerable people on the internet meant going into schools to teach children about cyber-bullying prevention? At the time, young people who were newly joining the Internet community needed to be educated about the correct way
CIS Awards Cimcor With First-Ever Benchmarks Configuration Certification – pdclarion.com
MERRILLVILLE, Ind. and EAST GREENBUSH, N.Y., June 8, 2021 /PRNewswire-PRWeb/ -- Cimcor is pleased to announce that it is the recipient of the first-ever Center for Internet Security (CIS) Benchmarks Configuration Certification. The Center for Internet Security has provided this certification for the CimTrak Integrity Suite running on CIS CentOS Linux 7 Benchmark Level 1 and Level 2.
Providing a comprehensive set of security, auditing, and compliance tools to ensure the integrity of an IT infrastructure, the CimTrak Integrity Suite provides a streamlined way to bring Benchmark security to customers without impacting product, service, or system performance. The CIS Configuration Certified program certifies a product or service's configuration is in conformance with or can run in an environment configured to the CIS Benchmarks, which are consensus-based, vendor-agnostic, secure configuration guidelines for the most commonly used systems and technologies.
"We believe that systems that have been hardened in accordance with CIS Benchmarks are the foundation of a secure infrastructure. We are proud to be the first security company to receive CIS Benchmarks Configuration Certification," said Robert E. Johnson, III, President and CEO of Cimcor, Inc. "This certification validates our commitment to CIS best practices and our commitment to creating world-class security software to deliver integrity, security, and compliance throughout the enterprise."
The new CIS Benchmarks Configuration Certification enables vendors to develop new products with the CIS Benchmarks built-in, tested, and certified at outset. Building this confidence into the products takes the guesswork out of knowing whether or not a CIS Benchmarks-hardened environment will work without impact.
"Cimcor has demonstrated a strong commitment in providing customers with the ability to ensure their assets are secured according to consensus-based best practice standards," said Curtis Dukes, CIS Executive Vice President and General Manager, Security Best Practices. "Their customers won't have to reconfigure anything because the certification has demonstrated it will work straight out of the box."
The new Configuration Certification pilot is open to a number of environments and use cases, including:
Cimcor develops innovative, next-generation, compliance, and system integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. CimTrak helps reduce configuration drift and ensure that systems are in a secure and hardened state. Securing your infrastructure with CimTrak helps you get compliant and stay that way. For more information, visit http://www.cimcor.com/cimtrak.
The Center for Internet Security, Inc. (CIS) makes the connected world a safer place for people, businesses, and governments. We are a community-driven nonprofit, responsible for the CIS Controls and CIS Benchmarks, globally recognized best practices for securing IT systems and data. We lead a global community of IT professionals to continuously refine these standards to proactively safeguard against emerging threats. Our CIS Hardened Images provide secure, on-demand, scalable computing environments in the cloud. CIS is home to the Multi-State Information Sharing and Analysis Center (MS-ISAC), the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial (SLTT) government entities, and the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), which supports the cybersecurity needs of U.S. elections offices. To learn more, visit CISecurity.org or follow us on Twitter: @CISecurity.
Securing Industrial Automation and Control Systems Starts in Software Development – Security Boulevard
Following the IEC 62443 standard for security software development ensures quality, safety and security
The importance of industrial automation and control systems (IACS) to the critical operations we rely on cannot be overstated. From manufacturing of consumer and commercial products to power generation and water supply, to HVAC for the offices where we once worked before COVID-19 (we'll be back), to smart utility metering for our homes and so much more, these systems are essential to our lives and our economy. It goes without question that keeping these systems secure is a must.
A cybersecurity event targeting IACS has the potential to have a devastating impact. And, as these devices and systems become smarter, more interconnected and exposed to the Internet, security challenges continue to rise and risk becomes exponentially greater. In fact, as highlighted by its Year in Review 2020 report, industrial cybersecurity company Dragos saw a threefold increase in cyber threats to IACS last year.
As stated earlier, these IACS devices are becoming smarter. This is a result of more complex embedded software enabling remote functionality, automation and analytics. With more complex software, there are now more lines of code, which can introduce N-day and 0-day vulnerabilities if not diligently tested throughout the software development life cycle (SDLC).
Thankfully, there are standards for developing secure software, such as IEC 62443, designed to help ensure software code embedded in IACS devices is free of vulnerabilities. The IEC 62443-4-1 standard (Security for industrial automation and control systems, Part 4-1: Secure product development lifecycle requirements) defines specific requirements for using a secure development lifecycle in the design, implementation, maintenance and testing of products used in industrial automation and control systems.
GrammaTech, together with Exida, a leading certification company specializing in IACS functional safety and cybersecurity, recently issued a joint whitepaper, "Using GrammaTech CodeSentry and CodeSonar to Improve Software Security and Comply with IEC 62443."
In this whitepaper, Exida details how GrammaTech's CodeSentry (binary software composition analysis, SCA) and CodeSonar (static application security testing, SAST) tools can be integrated into an IACS supplier's SDLC and DevSecOps processes to help comply with the IEC 62443 standard.
Exida describes two major contributors to security vulnerabilities found in products today: implementation weaknesses in programs created in languages such as C and C++, and the use of third-party software (TPS). The CodeSentry and CodeSonar tools can address both of these issues.
CodeSonar can be seamlessly integrated into the SDLC to continually find and remediate errors and vulnerabilities in code. With CodeSentry, you can perform a binary analysis to identify the open-source and third-party software components of the software and generate a software bill of materials (SBOM) and vulnerability report.
This whitepaper introduces common causes of security vulnerabilities, including implementation weaknesses in programming languages and TPS. In addition, it describes TPS types and specific TPS security challenges, and provides guidance on how to use the GrammaTech CodeSentry and CodeSonar tools in a workflow to select and manage TPS and overall product security.
If developing secure and vulnerability-free code is your priority, we encourage you to download and read our whitepaper.
To see CodeSentry and CodeSonar in action and how our solutions can solve your specific requirements, book an evaluation today.
*** This is a Security Bloggers Network syndicated blog from Blog authored by Christian Simko. Read the original post at: https://blogs.grammatech.com/iec-62443-securing-industrial-automation-and-control-systems-starts-in-software-development
Working from home blamed for rise in cyber hits on organisations – The Straits Times
While working from home has become the norm for many people amid the Covid-19 pandemic, it might have also caused many organisations in Singapore to fall victim to cyber attacks.
About eight in 10 public- and private-sector organisations here attributed a rise in cyber attacks across the board to such a working arrangement, said a report by software company VMware last week.
This is comparable to the global figure across 14 markets.
Nearly seven in 10 here said the attacks were serious enough to report to regulators or to call in an incident response team. Globally, this is higher - at eight in 10.
"Digital transformation programmes advanced rapidly as the cyber-attack surface expanded to include living rooms, kitchens, home networks and personal devices," explained principal cyber-security strategist Rick McElroy of VMware's security business unit.
Mr McElroy added that while remote employees' work laptops are usually well secured, home Wi-Fi networks used to go online can pose serious security risks.
"Updates to home router software are often overlooked, and many home networks do not have a firewall installed. These unsecured and unpatched networks can result in network security gaps," he said, pointing also to issues with the use of other Internet-connected devices on home networks for work.
The remote workforce behaves very differently from the office workforce - its members access the organisation's network at unpredictable hours as they strive to stay productive while caring for their families and following government restrictions.
This means network traffic has "changed beyond recognition", and organisations must adapt monitoring systems or risk leaving an opportunity for hackers to use atypical patterns to mask their infiltration attempts, Mr McElroy said.
What is key is that companies need to understand how people interact with technology, he said. This can include when an employee usually works, the applications he normally uses and the websites he commonly visits.
So for example, when an employee who usually works in California logs in 10 minutes later from Singapore, which is humanly impossible, the company knows something is amiss.
"Knowing this baseline helps better detect a malicious login," said Mr McElroy.
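The baseline check Mr McElroy describes, a login from California followed ten minutes later by one from Singapore, is usually implemented as an "impossible travel" rule: compute the great-circle distance between a user's consecutive logins, divide by the elapsed time, and alert when the implied speed exceeds anything a person could achieve. The Python below is an added example, not VMware's product code or anything from the study; the login events are constructed, and the 1,000 km/h ceiling is an assumed threshold a team would tune against its own traffic.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    lat: float
    lon: float
    city: str


# Constructed sample events (not real telemetry): alice appears in Singapore
# ten minutes after a San Jose login, bob reaches Los Angeles six hours later.
SAMPLE_LOGINS = [
    Login("alice", datetime(2021, 6, 1, 9, 0), 37.34, -121.89, "San Jose"),
    Login("bob", datetime(2021, 6, 1, 9, 0), 37.34, -121.89, "San Jose"),
    Login("alice", datetime(2021, 6, 1, 9, 10), 1.35, 103.82, "Singapore"),
    Login("bob", datetime(2021, 6, 1, 15, 0), 34.05, -118.24, "Los Angeles"),
]

EARTH_RADIUS_KM = 6371.0
# Assumed ceiling: faster than a commercial airliner is treated as impossible.
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def find_impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one (user, from_city, to_city, required_kmh) tuple for every
    consecutive pair of logins by the same user whose implied travel speed
    exceeds max_kmh. Events are processed in time order regardless of
    the order they were collected in."""
    alerts = []
    last = {}  # user -> most recent Login seen so far
    for ev in sorted(logins, key=lambda e: e.when):
        prev = last.get(ev.user)
        if prev is not None:
            dist = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.when - prev.when).total_seconds() / 3600
            # Two distant logins at the same instant are also impossible;
            # guard the division so a zero gap still raises an alert.
            speed = dist / hours if hours > 0 else float("inf")
            if dist > 0 and speed > max_kmh:
                alerts.append((ev.user, prev.city, ev.city, round(speed)))
        last[ev.user] = ev
    return alerts


if __name__ == "__main__":
    for user, src, dst, kmh in find_impossible_travel(SAMPLE_LOGINS):
        print(f"ALERT {user}: {src} -> {dst} would need {kmh} km/h")
```

Real deployments also have to tolerate the ordinary noise this rule produces (VPN egress points, mobile carriers geolocating to a distant city), which is why the baseline of where and when a user normally logs in matters as much as the raw speed calculation.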
The VMware-commissioned study polled about 250 chief information officers, chief technology officers and chief information security officers here last December.
They came from the financial, healthcare, government, retail, manufacturing and engineering, food and beverage, utilities, professional services, and media and entertainment sectors.
The study found that organisations here reported more cyber attacks in the previous 12 months, with 64 per cent saying so.
About a year ago, the figure was 43 per cent.
More organisations globally saw more cyber attacks than those in Singapore in this year's report, with 76 per cent reporting this.
However, the Republic had more breaches on average per organisation - 3.3 versus 2.35 globally.
The leading cause of breaches reported here was a weakness in processes, with 22 per cent of respondents citing this. One example is companies not deploying patches on a regular basis.
The next top causes of breaches were using out-of-date security (20 per cent) and third-party apps (13 per cent).
Outdated security includes operating systems that are no longer supported by their developers, such as those found in manufacturing systems.
Some cases involved an old critical application that is not updated because doing so might mean taking vital systems offline.
These legacy systems and old apps could remain unpatched for vulnerabilities, and using modern security solutions to protect them is difficult at times.
Third-party apps that can lead to breaches include externally developed ones used for sharing files, which can allow crooks to access sensitive data if hacked.
These top causes of attacks generally boil down to how organisations' information technology and security operations teams interact and work in silos when solving issues, said Mr McElroy.
To address some of these issues, he advised organisations to have security in place "wherever and whenever humans interact with systems", including online programs and applications.
Kenny Chee
Internet Security Industry Growth Analysis, Segmentation, Share, Trend, Future Demand and Leading Players Updates – The Courier
Recent Updates of Internet Security Market 2021
The Internet Security Market report throws light on business drivers, restraints, opportunities, challenges, and key statistical factors. The report has been designed and presented in the form of tables, figures and other statistics to aid reader perception. The research report studies important details about key players, current trends, future scope, and development and expansion strategies. The report also covers future timelines, growth predictions, forecast estimations, and fast-changing market forces.
Increasing usage of the Internet globally is a major factor driving growth of the internet security market. This is due to rapid expansion in wireless communication technology across numerous verticals. For instance, according to a report by Coherent Market Insights, the number of internet users across the world was around 3.38 billion and 3.25 billion in 2016 and 2015, respectively. Internet security solutions are widely used in industries such as BFSI (banking, financial services and insurance), telecommunication, and healthcare to protect large volumes of data from increasing cyber-attacks, which fuels growth of the internet security market. Growing cyber-attacks that cause damage to organizations' data and can result in loss of revenue are a primary driver boosting adoption of internet security solutions across the aforementioned verticals.
Major Key players In this Industry: IBM Corporation, Hewlett Packard Enterprise, McAfee LLC, Trend Micro, Inc., Symantec Corporation, Cisco Systems, Inc., Palo Alto Networks, Inc., Dell EMC, Fortinet, Inc., Sophos Ltd., Rapid7, Inc., CyberArk Software Ltd., Splunk, Inc., and Imperva, Inc.
The report offers a detailed assessment of Internet Security industry research profiles that understand trending data and covers production, consumption, status & forecast, and market growth. The study analyzes the leading companies and several other prominent companies operating in the market. The report features detailed information including market size, growth rate, market value, price, share by (regions, type, application), production and market share by major countries, market consumption, and market share by (regions, type, application), export and import data.
Get the Sample Report PDF with Detail TOC & List of Figures @
https://www.coherentmarketinsights.com/insight/request-pdf/1930
Key Features of Internet Security Report Are:-
Get Discount Before Buying
https://www.coherentmarketinsights.com/insight/buy-now/1930
Market Scenario:-
The report covers historical and forecast market data, demand, application details, price trends, and company shares of the leading players by geography. It supplies detailed information on the established market with a clear perspective on global Internet Security market players and emerging market associations. The report content includes technology, industry drivers, geographic trends, market statistics, market forecasts, producers, and equipment suppliers.
Go Through Our Trusted Clients List:-
https://www.coherentmarketinsights.com/trusted-by
About Coherent Market Insights:-
Coherent Market Insights is a prominent market research and consulting firm offering action-ready syndicated research reports, custom market analysis, consulting services, and competitive analysis through various recommendations related to emerging market trends, technologies, and potential absolute dollar opportunities.
Contact Us:-
If you need more customization, reach us. You can get a point-by-point breakdown of the whole research here. If you have any special requirements, let us know and we will offer you the report as you need it.
Contact Here: sales@coherentmarketinsights.com || +1-206-701-6702 (US-UK Toll Free).
Takeaways from the Senate report on January 6 security failures – WTOP
This 95-page report is the first comprehensive offering from the long list of Senate and House committees that are investigating various matters related to the Capitol insurrection. It's by far one of the most thorough fact-finding efforts and was released Tuesday in a bipartisan fashion.
Two Senate committees on Tuesday released the most comprehensive government report on the security failures leading up to the US Capitol insurrection on January 6, revealing new details about unheeded warnings, critical miscommunications and intelligence shortcomings.
Congressional investigators pored through thousands of documents, received written statements from 50 police officers who defended the Capitol and received testimony from a wide array of current and former officials who played a role in the security preparations and response.
Here are six takeaways from the report and its recommendations, which were released on a bipartisan basis by the Senate Rules Committee and the Senate Homeland Security Committee.
The report concluded that the US Capitol Police's main intelligence unit was aware of the potential for violence in the days and weeks ahead of January 6. Period. Full stop. They were warned.
But not everyone was aware. The inquiry determined that USCP's decentralized intelligence operation meant some people saw these warnings while other officials were left in the dark.
The Metropolitan Police Department in Washington, DC, told Capitol Police that hotel bookings roughly doubled in comparison to pro-Trump rallies in November and December, the Senate report said.
It was becoming clear to security officials and ordinary citizens alike that January 6 would be different. A private citizen emailed USCP's general mailbox on December 28 saying there were tweets from people organizing to "storm the Capitol" on January 6th, according to the report.
Still, USCP maintained its assessment that January 6 would likely resemble the minor pro-Trump rallies in November and December.
The report said, "The USCP Chief has no unilateral authority to request assistance from the National Guard." This is a simple statement, but it explains a lot about the failures that day.
Then-Capitol Police Chief Steven Sund wanted to call in the troops for backup but needed to coordinate with other Hill security officials. When the officials tried to deal with the request, they were unfamiliar with the laws and regulations that needed to be followed, the inquiry found.
The red tape hindered the much-needed National Guard response, according to the report. And that's why one of the first recommendations from the Senate report is to empower the Capitol Police chief with unilateral authority to request military support in emergency situations.
It seems like a no-brainer, but for this to happen, Congress will need to pass a new law.
The Senate inquiry uncovered some embarrassing failures within the civil disturbance unit of the Capitol Police, which is essentially the force's riot police or emergency response squad.
The Capitol Police activated seven of these special units in advance of January 6, but only four of those platoons were outfitted with special protective equipment like helmets and shields, the report said. And when one of the platoons tried to get its equipment, it was on a locked bus.
The senators recommended that the special unit receive better training and more funding.
Plenty of Trump supporters posted plenty of violent threats and dangerous assertions on the internet in the run-up to January 6. The report said these were found on message boards, social media, memes, or hashtags. But intelligence officials struggled with how aggressively to police political speech, and how to differentiate the real threats from typical internet nonsense.
FBI and (Department of Homeland Security) officials "stressed the difficulty in discerning constitutionally protected free speech versus actionable, credible threats of violence," the report said, noting that officials have said they need to make improvements and do better in the future.
We've already heard from many of the brave police officers who risked their lives defending the Capitol, including some who were injured and others who engaged in hand-to-hand combat.
But the report fleshed this out, providing new accounts from the front lines of the battle.
"We did what we could against impossible odds and a volatile crowd which many times threatened us with phrases like 'We're gonna kill you!'" one officer told the committees. "I felt at this time a tangible fear that maybe I or some of my colleagues might not make it home alive."
Another officer described how they were called a Nazi. Black officers have spoken out about the racial abuse at the hands of the mob, including being called the N-word. In a previously unreported incident, one officer said they saw someone give a Nazi salute to the Capitol.
But as comprehensive as the 95-page report is, it only examined one piece of the bigger puzzle. It looked at the security, planning and response failures by law enforcement. But what about efforts by extremist groups to plan for violence in DC? What about former President Donald Trump and the Republican officials who fanned the flames? Congress isn't equipped to probe these issues.
Senate aides said investigators intentionally avoided the most politicized topics like Trump's culpability because they wanted to keep the probe bipartisan. Sources told CNN that to keep Republicans in the fold, the report avoided using the word "insurrection" to describe the attack.
Apparently, the Senate investigation was significantly watered down before it even started.
This is one of the many reasons why so many Democrats, Republicans, former US officials, national security experts, and US Capitol Police officers agree that there should be an independent commission to investigate January 6. Not just to look at narrow questions but to examine the big picture: extremism, disinformation, radicalization, incitement, and much more.
Senate Republicans blocked a bill to establish a commission, which now appears to be dead.
Read the original here:
Takeaways from the Senate report on January 6 security failures - WTOP
Microsoft buys ReFirm Labs to boost IoT security with firmware analysis – VentureBeat
Microsoft has acquired firmware security startup ReFirm Labs to boost its security capabilities for protecting internet of things and intelligent edge devices.
The intelligent edge, made up of cloud-connected devices capable of specialized tasks, has opened up a new attack surface, David Weston, Microsoft's director of enterprise and operating system security, told VentureBeat. Attacks targeting sensitive information such as credentials and encryption keys stored in memory are on the rise, and Microsoft has spent the past few years "securing the operating system below the operating system," he said.
"Microsoft believes that firmware is not a future threat, but an imperative to secure now as more devices flood the market and expand the available attack surface. We are committed to helping customers protect from these sophisticated threats now and in the future, which is why we're announcing that we have acquired ReFirm Labs," Weston wrote in a blog post on Tuesday. Microsoft declined to disclose the terms of the acquisition.
Microsoft has been focused on IoT security on multiple fronts, including Azure Defender for IoT, Azure Sentinel, and devices such as Edge Secured-core and Azure Sphere. The company has pledged to invest $5 billion in IoT by 2022. The acquisition of ReFirm Labs, with its expertise in firmware security and the Centrifuge firmware platform to analyze and detect security issues, is "a culmination of that [IoT] strategy," Weston said, and will enhance the company's chip-to-cloud protection capabilities.
"ReFirm allows us to assess all the code running on the device and provide a security rating before you connect the device," Weston said. The tool is "a key piece of the missing puzzle to make it easier for organizations to feel comfortable about deploying IoT. Today, you plug [the device] into the Internet and you say 'YOLO, I hope everything's cool.'"
ReFirm Labs develops the open source Binwalk firmware security analysis tool, which has been used by more than 50,000 organizations around the world to analyze thousands of IoT and embedded devices to identify firmware security issues. System builders and device owners use the tool to assess device risk by looking for known vulnerabilities that have not yet been patched, uncovering exposed secrets (security keys, tokens, and passwords), flagging default passwords, and detecting other security problems.
ReFirm's tool gives end users an easy way to determine the basic security posture of a device. The analyzer, which Weston called "essentially a drag-and-drop tool," unpacks the device firmware and performs nested scans looking for security issues. The tool can scan all kinds of IoT and edge devices regardless of who built them, such as smart light bulbs, cars, printers, smart refrigerators, or servers running edge applications. It returns an assessment report as well as a software bill of materials listing the components that were used.
Enterprises can use the assessment to understand whether the devices meet security and compliance requirements before deploying them in the environment. Once the devices are connected, IT teams can monitor them with Azure Defender for IoT. And Azure Device Update, IoT's version of Windows Update introduced six months ago, lets users apply patches.
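The passage above describes what a firmware analyzer does once the image is unpacked: walk the extracted filesystem and look for exposed keys, hardcoded and default passwords, and other posture problems. The following is an added illustration of that post-extraction stage, written for this page; it is not ReFirm's Centrifuge or Binwalk code. The sample root filesystem, its placeholder hash, key body and token are all constructed here, and the rule set goes slightly beyond what the article lists (a second UID-0 account and a password hash baked into the image, which is then identical on every unit shipped).

```python
"""Walk an unpacked firmware root filesystem and flag exposed secrets and
weak or shared credentials. Added illustration, not ReFirm's Centrifuge or
Binwalk code; the sample rootfs below is constructed for this example."""
import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass

# Constructed sample rootfs. The hash, key body and token are placeholders.
SAMPLE_ROOTFS = {
    "etc/passwd": "root:x:0:0:root:/root:/bin/sh\nadmin::0:0::/:/bin/sh\n",
    "etc/shadow": "root:$1$PLACEHOLDERSALT$PLACEHOLDERHASH:18000:0:99999:7:::\n",
    "etc/ssl/device.key": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
    "etc/config/cloud.conf": "mqtt_host=example.invalid\npassword=admin\napi_token=PLACEHOLDER_TOKEN\n",
    "usr/share/doc/README": "nothing sensitive here\n",
}

@dataclass
class Finding:
    path: str
    rule: str
    severity: str
    detail: str

# Line-oriented rules for text files: (rule name, default severity, regex).
RULES = [
    ("private_key", "high", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("hardcoded_password", "medium", re.compile(r"^\s*(?:password|passwd|pwd)\s*=\s*(\S+)", re.I)),
    ("api_token", "medium", re.compile(r"^\s*(?:api_token|token|secret)\s*=\s*(\S+)", re.I)),
]
DEFAULT_PASSWORDS = {"admin", "password", "root", "1234", "12345"}

def build_sample_rootfs(base):
    """Materialise SAMPLE_ROOTFS under base, as if an extractor had unpacked it."""
    for rel, content in SAMPLE_ROOTFS.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)

def check_passwd(text):
    """Accounts with an empty password field, or a second UID-0 account."""
    out = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 3:
            continue
        if f[1] == "":
            out.append(Finding("etc/passwd", "empty_password", "high", f"account {f[0]} has no password"))
        if f[2] == "0" and f[0] != "root":
            out.append(Finding("etc/passwd", "duplicate_uid0", "medium", f"account {f[0]} is UID 0"))
    return out

def check_shadow(text):
    """A real hash baked into the image is the same on every unit shipped."""
    out = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 2 and f[1] not in ("", "*") and not f[1].startswith("!"):
            out.append(Finding("etc/shadow", "shipped_password_hash", "medium", f"account {f[0]} ships a fixed hash"))
    return out

def scan_rootfs(base):
    """Apply RULES to every decodable text file, plus the account checks."""
    findings = []
    for dirpath, _, fnames in os.walk(base):
        for fname in fnames:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, base).replace(os.sep, "/")
            with open(full, "rb") as fh:
                raw = fh.read()
            try:
                text = raw.decode("utf-8")
            except UnicodeDecodeError:
                continue  # binary blob: signature scanning of blobs is out of scope here
            for lineno, line in enumerate(text.splitlines(), 1):
                for rule, severity, pattern in RULES:
                    m = pattern.search(line)
                    if not m:
                        continue
                    value = m.group(1) if m.groups() else ""
                    name, sev = rule, severity
                    if name == "hardcoded_password" and value.lower() in DEFAULT_PASSWORDS:
                        name, sev = "default_password", "high"  # well-known default: escalate
                    findings.append(Finding(rel, name, sev, f"line {lineno}"))
            if rel == "etc/passwd":
                findings.extend(check_passwd(text))
            elif rel == "etc/shadow":
                findings.extend(check_shadow(text))
    return sorted(findings, key=lambda f: (f.path, f.rule))

def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 3}."""
    return dict(Counter(f.severity for f in findings))

def demo():
    """Build the constructed rootfs in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_rootfs(base)
        return scan_rootfs(base)

if __name__ == "__main__":
    for f in demo():
        print(f"{f.severity:6} {f.rule:22} {f.path}: {f.detail}")
```

Against the constructed image the scan returns six findings: three high (passwordless account, private key on disk, default password in a config file) and three medium (second UID-0 account, fixed root hash, API token). A real pipeline would run this after extraction, feed the per-file inventory into the software bill of materials, and gate deployment on the severity summary.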
"Now the customers have pretty much everything they need: They can assess the device, they can monitor it, and they can update it on Patch Tuesday, just as if it was a Windows device," Weston said.
In the Windows world, IT teams rely on the Qualys Cloud Platform or Tenable's Nessus vulnerability scanner to assess the security of the network before applying all the Patch Tuesday updates. "Now you can do the same thing with IoT devices," Weston said.
System builders, people building devices to sell, will be able to use the analyzer to show their devices are secure, which would boost buyer confidence in those devices.
Microsoft has a vision of getting 50 billion intelligent edge devices connected to Azure, empowering digital transformation and running AI applications on the edge. The security issues are just getting worse. A recent Microsoft survey of 1,000 security decision makers found that 83% had experienced some level of firmware security incident. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) called out an increase in the number of attacks against difficult-to-patch firmware at the RSA Conference just last month.
Integrating ReFirm's technology into Azure Defender for IoT is just the first step, Weston said. It was important to give customers all the various capabilities while keeping complexity low. He envisions a future where firmware scanning is available across the Microsoft portfolio. "We're going to stitch it through everywhere it makes sense. We're going to integrate it into all the products that we can where we think we can help the user," Weston said.
Originally posted here:
Microsoft buys ReFirm Labs to boost IoT security with firmware analysis - VentureBeat
Adventures in Contacting the Russian FSB – Krebs on Security
KrebsOnSecurity recently had occasion to contact the Russian Federal Security Service (FSB), the Russian equivalent of the U.S. Federal Bureau of Investigation (FBI). In the process of doing so, I encountered a small snag: The FSB's website said in order to communicate with them securely, I needed to download and install an encryption and virtual private networking (VPN) appliance that is flagged by at least 20 antivirus products as malware.
The FSB headquarters at Lubyanka Square, Moscow. Image: Wikipedia.
The reason I contacted the FSB, one of the successor agencies to the Russian KGB, ironically enough had to do with security concerns raised by an infamous Russian hacker about the FSB's own preferred method of being contacted.
KrebsOnSecurity was seeking comment from the FSB about a blog post published by Vladislav "BadB" Horohorin, a former international stolen credit card trafficker who served seven years in U.S. federal prison for his role in the theft of $9 million from RBS WorldPay in 2009. Horohorin, a citizen of Russia, Israel and Ukraine, is now back where he grew up in Ukraine, running a cybersecurity consulting business.
Horohorin's "BadB" carding store, badb[.]biz, circa 2007. Image: Archive.org.
Visit the FSB's website and you might notice its web address starts with http:// instead of https://, meaning the site is not using an encryption certificate. In practical terms, any information shared between the visitor and the website is sent in plain text and will be visible to anyone who has access to that traffic.
This appears to be the case regardless of which Russian government site you visit. According to Russian search giant Yandex, the laws of the Russian Federation demand that encrypted connections be installed according to the Russian GOST cryptographic algorithm.
That means those who have a reason to send encrypted communications to a Russian government organization, including ordinary things like making a payment for a government license or fine, or filing legal documents, need to first install CryptoPro, a Windows-only application that loads the GOST encryption libraries on a user's computer.
But if you want to talk directly to the FSB over an encrypted connection, you can just install their own client, which bundles the CryptoPro code. Visit the FSB's site and select the option to "transfer meaningful information to operational units," and you'll see a prompt to install a "random number generation application" that is needed before a specific contact form on the FSB's website will load properly.
Mind you, I'm not suggesting anyone go do that: Horohorin pointed out that this random number generator was flagged by 20 different antivirus and security products as malicious.
"Think well before contacting the FSB for any questions or dealing with them, and if you nevertheless decide to do this, it is better to use a virtual machine," Horohorin wrote. "And a spacesuit. And, preferably, while in another country."
Antivirus product detections on the FSB's VPN software. Image: VirusTotal.
It's probably worth mentioning that the FSB is the same agency that's been sanctioned for malicious cyber activity by the U.S. government on multiple occasions over the past five years. According to the most recent sanctions by the U.S. Treasury Department, the FSB is known for recruiting criminal hackers from underground forums and offering them legal cover for their actions.
"To bolster its malicious cyber operations, the FSB cultivates and co-opts criminal hackers, including the previously designated Evil Corp., enabling them to engage in disruptive ransomware attacks and phishing campaigns," reads a Treasury assessment from April 2021.
While Horohorin seems convinced the FSB is disseminating malware, it is not unusual for a large number of security tools used by VirusTotal or other similar malware sandbox services to incorrectly flag safe files as bad or suspicious, an all-too-common condition known as a false positive.
Late last year I warned my followers on Twitter to put off installing updates for their Dell products until the company could explain why a bunch of its software drivers were being detected as malware by two dozen antivirus tools. Those all turned out to be false positives.
To really figure out what this FSB software was doing, I turned to Lance James, the founder of Unit221B, a New York City-based cybersecurity firm. James said each download request generates a new executable program. That is because the uniqueness of the file itself is part of what makes the one-to-one encrypted connection possible.
"Essentially it is like a temporary, one-time-use VPN, using a separate key for each download," James said. "The executable is the handshake with you to exchange keys, as it stores the key for that session in the exe. It's a terrible approach. But it's what it is."
James said the FSB's program does not appear to be malware, at least in terms of the actions it takes on a user's computer.
"There's no sign of actual trojan activity here except the fact it self-deletes," James said. "It uses GOST encryption, and [the antivirus products] may be thinking that those properties look like ransomware."
James says he suspects the antivirus false positives were triggered by certain behaviors which could be construed as malware-like. The screenshot below from VirusTotal says some of the file's contents align with detection rules made to find instances of ransomware.
Some of the malware detection rules triggered by the FSB's software. Source: VirusTotal.
Other detection rules tripped by this file include program routines that erase event logs from the user's system, a behavior often seen in malware that is trying to hide its tracks.
On a hunch that just including the GOST encryption routine in a test program might be enough to trigger false positives in VirusTotal, James wrote and compiled a short program in C++ that invoked the GOST cipher but otherwise had no networking components. He then uploaded the file for scanning at VirusTotal.
Even though James' test program did nothing untoward or malicious, it was flagged by six antivirus engines as potentially hostile. Symantec's machine learning engine seemed particularly certain that James' file might be bad, awarding it the threat name ML.Attribute.HighConfidence, the same designation it assigned to the FSB's program.
KrebsOnSecurity installed the FSB's software on a test computer using a separate VPN, and straight away it connected to an Internet address currently assigned to the FSB (213.24.76.xxx).
The program prompted me to click on various parts of the screen to generate randomness for an encryption key, and when that was done it left a small window which explained in Russian that the connection was established and that I should visit a specific link on the FSB's site.
The FSB's random number generator in action.
Doing so opened up a page where I could leave a message for the FSB. I asked them if they had any response to their program being broadly flagged as malware.
The contact form that ultimately appeared after installing the FSB's software and clicking a specific link at fsb[.]ru.
After all the effort, I'm disappointed to report that I have not yet received a reply. Nor did I hear back from S-Terra CSP, the company that makes the VPN software offered by the FSB.
James said that given their position, he could see why many antivirus products might think it's malware.
"Since they won't use our crypto and we won't use theirs," James said. "It's a great explanation on political weirdness with crypto."
Still, James said, a number of things just don't make sense about the way the FSB has chosen to deploy its one-time VPN software.
"The way they have set this up to suddenly trust a dynamically changing exe is still very concerning. Also, why would you send me a 256 random number generator seed in an exe when the computer has a perfectly valid and tested random number generator built in? You're sending an exe to me with a key you decide over a non-secure environment. Why the fuck if you're a top intelligence agency would you do that?"
Why indeed. I wonder how many people would share information about federal crimes with the FBI if the agency required everyone to install an executable file first, to say nothing of one that looks a lot like ransomware to antivirus firms?
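James' two objections, that the session key is chosen by the server and shipped inside a file fetched over plain HTTP, and that the client's own operating system already has a tested random number generator, can be made concrete with a passive-observer model. The following is an added illustration written for this page; it is not the FSB client, S-Terra's software, or James' test program. It assumes a toy XOR stream cipher standing in for the real GOST-based session encryption, and a Diffie-Hellman exchange over the RFC 3526 group 14 prime (generator 2) as the contrasting design, with both sides drawing their secrets from the OS CSPRNG via Python's `secrets` module.

```python
"""Passive-observer model for two key-distribution designs: a server-chosen
key carried inside a file fetched over plain HTTP, versus a Diffie-Hellman
agreement where only public values cross the wire. Constructed illustration;
not the FSB client, S-Terra code, or anything Lance James published."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP, generator 2); group_sanity_check() verifies
# the constant at runtime. Production code would use X25519 from a vetted library.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2

def group_sanity_check() -> bool:
    """For a safe prime p = 2q + 1 with p = 7 (mod 8), 2 has order q, so 2**q == 1 (mod p)."""
    return P % 8 == 7 and pow(G, (P - 1) // 2, P) == 1

def keystream_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy XOR stream cipher keyed by HMAC-SHA256 over a block counter.
    Symmetric, so the same call decrypts. Illustration only: a real design
    uses an AEAD such as AES-GCM or ChaCha20-Poly1305."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)

def key_in_download(message: bytes) -> bool:
    """The design the post describes: the server chooses the session key and
    ships it inside a one-off file fetched over plain HTTP. Returns True if a
    passive observer of that fetch can read the later traffic."""
    server_key = secrets.token_bytes(32)   # chosen entirely by the server
    download = server_key                  # stands in for the per-download exe
    wire_capture = download                # plaintext HTTP: the observer sees every byte
    ciphertext = keystream_encrypt(server_key, message)
    observer_view = keystream_encrypt(wire_capture, ciphertext)
    return observer_view == message

def dh_key_agreement(message: bytes) -> tuple:
    """Diffie-Hellman over group 14. Each side draws its own secret from the OS
    CSPRNG (the 'built-in' generator James refers to); only g^a and g^b cross
    the wire. Returns (client_reads_ok, observer_reads_ok)."""
    a = 1 + secrets.randbelow(P - 2)
    b = 1 + secrets.randbelow(P - 2)
    A, B = pow(G, a, P), pow(G, b, P)      # the only values an observer sees
    shared = pow(B, a, P)
    if shared != pow(A, b, P):
        raise RuntimeError("key agreement mismatch")
    key = hashlib.sha256(shared.to_bytes(256, "big")).digest()
    ciphertext = keystream_encrypt(key, message)
    client_reads_ok = keystream_encrypt(key, ciphertext) == message
    # Hashing what actually crossed the wire yields a different key; recovering
    # the real one means a discrete logarithm in a 2048-bit group. Note this
    # exchange is unauthenticated: it defeats a passive observer, and an
    # active one is what certificates or key pinning exist to stop.
    observer_key = hashlib.sha256(A.to_bytes(256, "big") + B.to_bytes(256, "big")).digest()
    observer_reads_ok = keystream_encrypt(observer_key, ciphertext) == message
    return client_reads_ok, observer_reads_ok

if __name__ == "__main__":
    msg = b"constructed sample message"
    print("group constant ok:", group_sanity_check())
    print("key-in-download: observer reads traffic ->", key_in_download(msg))
    print("DH agreement: (client ok, observer reads) ->", dh_key_agreement(msg))
```

The first function returns True: whoever saw the unencrypted download holds the same bytes the client does, so the "encrypted" session is readable to them. The second returns (True, False): both endpoints derive the same key, and nothing on the wire lets an observer do so. The client-side secret in the second design comes from `secrets.randbelow`, which is the OS generator James contrasts with a seed delivered in an executable.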
After doing this research, I learned the FSB recently launched a website that is only reachable via Tor, software that protects users' anonymity by bouncing their traffic between different servers and encrypting the traffic at every step of the way. Unlike the FSB's clear-web site, the agency's Tor site does not ask visitors to download some dodgy software before contacting them.
"The application is running for a limited time to ensure your safety," the instructions for the FSB's random number generator assure, with just a gentle nudge of urgency. "Do not forget to close the application when finished."
Yes, don't forget that. Also, do not forget to incinerate your computer when finished.
Excerpt from:
Adventures in Contacting the Russian FSB - Krebs on Security