Tag Archives: technology

Billions Of Apple iPhones May Be Vulnerable To Attack: Check Point

Billions of Apple ( AAPL ) iPhones and iPads could be exposed in an iOS 9 vulnerability, Check Point Software Technology ( CHKP ) researchers were slated to announce Thursday morning at Singapore’s Black Hat Asia 2016 conference. Enterprise applications installed via Mobile Device Management (MDM) software are exempt from Apple’s latest security changes, which means that an attacker can hijack legitimate communications to install malicious apps, says the security firm. It’s still theoretical, Avi Rembaum, Check Point vice president of security solutions, told IBD on Wednesday. Black Hat gives researchers an opportunity to discuss hypothetical threat vectors, including this new so-called “Sidestepper” vulnerability. “Unfortunately, a lot of those things we talk about that might happen often end up happening,” he said. Few Barriers To Entry Apple recognized a key piece of the Sidestepper vulnerability in iOS 8. For $299 a year, an enterprise can purchase an Apple certificate to upload a private app via the Apple Developer Enterprise Program. “But if someone is going to be malicious, they don’t really care about signing a (certificate) agreement, plus it’s $299 per year to get that certificate,” Rembaum said. “There weren’t many barriers to entry.” Enterprises are headily embracing the “Bring Your Own Device” trend and, in one case study of a Fortune 100 company, Check Point found 318 private apps and 116 unique certificates on employees’ devices. Those numbers were suspiciously high, Rembaum said. “When we looked deeper … they were on the sketchier side and were from parts of the world that could be problematic,” he said. “We saw a very small number of them that would be considered white-listed (trustworthy).” So in iOS 9, Apple upped the challenges to installation, says Check Point. But the new challenges don’t cover MDM-pushed updates to employees’ devices. Of the 1.2 billion installed iPhones and iPads, 79% have iOS installed and are therefore vulnerable. Intercepting Legit Connections Enterprises often rely on MDM services like those by BlackBerry ( BBRY ) (via its Good Technology acquisition),  VMWare ( VMW ) and MobileIron ( MOBL ) to push updates onto employees’ devices, thereby avoiding the “headache” of ensuring that every app has identical settings, Rembaum said. That MDM-device connection, however, is also a powerful portal for Man-in-the-Middle (MitM) attacks, he said. A hacker can, theoretically, intercept the communications between MDM and device to install a certificate and then a malicious app. Often, the interception relies on social engineering, he said. “An attacker would send a text message to the target with a link to download the configuration file,” he said. “It would install a certificate and configuration instructions in the phone. The only thing the user has to do is say yes to installing.” Then the attacker is in — with access to a user’s address book, microphone, photos, GPS, apps and, possibly, company data. Education Alone Isn’t Enough Rembaum recommends that MDM users take a “multilayer approach” to mobile security. Because hackers often rely on social engineering to launch phishing attacks — by email, text message or social media — enterprises should train employees on red flags. Phishing attacks cost businesses more than $215 million between October 2013 and December 2014, according to a January report by the FBI. This month, Seagate Technology ( STX ) discovered that it had been duped into handing out nearly 10,000 W-2 forms belonging to former and current employees. The Seagate revelation came on the heels of a similar attack on privately held Snapchat. Scammers often change a single letter in an email address or impersonate a CEO’s email address, Barracuda Networks ’ ( CUDA ) Slawek Ligier and Proofpoint ’s ( PFPT ) Ryan Kalember told IBD. Outside education, an enterprise can install Check Point’s Mobile Threat Prevention (MTP) software and have its employees install the ZoneAlarm app, Rembaum said. FireEye ( FEYE ), Symantec ( SYMC ), Intel ’s ( INTC ) McAfee, Palo Alto Networks ( PANW ) and Proofpoint also compete in the mobile security space. A MitM attacker creates an encrypted tunnel — typically through a virtual private network (VPN) — to its own site, directing a user away from the legitimate MDM. Check Point’s MTP solution hunts down that encrypted tunnel. “The user would have received the text, clicked on the link and installed the certificate,” Rembaum said. “Then (Check Point’s software) would reach out and block the connection.” He added: “The actual installation of the malware wouldn’t have succeeded.”

SunEdison Bankruptcy Watch: YieldCos’ CEO Abruptly Exits

Brian Wuebbels late Wednesday stepped down as CEO of TerraForm Power ( TERP ) and TerraForm Global ( GLBL ), as parent company SunEdison ( SUNE ) is on the brink of default. Both TerraForm Power and TerraForm Global said the respective board of directors had formed an “office of the chairman” to run the concerns on an interim basis. Meanwhile, David Tepper’s hedge fund, Appaloosa Management, which owns 9.5% of Terraform Power, sued the yieldco and SunEdison in Delaware’s Chancery Court, demanding that TerraForm overhaul its Conflicts Committee, claiming controlling shareholder SunEdison has breached its fiduciary duties. Appaloosa Management in January sued SunEdison, saying it violated its fiduciary duties as it pursed its now-defunct effort to acquire Vivint Solar ( VSLR ). Also late Wednesday, S&P Dow Jones Indices said that WebMD Health ( WBMD ) will replace SunEdison the S&P MidCap 400, saying SunEdison no longer has a market cap to qualify for the index. Earlier, JPMorgan downgraded TerraForm Global, while FBR suspended coverage of the “unpredictable” SunEdison. SunEdison hasn’t released financials for beyond Sept. 30 and is in danger of default. Late Tuesday, TerraForm Power said there was “substantial risk” of a SunEdison bankruptcy, which might make its own talks with creditors “more difficult.” SunEdison stock plunged as low as 45 cents on Wednesday, but closed up 2 cents to 59 cents. TerraForm Power fell 2.7% to 8.38 but rose 3% late. TerraForm Global climbed 7.4% to 2.18, then advanced 7% in late trade. Vivint Solar rose 6 cents to 2.62.