Microsoft Finds Major Security Flaw ‘Dirty Stream’ in Android Apps Totalling Billions of Downloads

Microsoft discovered a major security vulnerability in multiple Android apps last week that could be exploited to gain unauthorised access to apps and sensitive data on the device. Interestingly, the flaw does not lie in the Android system code itself but in developers' improper use of a particular system component, which leaves loopholes open to exploitation. Notably, the flaw has been reported to Google, and the tech giant has taken steps to make the Android app developer community aware of the issue.

In a post on its Security Blog, the Microsoft Threat Intelligence team stated, “Microsoft discovered a path traversal-affiliated vulnerability pattern in multiple popular Android applications that could enable a malicious application to overwrite files in the vulnerable application’s home directory.” The researchers also highlighted that the vulnerability was spotted in several apps in the Google Play Store that had a combined total of more than four billion installations.

This vulnerability emerges when a developer incorrectly uses Android's content provider system, which is designed to secure data exchange between different apps on a device. The system includes data isolation, URI permissions, path validation and other security measures to stop unauthorised access by other apps or by anyone else breaking into the app. However, when the system is implemented improperly, a component called custom intents is affected. These are the messaging objects that carry two-way communication between different apps. When this vulnerability exists, the apps can bypass the security measures and let other apps (or hackers controlling them) access sensitive data stored in them.
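The misuse described above, as an added illustration that is not code from Microsoft's report, from Google's guidance or from any of the named apps: a receiving app asks the sending app's content provider for the display name of a shared file and writes the file under that name into its own private directory, so a name containing path separators lands outside the intended folder. The class, method names and the choice of the cache directory are assumptions made for this example; the Android APIs used (`ContentResolver.query`, `OpenableColumns.DISPLAY_NAME`, `ContentResolver.openInputStream`) are real.

```java
import android.content.ContentResolver;
import android.database.Cursor;
import android.net.Uri;
import android.provider.OpenableColumns;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

// Example class (hypothetical name) showing the weak pattern next to a hardened one.
public final class SafeFileImport {

    // Weak pattern from the article: the name advertised by the remote provider
    // becomes part of a path inside this app's private storage without any check.
    // A name such as "../shared_prefs/settings.xml" would resolve outside cacheDir.
    static File unsafeTarget(File cacheDir, String displayName) {
        return new File(cacheDir, displayName);
    }

    // Hardened version: treat the remote name as untrusted input. Reject empty
    // names and anything containing a separator, then confirm that the canonical
    // path of the result still lies inside the directory we intend to write to.
    static File safeTarget(File cacheDir, String displayName) throws IOException {
        if (displayName == null || displayName.isEmpty()
                || displayName.contains("/") || displayName.contains("\\")
                || displayName.equals(".") || displayName.equals("..")) {
            throw new IOException("rejected file name supplied by remote provider");
        }
        File target = new File(cacheDir, displayName);
        String base = cacheDir.getCanonicalPath() + File.separator;
        if (!target.getCanonicalPath().startsWith(base)) {
            throw new IOException("resolved path escapes " + base);
        }
        return target;
    }

    // Ask the sending app's provider which name it advertises for the URI.
    // This value is fully controlled by the other app, hence the checks above.
    static String displayNameOf(ContentResolver resolver, Uri uri) {
        String[] projection = { OpenableColumns.DISPLAY_NAME };
        try (Cursor c = resolver.query(uri, projection, null, null, null)) {
            if (c != null && c.moveToFirst()) {
                int idx = c.getColumnIndex(OpenableColumns.DISPLAY_NAME);
                if (idx >= 0) {
                    return c.getString(idx);
                }
            }
        }
        return null;
    }

    // Copy a shared file into the app's cache directory using the hardened check.
    // Called from the activity that receives the share intent (not shown).
    static File importShared(ContentResolver resolver, Uri uri, File cacheDir)
            throws IOException {
        File target = safeTarget(cacheDir, displayNameOf(resolver, uri));
        try (InputStream in = resolver.openInputStream(uri);
             OutputStream out = new FileOutputStream(target)) {
            if (in == null) {
                throw new IOException("provider returned no stream");
            }
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) {
                out.write(buf, 0, n);
            }
        }
        return target;
    }
}
```

The two guards are deliberately redundant: the separator check gives a clear error for the obvious case, while the canonical-path comparison also catches names that only escape after symlink resolution. Writing to a freshly chosen name inside the app's own cache directory, rather than to a location derived from the remote name, is the simplest way to stay out of this class of bug altogether.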

In an attack on the device, hackers can exploit this vulnerability from just one app to reach every app that contains the loophole. This enables the bad actors to gain complete control over the device or steal sensitive data, including financial information. Notably, the vulnerability was found in the Xiaomi File Manager and WPS Office apps. Microsoft stated in its report that the developers behind both apps have investigated and fixed the issue.

Google has also taken cognisance of the issue and published a post on its Android Developers blog highlighting the common errors and ways to fix them. Developers of affected apps are expected to release fixes in the coming days. While end users cannot do much to avoid this vulnerability, it is recommended that they keep the apps on their devices updated and avoid downloading apps from third-party sources for a while.


Affiliate links may be automatically generated – see our ethics statement for details.

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who’sThat360 on Instagram and YouTube.





Check out our Latest News and Follow us at Facebook

Original Source

SBI MD Encourages MFIs to Enhance Data Privacy, Cyber Security

State Bank of India (SBI) managing director Alok Kumar Choudhary on Wednesday said there is a need for micro finance institutions (MFIs) to pay attention to data privacy and cyber security as they deal with data of a large number of customers. 

Speaking at a conference organised by Sa-Dhan, he said MFIs should also focus on capacity building to deal with the challenges of the future.

“The second thing which is very important is the integration with the evolving regulation particularly when you have data privacy law. The enormous amount of data which has been handled by all the MFIs, this particular aspect (data privacy) requires attention and some kind of action plan needs to be in place,” he said.

Financial institutions need to focus on improving ease of transaction through digital means, he said, adding that customers' needs in changing times have to be addressed according to their convenience and ease.

“For this segment of (bottom of the pyramid) customers, we need to understand what they want and ease with which their desire can be fulfilled,” he said.

SBI has a significant credit line to MFIs as well as to NBFCs that are trying to foster financial inclusion.

Talking about SBI's participation in the government's financial inclusion drive, Choudhary said the bank alone has opened 36 per cent of the total accounts opened under PM Jan Dhan Yojana.

More than 50 crore bank accounts have been opened under the PM Jan Dhan Yojana in the last nine years and the deposit balance swelled to over Rs. 2.03 lakh crore.

With regard to Atal Pension Yojana, he said SBI has enrolled 32 per cent of the total subscribers under the scheme.

Speaking at the event, SIDBI Chairman and Managing Director S Ramann said MFIs should not be complacent about their customer base as there is so much digital disruption happening around.

New players would enter the financial space and can drive traditional players out if the sector does not keep pace with time, he said.


Samsung launched the Galaxy Z Fold 5 and Galaxy Z Flip 5 alongside the Galaxy Tab S9 series and Galaxy Watch 6 series at its first Galaxy Unpacked event in South Korea. We discuss the company’s new devices and more on the latest episode of Orbital, the Gadgets 360 podcast. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.

Google, Apple Representatives to Meet Parliamentary Panel to Discuss Cyber Security

The Parliamentary Standing Committee on Finance has called representatives of several banks such as the Punjab National Bank as well as global and national tech majors, including Google, Apple and Paytm, next week to discuss issues related to cyber security and rising cases of cyber crimes.

The committee, headed by BJP’s Jayant Sinha, has called the representatives of the Punjab National Bank (PNB), Bank of India, Yes Bank and Indian Computer Emergency Response Team (CERT-In) on July 4 to take oral evidence on “cyber security and rising incidence of cyber/white collar crimes”. On the same day, it has separately called representatives of tech majors One97 Communications (Paytm), Flipkart, Google and Apple on the same issue.

Cyber crimes have become an increasing threat with savvy online operators resorting to various tricks to defraud people of their money. The issue of cyber security and rising incidence of cyber crimes was at the centre of deliberations at a meeting of the panel held earlier this month too as experts from the industry were quizzed by lawmakers about various facets of unlawful activities, including fraud loan applications. The issue of fraud lending apps, which have been hitting headlines with rising complaints of people being swindled or forced to pay exorbitant interest rates, was also discussed at the meeting.

The firms represented at the earlier meeting included Chase India, Razorpay, PhonePe, CRED and QNu Labs as well as Nasscom, a premier trade body and chamber of commerce of the tech industry in India.

The parliamentary committee includes P Chidambaram, Sougata Roy, Sushil Modi, Amar Patnaik, among others.



Kaspersky Appoints Jaydeep Singh as Head for India Operations

Cyber security company Kaspersky on Wednesday said it has appointed Jaydeep Singh as its general manager for India to head operations in the country.

Singh will be responsible for leading Kaspersky’s business operations and driving growth across the country, especially in the enterprise segment, in his role as General Manager for India, the company said in a statement.

“I am delighted to welcome Jaydeep to the team. His expertise in the enterprise segments and our targeted industry domains will ensure that Kaspersky adopts resilient strategies to guide our sales and marketing efforts in India,” Kaspersky Managing Director for Asia Pacific Adrian Hia said.

Before his appointment at Kaspersky, Singh held senior leadership roles at companies such as Citrix, where he was sales director. He has also worked with Oracle as senior sales director.

“With cyberattacks on the rise, organisations need reliable cybersecurity solutions. I look forward to bringing my frontline operational and strategic experience to Kaspersky’s customers and partners in India,” Singh said. 

A few days back, Kaspersky discovered a new cyberattack threat that targets iPhone models running older versions of iOS via the iMessage application. The malware, found while the company was monitoring its own Wi-Fi network for mobile devices, infects the phone through a received iMessage carrying a malicious attachment. The threat requires no action from the iPhone user and exploits an iOS vulnerability to install spyware that takes complete control of the device and user data.

Kaspersky said that the malware was found on the iPhones of dozens of employees and could target other iPhone users as well.



TikTok Banned From Government Devices in Two US States Over Security Concerns; Huawei, Tencent Also Barred

The governors of Wisconsin and North Carolina on Thursday signed orders banning TikTok on government devices due to cyber security concerns, joining other US states and the federal government in prohibiting the use of the popular video app.

In addition to banning Chinese-owned TikTok from state devices, Wisconsin Governor Tony Evers said he was banning vendors, products and services from other Chinese companies, including Huawei Technologies, Hikvision, Tencent Holdings (the owner of WeChat) and ZTE Corp, as well as Russia-based Kaspersky Lab.

“In the digital age, defending our state’s technology and cybersecurity infrastructure and protecting digital privacy have to be a top priority for us as a state,” Evers said.

North Carolina Governor Roy Cooper signed an order directing officials to develop a policy within 14 days that prohibits the use of TikTok, WeChat and “potentially other applications” that present cybersecurity risks on state devices.

More than 20 other states, including Ohio, New Jersey and Arkansas earlier this week, have also banned TikTok, owned by Chinese technology conglomerate ByteDance, from state devices.

TikTok said it was “disappointed that so many states are jumping on the political bandwagon to enact policies that will do nothing to advance cybersecurity in their states and are based on unfounded falsehoods about TikTok.”

The Democratic governors of Wisconsin and North Carolina joined mostly Republican governors who have led the charge to ban TikTok from state devices.

Calls to ban TikTok from government devices gained steam after US FBI Director Christopher Wray said in November it poses national security risks.

Wray flagged the threat that the Chinese government could harness the app to influence users or control their devices.

For three years, TikTok – which has more than 100 million users – has been seeking to assure Washington that the personal data of US citizens cannot be accessed and its content cannot be manipulated by China’s Communist Party or any other entity under Beijing’s influence.

Last month, US President Joe Biden signed into law a government funding bill that bars federal employees from using or downloading TikTok on government-owned devices.

The law gives the White House Office of Management and Budget (OMB) 60 days “to develop standards and guidelines for executive agencies requiring the removal” of TikTok from federal devices. OMB declined to comment Thursday.

© Thomson Reuters 2023



Cloudflare Manages to Block Massive DDoS Attack on Unnamed Crypto Platform

Cloudflare, a company that specialises in web security, has confirmed that it stopped what it believes to be one of the largest distributed denial-of-service (DDoS) attacks on record, which targeted an unnamed cryptocurrency company. The attack was detected and mitigated automatically by Cloudflare's defence systems, which were set up for one of its customers on a paid plan. At its peak, the attack reached 15.3 million requests per second (rps), which, according to Cloudflare, makes it the largest HTTPS DDoS attack the company has ever mitigated.

The attack reportedly lasted less than 15 seconds and targeted a crypto launchpad, which Cloudflare analysts in a blog post said are “used to surface Decentralised Finance (DeFi) projects to potential investors.”

The blog post adds that the botnet used by the attacker comprised about 6,000 unique bots originating from more than 1,300 different networks in 112 countries around the world, with about 15 percent of the traffic coming from Indonesia. Other countries generating the most traffic included Russia, Brazil, India, Colombia and the US.

Cloudflare researchers didn’t name the botnet but said it was one that they’ve been watching and had seen attacks as large as 10 million rps that matched the same fingerprint.

As described by Cloudflare, a distributed denial-of-service (DDoS) attack is essentially an attempt to “maliciously disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.”

“DDoS attacks achieve effectiveness by utilising multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices,” adds Cloudflare.

In an HTTPS attack, such as the one used this time against the crypto platform, the botnet attempts to overwhelm the target's server with a massive number of requests in order to consume compute power and memory, with the goal of making it near impossible for legitimate users to access the website.

“HTTPS DDoS attacks are more expensive in terms of required computational resources because of the higher cost of establishing a secure TLS encrypted connection,” the Cloudflare threat-hunters wrote. “Therefore, it costs the attacker more to launch the attack, and for the victim to mitigate it. We’ve seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale.”

