Information Security News
TechNewsWorld | Firm Wins Patent for Novel Way to Detect Spearphishing | However, more than one in two (52 percent) infosec pros didn't believe execs in their organizations could spot a phishing scam, according to a survey released last week by Tripwire of 200 attendees at the RSA conference in San Francisco in February ...
Business Wire (press release) | Bomgar to Discuss Securing Vendor Access at InfoSec World 2016 | Bomgar will demonstrate the importance of securing vendor access with a live hack exemplifying how third parties can unwittingly leave your network vulnerable to a cyberattack. Bomgar will exhibit at booth No. 217. Bomgar connects people and technology ...
by Sean Gallagher
A slide from Check Point's presentation on "SideStepper" showing a malicious server pushing a fraudulent application to an iOS 9 device—all thanks to MDM hacking and Apple enterprise developer certificates. (credit: Check Point Software Technologies Ltd.)
Security researchers at Check Point Software claim to have found a weakness in Apple's mobile device management (MDM) interface for iOS devices that could be exploited to gain complete access to devices. Dubbed "SideStepper," the approach could allow an attacker to hijack enterprise management functions and bypass Apple's application security.
By sending a link to a victim's device, someone could take control of the MDM software on the phone and push potentially malicious applications to the device as well as perform other configuration changes as a remote administrator. While Apple's security screening for the applications it allows into its App Store is rigorous, there is a backdoor left in the screening process: enterprise app stores. And new research by Check Point being presented at Black Hat Asia 2016 shows that even with security improvements in iOS 9, attackers can kick that backdoor in by hijacking the enterprise management connection.
As long as they've registered with Apple's enterprise developer program to get a software signing certificate, attackers can social engineer victims into consenting to install applications that expose nearly every aspect of their phone's settings and data simply by abusing enterprise policy settings.
Virtual-Strategy Magazine | Peerlyst Blogger Explores a Recently Exposed Apple iMessage Vulnerability—and Its Implications for the Privacy-vs ... | As the go-to platform for information security professionals, a big part of Peerlyst's mission is providing inside perspective on cybersecurity news. For instance, Houmann's recent blog shares his own analysis, as well as perspective from respected ...