Archive for the ‘Security’ Category

SCDF’s “I Am Safe” e-learning programme

December 13, 2016

This is a 15-minute e-learning programme that will equip residents with skills and knowledge on what to do if you were caught in a fire, and how to administer improvised first aid skills. I encourage all of you to sign up for SCDF’s hands-on learning programmes that will equip you with more advanced lifesaving skillsets. Such lifesaving skills will be of great benefit during any emergency situation, as you will be able to help those in need prior to the arrival of the SCDF officers. – Mr Amrin Amin, Parliamentary Secretary for Home Affairs

Malware Gooligan breaches more than 1 million Google accounts on Android OS

December 2, 2016

Here’s the list of infected apps and more information about the Gooligan malware.

Am I affected?
Go to this URL to check whether your Google account has been breached: enter the e-mail address associated with your Android device.

Currently the only remedy for a breached user is to reflash the operating system of the infected device. Check Point recommends that affected users have a certified technician perform a clean OS installation, and change their Google account password only after the device has been reflashed, since a new password entered on a still-infected device can simply be stolen again.

Source: Check Point (blog), BGR

iOS 9.3.5 to fix a critical security vulnerability

September 1, 2016

Apple last week (25 Aug 2016) released a patch for three bugs that together could let an attacker remotely jailbreak an iPhone and steal messages, call records, e-mails, logs and more, a serious threat for enterprises holding sensitive data on employee devices.

If you value your privacy, and you should, it would be a good idea to move to the iOS 9.3.5 update right now.

How to update the iOS Version (iPhones & iPads)

Open Settings → General → Software Update → Download and Install, and confirm afterwards that Settings → General → About shows version 9.3.5.

Top 10 Privacy Risks

April 23, 2016

Top 10 Privacy Risks (OWASP)
P1 Web Application Vulnerabilities
P2 Operator-sided Data Leakage
P3 Insufficient Data Breach Response
P4 Insufficient Deletion of personal data
P5 Non-transparent Policies, Terms and Conditions
P6 Collection of data not required for the primary purpose
P7 Sharing of data with third party
P8 Outdated personal data
P9 Missing or Insufficient Session Expiration
P10 Insecure Data Transfer

Top 10 Privacy Risks Countermeasures v1.0 (PDF)
Top 10 Privacy Risks Presentation (PPTX)

Enforcement and breach details

April 23, 2016

Enforcement and breach details, ST 23/04/2016

K BOX ENTERTAINMENT GROUP

The karaoke chain received the heaviest fine, $50,000, and was directed to appoint a data protection officer, which the law requires. The enforcement concerned a breach of 317,000 customers' records: their names, contact numbers and home addresses were posted on the paste site pastebin.com in September 2014.

Lax security measures caused the breach; for instance, access to its computers was protected by passwords consisting of a single letter of the alphabet.

FINANTECH HOLDING

K Box's IT vendor was fined $10,000 for failing to keep K Box's systems updated with current, patched software and for lax security procedures; for instance, the system administrator's account password was simply "admin".


StageFright – How to Protect Yourself from it

July 28, 2015

Experts Found a Unicorn in the Heart of Android

Attackers need only your mobile number: with it they can execute code remotely on your device via a specially crafted media file delivered by MMS. A fully weaponized attack could even delete the message before you see it, leaving only the notification. These vulnerabilities are extremely dangerous because they require no action by the victim. Unlike spear-phishing, where the victim must open a PDF or a link sent by the attacker, this vulnerability can be triggered while you sleep; before you wake up, the attacker can remove every sign that the device was compromised, and you continue your day as usual, with a trojaned phone.

These issues in the Stagefright media library critically expose about 95% of Android devices, an estimated 950 million. Android 2.2 and later, and devices derived from it, are vulnerable.

Disable MMS Auto-Retrieve to Prevent Attacks

Since the exploit works by sending an MMS that your phone downloads automatically, the one thing a user can do before a patch arrives is to stop the phone from auto-retrieving MMS, in every messaging app that is configured to receive MMS. The drawback is that you will have to tap future MMS messages to download them manually, but that is a small price to pay. Note that this only closes the MMS delivery route: the bugs themselves are in the media-parsing code and are fixed only by a security update from your device vendor, so install one as soon as it is offered.

How to Protect Your Android Device From StageFright Exploit

Tell Your Friends: How to Protect Yourself from Android’s Biggest Security Flaw in Years

Check If Your Wi-Fi Network Router Is Hacked

March 31, 2015

Router Checker from F-Secure is a web-based tool that checks, from your browser, which DNS server your device's queries are actually reaching: whether they are resolved by the server your router should be using, or have been redirected to a third party, which is the classic sign of a hijacked router. There is no app to download and no plug-in to install.
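The same question can be asked from the device itself: which resolvers is it actually using, and do they make sense? The PowerShell below is an added example, not F-Secure's tool or any code from the original post. It lists the IPv4 DNS servers configured on every active interface and flags any that is neither on a private (router or corporate) address nor on a short allow-list of well-known public resolvers; the allow-list and the flagging rule are this example's own assumptions. A hijacked router typically hands out a resolver on a public IP you have never heard of.

```powershell
# Added example: audit the DNS resolvers this Windows machine is really using.
# Requires Windows 8 / Server 2012 or later for Get-DnsClientServerAddress.

# Assumption: a short allow-list of public resolvers a user might have chosen deliberately.
$KnownPublicResolvers = @(
    '8.8.8.8', '8.8.4.4',         # Google Public DNS
    '1.1.1.1', '1.0.0.1',         # Cloudflare
    '9.9.9.9', '149.112.112.112'  # Quad9
)

function Test-LocalIPv4 {
    # True for RFC 1918 private ranges, loopback and link-local: the normal
    # home or office situation is a resolver on the router's LAN address.
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

function Get-ResolverVerdict {
    param([string]$Address)
    if (Test-LocalIPv4 $Address)                   { return 'local (router or corporate DNS)' }
    if ($KnownPublicResolvers -contains $Address)  { return 'known public resolver' }
    return 'UNEXPECTED public resolver - check the router'
}

Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $iface = $_.InterfaceAlias
        foreach ($srv in $_.ServerAddresses) {
            [pscustomobject]@{
                Interface = $iface
                Resolver  = $srv
                Verdict   = Get-ResolverVerdict $srv
            }
        }
    } | Format-Table -AutoSize
```

The verdict is a heuristic: an ISP's own resolver also lives on a public address, so compare an "UNEXPECTED" hit against the DNS settings shown on your router's admin page before concluding anything. A resolver that is neither the one the router was configured with nor one you chose yourself is the thing to investigate.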


Is that your name, address, phone number in the dump?

March 16, 2015

Is that your name, address, phone number in the dump?
Grace Chng, The Straits Times, Sunday, Mar 15, 2015

(Extract)

What the reporter found in trash bins.

The Sunday Times went to a number of high-rise office buildings in Raffles Place on a weekday afternoon, and found it easy to gain access to garbage bins which were kept in unlocked enclosures.

In the trash were many clean, printed documents and e-mails, including the following:

– A law firm’s business expansion plan, with personal details of lawyers it hoped to get on board, including their photographs, educational background and work history.

Under the Personal Data Protection Act this is a potential infringement, because photographs, names and professional information were disposed of improperly.


Lenovo Superfish vulnerability

February 23, 2015

Lenovo has been shipping the invasive "Superfish" adware preinstalled on new consumer PCs; on an affected machine it intercepts every HTTPS connection.

The biggest problem with Superfish is not the advertising itself but the way it hijacks legitimate TLS traffic. It installs a self-generated root certificate in the Windows certificate store and then re-signs the certificate of every HTTPS site with that root, so the browser sees a chain it trusts and shows no warning.

In other words, Superfish performs a man-in-the-middle attack on every secure site you visit. Worse, the same root certificate, private key included, was shipped to every affected PC, so anyone who extracts that key can impersonate any HTTPS site to those machines. Simply uninstalling the adware does not remove the rogue root certificate.

Microsoft's Windows Defender update (20 Feb) removes the adware and the rogue certificate from the Windows certificate store, but not from Firefox's own certificate store, which has to be cleaned separately.

Note: ThinkPad, ThinkCentre, Lenovo Desktop, ThinkStation, ThinkServer and System x products are not impacted.

Checks to see if your computer is infected with Superfish

Which Lenovo PCs have Superfish preinstalled?

Lenovo Superfish uninstall instructions

PCWorld’s guide to completely eradicating Superfish
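For anyone who would rather check than trust a scanner, the PowerShell below is an added example (not Lenovo's, Microsoft's or PCWorld's code) that walks every Windows certificate store for the machine and the current user, lists any certificate whose subject names Superfish, and can delete it. Matching on the string "Superfish" in the subject is this example's assumption about how the rogue root identifies itself; inspect the hit before removing it.

```powershell
# Added example: locate and remove the Superfish root from the Windows stores.
# Run from an elevated PowerShell to cover the LocalMachine stores.

function Find-SuperfishCert {
    # The Cert: drive exposes LocalMachine and CurrentUser stores; -Recurse walks them all.
    Get-ChildItem -Path Cert:\ -Recurse |
        Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
            $_.Subject -match 'Superfish'      # assumption: subject contains the vendor name
        } |
        Select-Object PSParentPath, Subject, Thumbprint, NotAfter
}

function Remove-SuperfishCert {
    param([switch]$WhatIf)   # pass -WhatIf to see what would be removed without deleting
    Get-ChildItem -Path Cert:\ -Recurse |
        Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
            $_.Subject -match 'Superfish'
        } |
        ForEach-Object {
            "Removing '$($_.Subject)' ($($_.Thumbprint)) from $($_.PSParentPath)"
            Remove-Item -Path $_.PSPath -WhatIf:$WhatIf
        }
}

$hits = Find-SuperfishCert
if ($hits) {
    $hits | Format-Table -AutoSize
    Remove-SuperfishCert -WhatIf      # drop -WhatIf once you have confirmed the hits
} else {
    'No Superfish certificate found in the Windows certificate stores.'
}

# Firefox keeps its own NSS store, which the Windows stores above do not cover.
# Check it under Options > Advanced > Certificates > View Certificates > Authorities,
# or with NSS's certutil (not the Windows certutil.exe) against each profile directory:
#   certutil -L -d "$env:APPDATA\Mozilla\Firefox\Profiles\<profile>"
#   certutil -D -n "<nickname shown by -L>" -d "$env:APPDATA\Mozilla\Firefox\Profiles\<profile>"
```

Removing the certificate is only half the job: uninstall the Superfish application as well, or it may re-install its root the next time it runs.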

General Advisory For Scams

October 29, 2014

Scams (Singapore Police Force)
Scammers are always coming up with new and innovative scams to cheat victims. Scammers use various communication platforms such as telephone calls, SMSes or online websites to reach out to their victims. Scammers will usually try to convince their victims into believing that they are trustworthy. Scammers will also manipulate their victims’ emotions such as fear or greed.

General Advisory For Scams
• Always be wary if approached directly by strangers or through telephone or emails;
• Always check on the credibility of information or messages that you are receiving. For instance you can check with friends or family members;
• Do not disclose your user account IDs, passwords, PINs or credit card details over e-mail. No e-mail service provider, bank, financial institution, company or website administrator would e-mail customers to request or verify their account information, passwords or PINs, for security reasons;
• Do not transfer any money via remittance agencies, banks or any other means to anyone whom you do not know;
• Remember that offers that are too good to be true are probably not; and
• Call the Police immediately at ‘999’ to report the scam.