Android Backdoor Hack GhostCtrl can Silently Record Your Audio, Video & More!

There are three versions of GhostCtrl. The first stole information and controlled some of the device’s functionalities without obfuscation, while the second added more device features to hijack. The third iteration combines the best of the earlier versions’ features—and then some. Based on the techniques each employed, we can only expect it to further evolve.

What can it do to your Android?

  • Clearing/resetting the password of an account specified by the attacker
  • Getting the phone to play different sound effects
  • Specifying the content in the Clipboard
  • Customizing the notification and shortcut link, including the style and content
  • Controlling the Bluetooth to search and connect to another device
  • Setting the accessibility to TRUE and terminating an ongoing phone call

The data GhostCtrl steals is extensive, compared to other Android info-stealers. Besides the aforementioned information types, GhostCtrl can also pilfer information like Android OS version, username, Wi-Fi, battery, Bluetooth, and audio states, UiMode, sensor, data from camera, browser, and searches, service processes, activity information, and wallpaper.

It can also intercept text messages from phone numbers specified by the attacker. Its most daunting capability is how it can surreptitiously record voice or audio, then upload it to the C&C server at a certain time. All the stolen content will be encrypted before it is uploaded to the C&C server.

GhostCtrl’s first version has a framework that enables it to gain admin-level privilege. While it had no function codes at the time, the second version did. The features to be hijacked also incrementally increased as the malware evolved into its second and third iterations.

GhostCtrl’s second version can also be a mobile ransomware. It can lock the device’s screen and reset its password, and also root the infected device. It can also hijack the camera, create a scheduled task of taking pictures or recording video, then surreptitiously upload them to the C&C server as mp4 files.

Mitigation

GhostCtrl’s combination with an information-stealing worm, while potent, is also telling. The attackers tried to cover their bases, and made sure that they didn’t just infect endpoints. And with the ubiquity of mobile devices among corporate and everyday end users, GhostCtrl’s capabilities can indeed deliver the scares.

But more than its impact, GhostCtrl underscores the importance of defense in depth. Multilayered security mechanisms should be deployed so that the risks to data are better managed. Some of the best practices that information security professionals and IT/system administrators can adopt to secure bring-your-own devices (BYOD) include:

  • Keep the device updated; Android patching is fragmented and organizations may have custom requirements or configurations needed to keep the device updated, so enterprises need to balance productivity and security
  • Apply the principle of least privilege—restrict user permissions for BYOD devices to prevent unauthorized access and installation of dubious apps
  • Implement an app reputation system that can detect and block malicious and suspicious apps
  • Deploy firewalls, intrusion detection, and prevention systems at both the endpoint and mobile device levels to preempt the malware’s malicious network activities
  • Enforce and strengthen your mobile device management policies to further reduce potential security risks
  • Employ encryption, network segmentation and data segregation to limit further exposure or damage to data
  • Regularly back up data in case of device loss, theft, or malicious encryption

Source: Trend Micro

Internet Connected Pest Control: Tough on Rats

In 2012, Swedish pest control company Anticimex began a period of rapid expansion into 18 countries and now reaps revenues of $474 million thanks in part to an aggressive new technology plan that hinges in part on the Internet of Things. Anticimex’s embrace of IoT goes back to a regional manager in central Europe reading a story about rat infestations in Copenhagen and inventing a motion-detector-based rat trap for use in sewers, according to the company’s CIO Daniel Spahr.

IoT Target: Rats

The basic system Anticimex uses for its main industrial customers used to be totally manual – a worker would have to stop by once a week or once a month to check if any rats had been unlucky enough to be caught in a given trap.

“What happens during that other 29 days of the month? Do you really know that nothing’s happening? With the digital traps, you do know,” said Spahr.

Anticimex’s smart traps send real-time data back to the company, detailing whether they’re detecting nearby motion, and whether the trap has been activated. The units are powered by rechargeable batteries of various sizes, and can also send warnings when they’re low on power or otherwise need maintenance.

The networking is based on SIM cards, sending SMS messages via 2G and 3G networks to a central hub located in Denmark, keeping the team in the loop on what’s happening with its traps around the clock. The comparatively low-tech method of communication has the added bonus of being highly secure - it's hard to hack a system with just a text message.

The Data

When the system started out, Spahr said, it wasn’t particularly sophisticated in the way it handled the information sent back to headquarters.

“[The original] system has some basic reporting, but it’s more of a straightforward, dumb database,” he told Network World.

That’s changed since then, thanks to new technology from software company IFS. In the past year, the two companies have worked to create a more meaningful IoT platform, getting data into a more useful repository.

Spahr said that Anticimex has been using the new platform since April – the initial trial run is taking place in Finland – and is just now starting to really crunch the numbers to make the business more efficient. Identifying battery life trends – including bad cells that should be replaced – can help with resource planning.

“It’s like if you walked up to a whiteboard and you pick up a pen, and it’s not working, the thing that everybody does is they put on the cap and they put it back and they grab another pen – what they should do is throw away that pen,” he said.

Anticimex also hopes to be able to track pest trends globally, letting the company’s sales and marketing departments target their efforts more precisely. But in the longer-term, Spahr said that the idea is to make some of the information easily available to customers, giving them a look into pest control efforts taking place on their premises.

Source: Network World

Hack Brief: MySpace Security Flaw Let Anyone Take Over Any Account

The Hack

Security researcher Leigh-Anne Galloway notified Myspace about the flaw in April, and published details about it on Monday after failing to receive a substantive response.

The problem stems from Myspace not being, you know, the most widely-used service anymore. As such, it has extensive mechanisms and advice available for recovering accounts when you’ve lost the password, no longer have access to the email address associated with the account, or don’t remember your Myspace username.

Galloway discovered that the Account Recovery form doesn't actually require very much information to validate ownership of an account and take control of it. Since the name and username associated with an account show up on its public profile, Myspace’s account recovery setup was such that you really only needed someone’s date of birth to complete an account takeover. The form claimed that other fields like the account email address were "required," but it wasn't actually validating these fields in practice.
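The gap between a field labelled "required" and a field the server actually checks can be shown in a few lines. The following is an added example, not Myspace's code: the account record, field names and both function names are constructed for illustration, and the stricter handler (including sending the reset only to the address on file) is an assumption about what such a check could look like, not the fix Myspace deployed.

```python
import hmac

# Constructed account record; every value here is made up for illustration.
ACCOUNTS = {
    "tom_example": {
        "name": "Tom Example",
        "username": "tom_example",
        "date_of_birth": "1980-01-01",
        "email": "tom@example.com",
    }
}

REQUIRED_FIELDS = ("name", "username", "date_of_birth", "email")


def recover_flawed(form):
    """Mirrors the behaviour described: 'required' is only a label on the form.

    Name and username are public on the profile, so date of birth is the
    only value the requester actually has to know.
    """
    account = ACCOUNTS.get(form.get("username", ""))
    if account is None:
        return False
    return (form.get("name") == account["name"]
            and form.get("date_of_birth") == account["date_of_birth"])


def _same(submitted, stored):
    # Constant-time comparison after normalising case and whitespace.
    a = str(submitted).strip().lower().encode()
    b = str(stored).strip().lower().encode()
    return hmac.compare_digest(a, b)


def recover_checked(form):
    """Server-side enforcement: every required field must be present and match."""
    missing = [f for f in REQUIRED_FIELDS if not str(form.get(f, "")).strip()]
    if missing:
        return False, "missing: " + ", ".join(missing)
    account = ACCOUNTS.get(form["username"])
    if account is None:
        return False, "no match"
    # Compare every field before deciding, so the reply never says which one failed.
    results = [_same(form[f], account[f]) for f in REQUIRED_FIELDS]
    if not all(results):
        return False, "no match"
    # Even on a full match, control goes only to the address already on file.
    return True, "reset link sent to address on file"
```

A request carrying only the public name and username plus a date of birth passes `recover_flawed` but is rejected by `recover_checked`, which is the difference between decorating a form and validating it.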

“This is indicative of the landscape we live in,” Galloway says. “Everything is done online, which means there is more and more code online. Web applications are the front door to an organization. The consequences of getting access can be catastrophic.”

Who’s Affected?

Who can say! Myspace has been cagey for years about how many users it still has, and it's unclear how long this account recovery form was live. “I haven't had a response from MySpace,” Galloway says. A lot of Myspace user data got scrubbed in its redesign a few years ago, but the mass exodus away from the service when social networks like Facebook were on the rise definitely left a number of forgotten accounts that are still live in some form and could be exploited.

Myspace's decision on Monday to revoke public access to the page indicated that the company was aware of the situation and investigating. It later said in a somewhat forlorn statement, "In response to some recent concerns raised regarding Myspace user account reactivation, we have enhanced our process by adding an additional verification step to avoid improper access. We take data security very seriously at Myspace. We plan to continue to refine and improve this process over time."

How Serious Is This?

Last year some estimates said that Myspace, which was purchased by Time Inc. last year and lives on as a music and entertainment-focused site, was still hanging on to 20 million to 50 million unique views per month. But legacy technologies can still potentially hold valuable data, and Myspace of all services should know this after it disclosed its massive breach in 2016.

"I think the public is just waking up to the realities of living a connected life," Galloway says. "This is a good thing and will put more pressure on organizations to implement smarter security."

This flaw may not be the worst digital threat facing consumers right now, but each small erosion of consumer trust adds up. If you still have a Myspace account kicking around, the time has come to rediscover its existence, and delete it.

Source: Wired

What is 5G? Wireless technology that could enable mobile-only networking

It’s not too early to start basic planning of how 5G might benefit IT

The next step in the evolution of wireless WAN communications - known as 5G - is about to hit the front pages, and for good reason: it will complete the evolution of cellular from wireline augmentation to wireline replacement, and strategically from mobile-first to mobile-only.

Even though at its core 5G is more about evolution than revolution, it’s not too early to start at least basic planning to understand how 5G will fit into and benefit IT plans across organizations of all sizes, industries and missions.

5G will of course provide end-users with the additional throughput, capacity, and other elements to address the continuing and dramatic growth in geographic availability, user base, range of subscriber devices, demand for capacity, and application requirements, but will also and equally importantly enable carriers, operators, and service providers to benefit from new opportunities in overall strategy, service offerings, and broadened marketplace presence.

  • Enhanced throughput – As is the case with Wi-Fi, major advances in cellular are first and foremost defined by new upper-bound throughput numbers. The magic number here for 5G is in fact a floor of 1 Gbps, with numbers as high as 10 Gbps mentioned by some. However, and again as is the case with Wi-Fi, it’s important to think more in terms of overall individual-cell and system-wide capacity. We believe, then, that per-user throughput of 50 Mbps is a more reasonable – but clearly still remarkable – working assumption, with up to 300 Mbps peak throughput realized in some deployments over the next five years. The possibility of reaching higher throughput than that exceeds our planning horizon, but such is, well, possible.
  • Reduced latency – Perhaps even more important than throughput, though, is a reduction in the round-trip time for each packet. Reducing latency is important for voice, which will most certainly be all-IP in 5G implementations, video, and, again, in improving overall capacity. The over-the-air latency goal for 5G is less than 10ms, with 1ms possible in some defined classes of service.
  • Advances in management and OSS – Operators are always seeking to reduce overhead and operating expense, so enhancements to both system management and operational support systems (OSS) yielding improvements in reliability, availability, serviceability, resilience, consistency, analytics capabilities, and operational efficiency, are all expected. The benefits of these will, in most cases, however, be transparent to end-users.
  • Increased mobility – Very-high-speed user mobility, to as much as hundreds of kilometers per hour, will be supported, thus serving users on all modes of transportation. Regulatory and situation-dependent restrictions – most notably, on aircraft – however, will still apply.
  • Improved security – As security remains the one aspect of IT where no one is ever done, enhancements to encryption, authentication, and privacy are expected. It would not be surprising to see identity management (IDM) solutions along the lines of those now at work in many organizations available from at least a few carriers. Current IDM suppliers as well might be more than mildly interested in extending their capabilities to 5G services purchased by enterprises.
  • New spectrum – It is expected that frequencies in the so-called millimeter-wave bands above 30GHz will see service in at least some 5G deployments. Both licensed and unlicensed spectrum at these frequencies is available in many parts of the world. MM wave frequencies are often appropriate to small cells since they require smaller and less obtrusive antennas, and the inherent signal directionality can multiply spectral efficiency. The core disadvantages for MM waves are less applicability to traditional larger cells along with poor object (e.g., buildings) penetration, but such can again be advantages in terms of frequency reuse. Regardless, more spectrum is required given the throughput and capacity objectives that justify 5G development and deployment – present spectral allocations will most certainly not suffice even with the ability to aggregate smaller blocks of spectrum.
  • New enabling technologies – We expect to see higher-order MIMO implementations, sometimes described as “massive” with, for example, 16-64 streams, more aggressive modulation and channel coding, improved power-utilization efficiency, and related advances. Small cells will see frequent application, and the days of large cell towers may be numbered in more densely populated areas. Current trends otherwise at work in networks today, including SDN and NFV, will also see application in 5G, with much infrastructure implemented within cloud-based services. 5G will likely require no major advances in chip or manufacturing technologies, and device power consumption will likely benefit from more limited geographic range even as higher clock rates take a small toll here. Still, much work remains in terms of both technical and feasibility analysis as well as cost, but we see no showstoppers on the horizon. There is no danger of producing another WiMAX that offers marketing hype with no clear advantages over the previous generation, and the overall level of technical risk is low. Perhaps the greatest challenge is schedule slip, as the complex nature of the systems engineering that is required needs more time than many expect.
  • Universal application support – 5G as a wireline replacement will have to support every class of traffic and every conceivable device, from broadcast-quality video distribution to telemetry, implantable medical devices, augmented and virtual reality, and advanced interactivity and graphics – and not just for gaming. The list also includes connected and autonomous cars, remotely-piloted vehicles (drones), public safety, building and municipal automation/monitoring/control, and disaster relief, including relocatable infrastructure with moving cells and support for dynamic wireless meshing. Also in the mix are robotics and IoT devices tolerant of limited data throughput and highly-variable latency. We expect literally tens of billions of 5G devices to be deployed over the next decade or so, so the scale of both the challenge and the demand is clear.
  • Industry growth – Finally, carriers, operators, and equipment vendors of both infrastructure and subscriber devices simply require the deployment of new technologies with quantifiable end-user-visible benefits from time to time in order to continue to grow their businesses. New subscriber units alone cannot accomplish this goal.

In short, 5G is a business opportunity being designed and implemented to provide all of the communication capabilities and performance we expect from a wireline network. Getting to that point, given all of the requirements above, won’t be easy, quick, or inexpensive.

Source: Network World

Fraud and the Internet of Things

We must stay vigilant about security.

During the past few years, the Internet of Things (IoT) has become one of the hottest movements of our time. Although many technology trends and buzzwords come and go overnight, it’s clear that the IoT is here to stay. Almost half of the world's population is online, and technology is a deeply integrated part of our lives. Smart thermostats regulate our business and household temperatures, connected cameras watch over our homes and pets, online TVs and speakers respond to our every need, and intelligent devices constantly monitor our health.

According to Gartner, the number of world-wide Internet connected devices will grow to 11.4 billion by 2018. It’s a phenomenal trend that will continue to spread until human and machine connectivity becomes ubiquitous and unavoidably present.

Of course, anything that develops this rapidly will bring a lot of growing pains, and the IoT is no exception. Security hazards are one of the largest concerns. The market has emerged so quickly that manufacturers have hastily created insecure products in their rush to bring goods to market. Security has received very little, if any, attention. Despite this lack of security and the inherent dangers it brings, we continue to buy and deploy these smart gadgets. As Amy Webb, futurist and CEO at the Future Today Institute, proclaims: "Technology can be like junk food. We'll consume it, even when we know it's bad for us."

There’s little doubt that the growth of insecure IoT devices will increase fraud. We’ve already seen numerous attacks against point-of-sale terminals and ATM machines. Recently, we witnessed how self-propagating malware can infect IoT devices en masse. In October 2016, nearly 150,000 smart security cameras were infected with malware as part of the Mirai attack. In that particular assault, the compromised cameras launched a denial of service attack against the internet’s backbone, but the target could just as easily have been financial service organizations.

Today’s cybercriminals are organized, smart, and well equipped. They have the funding and resources to infect millions of IoT gadgets with disruptive mechanisms, spyware, password snatchers, legitimate device imitators, and a host of other nasty contraptions.

The only way to effectively protect ourselves is to stay continually vigilant and stay up to date with the latest knowledge and the most advanced security and fraud prevention tools. The threats are dramatically changing, and if we want to minimize our risks of being attacked, we must be willing to change and adapt as well.

Source: Network World