
Slave Labor in China - Apple Moves Out - Spyware posing as VPN apps - Darknet markets generate millions in revenue by selling stolen personal data - Voice-scamming site “iSpoof” seized

2022/12/10

Craig Peterson - Secure Your Business, Your Privacy, and Save Your Sanity


Craig Peterson 

Insider Show Notes
December 5 to December 11, 2022

China…

Apple Makes Plans to Move Production Out of China https://www.wsj.com/articles/apple-china-factory-protests-foxconn-manufacturing-production-supply-chain-11670023099

In recent weeks, Apple Inc. has accelerated plans to shift some of its production outside China, long the dominant country in the supply chain that built the world’s most valuable company, say people involved in the discussions. It is telling suppliers to plan more actively for assembling Apple products elsewhere in Asia, particularly India and Vietnam, they say, and is looking to reduce dependence on Taiwanese assemblers led by Foxconn Technology Group.

After a year of events that weakened China’s status as a stable manufacturing center, the upheaval means Apple no longer feels comfortable having so much of its business tied up in one place, according to analysts and people in the Apple supply chain.

Cybercrime…

Spyware posing as VPN apps https://www.welivesecurity.com/videos/spyware-posing-vpn-apps-week-security-tony-anscombe/

Bahamut APT group targets Android users via trojanized versions of two legitimate VPN apps – SoftVPN and OpenVPN. Since January 2022, Bahamut has distributed at least eight malicious apps to pilfer sensitive user data and actively spy on victims’ messaging apps. These apps were never available for download from Google Play; instead, they were distributed through a fake SecureVPN website.

++++++++ Darknet markets generate millions in revenue by selling stolen personal data https://arstechnica.com/tech-policy/2022/12/darknet-markets-generate-millions-in-revenue-selling-stolen-personal-data/

Stolen data products flow through a supply chain consisting of producers, wholesalers, and consumers. 

The stolen data supply chain begins with producers—hackers who exploit vulnerable systems and steal sensitive information such as credit card numbers, bank account information, and Social Security numbers. Next, the stolen data is advertised by wholesalers and distributors who sell the data. Finally, the data is purchased by consumers who use it to commit various forms of fraud, including fraudulent credit card transactions, identity theft, and phishing attacks.

++++++++ Voice-scamming site “iSpoof” seized, 100s arrested in a massive crackdown https://nakedsecurity.sophos.com/2022/11/25/voice-scamming-site-ispoof-seized-100s-arrested-in-massive-crackdown/

Whether you call it Caller ID or CLI, it’s no more use in identifying the caller’s actual phone number than the “From:” header in an email is in identifying the sender of an email.

As a cybersecurity measure to help you identify callers you do trust, [Caller-ID] has an extreme false negative problem, meaning that if a call pops up from Dad, or Auntie Gladys, or perhaps more significantly, from Your Bank…

…then there’s a significant risk that it’s a scam call that’s deliberately been manipulated to get past your “do I know the caller?” test.

++++++++ U.S. Govt. Apps Bundled Russian Code With Ties to Mobile Malware Developer https://krebsonsecurity.com/2022/11/u-s-govt-apps-bundled-russian-code-with-ties-to-mobile-malware-developer/

A recent scoop by Reuters revealed that mobile apps for the U.S. Army and the Centers for Disease Control and Prevention (CDC) were integrating software that sends visitor data to a Russian company called Pushwoosh, which claims to be based in the United States. But that story omitted a crucial historical detail about Pushwoosh: In 2013, one of its developers admitted to authoring the Pincer Trojan, malware designed to intercept and forward text messages from Android mobile devices surreptitiously.

Reuters also learned that the company’s address in California does not exist and that two LinkedIn accounts for Pushwoosh employees in Washington, D.C. were fake.

Android…

Samsung’s Android app-signing key has leaked and is being used to sign malware https://arstechnica.com/gadgets/2022/12/samsungs-android-app-signing-key-has-leaked-is-being-used-to-sign-malware/

A developer's cryptographic signing key is one of the major linchpins of Android security. Any time Android updates an app, the old app's signing key on your phone must match the key of the update you're installing.

If a developer's signing key leaked, anyone could distribute malicious app updates, and Android would happily install them, thinking they are legit.

On Android, the app-updating process isn't just for apps downloaded from an app store; you can also update bundled-in system apps made by Google, your device manufacturer, and any other bundled apps.

ZeroTrust…

Cloud security starts with zero trust https://www.helpnetsecurity.com/2022/11/28/cloud-zero-trust/

Most organizations have outdated security systems that are generally based on-premises. These outdated systems often add an extra layer of complexity to shifting to the cloud, but this complexity does not mean organizations should hold off on this shift.