Many users of Facebook's WhatsApp messaging software were scrambling to patch the program on Tuesday, in response to news of a flaw that allowed spyware to be installed on mobile phones running Android and iOS.
"This new type of attack is deeply worrying and shows how even the most trusted mobile apps and platforms can be vulnerable," said Mike Campin, vice president of engineering at Wandera, a mobile security provider based in San Francisco.
"While this attack is based on a previously identified exploit known as Pegasus, the fact that it has been repackaged into a form that can be delivered via a simple WhatsApp call has shocked many," he continued.
WhatsApp, which is used by 1.5 billion people worldwide, typically is not deployed as an official corporate messaging application, Campin noted, but it is used widely internationally, both on employees' personal devices and on corporate-issued devices.
That can be problematic for organizations, he said, because once exploited via this new attack, the attacker has complete control and visibility of all data on the phone.
WhatsApp on Monday advised users to patch the software as soon as possible to avoid any potential infections.
"WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices," the company said in a statement.
Affected versions of the program are as follows:
- WhatsApp for Android prior to v2.19.134
- WhatsApp Business for Android prior to v2.19.44
- WhatsApp for iOS prior to v2.19.51
- WhatsApp Business for iOS prior to v2.19.51
- WhatsApp for Windows Phone prior to v2.18.348
- WhatsApp for Tizen prior to v2.18.15
Once it was made aware of the vulnerability, the company acted relatively quickly to issue a patch. It fixed the app's infrastructure in 10 days, and it released a secure version of the software last Friday. It also notified law enforcement authorities in the United States and United Kingdom.
"It seems that they acted quickly on fixing the vulnerability and notifying the public and the government," said Joseph A. Turner, chief intelligence officer of Proventus Cybersecurity, a computer and network security company in Aliso Viejo, California.
That nimble response may benefit both WhatsApp and its parent, Facebook.
"With the way WhatsApp dealt with this vulnerability, and since it seems that an outside attacker is involved, there are no fingers pointed at Facebook or WhatsApp at this time," Turner told TechNewsWorld.
"However, we are seeing users move to other messaging apps due to privacy concerns," he added.
By exploiting the flaw in WhatsApp, an attacker could insert malicious code into a phone by simply placing a WhatsApp call, even if the call went unanswered.
The exploit should be of particular concern for iPhone users, noted Rusty Carter, vice president for product management at Arxan Technologies, an application protection company in San Francisco.
"Apple's ecosystem has this reputation of safety, and sandboxing applications to prevent one from interfering with another," he told TechNewsWorld.
"This event blows that apart," Carter continued, "because here we have a vulnerability in a single app allowing someone to install software that affects the entire device and all the software running on it. This is a scary development."
Human Rights Lawyer Targeted
The malicious code's digital footprint is similar to spyware tools marketed by the NSO Group, an Israeli maker of military grade hacking tools, according to security researchers who examined it.
One of the targets of the spyware, according to a New York Times report, was a London lawyer who has been involved in a number of lawsuits involving NSO. The complaints accuse NSO Group of providing tools to hack the phones of Omar Abdulaziz, a Saudi dissident in Canada; a Qatari citizen; and a group of Mexican journalists and activists.
"NSO's technology is licensed to authorized government agencies for the sole purpose of fighting crime and terror," the company said in a statement.
"The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions," it continued.
"We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system," the company maintained. "Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies."
"NSO would not or could not use its technology in its own right to target any personal organization, including this individual," it added.
Better Management of Dangerous Weapons
The WhatsApp hack is an example of military cyberweapons getting out "into the wild" and being used by criminals, much like the WannaCry attack on the UK's National Health System two years ago, said Mark Skilton, a professor with digital communications expertise at the Warwick Business School in Coventry, UK.
"It is a reminder of how much trust we put in these social media platforms to protect our privacy," he said. "In this case we might not detect this attack to install spyware on our messages, like a phishing email, until it's too late."
It will never be possible for systems to be 100 percent safe, he acknowledged, but at the end of the day, large public platforms like Facebook, Google and Twitter should be more accountable for management of their platforms.
"We need the systems they use to be tested constantly, but the bigger issue here is about the proper management of these types of weapons," Skilton said.
"Firms like NSO, who reportedly developed the spyware used on WhatsApp, have a responsibility to prevent them from getting into the wrong hands, and used on targets such as Amnesty International and the NHS, where it can have disastrous consequences for vulnerable people," he continued.
"These new cyber weapons must be classified as very dangerous in the wrong hands and managed as such," Skilton added.
Move to Block Export License
Meanwhile, Amnesty International on Monday moved to block the export of military grade cyberweapons at their source, through a lawsuit filed in the District Court of Tel Aviv, which aims to revoke NSO's export license.
In its complaint, Amnesty alleges one of its employees came under attack from NSO software.
"NSO Group sells its products to governments who are known for outrageous human rights abuses, giving them the tools to track activists and critics," said Danna Ingleton, deputy director of Amnesty Tech.
"The attack on Amnesty International was the final straw," she observed.
Israel's Ministry of Defense has ignored mounting evidence linking NSO to attacks on human rights defenders, Ingleton maintained.
"As long as products like Pegasus are marketed without proper control and oversight, the rights and safety of Amnesty International's staff and that of other activists, journalists and dissidents around the world is at risk," she added.
The legal action is supported by Amnesty International as part of a joint project with the New York University School of Law's Bernstein Institute for Human Rights and Global Justice Clinic.
"The targeting of human rights defenders for their work, using invasive digital surveillance tools, is not permissible under human rights law," said Margaret Satterthwaite, the institute's faculty director.
"Without stronger legal checks, the spyware industry enables governments to trample on the rights to privacy, freedom of opinion and expression," she added. "The Israeli government needs to revoke NSO Group's export license and stop it profiting from state-sponsored repression."