UK Government Call For Tougher Protections Against Malicious Apps | Apple, Google, and Microsoft Team Up on Passwordless | NHS Phishing Campaign
Article by Christopher Lauder, Delegate Relationship Executive, Rela8 Group
UK Government Call For Tougher Protections Against Malicious Apps
In a new report published by the UK National Cyber Security Centre (NCSC), they found that people’s data and money are at risk because of fraudulent apps containing malicious malware created by cybercriminals or poorly developed apps which can be compromised by hackers exploiting weaknesses in software.
The study conducted a review into the app store ecosystem from December 2020 to March 2022. To highlight the extent of the potential attack surface, they noted how 87% of UK citizens now own a smartphone.
The NCSC have said:
“Malicious and poorly developed apps continue to be accessible to users, therefore it is evident that some developers are not following best practice when creating apps.”
They also note how prominent app store operators are not adequately signposting app requirements to developers and providing detailed feedback if an app or update is rejected.
In response to the findings, the government is calling views from the technology industry on enhanced security and privacy requirements for firms running app stores and developers making apps.
Under new proposals, app stores for smartphones, game consoles, TVs and other smart devices could be asked to commit to a new code of practice setting out baseline security and privacy requirements, which the UK says, “would be the first such measure in the world”.
The proposed policy would require stores to have a vulnerability reporting process for each app available. They would also be required to share more security and privacy information, including giving consumers information on matters such as why an app would need access to users’ contacts and location.
NCSC Technical Director Ian Levy commented:
“Our threat report shows there is more for app stores to do, with cybercriminals currently using weaknesses in app stores on all types of connected devices to cause harm. I support the proposed code of practice, which demonstrates the UK’s continued intent to fix systemic cybersecurity issues.”
Source - Tougher Protections Against Malicious Apps - Port Swigger
Source - Tougher Protections Against Malicious Apps - UK Government
Source - Tougher Protections Against Malicious Apps - Digit.FYI
Apple, Google, and Microsoft Team Up on Passwordless
If you didn’t know, last week on May 5th it was World Password Day. To mark the occasion, tech giant Apple, Google, and Microsoft announced that we may be coming closer to making passwords a thing of the past.
Apple, Google, and Microsoft announced that they have committed to building support for passwordless sign-in across all their mobile, desktop, and browser platforms that they control in the coming year. Effectively, this means that passwordless authentication will come to all major device platforms in the not too distant future. Android and iOS mobile operating systems; Chrome, Edge, and Safari browsers; and the Windows and macOS desktop environments. What does a passwordless login process look like?
A passwordless login process will let users choose their phones as the main authentication device for apps, websites, and other digital services. Unlocking the phone with whatever is set as the default action — entering a PIN, drawing a pattern, or using fingerprint unlock — will then be enough to sign in to web services without the need to ever enter a password. Google said that this is possible with a unique cryptographic token called a passkey that is shared between the phone and the website.
“Just as we design our products to be intuitive and capable, we also design them to be private and secure,” said Kurt Knight, Apple’s Senior Director of Platform Product Marketing. “Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience — all with the goal of keeping users’ personal information safe.”
Apple, Google, and Microsoft have all said that they expect the new sign-in capabilities to become available across platforms in the next year, although a more specific roadmap has not been announced.
Source - Apple, Google, and Microsoft Team Up on Passwordless - InfoSec Magazine
Source - Apple, Google, and Microsoft Team Up on Passwordless - Apple Newsroom
Source - Apple, Google, and Microsoft Team Up on Passwordless - The Verge
NHS Phishing Campaign
Over a period that began last autumn and continued into this April, the NHS here in the UK fell prey to a large phishing operation. What had been a sporadic use of legitimate NHS accounts to send phishing emails to unsuspecting third parties became a massive campaign in March.
INKY has reported that the true scope of the attack could have been much larger, as they only detected attempts made against their own customers. But given how many they found, “it’s safe to say that the total iceberg was much bigger than the tip we saw”.
Starting in October 2021 and escalating dramatically in March 2022, they detected 1,157 phishing emails originating from NHSMail, the NHS email system for employees based in England and Scotland. They reported their initial findings to the NHS on April 13th. The following day, on April 14th, the volume of attacks decreased as the NHS took steps to combat the situation.
When INKY shared its findings with the NHS, they sent the following response:
“We have processes in place to continuously monitor and identify these risks. We address them in collaboration with our partners who support and deliver the national NHSmail service. NHS organisations running their own email systems will have similar processes and protections in place to identify and coordinate their responses and call upon NHS Digital assistance if required."
Between background statements by the NHS and INKY investigations, they were able to determine that the breach was not a compromised mail server but rather individually hijacked accounts.
Source - NHS Phishing Campaign - INKY
Source - NHS Phishing Campaign - Computer Weekly
Source - NHS Phishing Campaign - Bleeping Computer