An app for everything.

The ability to talk to family and friends hundreds of miles away with the mere push of a button or to get everything done without having to talk to a soul at all. And the means we use to get it all done – web browsers and cell phones, always assuming we have privacy and security. We all now use these every day with little thought to how much easier, overall, they’ve made our lives. As individuals, these are also the things we tend to take for granted.

The things we use the most can also leave us the most vulnerable because we take for granted that they’re secure. Web browsers and cell phones – we literally can no longer get through life without them.

But privacy and security are not necessarily just an individual’s concern. In fact, these can quickly and easily become a major concern for an organization’s network as well, as acceptable-use lines blur with policies such as BYOD and users utilizing work computers for personal email, banking, and social media. This means we are often mixing work and personal use, and, when not properly secured, each of these vulnerable entry points into a network can affect both the individual and the organization.

The March 2019 GTIC Monthly Threat Report looks into some of these issues, including web browser vulnerabilities and underlying flaws in the protocols on which we rely for cell phone coverage: 4G and the forthcoming 5G networks. In reality, flaws in LTE mobile protocols have been known for quite some time, and researchers recently discovered three new attack methods which affect both 4G and 5G protocols – on nearly all major cell providers.

These flaws come at very little cost to attackers, no less. 

ToRPEDO, an attack based on the paging protocol, leverages all available phone data to track location, to send fake notifications and even to deny service to the device. To add insult to injury, ToRPEDO enables two additional attacks on the networks which could allow attackers to intercept calls, breaking security and privacy in both the 4G and 5G mobile protocols.

And researchers continue to discover additional flaws in LTE. 

In this Monthly report, NTT Security GTIC researchers take a deeper look into popular browser usage and associated vulnerabilities, along with the progression of change in browsers and their security as they have evolved. GTIC researchers explored, from a statistical standpoint, the web browser threat landscape.

In the wake of Google releasing a patch for the recent Stable Channel zero-day CVE-2019-5786, and since it now has over half of internet browser usage, the analysis focused on Google Chrome.

From a security perspective, individuals could take the web browser for granted, see the normal rendering of a website and not realize what is actually going on behind-the-scenes in their browser, subjecting their computer – or even an enterprise network – to possible compromise.

And attackers, knowing that over half of internet browsing occurs on Chrome, can affect more succinct targeting. Sophisticated (and not so sophisticated) attackers have already done their homework; they know what browsers are most often used in enterprise environments. Really good attackers know the layout of a network – or at least how to find out details about the layout of a targeted network. Attackers leverage the weakest link in the chain: the human being, often via phishing emails.

The March 2019 edition of the GTIC Monthly Threat Report looks into some of these everyday ‘things’ that users may take for granted – and the issues they will continue to present – and how we, as individuals and organizations, can make them more secure.