The HP study focused purely on custom business apps, but there’s no reason to believe the issue doesn’t extend to commercial apps you find in the Apple App Store or Google Play. Many apps have access to data or permission to perform functions they shouldn’t.
If you want to play a game like Angry Birds, there’s no reason that it needs to have access to your contacts, and a weather app probably doesn’t need to be able to send email on your behalf. The security risks in apps go beyond permissions, though. There are issues in how the apps integrate with core functions of the mobile operating system, as well as how they interact with and share information with one another.
In the HP study, 97 percent of the apps contained some sort of privacy issue. HP also found that 86 percent of the apps lack basic security defenses, and 75 percent fail to properly encrypt data. Assuming similar percentages across the hundreds of thousands of consumer apps in the app stores, it’s likely that you have a few security or privacy concerns floating around your smartphone or tablet.
But this isn’t about malicious apps designed to steal your data. It’s mostly a function of lazy coding. Developers write apps that access everything because it’s easier than writing more specific code, and it also paves the way for any future enhancements that might actually need it.
In a BYOD scenario these security and privacy risks are exaggerated for both the employer and the employee. In most cases, the line between business and personal is not clearly defined, and apps can easily blur that line and put both company and personal data at risk. The problem is exacerbated by the fact that apps are impulse purchases for many users, thanks to low prices and easy installation.
The mobile operating systems have improved in terms of notifying users about the permissions an app is requesting and providing the user with more control to allow or block access to specific functions. But the system still puts too much burden on the user, both to know those controls exist and how to use them, as well as to understand the implications and security concerns of the apps.
The better solution is for developers to build security and privacy into the apps from square one. Developers should be aware of the potential implications of how their apps access data and interact with other apps, and design them to be secure by default.
Via: Network World
Two million logins and passwords from services such as Facebook, Google and Twitter have been found on a Netherlands-based server, part of a large botnet using controller software nicknamed “Pony.”
Another company whose users’ login credentials showed up on the server was ADP, which specializes in payroll and human resources software, wrote Daniel Chechik, a security researcher with Trustwave’s SpiderLabs.
It’s expected that cybercriminals will go after main online services, but “payroll services accounts could actually have direct financial repercussions,” he wrote.
ADP moved US$1.4 trillion in fiscal 2013 within the U.S., paying one in six workers in the country, according to its website.
Facebook had the most stolen credentials, at 318,121, followed by Yahoo at 59,549 and Google at 54,437. Other companies whose login credentials showed up on the command-and-control server included LinkedIn and two Russian social networking services, VKontakte and Odnoklassniki. The botnet also stole thousands of FTP, remote desktop and secure shell account details.
It wasn’t clear what kind of malware infected victims’ computers and sent the information to the command-and-control server.
Trustwave found the credentials after gaining access to an administrator control panel for the botnet. The source code for the control panel software, called “Pony,” was leaked at some point, Chechik wrote.
The server storing the credentials received the information from a single IP address in the Netherlands, which suggests the attackers are using a gateway or reverse proxy in between infected computers and the command-and-control server, he wrote.
“This technique of using a reverse proxy is commonly used by attackers in order to prevent the command-and-control server from being discovered and shut down — outgoing traffic from an infected machine only shows a connection to the proxy server, which is easily replaceable in case it is taken down,” Chechik wrote.
Information on the server indicated the captured login credentials may have come from as many as 102 countries, “indicating that the attack is fairly global,” he wrote.
Source: Network World
Bitcoin is vulnerable to an attack that could have devastating effects on the virtual currency, but it can be fixed with a software update, according to researchers from Cornell University.
The attack involves “miners,” or people running computers that verify Bitcoin transactions, said Ittay Eyal, a postdoctoral fellow at Cornell University’s Department of Computer Science, who co-authored the study with Emin Gün Sirer, a Cornell professor.
Every 10 minutes, miners — who usually collaborate in mining pools — are rewarded with 25 bitcoins for lending their computing power to Bitcoin if they solve a cryptographic puzzle first. Miners process Bitcoin’s transactions, which are recorded in its “blockchain,” or public ledger.
It has long been known that if a mining group controlled more than 50 percent of Bitcoin’s processing power, the network could be subject to a variety of attacks if the group wanted to act maliciously. But the researchers show that small miners may unwittingly join a malicious group.
Miners are supposed to follow Bitcoin’s software protocol. But Eyal and Sirer found that Bitcoin could be significantly disrupted if a small group comprising less than 10 percent of Bitcoin’s mining power decided to not follow it.
A malicious mining group, or “selfish miners” as termed in the research paper, could “fork” the blockchain, or split it into a competing chain by only selectively revealing some of the transactions they’ve processed. If the malicious group’s blockchain fork grows larger than the legitimate one, it would begin to collect a greater share of the 25-bitcoin rewards.
Miners, seeing the malicious group gain higher revenue, would join the successful pool, even if they were unaware of its intentions. Eventually, the malicious group could control the transaction chain, Eyal said.
“The discovery here is a mining pool of any size can initiate this attack and are better off doing selfish mining,” Eyal said in a phone interview.
A variety of attacks are then possible, including spending the same bitcoin twice, which the network is currently designed to prevent. If a merchant received a payment in bitcoins, the miners could “roll back” the transaction to allow the bitcoins to be spent again, Eyal said.
“They could also prevent you from ever using your bitcoins” by not allowing certain transactions into the blockchain, Eyal said.
Fortunately, Bitcoin’s protocol can be updated. Eyal said he and Sirer have suggested a fix for Bitcoin’s algorithm that would limit mining pools to no more than 25 percent of the total number of nodes on the network.
Some mining pools today already exceed 25 percent, Eyal said. “Obviously, we believe that these pools are honest and they don’t have any incentive to break the protocol, but like I said before, technically they can and we believe this is not a healthy situation for bitcoin, which we believe is destined for great things,” he said.
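As an added example (not from the article or the researchers' own code), the following Python simulation runs the withhold-and-reveal strategy described above against honest miners and compares the pool's share of the surviving chain with the closed-form expression derived in Eyal and Sirer's paper. Here alpha is the pool's share of mining power and gamma the fraction of honest miners that happen to build on the pool's block when two public branches are tied; gamma = 1/2 corresponds to the random tie-breaking the paper proposes, which is where the 25 percent bound quoted above comes from.

```python
"""Simulation of the selfish-mining strategy described above (added example, not the paper's code).

alpha: share of total mining power held by the selfish pool.
gamma: fraction of honest miners that build on the pool's block when two public branches
       are tied. gamma = 1/2 models the paper's proposed fix (honest miners pick at random).
"""
import random


def expected_revenue(alpha, gamma):
    """Closed-form share of main-chain blocks won by the pool, as derived in Eyal and Sirer's paper.
    Selfish mining pays off whenever this exceeds alpha, the share honest mining would earn."""
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    den = 1 - alpha * (1 + (2 - alpha) * alpha)
    return num / den


def simulate_revenue(alpha, gamma, blocks=200_000, seed=1):
    """Monte Carlo run of the strategy: the pool withholds its blocks and reveals them only
    to orphan honest work. Returns the pool's share of blocks on the surviving chain."""
    rng = random.Random(seed)
    lead, tie = 0, False   # private-chain lead; tie = two public branches of equal length
    pool, others = 0, 0    # blocks credited to each side on the surviving chain
    for _ in range(blocks):
        if rng.random() < alpha:            # the selfish pool finds the next block
            if tie:                         # extending its own branch wins both blocks
                pool, tie = pool + 2, False
            else:
                lead += 1                   # keep it private
        elif tie:                           # an honest block resolves the tie
            if rng.random() < gamma:        # built on the pool's branch
                pool, others = pool + 1, others + 1
            else:
                others += 2
            tie = False
        elif lead == 0:
            others += 1                     # nothing withheld; the honest chain grows
        elif lead == 1:
            lead, tie = 0, True             # reveal the private block: tie
        elif lead == 2:
            pool, lead = pool + 2, 0        # reveal both: the honest block is orphaned
        else:
            pool, lead = pool + 1, lead - 1 # reveal one block; lead shrinks by one
    return pool / (pool + others)


def selfish_mining_threshold(gamma, step=0.001):
    """Smallest pool share at which selfish mining out-earns honest mining."""
    alpha = step
    while alpha < 0.5 and expected_revenue(alpha, gamma) <= alpha:
        alpha += step
    return round(alpha, 3)
```

With gamma = 0 the break-even share is one third; with the random tie-breaking (gamma = 1/2) it drops to one quarter, and a 40 percent pool at gamma = 1/2 collects roughly 53 percent of the blocks.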
Gavin Andresen, chief scientist for The Bitcoin Foundation and lead developer for the Bitcoin-QT client, said developers are still digesting the research paper. But he said the consensus in the end will likely be that the attack is not practical.
Although Bitcoin is not controlled by an entity, a team of developers work on its core protocol. Updates to the protocol are periodically released and adopted by the community, although there is no way to force people to upgrade their software.
The update would give people greater confidence in the Bitcoin economy and ensure that people don’t have to count on miners’ “good intentions,” Eyal said.
Source: Network World
HTTP Request Hijacking attack said to be simple to do against Apple iOS apps
Network World - Many Apple iOS applications are vulnerable to a man-in-the-middle attack that can result in permanent manipulation by the attacker, according to start-up Skycure, which released its research findings on this today during the RSA Europe conference.
Skycure CTO Yair Amit says many mobile iOS apps are vulnerable to a “very simple attack that relies on the 301 HTTP Response, a permanent re-direction.” If an Apple iOS app can cache these so-called 301 HTTP Re-Direct Response requests — and many popular iOS apps do, according to Skycure — then the app is vulnerable to being repeatedly hijacked via re-direction to the attacker’s server.
While this general type of man-in-the-middle attack has been known on the Web for many years, for mobile applications the result is worse in that it “persistently changes the URL” of the server and lets the attacker take dynamic control over the app, says Amit. In the information that Skycure is publishing today, the company notes the impact of the attack is basically that instead of loading data from the real site that the user wants to visit, the attacker can make the app permanently load the data from the attacker’s site.
Skycure isn’t releasing the names of the vulnerable iOS apps because this issue hasn’t necessarily been fixed. Amit says according to Skycure’s research, a significant portion of apps available through the official Apple App Store could be attacked this way. The problem is not a vulnerability in iOS itself but a coding weakness on the part of the developer.
Skycure says “HTTP Request Hijacking” of Apple iOS mobile devices such as iPhones and iPads starts with a man-in-the-middle attack, which would typically commence in a public WiFi zone, such as in a coffee shop. While a type of attack like this has been known to happen on the Web between computer-based Web browsers and Web servers for quite some time, the way a similar attack works on mobile devices hasn’t yet been subject to much scrutiny, says Amit.
He adds the implication of such an attack on news or financial information received through iOS devices is troubling.
“In a mobile application, it changes the application,” he says, adding “there’s no easy way to remove the problem.” But Skycure believes there are a number of steps that app developers can take to remediate or mitigate against it.
Among them are making sure the app doesn’t cache a 301 HTTP Re-Direct Response for re-direction. Another is to make sure the mobile device interacts with a designated server via an encrypted protocol, such as HTTPS, instead of HTTP. “If you want your application to behave differently with a server, just release an update,” he suggests. Making changes to apps to correct for this may be somewhat disruptive to the end-user, he adds.
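To make the persistence concrete, here is an added Python model (not Skycure's code) of an app HTTP layer that remembers 301 targets, run through one hostile Wi-Fi session and one clean session afterwards; it also shows the two mitigations listed above, not persisting redirects and talking to the server over HTTPS. The hosts, canned responses and both "network" functions are constructed for the example.

```python
"""Model of the cached-301 hijack Skycure describes (added example, not Skycure's code).

Everything here is constructed: the hosts, the canned responses and the two 'network'
functions standing in for a hostile Wi-Fi session and a later clean one.
"""
from urllib.parse import urlparse

REAL_HOST = "news.example.com"
REAL_OK = (200, {}, "news from news.example.com")
ATTACKER_OK = (200, {}, "content from attacker.example.net")
# The attacker's one-off man-in-the-middle reply: a permanent redirect to its own host.
INJECTED_301 = (301, {"Location": "http://attacker.example.net/feed"}, "")


def hostile_network(url):
    """Hostile Wi-Fi: plaintext requests to the real host are answered by the attacker.
    HTTPS is modelled as tamper-proof, so those requests reach the real host unchanged."""
    parts = urlparse(url)
    if parts.hostname == REAL_HOST and parts.scheme == "http":
        return INJECTED_301
    return REAL_OK if parts.hostname == REAL_HOST else ATTACKER_OK


def clean_network(url):
    """A later session on a trustworthy network: no interception at all."""
    return REAL_OK if urlparse(url).hostname == REAL_HOST else ATTACKER_OK


class AppClient:
    """Minimal HTTP layer of an app. persist_redirects=True mimics a stack that remembers
    301 targets across requests, which is the weakness described above."""

    def __init__(self, persist_redirects):
        self.persist_redirects = persist_redirects
        self.redirect_cache = {}  # original URL -> remembered 301 target

    def fetch(self, url, network, hops=0):
        if hops > 5:
            raise RuntimeError("too many redirects")
        url = self.redirect_cache.get(url, url)  # a poisoned entry is used before asking the network
        status, headers, body = network(url)
        if status == 301:
            target = headers["Location"]
            if self.persist_redirects:
                self.redirect_cache[url] = target  # the hijack now outlives the hostile session
            return self.fetch(target, network, hops + 1)
        return body


def two_sessions(client, url):
    """Body shown to the user on hostile Wi-Fi, then on a clean network afterwards."""
    return client.fetch(url, hostile_network), client.fetch(url, clean_network)
```

With persistence and a plain-http URL both sessions return the attacker's content; without persistence only the hostile session is hijacked, and over https neither is.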
The HTTP Request Hijacking attack on iOS that Skycure has identified may also exist in Android or other mobile-device platforms, but Skycure currently puts its focus primarily on Apple iOS. Skycure believes one danger in this type of man-in-the-middle attack on mobile devices is that it is much less visible to the victimized end-user than the more traditional computer-based form of the attack.
Source: Network World
Security researcher Brian Krebs has uncovered the involvement of credit bureau Experian in an ID theft operation.
Through research, Krebs demonstrated that Court Ventures had sold data to Superget.info, a “fraudster-friendly” site which marketed the ability to look up personally-identifiable information on millions of Americans.
Krebs cites an interview with Marc Martin, the CEO of another information services company which had a relationship with Court Ventures. Martin tells of a US Secret Service investigation of Experian related to ID theft and the data sold to Superget.info.
Individuals at Superget.info had presented themselves to Court Ventures as US-based investigators and gained access to Experian data. In fact, they were based in Vietnam, and the individuals have a history of involvement in ID theft.
Experian has also been in the news recently as the agency which performs credit history checks for the troubled government site healthcare.gov.
Healthcare.gov, the new government website designed to help Americans find and apply for health insurance plans across 36 of the 50 states (14 states have their own health insurance exchanges) hasn’t had a smooth rollout. Troubles have dogged the site from Day 1, and a recent discovery isn’t going to help matters, even if it’s just an embarrassing faux pas. British developer SpryMedia has found its own code being used on Healthcare.gov. There’s nothing intrinsically wrong with that, since the code in question is licensed under the GPL, as shown below.
But on Healthcare.gov, the aforementioned section of script states only:
Comparisons of comments within the DataTables script by SpryMedia and the Healthcare.gov have turned up multiple instances of exact comments, so the government’s work is clearly based on SpryMedia’s. But why remove the code attribution? It turns out, there’s reason to think this may have been a genuine accident. The company that developed the website front-end, Development Seed, is devoted to open source work and passionate about giving back to both the larger world community and the programming world in particular. Companies devoted to promoting open data and universal access do not, as a rule, run about ripping off other open source contributors.
Until this week, the entire front-end of the government website was available for download on GitHub, and while it’s not clear why that repository has vanished, a great many eyeballs have been pointed at it for several weeks. The general consensus is that Healthcare.gov’s various problems and glitches have been driven by issues with the backend of the website, which was developed by other contractors, like Oracle.
SpryMedia is less than thrilled about the discovery and has yet to receive a response, but it’s not clear who has even been manning the phones during the shutdown. Hopefully with the government reactivating, this kind of issue gets fixed immediately. It might seem a small thing, given the range of other problems, but the fact that it is a small issue means it’s also quickly and easily fixed. Proper acknowledgment of the GPL2 has proven to have teeth in court before, but this should be addressed long before that point.
Source: Hot Hardware
Even foreign governments are no match for the NSA’s reach, with documents now showing that it could read the Mexican president’s email.
The US has been snooping on the inbox belonging to former Mexican President Felipe Calderon, according to documents leaked to Der Spiegel.
The documents were leaked by whistleblower Edward Snowden and, according to Der Spiegel, reveal that in May 2010, the National Security Agency’s (NSA) Tailored Access Operations division was successful in compromising an email server within the Mexican presidential network. This would provide the NSA with access to emails from the president’s own email account, as well as those of Cabinet members who also use the same server.
The NSA is alleged to boast about the achievement in the documents, noting that it now has access to “diplomatic, economic and leadership communications”.
The issue of spying on Mexico reaches further back than the presidential office. Further documents obtained by Der Spiegel show that the department responsible for regulating drug trade and human trafficking, the Public Security Secretariat, had been similarly compromised in August 2009.
Documents as recent as April 2013 show that Mexico’s leaders were a priority target for surveillance, as well as Brazil.
Brazil’s recent announcement over the security of its email may indicate that it is aware of the US surveillance campaign against its communications, however.
The country’s President Dilma Rousseff has tasked one of its departments with creating a system to ensure its email is free from espionage attempts. She previously lashed out at the US after earlier leaked documents showed that her country was being spied on.
NSA director Keith Alexander and his deputy John Inglis are soon expected to leave the US spy agency, but the NSA denies that their departures have anything to do with the recent media attention.