STE WILLIAMS

Attack dismissed as "theoretical" by Snapchat used to plunder 4.6 million phone numbers

Controversial photosharing site Snapchat is back in the news again, opening the New Year as the victim of a data breach that it really ought to have predicted, and probably should have headed off at the pass.

Here’s the story so far.

Last week, we wrote about a vulnerability reported in Snapchat’s find_friends interface.

That’s a feature that is supposed to let you locate your friends on Snapchat, assuming you know their name and phone number.

Services of that sort are always moderately risky from a privacy point of view, because when they succeed (e.g. when you find that the user John Smith does indeed match up with 555-555-5555) they effectively verify an individual’s phone number.

However, the risk is usually managed by some sort of rate limit, restricting how many lookups you can do each minute, or hour, or day, so that you have to have some idea of John Smith’s phone number to start with.

Remove the rate limit, of course, and you could simply try to match John Smith against every number with a particular prefix – starting, say, at 555-555-0000 and carrying on until you reach 555-555-9999 or hit the jackpot.

According to the hackers who published last week’s vulnerability, Snapchat had left off the rate limit, making it feasible to try every number from 555-555-0000 to 555-555-9999 in about two minutes from a single computer with a decent internet connection.

→ Bring a modestly-sized botnet into the equation – 1000 infected PCs on home-user ADSL lines, for instance – and you could almost certainly churn through a whole North American area code (e.g. 604-xxx-xxxx, the code for Vancouver and the surrounding parts of British Columbia) in well under an hour.
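The rate limit described above, as an added illustrative example (not Snapchat's code): a sliding-window limiter applied to a lookup endpoint, throttled both per requesting client and per queried number, so that a single client cannot sweep a prefix and a pool of clients cannot combine their quotas against one target. The endpoint name, the limits, the sample directory and the 555 numbers are all constructed for the demonstration.

```python
"""Per-client and per-number rate limiting for a phone-number lookup endpoint.

Added example; the service name, limits and directory below are assumptions
made for the demonstration, not anything taken from a real system.
"""
from collections import defaultdict, deque

# Constructed sample directory: phone number -> username (fictitious 555 numbers).
DIRECTORY = {
    "555-555-0123": "john.smith",
    "555-555-0456": "jane.doe",
}


class FakeClock:
    """Injectable clock so the example is deterministic (no real sleeping)."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key.

    One deque of timestamps is kept per key; entries older than the window
    are discarded on every check, so memory stays bounded by `limit` per key.
    """

    def __init__(self, limit, window, clock):
        self.limit = limit
        self.window = window
        self.clock = clock
        self.events = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        q = self.events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class FindFriendsService:
    """Hypothetical lookup service: per-client quota (20/minute) and
    per-number quota (3/hour) are both enforced before any lookup happens."""

    def __init__(self, clock, per_client=(20, 60.0), per_number=(3, 3600.0)):
        self.client_limiter = SlidingWindowLimiter(*per_client, clock)
        self.number_limiter = SlidingWindowLimiter(*per_number, clock)

    def find(self, client_id, phone):
        if not self.client_limiter.allow(client_id):
            return {"status": "rate_limited"}
        if not self.number_limiter.allow(phone):
            return {"status": "rate_limited"}
        return {"status": "ok", "match": DIRECTORY.get(phone)}


def simulate_sweep(service, client_id, prefix, count):
    """Try `count` consecutive numbers under one prefix from one client and
    report how many lookups were answered versus blocked by the limiter."""
    answered = blocked = 0
    for i in range(count):
        result = service.find(client_id, f"{prefix}{i:04d}")
        if result["status"] == "ok":
            answered += 1
        else:
            blocked += 1
    return answered, blocked


if __name__ == "__main__":
    clock = FakeClock()
    svc = FindFriendsService(clock)
    print(simulate_sweep(svc, "client-1", "555-555-", 25))  # (20, 5)
```

The per-number limiter is the part a per-client limit alone misses: it caps how often any one number can be confirmed regardless of who asks, which is what blunts the distributed variant in the aside above.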

Snapchat’s response to the find_friends vulnerability report was lukewarm:

Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse.

The paragraph above doesn’t dismiss the problem entirely, which is a good thing, but the word “theoretically” certainly came back to haunt Snapchat.

Apparently, unknown hackers took matters from the theoretical to the practical by extracting a database of about 4,600,000 Snapchat usernames and phone numbers, and dumping the list online.

In a small concession to decency, the hackers thoughtfully chopped off the last two digits of every phone number, which took some of the edge off the breach.

But they openly offered to disclose those chopped-off digits, provided that you asked nicely:

This information was acquired through the recently patched Snapchat exploit and is being shared with the public to raise awareness on the issue. The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it. For now, we have censored the last two digits of the phone numbers in order to minimize spam and abuse. Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it.

The dumped data was published on a server at snapchatdb.info, though that domain has now been taken off the air, producing an “account suspended” message from the hosting provider if you try to go there.

Snapchat has never been much of a darling to computer security practitioners, not least because its business was loosely founded on the bogus promise of “safe sexting.”

The idea was that you could send sexy photos of yourself to other people; they could view the pics for a few seconds (ooooh!) but then that would be that: the images would simply disappear, never to be seen again (aaaah).

Risque without risk was the basic idea.

Except that if you took a photo of your phone while the risky image was on screen, or took a screenshot, or dumped your phone’s graphics RAM, or used basic forensic data recovery techniques to retrieve the “deleted” files after viewing them, or fetched the image through a session-logging web proxy

…then you’d quickly have realised that Snapchat’s promises of “disappearing images” were fanciful.

It certainly looks as though Snapchat’s protection of its users’ phone numbers has been a bit fanciful, too.

We’d be willing to bet that there are some coders at Snapchat working flat out on API (application programming interface) rate limiting, even as you read this article!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/RrjJ-sDFtDU/

Skype’s Twitter account compromised by Syrian Electronic Army

It would appear that 2014 is starting off on a sour note for the folks in Microsoft’s social media team.

The Syrian Electronic Army (SEA) appears to have compromised Skype’s Twitter account. Skype was acquired by Microsoft in 2011.


There is evidence to suggest the attackers were able to gain access to Skype’s Facebook and WordPress blogs as well, likely indicating either shared passwords or perhaps compromise of Skype employees’ email accounts.

This isn’t entirely surprising as the FBI had issued a warning on Christmas Eve to media organizations about a new wave of phishing attacks associated with the infamous SEA.

Skype has more than three million followers on Twitter, which indicates that, had the attackers wanted to send out malicious links or other dangerous content, this could have been a whole lot worse.

What I would like to know is why on earth a company social media profile with over three million followers would not be using two-factor authentication.

Earlier this year Twitter rolled out an improved two-factor solution seemingly in response to previous attacks by the SEA.

WordPress offers two-factor authentication and Facebook has supported two-factor authentication for a couple of years now, all in an attempt to prevent this exact type of attack.

Microsoft, would you care to explain why you apparently are not using it?

I believe it is the responsibility of organizations with a large number of followers to do whatever they can to secure their profiles.

I suppose this can be a lesson to the rest of us. Take advantage of the safety net of two-factor authentication whenever possible. While it may be less than perfect, so are you.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/N7cRtjmG2Qo/

Skype social media hacked to spread anti-Microsoft messages


Entities claiming to represent the Syrian Electronic Army (SEA) have hacked Skype’s social media presences and used them to post anti-Microsoft messages.

Here’s one of the defacements, from Skype’s Twitter account.

A Skype Tweet composed by a hacker

Hi! Microsoft here. Don’t use our stuff. Really. Take our word for it.

Skype’s blog was also accessed and quickly became host to posts calling for Skype to stop allowing the NSA to access its back end, as has recently been alleged by Edward Snowden.

The fun lasted a few hours before Skype wrestled control of its social media properties back from the alleged SEA members. The VoIP service has since posted the following all-clear to Twitter.

That the Skype blog was accessed makes the incident considerably embarrassing to Skype and therefore to Microsoft, as it shows neither is drinking strong password kool-aid. With Skype being baked into all manner of Redmondware, questions about just how it was possible for the company blog to be accessed may well be worth asking before adopting the service in-house. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/02/skype_social_media_hacked_to_spread_antimicrosoft_messages/


Fashion and astronomy lead the way to cost effective tamper protection

You’re no doubt familiar with Pluto, the planet that got relegated.

If you’re an adult, you probably learned at school that Pluto was the ninth, and smallest, and faintest, planet in the solar system.

(It wasn’t always the most distant, as Neptune is sometimes further from the sun, but Pluto was very much the far-flung baby of the solar system.)

Indeed, Pluto was the ninth planet, until a kerfuffle broke out when a larger object, known as Eris, was found to be orbiting the sun about three times further out than tiny Pluto.

Eris, as it happened, only made it to dwarf planet status, which seemed anomalous.

Either Eris had to get promoted to the Premiership and become the tenth planet, or Pluto had to be dropped to the lower leagues – as, in the end, it was, leaving just eight planets for today’s schoolchildren to memorise.

But that’s not the most interesting thing about Pluto.

What’s interesting (at least, it’s interesting because it happens to fit neatly into this article, but bear with me) is how Pluto was found.

In the 1930s, the state-of-the-art celestial body finder was the blink comparator, which is how astronomers looked for subtle changes between images in the days before CCD cameras and digital image processing.

Two images of the same piece of sky, taken some time apart, were presented in turn to an eagle-eyed astronomer, whose job was to identify points of light that seemed to flick back and forth as the comparator flipped between the carefully-aligned photographic plates.

Distant objects like stars would not move perceptibly in images separated by a matter of days or weeks, but closer objects in space – comets, for example, and hitherto unknown planets and dwarf planets – would have moved between exposures, giving an observer a fighting chance of spotting them as they “blinked” before their eyes in the comparator.

The actual plates from which discoverer Clyde Tombaugh spotted the tiny dot of Pluto, flicking across the field of space, are shown above.

Blink comparison revisited

According to Wired magazine, reporting on a paper delivered yesterday at the famous Chaos Computer Congress in Berlin, Germany, the blink comparator inspired researchers Eric Michaud and Ryan Lackey to propose a fascinatingly low-tech solution to tamper detection.

The idea is simple, even though it sounds complicated when described in generic terms:

Physically Unclonable Functions (PUFs), combined with a trusted mobile device and a network service, can be used to mitigate [the risks of covert tampering]. We present a novel open-source mobile client and network service which can protect arbitrary hardware from many forms of covert modification and attack, and which when integrated with software, firmware, and policy defenses, can provide greater protection to users and limit potential attack surface.

Loosely put, if you are on the road with your laptop, especially overseas where you don’t know the ropes too well, you’d probably like some way to tell whether local law enforcement, intelligence services, hotel staff, cybercrooks, or any other inquisitive individuals, have been digging around inside your computer.

After all, if they’ve opened up the case, who knows what secret surveillance systems they may have hidden inside?

So you need a PUF: some characteristic measurement you can easily take of your device that would almost certainly change if someone fiddled with it intrusively.

What we’re talking about is something like one of those WARRANTY VOID IF REMOVED stickers, but much harder to clone and replace.

Ideally, you want some product – a lacquer, or paint, for example – that has all sorts of unpredictable disorder all of its own (but immutable, once the paint has dried), and that can easily be used to coat key parts of your devices.

The unpredictability means that if an attacker disturbs the original marker – for example, a tell-tale coating that detects whether a screw has been turned or a clip opened – then a photograph of the replacement marker will fail a modern-day blink comparison with the original.
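The modern-day blink comparison described above, as an added example that is not part of the original article or of Michaud and Lackey's tool: two small greyscale "photographs" of a coated screw head are compared pixel by pixel after a simple brightness normalisation, and the fraction of pixels that changed decides whether the seal is intact. The images are constructed ASCII grids (a `*` is a glitter fleck), the thresholds are assumptions, and, like the original comparator's carefully aligned plates, the code assumes both photos are already aligned and at the same scale.

```python
"""Blink-comparison tamper check on two aligned greyscale images.

Added example, not the researchers' client; the pixel values, thresholds
and sample images are constructed for the demonstration.
"""

# Constructed reference photo of a glitter-coated screw head: '.' is the
# dark base coat (intensity 30), '*' is a bright fleck (intensity 200).
REFERENCE_ART = [
    "..*...",
    "....*.",
    "*.....",
    "...*..",
    ".*....",
    "....*.",
]

# Constructed photo after the coating was disturbed and re-applied: the
# same number of flecks, but in positions that cannot be reproduced.
TAMPERED_ART = [
    "...*..",
    "*.....",
    "....*.",
    ".*....",
    "...*..",
    "*.....",
]


def grid(art):
    """Turn the ASCII art into a 2-D list of pixel intensities."""
    return [[200 if ch == "*" else 30 for ch in row] for row in art]


def brighten(img, delta):
    """Simulate a different exposure: every pixel shifted by `delta`."""
    return [[p + delta for p in row] for row in img]


def normalize(img):
    """Subtract the mean intensity so a uniform lighting change between the
    two photos does not register as a difference."""
    flat = [p for row in img for p in row]
    mean = sum(flat) / len(flat)
    return [[p - mean for p in row] for row in img]


def blink_compare(reference, candidate, pixel_threshold=40):
    """Return (changed_pixels, changed_fraction): the coordinates whose
    normalised intensity moved by more than `pixel_threshold`, and the
    fraction of the image they cover."""
    ref, cand = normalize(reference), normalize(candidate)
    changed = [
        (y, x)
        for y, row in enumerate(ref)
        for x, _ in enumerate(row)
        if abs(ref[y][x] - cand[y][x]) > pixel_threshold
    ]
    total = len(ref) * len(ref[0])
    return changed, len(changed) / total


def is_tampered(reference, candidate, pixel_threshold=40, max_changed_fraction=0.05):
    """A seal is judged broken when more than `max_changed_fraction` of the
    pixels differ; the small tolerance absorbs sensor noise and slight
    misalignment rather than demanding a bit-identical photograph."""
    _, fraction = blink_compare(reference, candidate, pixel_threshold)
    return fraction > max_changed_fraction


if __name__ == "__main__":
    ref = grid(REFERENCE_ART)
    print(is_tampered(ref, brighten(ref, 20)))   # False: same pattern, brighter
    print(is_tampered(ref, grid(TAMPERED_ART)))  # True: flecks moved
```

Keep the reference photo somewhere the device itself cannot alter it (the researchers pair a trusted phone with a network service for exactly this reason); a reference stored on the laptop being checked is worthless once the laptop is in someone else's hands.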

Coating? Lacquer? Paint?

What to use?

According to Michaud and Lackey, there’s an excellent product on the market that can be deployed for just this purpose.

It’s cheap, and easy to obtain, even if it isn’t the sort of decoration you’d usually associate with laptops.

Glitter nail polish.

Choose your security look today!

Image of nail polish bottles courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/3jpQr8MX3Vk/

Sticking it to the ATM

Ever since Barnaby Jack leapt on stage at Blackhat USA and had ATMs spew money like it was going out of style, hackers around the globe have been busy trying to replicate the research before the banks and ATM vendors get the vulnerabilities fixed. You’d have thought that, after three and a half years, both the vendors and banks would have fixed the bugs and dealt with the physical attack vectors long ago. Unfortunately, that doesn’t seem to be the case.

A pair of security researchers speaking in Hamburg at last week’s Chaos Communication Congress provided new insight and demonstrated some USB-based malware that had been crafted by criminals and used earlier in the year to siphon money from several unpatched ATMs. The original malware authors had taken steps to remove many of the installation traces that forensic investigators would have found useful, so the researchers had to piece together many parts of a complex puzzle.

While it hasn’t been disclosed which type of ATMs were targeted (nor which bank was affected), it seems that the criminals had uncovered physical flaws in the bank’s ATM devices that allowed them to cut access holes through which they could slip in their infector USB device. Once the USB device was in place, the ATMs could be rebooted and the malware automatically installed.

I’d have thought that with all the hoopla that followed Blackhat in 2010 and the personal visits that Barnaby Jack (and IOActive – the consulting company he worked for at the time) made to the ATM manufacturers and high-street banking organizations at the time, that everyone would have at least disabled the “boot from USB” functionality. Apparently this particular bank hadn’t acted on the memo.

The ATM malware appears to have had a number of interesting features designed to protect it from both investigators and fellow criminals or mules. After supplying a 12-digit magic number to bring up a built-in menu, the money mules were provided direct manual access to the machine’s money-dispensing functions. However, before money could be extracted, a second code was required… a challenge-response code… most likely added to prevent mules from operating independently of the malware authors.

Given the relative sophistication of the malware and the efforts involved in protecting it from both bank investigators and other criminals, I wouldn’t be surprised to learn that the malware is already in use by other organized crime gangs around the world. It would be a rare occurrence for any bank targeted by this malware to openly disclose they were a victim – as it’s not good for business and customer confidence.

While the attack vector – booting from an infected USB stick – will have many security veterans rolling their eyes in disbelief that the targeted bank hadn’t already mitigated the threat, I’ve heard several people argue that writing code (malicious or otherwise) for ATMs is difficult. Unfortunately it’s simpler than most realize. Anyone with an understanding of CEN/XFS, or the time to peruse the online manuals, will quickly master the fundamentals.

This USB infector process is the low hanging fruit for criminals targeting ATM machines. Banks that haven’t already mitigated the attack vector are, for want of a better word, “negligent”. There can be no excuses for not disabling the “boot from USB” functionality – especially now with the public disclosure of criminal abuse.

— Gunter Ollmann, CTO, IOActive Inc.

Article source: http://www.darkreading.com/attacks-breaches/sticking-it-to-the-atm/240165074

4 Trends In Vulnerabilities That Will Continue In 2014

Vulnerabilities are an ever-present problem, but each year the trends in vulnerabilities are somewhat different. In 2013, slightly fewer vulnerabilities were reported than in the previous year, but because of the expansion of bounty programs, more researchers got paid for their research than in previous years.

This coming year, a number of nascent trends will likely become more pronounced. Researchers will have a broader market for their research and more vulnerability research will be focused on embedded devices, popular libraries, and security software, say experts.

“A lot of the vulnerabilities that came out this year are issues that are not going to go away any time soon,” says HD Moore, chief research officer for vulnerability management firm Rapid7.

In 2014, Microsoft will also bring the end of support for Windows XP, one of the most popular OSes targeted for exploitation. By the time people pay their taxes, Microsoft’s support for the venerable operating system–originally released in October 2001–will have ended. That will likely shift the effort that researchers, and attackers, put into finding vulnerabilities, Moore says.

While finding and fixing vulnerabilities are important tasks–not to mention, preventing vulnerabilities by adding secure programming techniques to development processes–companies should expect that attackers will find vulnerabilities in the software that they use and take appropriate measures.

“If you are a valuable target, you have to assume that you are already compromised and that you will get compromised again,” Stefan Frei, director of research for security-information firm NSS Labs, said in an interview earlier this month.

As 2013 comes to a close, vulnerability experts identified the trends they expect to continue in the coming year.

1. More pay for researchers
Most vulnerability researchers can now get paid for the effort they put into finding vulnerabilities. Third-party bounty programs are seeing renewed interest. Hewlett-Packard’s Zero Day Initiative (ZDI), which pays a modest bounty for vulnerabilities in enterprise software products, has accepted almost 290 vulnerabilities from researchers this year, up from the 203 issues that the company paid for last year.

“We are seeing a steady increase in researchers in our program, especially from the Pac-Asia region, Russia and the United Kingdom,” says Brian Gorenc, manager of vulnerability research for ZDI.

[Companies need to focus on not just fixing known vulnerabilities, but closing potential attack vectors. See Securing More Vulnerabilities By Patching Less.]

Google has led software makers in offering a wide variety of bounties for any security issues found in its products. Yet, they are not alone: At least 50 vendors offer bounty programs, according to the list maintained by BugCrowd.com.

Microsoft was the biggest addition to the group this year. The company offered rewards to researchers that found vulnerabilities in its beta products and offered a hefty $100,000 for anyone that found exploits that bypassed the defenses the company built into the latest version of Windows. But Microsoft should do more, says Rapid7’s Moore.

“They are getting credit for running a bounty program that is not really relevant,” Moore says. “The program does not apply to the software that people are actually exploiting; it applies to the software under development.”

2. Exploiting the guards
Researchers have found vulnerabilities in most major security software, and that will continue in 2014, according to ZDI’s Gorenc. While most upcoming vulnerabilities focus on Microsoft, Adobe, Oracle and other major enterprise software vendors, a few reports include the software the companies rely on to secure their systems. In ZDI’s upcoming vulnerabilities list, for example, antivirus firm Sophos and security information and event management (SIEM) firm SolarWinds are both included.

“Toward the end of 2013, we saw researchers looking for a lot more vulnerabilities in security products themselves,” says Gorenc.

The trend pairs with a similar focus of attackers, who have, over the past four years, focused on attacking companies who supply security products to enterprises. RSA, Bit9, and Symantec are among the companies that have had their systems breached.

3. Embedded devices mean flaws live longer
From vulnerabilities in Android to problems with universal plug-and-play to security issues in industrial control and medical systems, vulnerabilities in embedded devices are an increasing focus for researchers. Such security issues are a problem for users because most devices are not easily patched and manufacturers often take months to years to update their device software.

A big part of that is the resurgence of Linux as a target for research, says Rapid7’s Moore. In the past, a vulnerability in Linux meant that companies had to patch their Web and database servers, but increasingly those vulnerabilities are found in embedded devices.

“Any time you have a Linux kernel vulnerability, the scary thing is that those don’t go away,” Moore says. “They get baked into every Android phone and embedded box that is out there.”

4. Libraries under attack
Along with embedded systems, attackers will continue their focus on the popular libraries and frameworks used by developers. Graphics libraries, such as LibTIFF, are popular targets of vulnerability research. Rapid7 found that issues in the universal plug and play library, LibPNP, continued to be widespread.

“Library bugs tend to stick around for awhile because they apply to more and more software going forward” as developers build the libraries into more products, Moore says.

Because developers do not usually issue an update to fix vulnerabilities in libraries, software reliant on vulnerable library versions continues to exist. “There is a multi-year tail on those issues,” he says.


Article source: http://www.darkreading.com/vulnerability/4-trends-in-vulnerabilities-that-will-co/240165067
