STE WILLIAMS

Researchers Reveal Snapchat Security Issues

Snapchat, the popular photo messaging service, got a visit from the privacy Grinch this Christmas season after researchers released details of an exploit that abuses Snapchat’s “Find My Friends” feature.

The visit was the work of Gibson Security, which first notified Snapchat of this and other security issues back in August. According to the group, Snapchat did not respond, compelling Gibson Security to publicly release more details and some proof-of-concept code on Christmas Eve. The first target: Snapchat’s Find My Friends feature.

Typically, Find My Friends enables users to look up their friends’ usernames by uploading the phone numbers in their devices’ address book and searching for accounts that match those numbers. The researchers, however, were able to abuse that capability to perform such lookups on a massive scale.

“We did some back-of-the-envelope calculations based on some number crunching we did (on an unused range of numbers),” the researchers state in their advisory. “We were able to crunch through 10 thousand phone numbers (an entire sub-range in the American number format (XXX) YYY-ZZZZ – we did the Z’s) in approximately 7 minutes on a gigabit line on a virtual server. Given some asynchronous optimizations, we believe that you could potentially crunch through that many in as little as a minute and a half (or, as a worst case, two minutes). This means you’d be railing through as many as 6666 phone numbers a minute (or, in our worst case, 5000!).”

Gibson Security did not immediately respond to a request for comment from Dark Reading. However, in an email exchange with ZDNet, the researchers say an attacker could use the Snapchat API to write an automated program that generates phone numbers and searches them against the Snapchat database as a step toward building a database of social networking profiles that could be sold to others.

“Hopping through the particularly ‘rich’ area codes of America, potential malicious entities could create large databases of phone numbers and corresponding Snapchat accounts in minutes,” the researchers wrote.

The researchers also presented proof-of-concept code for the bulk registration of accounts. The issue takes advantage of what the researchers say in their advisory is “lax registration functionality.”

“The mass registration exploit could be used to create thousands of accounts, which could be used for speeding up the above process, or possibly for spam,” Gibson Security told ZDNet.

Snapchat did not respond to a request for comment from Dark Reading.


Article source: http://www.darkreading.com/vulnerability/researchers-reveal-snapchat-security-iss/240165041

Festive season spammers offer some cutting criticism to the Naked Security crew…

For a bit of festive season fun, we thought we’d look at some spam.

Long-term readers will know that we have a tongue-in-cheek list of spam categories, taking us well beyond just unsolicited email.

Over the years, we’ve added the following spam variants to our menagerie:

  • SPIT – spam using internet telephony
  • SPIM – spam over instant messaging
  • SPASMS – spam via SMS
  • SPATTER – spam via Twitter
  • SPEWS – spam through electronic web submissions

SPEWS, of course, often end up converted into emails and directed inwards by the form submission page on your webserver.

→ It’s generally a good idea to treat your web server as an untrusted email sender, even if it is inside your network, and to put any emails that it generates (especially if they might contain content entered online by someone outside your network) through your usual email filtering process.

SPEWS are also common on blogs and forums where commenting is allowed, not least because many forums allow web links to be entered into comments.

A site that can easily be tricked into re-publishing clickable links for free is a useful resource to spammers (or to bots working on their behalf).

That’s what the spammer was trying to do in the examples below.

We’re saying “spammer,” even though numerous IP addresses were used and a range of topics covered, because the “comments” we’ve chosen in this case all follow a very similar pattern.

The formula is pretty simple.

There’s a short, generic and not terribly grammatical burst of praise, like this:

An interesting discussion is worth comment. I think that you simply really should write a lot more on this topic, it could possibly not be a taboo topic but normally people aren’t sufficient to speak on such topics. To the next. Cheers.

Then there’s a URL.

It’s hard to imagine why anyone (except perhaps another spammer wanting to see what the competition was up to) would click on any of the URLs we’ve seen in this campaign, as the links have no relevance to computer security at all, let alone to the article on which they claim to be commenting.
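As an added example (not Naked Security’s code), here is a small moderation heuristic for the formula just described: generic praise, a dropped apostrophe or two, no connection to the article, and a link whose host or path names a product. The keyword lists, weights and the .invalid link are constructed assumptions; the spam bodies are trimmed versions of the comments quoted in this article.

```python
"""Heuristic triage for the "flattery plus a link" comment-spam pattern.

Added example, not Naked Security's code. Keyword lists, weights and the
.invalid link are constructed; the spam bodies are (trimmed) comments
quoted in the article.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Terms characterising the post being commented on: constructed stand-in for
# what a moderation hook would extract from the article body.
ARTICLE_KEYWORDS = {"spam", "comment", "comments", "link", "links", "url",
                    "security", "filter", "email", "web", "server", "blog",
                    "moderation", "phishing"}
# Generic praise fragments from the quoted campaign (constructed list).
PRAISE_PHRASES = ("interesting discussion", "worth comment", "great info",
                  "nice points", "huge thumbs up", "so cool",
                  "original thoughts", "coming back to your blog")
# Product terms seen in the campaign's URLs (constructed, deliberately short).
PRODUCT_TERMS = ("rolex", "watches", "jordan", "footwear", "shoes")
# Contractions typed without the apostrophe: the "not terribly grammatical" tell.
MISSING_APOSTROPHE = re.compile(
    r"\b(youre|youd|dont|doesnt|didnt|isnt|werent|ive|thats|theyre)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
WORD_RE = re.compile(r"[a-z]+")
HOLD_THRESHOLD = 4  # constructed cut-off: at or above it, hold for moderation

@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def hold(self) -> bool:
        return self.score >= HOLD_THRESHOLD

def score_comment(body: str, website: str = "") -> Verdict:
    """Score one comment; `website` is the optional URL field posted with it."""
    v = Verdict()
    urls = URL_RE.findall(body) + ([website] if website else [])
    # 1. The link is the payload: every comment in the campaign carried one.
    if urls:
        v.score += 2
        v.reasons.append(f"{len(urls)} link(s)")
    # 2. Product terms in host or path (the rolexwatches / Air Jordan case).
    for u in urls:
        parts = urlsplit(u)
        if any(t in (parts.netloc + parts.path).lower() for t in PRODUCT_TERMS):
            v.score += 2
            v.reasons.append(f"product term in {parts.netloc}")
            break
    # 3. Generic praise, capped so a long gush cannot dominate the score.
    lowered = body.lower()
    praise = [p for p in PRAISE_PHRASES if p in lowered]
    if praise:
        v.score += min(len(praise), 2)
        v.reasons.append("generic praise: " + ", ".join(praise))
    # 4. Dropped apostrophes.
    if MISSING_APOSTROPHE.search(body):
        v.score += 1
        v.reasons.append("dropped apostrophes")
    # 5. Nothing in common with the article: fewer than two shared keywords.
    overlap = set(WORD_RE.findall(lowered)) & ARTICLE_KEYWORDS
    if len(overlap) < 2:
        v.score += 2
        v.reasons.append(f"off-topic ({len(overlap)} shared keyword(s))")
    return v

CAMPAIGN_LINK = "http://cheap-rolexwatches.invalid/air-jordan-sale"  # constructed
SPAM_BODIES = [
    "An interesting discussion is worth comment. I think that you simply really "
    "should write a lot more on this topic. To the next. Cheers.",
    "There is noticeably a bundle to know about this. I assume you made certain "
    "nice points in features also.",
    "Hello! I just would like to give a huge thumbs up for the great info you "
    "have here on this post. I will be coming back to your blog for more soon.",
    "Youre so cool! I dont suppose Ive read anything like this before. So nice "
    "to find somebody with some original thoughts on this subject.",
    "The next time I read a blog, I hope that it doesnt disappoint me as much "
    "as this 1. I really thought youd have some thing intriguing to say.",
]
HAM = [  # constructed on-topic comments, the second with a legitimate link
    ("Good point about treating the web server as an untrusted email sender; "
     "we already route form submissions through the same spam filter.", ""),
    ("Related write-up on comment spam and link moderation: "
     "http://example.invalid/blog/comment-spam", ""),
]

if __name__ == "__main__":
    for body, site in [(b, CAMPAIGN_LINK) for b in SPAM_BODIES] + HAM:
        v = score_comment(body, site)
        print(f"hold={v.hold!s:<5} score={v.score} {v.reasons}")
```

Note that the critical comment scores as spam too: once the link and the off-topic test carry most of the weight, the tone of the text barely matters.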

Nevertheless, this spammer has been quite persistent in his or her flattery.

We “made certain nice points,” apparently:

There is noticeably a bundle to know about this. I assume you made certain nice points in features also.

And we received “a huge thumbs up,” too:

Hello! I just would like to give a huge thumbs up for the great info you have here on this post. I will be coming back to your blog for more soon.

Occasionally, the spammer gets rather caught up in it all, and bigs us up enormously:

Youre so cool! I dont suppose Ive read anything like this before. So nice to find somebody with some original thoughts on this subject. realy thank you for starting this up. this website is something that is needed on the web, someone with a little originality. useful job for bringing something new to the internet!

But once in a while, the flattery stops and we are confronted with criticism instead:

The next time I read a blog, I hope that it doesnt disappoint me as much as this 1. I mean, I know it was my option to read, but I really thought youd have some thing intriguing to say. All I hear is often a bunch of whining about something that you could fix if you happen to werent too busy looking for attention.

Ouch! Take that, Naked Security!

Perhaps the spammer hopes to be taken more seriously by unleashing some tough love in amongst the toadying remarks?

But what if we had approved the comment anyway, and retained the suspicious-looking URL it contained?

The URL that was added to this comment included the text string rolexwatches in its domain name, while the path part of the URL mentioned Air Jordan footwear.

That might seem a curious combination, but it was the footwear that was the sales goal this time.

Clicking the URL takes you to an astonishing piece of prose on a free blog hosting service:

Possibly me and my teammates aloof bought pairs from a abnormal shipment? One guy alternate them and exchanged them for the atramentous and blah colorway and had no troubles.

If you end up motivated to click through by the admittedly confusing text above, you will indeed be offered Air Jordans for sale:

And if you’ve had any misgivings about how you got this far, you can relax!

You’re on a secure site, at least according to the site itself:

And there you have it.

It seems that flattery alone doesn’t get you everywhere, after all.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/kROsJ-REa1U/

OpenSSL bug, DDoS bust, Snapchat SNAFU and a free Threatsaurus – 60 Sec Security [VIDEO]


Privacy lenses pointed at Snapchat for making phone number searches too easy

Snapchat is a hip and happening mobile app, and you’ve probably heard of it, though not necessarily in flattering terms if you are interested in security.

Snapchat’s primary purpose seems to be to suck you into thinking that it is safe to share risky (or risqué) photos of yourself, provided that you do so via the Snapchat app, rather than via email or a regular photo-sharing service.

That’s because the Snapchat app gives recipients only a few seconds to look at your picture – just long enough for them to mouth the words, “My goodness, look who’s in the background…that must be…”

And before they can remember whether it was Monica or Mary (or Daniel or Dave)…

…poof!

The photo vanishes, and can’t be downloaded or opened again.

But security experts have laughed from Day Zero at the idea that Snapchat images could truly be said to disappear after viewing.

Even Snapchat managed to confuse itself, as we reported earlier this year, making the unlikely claim in Google’s Play Store that:

Snapchat is the fastest way to share a moment with friends. You control how long your friends can view your message – simply set the timer up to ten seconds and send. They’ll have that long to view your message and then it disappears forever.

The next sentence, however, boasted that:

We’ll let you know if they take a screenshot!

In which case, of course, it wouldn’t have disappeared at all, let alone forever.

(As Naked Security asked more than a year ago, “what action are you going to take if you share a photo in confidence, only to discover that someone has chosen to keep a permanent record?”)

So the idea of making an absolute claim about the concept of a message that “disappears forever” was impertinent nonsense from Snapchat to start with.

And that’s before you take into account that:

  • You can use a mobile phone to snap a pretty decent snapshot of a snapshot displayed on the screen of a mobile phone, and the sender will be none the wiser.
  • When Snapchat was still openly promising disappearing photos, its app wasn’t even trying to delete snapshots from your phone after you viewed them: images were merely renamed so that most (but not all) image viewers would ignore them.
  • Snapchat has admitted sharing images with law enforcement (something it must have known it would need to do to comply with regulations), and we assume the officers who received those photos did not delete them after they’d been viewed.
  • Snapchat’s image encryption apparently uses a symmetric cipher with hardwired keys, so any user or server who has intercepted a web request (admittedly an HTTPS-protected one) in which you fetched an image can decode it later at their leisure, no matter whether you or Snapchat want them to.

Snapchat’s liberal attitude to technical accuracy didn’t stop Facebook from offering recently to write a cheque for $3,000,000,000 to buy it outright – with other potential investors apparently thinking of paying $4 billion for that privilege.

(Even more dramatically, Snapchat’s 23-year-old founder and CEO, Evan Spiegel, turned up his nose at both offers.)

To be fair, the company has now backed off from its “disappears forever” claims.

The Play Store promotional text now says:

Please note: even though snaps are deleted from our servers after they are viewed, we cannot prevent the recipient(s) from capturing and saving the message by taking a screenshot or using an image capture device.

But a new round of criticism has arisen, with a group of hackers who identify themselves only as Gibsonsec publishing proof-of-concept code for exploiting two vulnerabilities they claim Snapchat has failed to fix since August 2013.

The first exploitable vulnerability is that you can use the Snapchat API (Application Programming Interface) to perform apparently unlimited phone number lookups.

Once you log in with an active username and password, says Gibsonsec, you can make web requests to the Snapchat find_friends API function to check whether there is a user X with phone number Y.

The idea sounds reasonable enough: if you know someone’s phone number, you can use it to help find whether they’re on Snapchat.

But the Gibsonsec researchers claim that in their tests, they were able to check about 1500 numbers per minute using a single cloud-based virtual server; they further estimate that 5000 number lookups per minute ought to be fairly easy to do with some improvements to their code.

That would let you get through 7,000,000 lookups a day from a single server.

That’s the sort of request volume it would be prudent for Snapchat to limit, in order to prevent stalkers and crooks from easily searching entire telephone area codes for otherwise-unlisted individuals.

Of course, one way for Snapchat to restrict the number-finding power of unscrupulous users would be to lock out any accounts that make too many requests.

But Gibsonsec’s second exploitable vulnerability would circumvent that sort of protection: apparently unlimited registration of new accounts.

Many web services put one or more speed-bumps in the way of account creation, for example by sending an email containing a URL that needs to be visited to activate a new account, or by asking the applicant to solve a CAPTCHA.

Spammers, scammers and other miscreants love services that make it easy to automate the creation of new users, and to recover information about existing users.

Snapchat really ought to do something about automated account registration and over-zealous phone number searches.
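As an added example (not Snapchat’s or Gibsonsec’s code), here is a lookup budget that treats the two weaknesses together: per-account and per-source sliding-window caps, with a reduced budget for freshly registered accounts. All limits are constructed assumptions; the simulation replays the 1500-lookups-a-minute rate reported above, first from one account and then rotated over 50 bulk-registered accounts, to show that only the per-source cap survives mass registration.

```python
"""Budgeting a phone-number lookup API against enumeration.

Added example, not Snapchat's or Gibsonsec's code. Limits, window length
and the reduced budget for young accounts are constructed assumptions,
chosen to show the interaction the article describes: a per-account cap
alone is defeated by bulk-registered accounts, a per-source cap is not.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    per_account: int        # lookups an established account may make per window
    per_source: int         # lookups one network source may make per window
    new_account_limit: int  # budget for accounts younger than new_account_ms
    new_account_ms: int
    window_ms: int = 60_000

class SlidingCounter:
    """Events in the trailing window; timestamps are integer milliseconds."""

    def __init__(self, window_ms: int):
        self.window_ms = window_ms
        self.events = deque()

    def count(self, now: int) -> int:
        cutoff = now - self.window_ms
        while self.events and self.events[0] <= cutoff:
            self.events.popleft()
        return len(self.events)

    def add(self, now: int) -> None:
        self.events.append(now)

class LookupGuard:
    """Admission control for a find-friends style lookup endpoint."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.by_account = defaultdict(lambda: SlidingCounter(policy.window_ms))
        self.by_source = defaultdict(lambda: SlidingCounter(policy.window_ms))
        self.registered_at = {}  # account -> registration time (ms)

    def register(self, account: str, now: int) -> None:
        self.registered_at[account] = now

    def allow(self, account: str, source: str, now: int):
        """Decide one lookup: (True, 'ok') or (False, budget that was exhausted)."""
        limit = self.policy.per_account
        born = self.registered_at.get(account)
        if born is not None and now - born < self.policy.new_account_ms:
            limit = self.policy.new_account_limit
        acct, src = self.by_account[account], self.by_source[source]
        if acct.count(now) >= limit:
            return False, "account"
        if src.count(now) >= self.policy.per_source:
            return False, "source"
        acct.add(now)
        src.add(now)
        return True, "ok"

def simulate(policy: Policy, accounts, rate_per_min: int, minutes: int,
             fresh: bool = False, source: str = "203.0.113.7"):
    """Replay an enumeration run: rate_per_min lookups a minute, spread
    round-robin over `accounts`, all from one source (RFC 5737 documentation
    address). Returns (allowed, {reason: denied})."""
    guard = LookupGuard(policy)
    if fresh:  # the accounts were bulk-registered just before the run
        for a in accounts:
            guard.register(a, 0)
    step_ms = 60_000 // rate_per_min
    allowed, denied = 0, defaultdict(int)
    for i in range(rate_per_min * minutes):
        ok, why = guard.allow(accounts[i % len(accounts)], source, i * step_ms)
        if ok:
            allowed += 1
        else:
            denied[why] += 1
    return allowed, dict(denied)

DAY_MS = 24 * 3_600_000
PER_ACCOUNT_ONLY = Policy(per_account=60, per_source=10**9,
                          new_account_limit=10, new_account_ms=DAY_MS)
WITH_SOURCE_CAP = Policy(per_account=60, per_source=120,
                         new_account_limit=10, new_account_ms=DAY_MS)
RATE = 1500  # lookups per minute Gibsonsec reported from one virtual server

if __name__ == "__main__":
    bulk = [f"bulk{n:02d}" for n in range(50)]
    print("one established account:", simulate(PER_ACCOUNT_ONLY, ["u"], RATE, 2))
    print("50 fresh accounts, account cap only:",
          simulate(PER_ACCOUNT_ONLY, bulk, RATE, 2, fresh=True))
    print("50 fresh accounts, plus source cap:",
          simulate(WITH_SOURCE_CAP, bulk, RATE, 2, fresh=True))
```

With the per-account cap alone, fifty fresh accounts get 1000 lookups through in two minutes against 120 for a single account, and the figure grows with every account registered; the per-source cap holds the same run to 240 regardless of how many accounts are rotated.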

Mind you, when you’ve just turned down $3 billion in cash from Facebook, slowing anything down probably sounds like a bad idea.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/VJAPqyiRqys/

Slurp away, NSA: Mass phone data collection IS legal, rules federal judge


A US federal judge has ruled that the NSA is within its rights to harvest millions of innocent Americans’ telephone call records under Section 215 of the Patriot Act – and that the dragnet is fine under the Fourth Amendment since the data was collected by a third-party telco, not the government.

The decision kicks the debate over the legality of the intelligence agency’s controversial mass-surveillance operations closer to the Supreme Court.


“Robust discussions are underway across the nation, in Congress, and at the White House, the question for this court is whether the government’s bulk telephony metadata program is lawful. This court finds it is,” said US District Judge William Pauley in his ruling today.

The court case was filed by civil-rights campaigners the ACLU in June, less than a week after the first document released by NSA whistleblower Edward Snowden showed that Verizon was supplying metadata on US mobile phone calls. As Verizon subscribers, the ACLU sued to get the snooping stopped with an injunction.

“We are extremely disappointed with this decision, which misinterprets the relevant statutes, understates the privacy implications of the government’s surveillance and misapplies a narrow and outdated precedent to read away core constitutional protections,” said ACLU deputy legal director Jameel Jaffer.

“As another federal judge and the president’s own review group concluded last week, the National Security Agency’s bulk collection of telephony data constitutes a serious invasion of Americans’ privacy. We intend to appeal and look forward to making our case in the Second Circuit.”

In his ruling Judge Pauley said that surveillance techniques such as those deployed by the NSA were necessary to stop terrorism, citing three cases where such data had been used to stop bomb attacks on the New York subway system, stock exchange, and other targets.

“Like the 9/11 Commission observed: the choice between liberty and security is a false one, as nothing is more apt to imperil civil liberties than the success of a terrorist attack on American soil,” he wrote.

“A court’s solemn duty is ‘to reject as false, claims in the name of civil liberty which, if granted, would paralyze or impair authority to defend [the] existence of our society, and to reject as false, claims in the name of security which would undermine our freedoms and open the way to oppression.’”

Judge Pauley’s reasoning contrasts sharply with the December 16 ruling from District of Columbia Judge Richard J Leon, also on the legality of the Verizon data slurp. The judge described the NSA’s systems as “almost Orwellian,” and said he wasn’t convinced about the government’s claims that such data was needed for rapid-response anti-terrorism. Judge Leon was ruling in a lawsuit brought against the Obama administration by lawyer Larry Klayman and other privacy campaigners.

In both cases the judges gave leave to appeal, and it now looks certain that the Supreme Court will have to rule on the matter. How quickly it does so is largely up to the nine-person panel itself, but it seems likely that the court will rule sooner rather than later. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/27/slurp_away_nsa_mass_phone_data_collection_is_legal_rules_federal_judge/

Snowden leak journo leaks next leak: NSA, GCHQ dying to snoop on your gadgets mid-flight


Top-secret documents leaked by NSA whistleblower Edward Snowden have been plastered across our screens and front-pages for months by Glenn Greenwald and his team.

And on Friday the journalist couldn’t help but leak a few details about a forthcoming wave of fresh revelations regarding the US and UK governments’ mass surveillance operations.


In a keynote speech to this year’s Chaos Communication Congress in Hamburg, Germany, Greenwald claimed NSA and GCHQ analysts are infuriated that they cannot easily track or monitor airline passengers’ smartphones and other electronic gadgets mid-flight – implying that may be about to change.

Conveniently, US comms watchdog the FCC has given a thumbs up to in-flight mobile broadband, and the European Aviation Safety Agency is relaxing its rules on the use of electronics before and during flights – in theory, granting spies a pathway to personal computers and handhelds tens of thousands of feet above ground.

Addressing the hackers’ conference via Skype from his home in São Paulo, Greenwald – who used to break his NSA stories in UK daily newspaper the Guardian but has since moved on – spent most of his allotted hour praising Snowden and condemning corporate media giants.

Greenwald then turned his ire onto the NSA and GCHQ’s long-running quest for total awareness of the world’s communications networks:

The NSA and GCHQ … are obsessed with searching out any small little crevice on the planet where some forms of communication may be taking place without them being able to invade it.

One of the stories we’re working on now – I used to get in trouble at the Guardian for pre-announcing my stories, but I’m not at the Guardian so I’m just going to do it anyway – the NSA and GCHQ are being driven crazy by this idea that you can go on an airplane and use certain cellphone devices or internet services and be away from their prying eyes for a few hours at a time.

They are obsessed with finding ways to invade the systems of online, onboard internet services and mobile phone services, because the very idea that human beings can communicate even for a few moments without them being able to collect and store and analyze and monitor what it is that we’re saying is simply intolerable.

Meanwhile, scrutiny of the NSA’s spying programs by the US Supreme Court edged closer to reality today after one federal judge ruled the agency’s phone records dragnet is lawful despite another slamming it as “almost Orwellian.” While just hours ago US District Judge William Pauley said the NSA’s operations had thwarted bomb attacks on US soil, Judge Richard J Leon remarked this month that he was not convinced the agency’s databases on Americans could be used to rapidly swoop on terrorists.

Continuing his speech this evening, Greenwald said Blighty’s GCHQ and Uncle Sam’s NSA “target every form of communication that they can possibly get their hands on.”

“And if you think about what individual privacy does for us as human beings, let alone what it does for us on a political level, it really is the thing that lets us explore boundaries and engage in creativity and use the mechanisms of dissent without fear,” he told the hackers’ conference, now in its 30th year.

“A surveillance state breeds conformity, because if human beings know they are susceptible to being watched, even if they’re not being watched, they cling far more closely to orthodoxy.”

Greenwald gets onto the subject of airlines about 39 minutes into his speech, which was recorded and published online here:

“NSA conducts all of its activities in accordance with applicable laws, regulations, and policies – and assertions to the contrary do a grave disservice to the nation, its allies and partners, and the men and women who make up the National Security Agency,” the NSA stated during the height of this year’s Snowden-sourced revelations.

“Terrorists, weapons proliferators, and other valid foreign intelligence targets make use of commercial infrastructure and services. When a validated foreign intelligence target uses one of those means to send or receive their communications, we work to find, collect, and report on the communication.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/27/greenwald_30c3/

PINs Stolen In Target Breach

The PIN question has been answered: Target today confirmed that customer PINs were pilfered in the massive breach that affected some 40 million credit and debit cards in its stores between Nov. 27 and Dec. 15.

Target initially had said only that encrypted data was stolen, and speculation was high over whether PINs, indeed, were exposed in the massive hack. A company spokesperson told news outlets earlier this week that it did not believe PIN data was affected in the attack. Customer names, credit and debit card numbers, card expiration dates, and embedded code on the magnetic strips on the backs of the cards also were exposed in the attack.

But Target maintains that the PINs are safe because they are encrypted at the keypads with Triple DES encryption.

“While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed. We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems,” the retailer said in a statement today.

The retailer says it neither has access to, nor does it store, the encryption key in its systems. “The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the ‘key’ necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.
The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken,” the company said today.

But security experts say Triple DES encryption won’t necessarily stop a determined and sophisticated attacker. Gunter Ollmann, CTO of IOActive, says attackers can recover PIN data and then make physical copies of stolen cards in order to withdraw funds from ATMs. And Triple DES is “broken,” with tools available to crack it, he says.

“Triple DES should have been replaced 5-plus years ago,” Ollmann says. “I’d be surprised if past security assessments and PCI tests hadn’t already flagged this as a security flaw.”

The question, he says, is why Target would not have remedied this. “Was it an ‘acceptable risk’ business decision?” he says.

[Target’s massive cardholder breach is a prime example for why security pros have pushed for improved POS and payment application security. See Target Breach Should Spur POS Security, PCI 3.0 Awareness.]

Hints that PINs had been hit in the breach emerged earlier this week, as Reuters reported that JP Morgan Chase Co. and Spain’s Santander Bank had lowered their customers’ withdrawal limits from ATMs as well as total card transaction amounts.

Meanwhile, Target has seen “limited incidents of phishing” in the wake of the breach, the company says, and it is now posting all official communications it sends to customers on its website so they can confirm legitimate information from the retailer.

Target is working with the U.S. Secret Service and the Department of Justice on an investigation into the breach.


Article source: http://www.darkreading.com/attacks-breaches/pins-stolen-in-target-breach/240165038
