
Security News

User data plundering by Android and iOS apps is as rampant as you suspected

Quote

Apps in both Google Play and the Apple App Store frequently send users’ highly personal information to third parties, often with little or no notice, according to recently published research that studied 110 apps.

The researchers analyzed 55 of the most popular apps from each market and found that a significant percentage of them regularly provided Google, Apple, and other third parties with user e-mail addresses, names, and physical locations. On average, Android apps sent potentially sensitive data to 3.1 third-party domains while the average iOS app sent it to 2.6 third-party domains. In some cases, health apps sent searches including words such as “herpes” and “interferon” to no fewer than five domains with no notification that it was happening.

“The results of this study point out that the current permissions systems on iOS and Android are limited in how comprehensively they inform users about the degree of data sharing that occurs,” the authors of the study, titled Who Knows What About Me? A Survey of Behind the Scenes Personal Data Sharing to Third Parties by Mobile Apps, wrote. “Apps on Android and iOS today do not need to have permission request notifications for user inputs like PII and behavioral data.”

The personal information most commonly transmitted by Android apps was a user’s e-mail address, with 73 percent of the apps studied sending that data. In total, 49 percent of Android apps sent users’ names, 33 percent transmitted users’ current GPS coordinates, 25 percent sent addresses, and 24 percent sent a phone’s IMEI or other details. An app from Drugs.com, meanwhile, sent the medical search terms “herpes” and “interferon” to five domains, including doubleclick.net, googlesyndication.com, intellitxt.com, quantserve.com, and scorecardresearch.com, although those domains didn’t receive other personal information.

Also concerning were Android apps that sent third parties potentially sensitive combinations of data. Facebook, for example, received users’ names and locations from seven of the apps analyzed in the study—American Well, Groupon, Pinterest, RunKeeper, Tango, Text Free, and Timehop. The domain Appboy.com received the data from an app called Glide.

And you pay for this wholesale rape of your privacy!

Comcast resets 200k cleartext passwords

Quote

Zimbra mail server exploit claimed as source of dump

A hacker has tried to sell 200,000 valid cleartext Comcast credentials he claims he stole in 2013 from the telco’s then-vulnerable mailserver.

The telco has reset passwords for the affected accounts after news surfaced of the credentials being sold on the Python Market hidden marketplace.

Of the total pool of 590,000 accounts for sale for US$1,000, the company says around a third were accurate.

It told the Chicago Tribune the data was probably obtained through phishing, malware, or a breach of a third party site.

But the hacker responsible for the selling of the credentials, known as Orion, told Vulture South he obtained the credentials when he popped a Comcast mail server in December 2013.

He said the breach yielded 800,000 Comcast credentials of which 590,000 contained cleartext passwords.

Comcast has been contacted for comment.

“So in 2013 December the f****s at NullCrew came across an exploit for Zimbra which Comcast used at this domain *****.comcast.net ,” Orion says.

“NullCrew only got [about] 27k emails with no passwords lol while I got 800k with only 590k users with plaintext passwords.”

I do not know whether to laugh or cry at all the businesses that think they are secure using the likes of Comcast and Verizon email. What is even worse is the firewalls these outfits provide. They are as bad as no firewall at all.

China Unable To Recruit Hackers Fast Enough…To Keep Up With Vulnerabilities In U.S. Security Systems

Quote

BEIJING—Despite devoting countless resources toward rectifying the issue, Chinese government officials announced Monday that the country has struggled to recruit hackers fast enough to keep pace with vulnerabilities in U.S. security systems. “With new weaknesses in U.S. networks popping up every day, we simply don’t have the manpower to effectively exploit every single loophole in their security protocols,” said security minister Liu Xiang, who confirmed that the thousands of Chinese computer experts employed to expose flaws in American data systems are just no match for the United States’ increasingly ineffective digital safeguards. “We can’t keep track of all of the glaring deficiencies in their firewall protections, let alone hire and train enough hackers to attack each one. And now, they’re failing to address them at a rate that shows no sign of slowing down anytime soon. The gaps in the State Department security systems alone take up almost half my workforce.” At press time, Liu confirmed that an inadequate labor pool had forced China to outsource some of its hacker work to Russia.

Check the quote source, but as usual the parody is closer to the truth. Why is the U.S. Government so far behind in Cyber Security? Well, one reason is that the number of hoops one needs to jump through to land a government Cyber Security job is hard to fathom, and so much of it is unrelated to the tasks at hand. It is easier to go to the private sector. All that said, in my experience the private-sector companies that really take Cyber Security seriously are few and far between.

AVG – You’re the Product!

No Free Lunch

Well, it seems the free anti-malware outfit AVG is ready to cash in:

Quote

Security software firm AVG has defended changes in its privacy policy, due to come into effect on Thursday (15 October), allowing it to collect and resell users’ anonymised web browsing and search history.

AVG is not selling data to advertisers – yet – but if and when it does so it will “cleanse” the data so users can’t be individually targeted, according to Anscombe.

The security software firm says it will not sell personal information such as names, emails, addresses, or payment card details, and will try to “anonymize the data we collect and store it in a manner that does not identify you.”

However, effectively anonymising user data is a difficult task – especially in the era of big data, correlation and user behaviour. For example, researchers from Harvard University recently achieved a 100 per cent success rate in de-anonymising patients from their supposedly anonymised healthcare data in South Korea.

Furthermore, even if AVG can fully anonymise the data being sold to advertisers and affiliated brands, the issue remains that it’s uncomfortable (at best) for a security company to collect data on users before selling it off to third parties.

There is no free lunch. Like Gmail and other freebies – you’re the product!

Card Breach Hits America’s Thrift Stores

Quote

America’s Thrift Stores, which operates 18 donation-based thrift stores across five states, is the latest organization to discover it has been hit by a cyberattack.

The company recently learned it was a victim of a data breach that originated through software used by a third-party service provider.

America’s Thrift Stores confirmed it has been working with an independent external forensic expert, as well as the U.S. Secret Service, to investigate the breach, which it believes affected sales transactions between Sept. 1, 2015 and Sept. 27, 2015.

The malware-driven security breach resulted in the theft of customers’ payment card numbers and expiration dates, but America’s Thrift Stores confirmed the U.S. Secret Service does not believe customer names, phone numbers, addresses or email addresses were compromised in the attack.

“This breach allowed criminals from Eastern Europe unauthorized access to some payment card numbers,” the company’s CEO, Kenneth Sobaski, said in a statement.

“This virus/malware is one of several infecting retailers across North America.”

According to security blogger Brian Krebs, sources at several banks reported a pattern of fraud on payment cards used to make purchases at America’s Thrift Stores, meaning the cybercriminals may have used “data stolen from the compromised point-of-sale devices to counterfeit new cards.”

As PYMNTS reported yesterday (Oct. 12), the costs of cybercrime for businesses are rising at an alarming rate, with U.S. companies feeling the brunt of the financial burden.

In the latest report on the true costs of cybercrime, Hewlett-Packard issued a report in tandem with Ponemon via the latter’s Institute on Cyber Crime earlier this month. The report states that the U.S. is especially hard hit by hacking, as cyberattacks cost U.S. firms, on average, $15.4 million annually, which is double the $7.7 million global average (which is a bump of 1.9 percent over last year, after adjusting for currency changes). For the U.S., the latest average costs represent a significant jump from the $12.7 million seen in 2014.

Google Malvertising App

Quote

Android apps that should be innocuous are pimping smut by way of slack supervision of their advertising networks, with two app authors complaining to The Register that the root of the problem lies with The Chocolate Factory.

The authors of two popular Sydney public transport apps told us Google’s app monetisation service AdMob is failing to catch disallowed advertisements that should be easy to spot for the world-dominating ad-and-click network.

Malvertising is a rising problem because users are turning to ad blockers as a security precaution, both to protect against malware and to keep material they deem inappropriate out of their eyeballs. The latter outcome is made necessary by ads like those below, which The Register has observed in the Arrivo and TripView public transport timetable apps, both of which are likely to pop up on minors’ phones.

If, as it seems to this untutored eye, the ad got past filters by presenting its text as an image with extra space to defeat character recognition, Google deserves its backside kicked through all the letters of its Alphabet. Twice per letter, once per language.

Let’s get physical…

Almost everyone worries about computer security in one way or another. Much is written about network security, of course, and lots of attention is paid to file and operating system security, often as it relates to viruses.

Security of your physical computing assets, however, is just as important, and perhaps more important. If someone has physical access to one of your assets, say a desktop computer, laptop, server or router, then, given enough time, they can compromise that asset. Without sufficient physical security, all of the time, attention and resources spent on other security matters can be wasted.

For example, someone who has physical access to a device that uses a hard drive can, in a sometimes surprisingly short period of time, clone the disk and then study it at their leisure at another location. You might not even know anyone was there. Full-disk encryption blunts that particular attack, but it does not help against someone who can tamper with the boot path or who catches the machine powered on and unlocked. As another example, by booting the machine from their own media they could reset or replace your passwords, giving themselves access to all or a portion of your environment while locking you out at the same time.

It is a truism that you cannot hold out forever against someone who can gain physical access to your environment, and someone who has access can of course do untold damage simply by destroying computing assets. However, that does not mean that you cannot or should not take steps to protect your computing environment. On the other hand, as with all things computer security, there is a risk/cost trade-off (more on that in another upcoming blog).

So, if you haven't done so in a while, it might be a good idea to take stock of the physical security of your computing environment, with respect to both access and damage.

For access, you should consider questions like: Who has access to each device? Should the device be protected by some sort of physical barrier to prevent access? Are there multiple levels of physical security? For example, if you are in a large corporation, your first layer of physical security might be a locked building with a guard. A second layer might be locating critical computing assets on a floor that the elevator only reaches with a key. Finally, you might put particularly critical devices in a room whose door uses a keypad, fingerprint or even a retinal scanner, and log all access. Keep in mind that an access log only helps if someone actually reviews it, and a door control is only as good as your discipline about tailgating and propped-open doors.

And don't forget to consider that dropped ceiling or raised floor as you think about a high-security area. A locked door might not be as secure as you thought if someone can go over it via a dropped ceiling or under it via a raised floor.

Regarding damage, aside from a berserker with a sledgehammer, one big risk is fire. Of course, if the entire building burns down it isn't likely that your computing assets will survive. However, what if a smaller fire triggers the sprinkler system? What will happen to your computers? This is one reason server rooms are often fitted with gas-based (clean agent) suppression rather than water sprinklers.

Naturally, the list of things that good physical security might entail is a lot longer than a short article can cover. But this article can perhaps serve as a jumping-off point for a review of the physical security of your computing assets.

What’s in a Boarding Pass Barcode? A Lot

Quote

The next time you’re thinking of throwing away a used boarding pass with a barcode on it, consider tossing the boarding pass into a document shredder instead. Two-dimensional barcodes and QR codes can hold a great deal of information, and the codes printed on airline boarding passes may allow someone to discover more about you, your future travel plans, and your frequent flyer account.

Earlier this year, I heard from a longtime KrebsOnSecurity reader named Cory who said he began to get curious about the data stored inside a boarding pass barcode after a friend put a picture of his boarding pass up on Facebook. Cory took a screen shot of the boarding pass, enlarged it, and quickly found a site online that could read the data.

“I found a website that could decode the data and instantly had lots of info about his trip,” Cory said, showing this author step-by-step exactly how he was able to find this information.

“Besides his name, frequent flyer number and other [personally identifiable information], I was able to get his record locator (a.k.a. “record key”) for the Lufthansa flight he was taking that day,” Cory said. “I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”

The information contained in the boarding pass could make it easier for an attacker to reset the PIN number used to secure his friend’s Star Alliance frequent flyer account. For example, that information gets you past the early process of resetting a Star Alliance account PIN at United Airline’s “forgot PIN” Web site.

More Stuff for the shredder!
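To make concrete what a boarding-pass barcode hands over, here is an added Python example (not code from Krebs's article or from this post) that decodes the mandatory 60-character block of an IATA BCBP "M"-format barcode, the encoding behind the 2D barcodes on most airline boarding passes. The field widths and their order follow the published IATA layout; the barcode string itself is constructed for the example. The frequent-flyer number lives in the optional "conditional" block that follows the mandatory one, which this decoder returns raw rather than parsing, so the example shows only how the surname and record locator, the pair the article says unlocks the booking, fall straight out of the fixed-width fields.

```python
"""Decode the mandatory block of an IATA BCBP ("M"-format) boarding-pass barcode.

Added example: the layout follows the IATA BCBP mandatory items; the sample
barcode below is constructed, not taken from a real pass.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# Mandatory items for the first flight leg, in order, with their fixed widths.
# They always add up to 60 characters; whatever follows is the optional block.
MANDATORY_FIELDS = [
    ("format_code", 1),        # always "M"
    ("legs_encoded", 1),
    ("passenger_name", 20),    # "SURNAME/GIVENNAME", space padded
    ("eticket_indicator", 1),
    ("pnr", 7),                # operating-carrier record locator
    ("from_airport", 3),
    ("to_airport", 3),
    ("carrier", 3),
    ("flight_number", 5),
    ("julian_date", 3),        # day of year; the year is not in this block
    ("compartment", 1),
    ("seat", 4),
    ("checkin_sequence", 5),
    ("passenger_status", 1),
    ("conditional_size", 2),   # hex length of the optional block that follows
]
MANDATORY_LENGTH = sum(width for _, width in MANDATORY_FIELDS)  # 60

# Constructed sample: one leg, FRA->MUC on LH0456, seat 12A, no optional block.
SAMPLE_BARCODE = "".join([
    "M", "1",
    "DOE/JOHN".ljust(20),
    "E",
    "ABC123".ljust(7),
    "FRA", "MUC", "LH".ljust(3),
    "0456".ljust(5),
    "288", "Y", "012A", "0023".ljust(5), "1", "00",
])


@dataclass
class BoardingPass:
    fields: Dict[str, object]
    conditional: str  # raw optional block (frequent-flyer data lives here, undecoded)

    @property
    def surname(self) -> str:
        return str(self.fields["passenger_name"]).split("/", 1)[0]

    @property
    def pnr(self) -> str:
        return str(self.fields["pnr"])


def decode_bcbp(payload: str) -> BoardingPass:
    """Slice the fixed-width mandatory items and carve off the optional block."""
    if len(payload) < MANDATORY_LENGTH:
        raise ValueError(
            f"payload shorter than mandatory block ({len(payload)} < {MANDATORY_LENGTH})"
        )
    if payload[0] != "M":
        raise ValueError(f"unsupported format code {payload[0]!r}")
    fields: Dict[str, object] = {}
    pos = 0
    for name, width in MANDATORY_FIELDS:
        fields[name] = payload[pos:pos + width].strip()
        pos += width
    cond_len = int(str(fields["conditional_size"]) or "0", 16)
    conditional = payload[pos:pos + cond_len]
    if len(conditional) != cond_len:
        raise ValueError("conditional block truncated")
    fields["julian_date"] = int(str(fields["julian_date"]))
    return BoardingPass(fields, conditional)


def booking_lookup_credentials(bp: BoardingPass) -> Tuple[str, str]:
    """The (surname, record locator) pair an airline 'manage booking' page asks for."""
    return bp.surname, bp.pnr


if __name__ == "__main__":
    decoded = decode_bcbp(SAMPLE_BARCODE)
    for key, value in decoded.fields.items():
        print(f"{key:18s} {value}")
    print("manage-booking login:", booking_lookup_credentials(decoded))
```

Point a barcode-scanner app at a boarding pass and paste the raw text into `decode_bcbp` to see the same thing: there is no secret in the mandatory block, and the surname plus six-character record locator is exactly what most airline "manage my booking" forms accept.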

Cisco security disables big distributor of “ransomware”

Quote

Cisco Systems Inc (CSCO.O) said it had managed to disrupt the spread of one of the most pernicious systems for infecting Internet users with malicious software such as so-called ransomware, which demands payment for decrypting users’ data.

The investigators from Cisco’s Talos security unit were looking at the Angler Exploit Kit, which analysts at several companies say has been the most effective of several kits at capturing control of personal computers in the past year, infecting up to 40 percent of those it targeted.

They found that about half of computers infected with Angler were connecting to servers at a hosting provider in Dallas, which had been hired by criminals with stolen credit cards. The provider, Limestone Networks, pulled the plug on the servers and turned over data that helped show how Angler worked.

The research effort, aided by carrier Level 3 Communications (LVLT.N), allowed Cisco to copy the authentication protocols the Angler criminals use to interact with their prey. Knowing these protocols will allow security companies to cut off infected computers.

“It’s going to be really damaging to the attacker’s network,” Talos manager Craig Williams told Reuters ahead of the release of the report.

Cisco said that since Limestone pulled the plug on the servers, new Angler infections had fallen off dramatically.

Limestone’s client relations manager told Reuters his company had unwittingly helped the spread of Angler before the Cisco investigation.

Often sold in clandestine Internet forums or in one-to-one deals, exploit kits combine many small programs that take advantage of flaws in Web browsers and other common pieces of software. Buyers of those kits must also arrange a way to reach their targets, typically by sending spoof emails, hacking into websites or distributing malicious advertisements.

Once they win control of a target’s computer, exploit kit buyers can install whatever they want, including so-called ransomware. This includes a number of branded programs, also sold online, that encrypt users’ computer files and demand payment to release them.

Talos estimated that if three percent of infected users paid the ransom averaging $300, the criminals that had used the Limestone servers to spread Angler could have made about $30 million a year.

Good job, Cisco!