Archive for the ‘Cybersecurity’ Category

Clever Hack Makes In-App Purchases Free

July 13, 2012

A Russian site today published a report that a simple and clever hack can allow Apple iOS in-app purchases to be made at no cost. The hack does not require the phone to be jailbroken.

To exploit the weakness in the in-app purchase flow, only two primary steps are required. First, an additional SSL certificate is installed on the device itself, which involves downloading the file and a couple of screen taps. The second and more difficult part requires control over the local network to create a custom DNS entry. (Stratigos Security researchers are looking at a way to simplify this.) When the iOS app then attempts to connect to Apple’s servers to make the purchase, the connection is redirected to a different server, which provides a fraudulent authorization that unlocks the in-game content. This poses a clear threat to Apple’s and game makers’ revenue.

But this could pose a risk to phone owners as well. If the app update mechanism or any other communication goes through this third-party server, it opens the possibility of introducing malicious code to the device. This is similar to other man-in-the-middle attacks facilitated by tools such as The Middler and Evilgrade. So device owners should consider these risks before carrying out these procedures.

At this time it is not yet possible to validate the Russian site’s story, because the servers enabling it have been under heavy load and apparently at least one has been taken down by the hosting provider following an Apple legal request. However, Stratigos Security researchers are working to independently confirm the issue in our lab.

UPDATE: A post on 9-to-5 Mac all but confirms the ability to circumvent the iOS App Store for in-app purchases. Other potential security issues have not yet been confirmed.

UPDATE: Macworld reports that both username and password are sent in plaintext to the server. This means that the server, or any attacker who successfully executes a man-in-the-middle attack, can access the victim’s credentials. These credentials are not just valid at the iOS App Store, but typically across multiple Apple properties and usually many others, due to password reuse. Instead, Apple should be protecting credentials on the device and sending the hash to the servers.


Preventing Security Issues from Acquisitions

July 13, 2012

Yahoo Voices – a 2010 acquisition by the search company – was breached, and an attacker compromised 450,000 accounts, including email addresses and passwords. This is the latest in a series of similar breaches, affecting eHarmony, LinkedIn and last.fm. However, unlike these companies, Yahoo Voices was using poor security practices when storing the data at rest. How did this 2010 acquisition cause security problems for the Internet giant, and how can you avoid having the same thing happen?

Over the last month, several online companies have suffered account credential breaches, and these companies were chastised for practicing poor web application security as well as poor data protection. In most of the previous cases, the passwords were stored encrypted, but in a way that allowed most passwords to be deciphered within a matter of hours. Exceptionally strong passwords, such as those recommended by most security practitioners, remained relatively safe, however, because the time to decipher them would be a matter of months. So people whose accounts were compromised have time to change them before any abuse can take place. In the case of Yahoo Voices, passwords were stored in plaintext, without any encryption. This means that even strong passwords have been compromised.

But the Yahoo Voices breach is interesting for a number of reasons. Analysis of the compromised accounts reveals that only 30% use Yahoo email addresses, and Yahoo reports that only 5% of the passwords for those corresponding email accounts are correct. This is a lower than expected number in both cases. In a Yahoo service, you’d expect to see nearly all accounts linked to Yahoo email addresses. And people don’t tend to change their personal email passwords very often, so you’d expect that the number of valid credentials would be much higher, as well. Yahoo themselves say the data is old. My guess is that the data is from pre-acquisition, was no longer used and may even have been somewhat corrupted.

That makes me wonder what pre and post acquisition assessments Yahoo did. Acquisitions can be a weak link in a security program for many reasons, even if the acquired company has an equivalent level of security. The Yahoo Voices problem could have been identified by talking to the developers, reading over policy documents and performing assessments on the company’s technical and data security. Any weaknesses would be identified and could be tracked until remediated.

So how could Yahoo have prevented this situation, and how can you avoid the same problem?

  • Use and enforce strong encryption practices for data at rest. Yahoo says this is their policy and that the Voices incident was an outlier. Always use strong password protection mechanisms, such as salted hashes, or better yet, use something like bcrypt.
  • Use good data retention and destruction practices. If this was old and unused data, it should have been purged. Old data should be cleaned up properly and quickly.
  • Practice good data security diligence before, during and after an acquisition. Most organizations are coming to realize that potential information security issues can affect the diligence process. And although these issues should rarely halt an acquisition, foreknowledge of them certainly helps set expectations for efforts to integrate new groups in a secure manner. That saves money and reduces risk, which is what the diligence process is all about.
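The password-storage point above (plaintext, fast unsalted hashes that fall in hours, and salted stretched hashes that hold up) is easier to see in code. The following is an added example written for this post, not code from Yahoo or from the original article. It assumes a tiny constructed user table standing in for a plaintext store, and it uses PBKDF2-HMAC-SHA256 from the Python standard library in place of bcrypt, which the post recommends but which needs a third-party package.

```python
import hashlib
import hmac
import secrets

# Constructed sample input standing in for a plaintext password table.
# These are made-up accounts for the demonstration, not data from any breach.
PLAINTEXT_STORE = {
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "password123",
}


def weak_unsalted_hash(password: str) -> str:
    """The 'encrypted but crackable in hours' pattern: one fast, unsalted hash.
    Every user with the same password gets the same digest, so a single
    precomputed table of common passwords breaks all of them at once."""
    return hashlib.sha1(password.encode()).hexdigest()


# Parameters for the hardened store. PBKDF2 is an assumption for this example;
# the post suggests bcrypt, which serves the same purpose (salt plus work factor).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    Storing the parameters with the record lets the work factor be raised later
    without invalidating old entries."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_record(record: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and parameters, then compare
    in constant time so a timing difference does not leak how close a guess was."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def migrate_store(plaintext_store: dict) -> dict:
    """Convert a plaintext password table into salted, stretched records.
    In a real migration the plaintext column is purged once this succeeds."""
    return {user: make_record(pw) for user, pw in plaintext_store.items()}


def salted_records_differ(password: str) -> bool:
    """Two records for the same password must differ: the random salt is what
    defeats a shared lookup table across users."""
    return make_record(password) != make_record(password)


def unsalted_records_collide(password: str) -> bool:
    """The weak scheme gives identical digests for identical passwords."""
    return weak_unsalted_hash(password) == weak_unsalted_hash(password)


if __name__ == "__main__":
    store = migrate_store(PLAINTEXT_STORE)
    for user, rec in store.items():
        print(user, rec[:48] + "...")
    print("alice login ok:", verify_record(store["alice@example.com"], "correct horse battery staple"))
    print("alice wrong password:", verify_record(store["alice@example.com"], "wrong"))
    print("salted records differ:", salted_records_differ("password123"))
    print("unsalted records collide:", unsalted_records_collide("password123"))
```

The record format carries its own algorithm name and iteration count, which is the practical detail that makes an at-rest policy enforceable over time: an audit can scan the table for any record whose algorithm is not on the approved list or whose work factor is below the current floor, which is exactly the kind of check that would have flagged a plaintext column inherited through an acquisition.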