China is often pointed to as the home base for bad actors in the world of cybercrime and alleged to be a participant in undeclared cyberwarfare. But China’s computer networks are not immune from attack. The government revealed the extent of its concern over cybercrime when it announced that President Xi Jinping is chairing a new working group on cybersecurity and information security. Though Xi will have a direct hand in drafting national policies aimed at improving cyberdefenses, the announcement offered no details about what its cybersecurity efforts would entail.
“Efforts should be made to build our country into a cyberpower,” Xi said in a statement released after the first meeting of the group on Thursday, according to the official Xinhua News Agency. “No Internet safety means no national security,” Xi said.
App Released by Security Conference Is Insecure
The most ironic (and obviously embarrassing) occurrence of the week took place at the RSA Conference in San Francisco. Security researchers from IOActive reported that the official mobile app for the leading computer security conferences is riddled with security vulnerabilities. Worst among the security flaws is one that makes man-in-the-middle attacks possible. A hacker could use the vulnerability to inject malicious code, masquerade as a legitimate website, and steal login credentials.
IOActive says a separate security hole, though not as dangerous, is actually more interesting. According to Kaspersky Lab’s Threatpost, “The application apparently downloads a SQLite database file that is then used to populate the app’s user interface with various conference information, like speaker profiles and schedules. Seems innocuous enough, but that database—for reasons that remain a mystery to [IOActive]—contains the first and last names, employers, and titles of every user that has downloaded and registered with the application.”
Apple Patches Major Security Flaw
Last Friday, Apple released iOS 7.0.6, which it tried to characterize as a fix to a minor security flaw. Despite the company’s nothing-to-see-here take on the update, observers immediately sniffed out that it must have been important. Why else would the company put out a standalone fix now when iOS 7.1, a large update to iOS 7 that is currently in beta, is likely to be released in the next week or so? The security community’s instincts were right on point.
The patch was for Apple's SecureTransport platform, which appears in OS X 10.9 for desktop and in all versions of iOS going back to iOS 6. A seemingly small coding error that went unaddressed for years made it so that machines’ SSL connections failed to properly check the certificates that serve as websites’ proof of identity. The vulnerability made the task of masquerading as a user’s banking site or e-mail provider or pretending to be Facebook, LinkedIn, the App Store (or now that it’s tax time in the United States, the IRS website), much easier. That lowered bar left people open to man-in-the-middle attacks—most likely by attackers intercepting signals at public Wi-Fi hotspots. Even though the little padlock icon in their browser windows was delivering the message that their connections were secure, they weren't.
The Verge reports that, according to researcher Ashkan Soltani, "the vulnerability extended to every application built on Apple's SSL library, including FaceTime, Mail, and Calendar.” These and similar apps, says Soltani, have been exposed on iOS because of the flaw since September of 2012. That was when iOS 6 was first introduced. Soltani says the exploit is "one of the most significant security vulnerabilities from a major company we've seen in a while,"
The just-released OS X 10.9.2 patched the security hole. The update patched 32 other vulnerabilities in various versions of OS X, including four flaws that could be used to bypass the application "sandbox."
The fallout may be limited, though, by the fact that taking advantage of the disabled SSL connection and other security holes is easier said than done. As Columbia cryptographer Steve Bellovin tells The Verge, "Man-in-the-middle attacks aren't that easy to launch, and they don't scale well." For most attacks, the hacker would need to be within Wi-Fi distance, which fits with reports about the flaw having been exploited in isolated incidents where someone’s information was stolen at a public hotspot.
The security flaw has been attributed to sloppy coding such as an inadvertently repeated "goto fail" line that managed to slip through Apple’s code coverage testing and remain in place because of an if-it-ain’t-broke-don’t-fix-it philosophy that kept the error hidden in plain sight.
The Odds Are Against Us
A reminder that security in our electronic transactions is likely almost always illusory came this week when analysts with cybersecurity firm Hold Security reported that they have obtained a list containing 360 million stolen online account credentials. The information, they surmise, was most likely the spoils of multiple data breaches. They say they stumbled upon the list while studying underground marketplaces where pilfered data is bought and sold. Alex Holden, Hold Security’s CIO, told Computer World that, February has been very fruitful for hackers, explaining that “one batch of 105 million details, discovered about 10 days ago by the company, included email addresses and corresponding passwords, but it isn't clear what Web services the credentials unlock.” The company’s researchers are still trying to piece together that part of the puzzle.
Hold Security, which offers a paid service that notifies companies when their stolen data is spotted online, says it has also found 1.25 billion e-mail addresses circulating among hackers. Address lists, important information for spammers, are regularly sold on underground forums.
Cybercrook Talks His Way Into Prison
A British national was indicted this week in the U.S. District Court for the Southern District of New York on charges that he hacked into several Federal Reserve Bank servers and stole names, e-mail addresses, and other personal information of the bank's staffers. The hacker, who was already facing charges in New Jersey and Virginia, for the server break-ins, is his own worst enemy. It seems that the authorities got wind of what he was up to only after he told other hackers in an IRC chat room that he had gained control of a server for the Federal Reserve Bank in Chicago. In other self-aggrandizing moments on IRC forums, says the criminal complaint, the hacker revealed that he’d also gained access to a Federal Reserve Bank server in New York. The indictment alleges that he also took to a chat room to announce his intention to post personal information of Federal Reserve employees.
“Lauri Love is a sophisticated hacker who broke into Federal Reserve computers, stole sensitive personal information, and made it widely available, leaving people vulnerable to malicious use of that information,” said the prosecuting attorney in a statement. “We place a high priority on the investigation and prosecution of hackers who intrude into our infrastructure and threaten the personal security of our citizens.”
So it should be just a matter of time before the perpetrators of the hacks that have led to millions of consumers’ credit card information being swiped are brought to justice. Perhaps those criminals will brag about their exploits in chat rooms too.
In Other Cybercrime News…
- The source code for the iBanking Android mobile banking Trojan app was released on an underground forum this week, putting it in the hands of a larger cohort of cybercriminals.
- A security feature on Amazon.com’s mobile iOS and Android apps, designed to prevent automated programs from rapidly guessing account holders’ passwords, failed to kick in as it was designed to. Amazon’s implementation of CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is supposed to make someone decipher and type in a series of characters after 10 failed login attempts. FireEye reported the hole in Amazon’s security a week after it was notified by the online retailer that the problem had been fixed.