Categories
Compliance>Privacy

Apple iOS and OS X Critical Vulnerability

Recently Apple released updates that contain a critical security patches that address flaws with SSL encryption which could allow attackers to intercept email and other communications that are meant to be encrypted in iPhone, iPad and Mac computers.

Apple released a “security advisory” in which they provide vague statements regarding said security issues:  ‘For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.‘

Apple did not say when or how it learned of the vulnerability, but the bug appears to exist in some versions of iOS 6, iOS7, Mac OS X, and Apple TV.  iOS 6.1.6 and 7.0.6 were recently released to fix the issue.  The bug appears to also have been introduced in OS X 10.9.  OS X 10.91 is still affected.

This flaw affects the basic security that Apple uses to implement SSL connection.  The main risk is when using an affected device in untrusted environments where someone could be eavesdropping – free unsecured wifi such as coffee shops, airports and hotels.  According to the post by Brian Krebs, For now, it may be wise to avoid using Safari on OS X systems. As Dan Goodin at Ars Technica writes, “because the Google Chrome and Mozilla Firefox browsers appear to be unaffected by the flaw, people should also consider using those browsers when possible, although they shouldn’t be considered a panacea.”

Sources:

http://www.digitalmunition.net/?p=823

https://www.imperialviolet.org/2014/02/22/applebug.html

Categories
Computer & Network Security|Compliance>PCI|Research

The Switch to Chip and PIN. Will it change anything?

Chip & PIN, the future of credit cards

Late next year the U.S. will finally catch upto the rest of the world when it comes to credit card transactions.  Customers will no longer be signing credit card receipts, instead they will enter a PIN, similar to making a debit transaction.  The U.S. is the last major market to still use the old-fashions signature system, which is the primary reason why about half of the world’s credit fraud happens in the U.S.

What is Chip & PIN?

Basically, we are replacing our signature with a PIN code.  Each card will include a microchip that is matched to a PIN code. When inserted into the POS system, the Chip is read and the PIN code authenticates the card.  Already flaws in the system have been reported since 2010, not to mention how incredibly vulnerable 4 digit PINs are to social hacking as discussed in this article.  If most of the fraud occurs in the US where we don’t use this system, is it logical to think that most of the effort to commit fraud is not focused on finding flaws in the Chip & PIN system?  A British research firm has released a paper detailing a new vulnerability with Chip & PIN.  According to the paper, “EMV did not cut fraud as its proponents predicted. While using counterfeit and stolen cards did become more difficult, criminals adapted…”  According to their research, it does not appear that Chip & PIN technology reduced cyber-related fraud.

Will this really make our information safer?

Let’s take the Target breach for example.  This data was compromised because of malware installed on their POS system which gathered information as it was in transit.  Would having a chip & pin system in place have prevented the loss of the information?  It doesn’t appear that way.  So the question is, then, will the new system, in the event of data loss, prevent the abuse of that information and protect consumers from fraud?

The problem in the Target breach was not a result of fraud; that was the outcome.  The result was the lack of comprehensive security policies and programs at place in the organization or at the very least the lack of diligence in enforcing them.  This is an issue that is not unique to Target or retail or any other industry.  If the problem is not fraud, but broken security why are we poised to spend billions as a total economy to shift to a solution that doesn’t solve the problem?  Is it really to protect consumers from fraud?

UPDATED: PayPal President’s credit card was stolen and used fraudulently.  “Marcus noted that his credit card had EMV chip technology, a more secure system currently in use in Europe. But that didn’t stop the data from being stolen and used for a “ton of fraudulent” transactions, according to the PayPal chief.” Source: USAToday

What does the Chip & PIN system solve?

The WSJ article announcing the shift says it best, Part of the October 2015 deadline in our roadmap is what’s known as the ‘liability shift.’ Whenever card fraud happens, we need to determine who is liable for the costs…So if a merchant is still using the old system, they can still run a transaction with a swipe and a signature. But they will be liable for any fraudulent transactions if the customer has a chip card. And the same goes the other way – if the merchant has a new terminal, but the bank hasn’t issued a chip and PIN card to the customer, the bank would be liable.

The new system is not about protecting consumers, it’s about protecting credit card companies and shifting the liability to the merchant and the consumer.  There are benefits to the consumer, and it will reduce fraud.  It will require a higher level of sophistication to commit fraud with any data that is gathered.  That is just it though, there are still ways to commit fraud and we know there are ways to get the data, its just a matter of time.

So should we be spending the effort and the capital to invest in this new system while creating a false sense of security?  This system should not be touted as the be all and end all of credit card fraud.  It is a step to mitigating the risk.

Where should we start?

As I was writing this, I discovered this article, by CSOOnline.  This articles takes a very strategic approach to analyzing the situation I am discussing. I strongly suggest reading it.

Companies should stop trying to only meet compliance requirements and instead focus on comprehensive security.  Many industry standard compliance requirements focus so much on privacy they often neglect general security, such as segregation of networks like environment and protected data.  Organizations must focus on general, overall security, and data will become protected within, otherwise, regardless of the protections we put in place at the point of sale, breaches will continue to happen.

Why is it hard to do this?  It’s often not visible and it’s expensive.  Consumers don’t see the results of a secure network, they only see the results of an insecure network or of changes at the POS.  This is a difficult position for CISOs and CIOs to compete in, and in the end the consumer loses.

 

Categories
Information Security>Data Breach|Compliance>Privacy|Social Engineering|Computer & Network Security>Vulnerabilities

NBC Sochi Hack Report Fraudulent

UPDATED: Kyle Wilhoit, Senior Trend Micro Researcher, further confirmed that NBC misrepresented the ‘hacks’ in their video in his blog posts here and here and his whitepaper.  Wilhoit is quoted in his blog as saying, “First, all the attacks required some kind of user interaction….Second, these attacks could happen anywhere. They would not just happen in Moscow, nor did it require us to be in Moscow….Third, the infections occurred on newly unboxed hardware. Had basic security precautions such as updating the operating system or not opening emails from unrecognized sources been done, these attacks could have been prevented.”

UPDATED: We originally re-posted the story from NBC.  As security researchers have charged, this could be the work of media bias and manipulation.  It seems as though, as usual, standard security best practices are all that are needed.

Tweet from Kyle Wilhoit, security researcher in the NBC video in reference to the white paper he is writing describing his trip to Moscow (not even Sochi): “Agreed. A line from the paper: “In this case, he would have been hit in Russia; just the same way he would if in Philadelphia”

So in short, the video was made to sound like Moscow was more dangerous than say a coffee shop in America.  As it turns out according to Kyle’s Twitter feed, its no more dangerous if you follow standard security.  They purposely downloaded malicious files, and navigated to malware infested Russian websites.  According to Erratasec’s blog:

That leaves us with the same advice that we always give people:
  1. don’t click on stuff
  2. patch your stuff (browser, Flash, PDF)
  3. get rid of the really bad stuff (Oracle’s Java)
  4. don’t click on stuff
  5. oh, and if you really are in Sochi, use VPN over the public WiFi

Source: http://blog.erratasec.com/2014/02/that-nbc-story-100-fraudulent.html

Visit NBCNews.com for breaking news, world news, and news about the economy

According to NBC, visitors “can expect to be hacked.”  The State Dept warns that “travelers should have no expectation of privacy, even in their hotel rooms.”  From the point of logging onto their computer and connecting to the internet, the computer was attacked within less than a minute and fully compromised in less than 24 hours.  This could become one of the largest data breaches ever if visitors do not heed these warnings.  There will be high profile celebrities, athletes, heads of state, foreign dignitaries and more, all with information that attackers would love to exploit.

The advice according to NBC is to leave your electronic devices at home if they are unnecessary.  If they are necessary do not connect to public wifi, and remove any private information such as photos, financial information, or similar data.

Categories
Computer & Network Security>Adobe|Computer & Network Security>Patches

Adobe Flash Player Critical Update

Adobe has released a critical patch to address a vulnerability that could allow an attacker to take control of an affected system.

Release date: February 4, 2014

Vulnerability identifier: APSB14-04

CVE number: CVE-2014-0497

Platform: All Platforms

Source: http://helpx.adobe.com/security/products/flash-player/apsb14-04.html