
This Week in AppSec: December 23–29, 2013

Dec 29, 2013 By Sarah Vonnegut

Christmas week did not exactly bring out the best in some this year – especially when it came to breaches and vulnerabilities. Between Target’s mess of 40M customer records breached, Snapchat’s security fail, Samsung’s vulnerability and Dogecoin’s first hack on Christmas Day, the last full week of 2013 was not Application Security’s best. Let’s take a look, shall we?

Target Customer PIN Codes Were Compromised In Breach, Company Says

After first claiming that customers need not worry about their debit card details being compromised, Target has backtracked, now claiming that strongly-encrypted debit card PIN data was taken in the breach that affected over 40 million customers who shopped at the retail giant between Black Friday and December 16th. Target is claiming, however, that the PINs were always kept strongly encrypted and that those customers still need not worry about fraud.

As much as Target would love it to, this story is not going to go away so fast. As Brian Krebs reported last week, online black markets have recently been flooded with credit and debit card details from the Target breach. In fact, whole new ‘bases’ (collections of cards grouped together and taken from the same merchant, in this case, Target) have sprung up in the past few weeks with only Target cards for sale. Additionally, Krebs reported, the card bases include localized details about where the rightful cardholder lives, so that fraudsters can more easily avoid being flagged by the bank as fraudulent users, since they’re still shopping in the original card owner’s neighborhood.

Read More from Brian Krebs: Cards Stolen in Target Breach Flood Underground Markets

 

Security Firm Publishes Snapchat API

Though Snapchat, the trendy photo messaging app, sells itself on its supposed ‘privacy’ – the privacy to choose who you send pictures to, the ability to decide how long they’ll be able to see your Snapchat, the fact that the company claims your Snapchat is permanently deleted after your intended viewer sees it, etc. – the app is, in fact, not all that private or secure.

Four months ago, Gibson Security reported on various issues it found within the app’s Android version. Last week, the team at Gibson decided to take a second look at the numerous issues they had reported to Snapchat to see if they’d been remedied. Not one of the exploits discovered by the team in August had been fixed by the time of their second look. So the GibSec team published Snapchat’s API and two pretty serious exploits – “find_friends” and Bulk Registration – they discovered in their research.

The “find_friends” exploit allows a user to associate a specific phone number with the Snapchat user’s name, account privacy level and more, while the Bulk Registration exploit allows the creation of malicious accounts that could spread spam and malware. Even if the user’s account is private, their nickname, phone number and more can be harvested via both the Android and iOS API. Steve Gibson, GibSec’s founder, told ZDNet that the metadata retrieved from the find_friends exploit could be used together with other APIs to basically build user profiles that could be sold to third parties.

Since the company is turning down billion-dollar offers left and right, they might want to take extra care to make sure that the app they believe is worth over $4B holds to the highest standards in privacy and security, especially given that the app is so popular with teenagers and even younger kids.

Read More at ZDNet: Researchers publish Snapchat code allowing phone number matching after exploit disclosures ignored

 

The Doges Have Their Day: Dogecoin Users Raising 30M Coins to Reimburse Theft Victims

Christmas Day was a bummer for many a Dogecoin investor, who woke up on the 25th to find fewer Dogecoins in their accounts than they had gone to sleep with. One of the biggest Dogecoin digital wallets, Dogewallet.com, was hacked on Christmas by a man-in-the-middle attack. The hacker apparently gained access to the server and filesystem and re-routed the send and receive page so that transactions ended up in his account. All in all, the hacker got away with 30 million Dogecoins, which translates to around $13,500.

The currency had gained popularity after becoming an easy way to ‘tip’ online, be it to blogs, certain bloggers or even to fellow commenters on community sites and forums like Reddit. In keeping with the community mentality of sites like Reddit, many Dogecoin users are now raising funds for those affected by the Christmas Day heist. To date, over 4 million Dogecoins have been raised on the site SaveDogemas.com, with a goal of getting all 30 million coins collected in 12 days.

While the theft was not a resounding vote in support of the security of these new cryptocurrencies, it may at least be good news for the human race!

Read more from the Checkmarx blog: The Grinch Who Stole Christmas – And 30 Million Dogecoins

 

Samsung’s Security Platform Vulnerabilities Exposed By Researchers

A security researcher from the Cyber Security Lab at Israel’s Ben-Gurion University discovered a serious flaw within the Android-based security platform Samsung Knox. The platform apparently contains a vulnerability that would allow malicious software to monitor and record communications.

Mordechai Guri, the Israeli Ph.D. student who first came across the issue, told the Wall Street Journal that the vulnerability would allow a hacker to easily intercept secure data on a Knox-enabled Android phone like the popular Galaxy S4. In a worst-case scenario, Guri explained, the vulnerability would allow an attacker to alter data and insert malicious code.

If the Ben-Gurion University researchers are in fact correct about the vulnerability in the Knox systems, the issue would be considered a serious one. Considering the Samsung Galaxy S4 is currently being tested to see if it’s secure enough for the U.S. Pentagon, the vulnerability should be eradicated – and fast. Samsung responded to the researcher’s vulnerability claims, saying that the company “takes all security vulnerability claims very seriously”, and promised to look into the possible issue.

Read more from The Wall Street Journal: Samsung Phone Studied for Possible Security Gap

 

Seriously, AppSec?!

Have all these vulnerabilities, hackings and bad security practices got you down? Start your week off laughing with our Seriously, AppSec Tumblr posts like this one and make sure you spread the joy!

When the developers and security teams come together on a project:

Sarah is in charge of social media and an editor and writer for the content team at Checkmarx. Her team sheds light on lesser-known AppSec issues and strives to launch content that will inspire, excite and teach security professionals about staying ahead of the hackers in an increasingly insecure world.
