
This Week in AppSec News: January 6-12th, 2014

Jan 12, 2014 By Sarah Vonnegut

Between more big-name breaches, iOS mobile banking apps found insecure, Microsoft getting hacked by the SEA (again), and Yahoo’s HTTPS service being deemed ‘too little, too late’, the security industry hasn’t had the best beginning to 2014. Will the Personal Data Privacy and Security Act save the year? Senator Patrick Leahy thinks so. Here’s a look at the past week’s top AppSec stories:

Target Breach Estimate Nearly Triples to 110 Million At Risk

Target significantly raised its estimate of the number of customers affected by the breach that hit its 1,800 US retail stores between Black Friday and December 15th. The update revises the type of data stolen as well as the number of customers at risk. The stolen data includes mailing and email addresses, phone numbers and names, information ripe for use in phishing scams and various forms of identity theft.

Target has been hush-hush about possible causes of the breach, but it has been working closely with the Secret Service and Verizon's security team, and with inquiries open from several state Attorneys General, Target will need to answer for the breach at some point in the coming weeks.

Read more about the update from The New York Times.

Personal Data Privacy and Security Act Reintroduced In Wake of Target Breach

Senate Judiciary Committee Chairman Patrick Leahy (D-Vermont) reintroduced an updated piece of legislation aimed at protecting Americans' personal information and ensuring their privacy. The new proposal would impose stricter penalties and punishments both on businesses with insecure practices and on hackers, hacktivists and other malicious actors. This is the fifth time in nine years that Senator Leahy has proposed the bill.

“The recent data breach at Target involving the debit and credit card data of as many as 40 million customers during the Christmas holidays is a reminder that developing a comprehensive national strategy to protect data privacy and cybersecurity remains one of the most challenging and important issues facing our Nation,” Senator Leahy said of the proposal. He added that “the Personal Data Privacy and Security Act will help to meet this challenge, by better protecting Americans from the growing threats of data breaches and identity theft.”

Key changes in Senator Leahy's proposal are tougher criminal penalties for those who intentionally conceal a potentially damaging security breach and a stricter requirement for companies that maintain personal data to protect its privacy and security. The new bill would also raise the maximum prison sentence for convicted hackers from 10 to 20 years and make attempted hacking, as well as conspiracy to commit computer hacking, punishable under the same criminal penalties.

Read the Fact Sheet on The Personal Data Privacy and Security Act here.


Microsoft Hacked By Syrian Electronic Army For Second Time In Two Weeks

One week after Skype's blog and Twitter accounts were hacked, the Syrian Electronic Army hijacked the Official Microsoft Blog, Microsoft's Twitter account and the Twitter account of the Xbox support team. Both attacks appear to be retaliation for the group's belief that Microsoft is selling personal data to the government and monitoring users' accounts, amid revelations about the NSA placing backdoors in Microsoft products.

The group posted several messages echoing the statements from last week. One tweet read, ‘Leak: The top two visited links from Internet Explorer: google.com/chrome and Mozilla.org/firefox’, while another simply read ‘The Syrian Electronic Army was here’. A representative for the SEA told The Verge that the hacks were designed to be a distraction, adding “we are making some distraction for Microsoft employees so we can succeed in our main mission”. Make of that what you will, but I will venture to say that the Syrian Electronic Army will be making its rounds in the news again soon.

Read more from The Verge.


Neiman Marcus, Other Businesses Hit By Breach

At least one other major retailer is now investigating a breach that took place in late 2013. Neiman Marcus confirmed to Brian Krebs on Friday that it is dealing with an incident affecting an unknown number of shoppers at its high-end stores. Like Target, Neiman Marcus believes the hackers were only able to access information from customers who shopped in-store, not online, suggesting a similar approach in both attacks.

Besides Neiman Marcus, Reuters reported on Saturday that several other retailers, as yet publicly undisclosed, were hit by similar breaches. The same people are believed to be behind each of the attacks, but with the culprits still being hunted, this has not yet been confirmed.

Read more about Neiman Marcus on Brian Krebs's blog.

Read more about other possible retailers affected on Reuters.


New Yahoo HTTPS Encryption May Be Too Little, Too Late For Some Security Experts

Yahoo has finally implemented HTTPS encryption as the default for Yahoo Mail. The company posted a statement on Tumblr stating that now, “any time you use Yahoo Mail – whether it's on the web, mobile web, mobile apps, or via IMAP, POP or SMTP – it is 100% encrypted by default and protected with 2,048 bit certificates.” Furthermore, the post continued, “the encryption extends to your emails, attachments, contacts, as well as Calendar and Messenger in Mail.” The news comes a week after some of Yahoo's homepages in Europe were found to have been serving malicious ads.

But Yahoo may not be getting the pat on the back it seemingly expected. Security experts have called the move too little, too late, and were puzzled by the lack of Perfect Forward Secrecy, which negotiates a fresh, ephemeral key for each session so that a later compromise of the server's long-term private key cannot be used to decrypt previously recorded traffic; it is already in use by most of Yahoo's competitors, including Twitter, Facebook and Google. It seems strange that Yahoo would not adopt the same security standard as its competition, favoring the less secure configuration while boasting of the upgrade. Other security experts have found that the company uses a variety of SSL configurations across its different sites, so there is a lot Yahoo needs to fix before it is on the same level as Facebook, Google and Twitter.

Read the Yahoo blog post here.
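The forward-secrecy point above is something a defender can check mechanically: a TLS 1.2 cipher suite offers forward secrecy only when its key exchange is ephemeral (ECDHE or DHE), while static-RSA suites such as AES128-SHA let anyone who later obtains the server's private key decrypt recorded sessions. The following Python is an added example, not code from the post or from Yahoo; the cipher list it audits is a constructed sample and does not describe any real Yahoo host.

```python
"""Audit an OpenSSL-style cipher list for forward secrecy and build a client
context that only negotiates forward-secret suites.  Added example; the
SAMPLE_SUITES list is constructed for the demo."""
import ssl

# Constructed sample of suite names as a server might advertise them.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",    # ephemeral ECDH: forward secret
    "ECDHE-ECDSA-CHACHA20-POLY1305",  # ephemeral ECDH: forward secret
    "DHE-RSA-AES256-GCM-SHA384",      # ephemeral DH: forward secret
    "AES128-SHA",                     # static RSA key exchange: no PFS
    "AES256-GCM-SHA384",              # static RSA key exchange: no PFS
    "TLS_AES_256_GCM_SHA384",         # TLS 1.3: key exchange is always ephemeral
]


def has_forward_secrecy(suite: str) -> bool:
    """True if the suite's key exchange is ephemeral.

    OpenSSL names ECDHE/DHE suites by their key exchange, and every TLS 1.3
    suite (TLS_ prefix) uses ephemeral (EC)DHE by definition.  Anything else
    in a TLS 1.2 list (AES128-SHA, AES256-GCM-SHA384, ...) is static RSA.
    """
    return suite.startswith(("ECDHE-", "DHE-", "TLS_"))


def audit_suites(suites):
    """Split a cipher list into forward-secret and non-forward-secret suites,
    preserving server preference order."""
    pfs = [s for s in suites if has_forward_secrecy(s)]
    non_pfs = [s for s in suites if not has_forward_secrecy(s)]
    return pfs, non_pfs


def pfs_only_context() -> ssl.SSLContext:
    """Client context that refuses any TLS 1.2 suite without ephemeral key
    exchange.  TLS 1.3 suites are controlled separately by OpenSSL and are all
    forward secret, so they stay enabled."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def context_is_pfs_only(ctx: ssl.SSLContext) -> bool:
    """Confirm every suite the context can negotiate is forward secret."""
    return all(has_forward_secrecy(c["name"]) for c in ctx.get_ciphers())


if __name__ == "__main__":
    good, bad = audit_suites(SAMPLE_SUITES)
    print("forward secret:", good)
    print("NOT forward secret:", bad)
    print("local PFS-only context OK:", context_is_pfs_only(pfs_only_context()))
```

Run against a real server's advertised list (for example, the output of an SSL scanner), the `non_pfs` half is the set of suites to remove from the server configuration; the `pfs_only_context()` half shows the client-side equivalent.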


iOS Banking Apps Prove Woefully Insecure

Ariel Sanchez, a security researcher from IOActive, analyzed 40 iOS banking apps from the top 60 most influential banks in the world and found that the majority of them had at least some major security flaws, especially around JavaScript vulnerabilities. Sanchez set out to examine how the apps communicate with their servers, how they store data, whether they were designed with security properties in mind, what data is exposed through logs and whether vulnerabilities are present in the code. He didn't name the banks in his blog post, but said he had notified some of them of his findings.

Of the 40 apps analyzed, Sanchez's key findings were:

  • 90% contain several non-SSL links throughout the app, letting an attacker who intercepts the traffic inject arbitrary JavaScript/HTML, for example to present a fake login prompt.
  • 50% are vulnerable to XSS through JavaScript injection, which could allow an attacker to send texts or emails from the victim's device.
  • 40% of the apps did not validate the authenticity of the server's SSL certificate, opening them up to man-in-the-middle attacks.
  • In addition, 70% had no two-step or multi-factor authentication in place, making attacks on a user's identity easier.
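Two of the findings above are easy to check for in your own app, so here is an added example (not IOActive's tooling or code from the report) that does both: it scans a dump of strings from an app bundle for links that are not HTTPS, and it shows the certificate-validation anti-pattern next to the verifying client configuration that closes the man-in-the-middle hole. The `APP_STRINGS` blob is constructed for the demo; the `examplebank.test` hostnames are placeholders.

```python
"""Audit helpers for two of the IOActive findings: non-SSL links embedded in an
app, and TLS clients that do not validate the server certificate.  Added
example; APP_STRINGS is a constructed stand-in for a binary-strings dump."""
import re
import ssl
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample of URL strings as pulled from an app bundle.
APP_STRINGS = """
https://api.examplebank.test/v1/login
http://cdn.examplebank.test/terms.html
http://static.examplebank.test/js/bundle.js
https://www.examplebank.test/help
ftp://legacy.examplebank.test/statements
"""

# Any scheme followed by "://" and a run of non-delimiter characters.
URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s\"'<>]+", re.IGNORECASE)


def find_insecure_urls(blob: str) -> List[str]:
    """Return every URL whose scheme is not https, in order of first appearance.

    Plain http:// and ftp:// links are what let a network attacker swap in
    their own content; each is a candidate for upgrading to https://.
    """
    found: List[str] = []
    for match in URL_RE.finditer(blob):
        url = match.group(0)
        if urlparse(url).scheme.lower() != "https" and url not in found:
            found.append(url)
    return found


def insecure_client_context() -> ssl.SSLContext:
    """The anti-pattern behind the 40% finding: a client that accepts any
    certificate for any name.  Shown only for contrast with the function below."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation at all
    return ctx


def verifying_client_context(pinned_ca_pem: Optional[str] = None) -> ssl.SSLContext:
    """Validate the chain (against system roots, or a pinned CA if supplied)
    and check that the certificate matches the hostname being connected to."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if pinned_ca_pem:
        # Pinning to the bank's own CA narrows trust below the full root store.
        ctx.load_verify_locations(cadata=pinned_ca_pem)
    return ctx


def context_validates(ctx: ssl.SSLContext) -> bool:
    """True only if the context both verifies the chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    for url in find_insecure_urls(APP_STRINGS):
        print("non-HTTPS link:", url)
    print("insecure context validates:", context_validates(insecure_client_context()))
    print("hardened context validates:", context_validates(verifying_client_context()))
```

On a real app, feed `find_insecure_urls` the output of `strings` run over the binary and its resource files; anything it reports is either a link to upgrade or one to remove.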

Sanchez closed his report with concrete recommendations on how banks can design apps that mitigate the most common flaws he found. You can read Sanchez's full report, including recommendations for safer banking apps, here.

Sarah is in charge of social media and an editor and writer for the content team at Checkmarx. Her team sheds light on lesser-known AppSec issues and strives to launch content that will inspire, excite and teach security professionals about staying ahead of the hackers in an increasingly insecure world.
