The Hacking of the Fridge & Other AppSec Stories This Week

Jan 19, 2014 By Sarah Vonnegut

This week saw some interesting developments in the AppSec department. For starters, in what has already been widely reported to be the year of the ‘Internet of Things’, the first botnet that included internet-connected refrigerators and TVs was discovered. We also found out that the malware that stole data off Target’s POS systems was written by a ‘nearly 17-year-old’ in Russia, and that it isn’t especially complicated. Here’s a deeper look at the top stories of the week:

First Internet of Things Devices Hacked

It was an attack of the fridge: the first recorded attack of the fridge, to be exact. This week, security researchers at Proofpoint documented what they describe as the first botnet and cyberattack to come from the internet of things. The firm says the botnet, which it has cleverly dubbed ‘ThingBot’, consisted of over 100,000 consumer gadgets, including home-networking routers, smart TVs and at least one refrigerator. The devices were used to send hundreds of thousands of emails containing malicious links to individuals and companies around the world.

This will not be the last home appliance attack, especially given how easily the attackers gained access to the devices: many had been misconfigured by their owners and/or were still using the default username and password. And with Google’s big acquisition of Nest, the home automation company that sells connected thermostats, the Internet of Things will go mainstream in 2014, and therefore become more lucrative for hackers.

Read more from Business Insider here.


BlackPOS & The 17 Year Old Behind the Target & Neiman Marcus Breaches

A Russian high-schooler working under the name “Ree4” may have been the brains behind the malware wreaking havoc on Target and possibly other retailers, having created a piece of “off the shelf” malware that sells for just $2,000 “or by receiving 50% from selling of all intercepted credit cards by his customer.” IntelCrawler, the security firm that has been studying the malware, found that the Point-of-Sale (POS) malware used on Target’s systems was first created in March 2013.

Another security firm, Seculert, worked out how the malware operated. First, the POS systems were infected and card data and personal details were scraped in clear text from the POS process’s memory, in the brief window between the card swipe and the point where the data is encrypted for transmission. After going undetected for six days, the infected systems began sending the stolen data over FTP to a staging server, itself a compromised machine still inside the Target network. The attackers then downloaded the data from that server to a virtual private server outside.

Finding the malware’s creator doesn’t exactly solve the problem, though, nor does the problem end here. As Dan Clements, President of IntelCrawler, noted, “the real bad actors responsible for the attacks on retailers such as Target…were just [the creator’s] customers,” with at least 40 people having purchased the malware. IntelCrawler has also detected that at least six other small to medium sized retailers have been hit with the same malware, though their names have not yet been released.

Read all about the teen hacker identified by IntelCrawler here.


Blackphone: The Mobile Device of the Moment

There’s a new kind of smartphone in town. Designed to outwit snoopers and hackers, the Blackphone was created by secure communications firm Silent Circle and is set to be unveiled next month at Mobile World Congress in Barcelona. The company has previously released apps that let mobile and PC users send encrypted messages, photos and videos, and the Blackphone evolved from there. The phone runs a modified version of Android called PrivatOS and will be sold at prices below those of the iPhone 5s and Samsung Galaxy S4.

Silent Circle had been working on the prototype since before Edward Snowden blew the whistle on the NSA, but the idea fits perfectly into the zeitgeist of the moment. As an added measure of security, the company is incorporated in Switzerland, with a Swiss data center and minimal data retention: it keeps only a username and a 10-digit phone number for each customer.

The Blackphone has a lot of potential, if only because of the people behind it: CEO Mike Janke, a former Navy SEAL; Phil Zimmermann, the creator of PGP (Pretty Good Privacy); and Jon Callas, formerly a cryptographic expert at Apple.

Here’s an Introduction to Blackphone.


Starbucks Updates iOS App After Vulnerability Was Published

Starbucks customers who use the chain’s iOS app to pay for their drinks and food should update it: Daniel Wood, a security researcher and pen tester, found that the older version of the app stored credentials and GPS data in plain text on the phone.

As a Starbucks customer himself, Wood was interested in knowing how secure his data was when using the Starbucks app, which links a user’s Starbucks card to their smartphone so that the phone can be used in place of the card. Wood found several instances of the app storing clear-text credentials that could be recovered by anyone who got hold of the user’s phone. Although that scenario is unlikely, an attacker who did so could access the money on the customer’s Starbucks account.

As Starbucks wrote in a post, “a research report identified theoretical vulnerabilities associated with the Starbucks Mobile App for iOS in the event a customer’s iPhone were to be physically stolen and hacked.” In response, the coffee company released an app update adding additional protection layers. “Starbucks has taken additional steps to safeguard any sensitive info that may have been transmitted this way,” spokesperson Linda Mills said in a statement.
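As an added example (not Daniel Wood’s tooling and not Starbucks code), here is the check a tester runs for this class of finding, in Python: pull the app’s sandbox (Documents/, Library/) off the device and pattern-match every file for credential key/value pairs and latitude/longitude pairs stored in the clear. The sample container, its file names and their contents are all constructed for the demo and are not the files from the Starbucks report; the credential key names and regular expressions are assumptions about what such data typically looks like, and found secrets are redacted so the audit output is safe to share.

```python
"""Audit an iOS app's data container for cleartext credentials and location.

Added example for this post; not Daniel Wood's tooling and not Starbucks
code. build_sample_container() creates a constructed sandbox whose file
names and contents are invented for the demo. The key names matched by
KV_RE and PLIST_RE are assumptions about typical credential storage.
"""
from __future__ import annotations
import re
import tempfile
from pathlib import Path

# key = "value", key: value, "key":"value" ... for common credential key names
KV_RE = re.compile(
    rb'(?i)\b(password|passwd|pwd|secret|token|api_key)\b\s*["\']?\s*[:=]\s*["\']?([^"\'\s,;&<]+)'
)
# XML property-list form: <key>password</key><string>value</string>
PLIST_RE = re.compile(
    rb'(?i)<key>(password|passwd|pwd|secret|token|api_key)</key>\s*<string>([^<]+)</string>'
)
# A latitude followed by a longitude, each with at least four decimals.
GEO_RE = re.compile(rb'(-?\d{1,2}\.\d{4,}),\s*(-?\d{1,3}\.\d{4,})')


def redact(value: str) -> str:
    """Show two characters so findings can be triaged without copying the secret."""
    return value[:2] + "*" * (len(value) - 2)


def audit_container(root: Path) -> list[dict]:
    """Walk the container; return one finding per cleartext credential or location."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        rel = str(path.relative_to(root))
        for rx in (KV_RE, PLIST_RE):
            for m in rx.finditer(data):
                findings.append({"file": rel, "kind": "credential",
                                 "key": m.group(1).decode().lower(),
                                 "value": redact(m.group(2).decode(errors="replace"))})
        for m in GEO_RE.finditer(data):
            findings.append({"file": rel, "kind": "location",
                             "lat": m.group(1).decode(), "lon": m.group(2).decode()})
    return findings


def build_sample_container(root: Path) -> Path:
    """Create a constructed app sandbox: one leaky log, one leaky plist, one clean blob."""
    (root / "Library/Caches/diag").mkdir(parents=True)
    (root / "Library/Preferences").mkdir(parents=True)
    (root / "Documents").mkdir(parents=True)
    # a diagnostics log that captured the login form and a location fix (constructed)
    (root / "Library/Caches/diag/session.log").write_bytes(
        b'2014-01-14 08:01:02 login user="jane@example.com" password="hunter2"\n'
        b'2014-01-14 08:01:05 fix 47.6062,-122.3321 accuracy=10\n')
    # a preferences plist caching an auth token in the clear (constructed)
    (root / "Library/Preferences/com.example.app.plist").write_bytes(
        b'<plist><dict><key>token</key><string>abc123def456</string></dict></plist>')
    # an opaque blob: what correctly protected data looks like to this scan
    (root / "Documents/vault.bin").write_bytes(bytes(range(256)))
    return root


def run_sample() -> list[dict]:
    """Build the constructed container in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_container(build_sample_container(Path(tmp)))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The point of the clean `vault.bin` entry is the contrast: data that has been encrypted before it is written, or kept in the keychain rather than in files, produces no hits, which is the state an app update like the one Starbucks shipped should leave the container in.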

Read Daniel Wood’s full report here.


Still Highly Hackable, Experts Tell Congress

Over three months after its issue-ridden launch, the website remains flawed, a group of security researchers headed by David Kennedy, CEO of security consulting firm TrustedSec, testified to Congress last week. They reported not only that the site’s operators had closed just half of one of the 17 vulnerabilities the researchers had originally found, but that the researchers had since identified more than 20 additional flaws in the site.

In his review, Kennedy collaborated with security experts including Kevin Mitnick, Ed Skoudis, Chris Nickerson and Eric Smith, among others, asking “that they simply give their professional opinion on what they thought of the exposures and if they think best practices were followed on the website,” Kennedy wrote in his post. “The results were unanimous and unified — it’s bad.”

The group recommended to Congress that the website be thoroughly assessed, with regular assessments continuing once the site is fully repaired. In his blog post, Kennedy rightly asserted: “a government that focuses on security will inherently provide a much better service while protecting the information that needs protecting.”

Read Kennedy’s post on his testimony to Congress.


‘SnapSpam’ Increase After ‘SnapHack’

Weeks after security researchers published two flaws in Snapchat’s API that let attackers expose 4.6 million usernames and their associated phone numbers, Snapchat users are complaining about a sharp increase in spam messages. Snapchat, claiming the uptick has nothing to do with the fact that anyone can match usernames to phone numbers, attributed it in a blog post to “the consequence of a quickly growing service.” The post recommends adjusting your settings to control who can send Snapchats to you.

Read more on Snapchat Spam from ReadWrite.

Sarah is in charge of social media and an editor and writer for the content team at Checkmarx. Her team sheds light on lesser-known AppSec issues and strives to launch content that will inspire, excite and teach security professionals about staying ahead of the hackers in an increasingly insecure world.
