We’re starting something new today: An AppSec news story roundup that you can either read or watch via our Whiteboard Roundup below! We look forward to helping our readers stay up-to-date with all they need to know about AppSec – so please let us know what you think below and if we’ve missed any good security stories.
Whiteboard Roundup for April: All the Top AppSec News in April in Under 5 Minutes
‘Hacking Your Phone’
A 60 Minutes piece on mobile hacking has brought light to a little-known global network used by phone carriers around the world – and the many serious security issues connected to it. The gist is that the protocol allows anyone (or at least knowledgeable hackers) to eavesdrop on and monitor the movements of someone – using nothing more than their cell number. Scary, indeed.
The report, which aired Sunday night, centered on the Signalling System No. 7 – or SS7 for short. It’s a network protocol at the heart of the mobile network system – and it’s got a vulnerability that allows hackers (both the white-hat and black-hat varieties) to track a cell phone’s use just by knowing the victim’s number.
The big deal behind the issues highlighted in the 60 Minutes piece is that every cellular network and mobile device can be affected by vulnerabilities in the SS7 protocol, so nobody is safe from being hacked. It’s up to the mobile carriers to secure the network, and while some carriers appear to have more security protocols in place, all carriers can get hacked.
The second half of the program focused on another major mobile security issue: Spoofing Wi-Fi. Lookout Mobile Security founder John Hering hacked the iPhone of Sharyn Alfonsi, the shows’ host – by spoofing a public hotel Wi-Fi network. The hack allowed Herring and his team to track Sharyn Alfonsi’s whereabouts, listen to her calls, and after tricking her into downloading malware on her iPhone, they could even watch her through her phone camera.
- 60 Minutes: Hacking Your Phone, from ABC News
- How Hackers Eavesdropped on a US Congressman Using Only His Phone Number, from Ars Technica
Fallout from the Panama Papers
Since the release of the Panama Papers on April 3rd, the fallout from the trove of documents has been pretty massive, with twelve former and current heads of state having been implicated in scandals. In addition, hundreds of other celebrities and politicians have had their offshore activities brought to light.
But the real story for the AppSec is how an organization with as many high-profile clients – and the sensitive financial and corporate secrets they were using the company to keep – could have had such poor security as was discovered in the case of Mossack Fonseca, the law firm at the center of the Panama Papers Scandal.
While the cause of the breach is still undetermined, initial investigations uncovered old, out of date platforms and applications that could have easily been the source of the breach. The Drupal CMS running the firm’s’ client-side portal hadn’t been updated for over three years and included a deadly SQL injection that would have allowed anyone to execute commands remotely. In addition, their webmail system was 6 years out of date, didn’t encrypt their emails and their backend was vulnerable to the DROWN attack. Their main WordPress site hadn’t been updated in three months, either.
The irony of the whole story is that if only Mossack Fonseca had used the kind of secure, encrypted communications the journalists working on the Panama Papers and the whistle-blower used, along with keeping their systems and platforms up to date, the chances of such a huge leak would have been made much more difficult.
- The Security Flaws at the Heart of the Panama Papers, from WIRED UK
- The Massive Panama Papers Data Leak, Explained, from ComputerWorld
- The Panama Papers Signal a New Kind of Cyber Attack, from Fortune
U.S. Government ‘Worse Than All Major Industries’ on Cybersecurity
A scathing report was released this week, giving various U.S. Government agencies poor grades on their cybersecurity effectiveness. The analysis, released by SecurityScorecard, measured various industries in terms of their cyber security health across ten categories, from social engineering and vulnerabilities to network security and exposure of passwords. U.S. Government agencies were found to be especially lacking in network security and software patches.
The Office of Personnel Management data breach, discovered in June of last year, saw nearly 22 million records of government employees leaked, with others believing the hack also exposed highly sensitive documents. The records included full names, addresses, social security numbers and most likely confidential security-clearance background info, as well. The OPM hack put the U.S. Government in the spotlight in terms of increasing their cybersecurity defenses. Yet it appears there’s still a long way to go.
Apple OS Messages App Fixed Bug That Allowed XSS Attacks to Steal Message Contents
An application layer-bug that was fixed by apple in March would have allowed remote disclosure of the contents and attachments contained within the Messages for OS X application.
- Apple Bug Exposed Chat History with a Single Click, from The Intercept
WordPress opens up SSL availability for all
With nearly 27% of all content management systems running on WordPress, security is a major concern. And while many security vulnerabilities on WordPress sites can be traced back to vulnerable or out-of-date plugins, there are plenty of security issues that continue to plague the CMS itself. HTTPS has been supported on WordPress.com sub-domains for the last two years, but custom domains still needed to purchase and install the certificates themselves – if they even knew to do it.
Now, WordPress.com custom domains will automatically be fitted with an SSL certificate, and HTTPS will be activated by WordPress in the coming days. WordPress parent company Automattic systems engineer Barry Abrahamson announced on the WordPress blog that the SSL certificates will be given by the Let’s Encrypt Initiative. The project of adding SSL certificates to each WordPress hosted site began in January. Soon, all WordPress CMS owners will be able to see the green icon in their site’s address bar!
- WordPress Deploys HTTPS Encryption for all of its Websites, from Dark Reading
Open Source Vulnerability Database shut down permanently
The Open-Sourced Vulnerability Database or the OSVDB, a project dedicated to providing information on the biggest security flaws, was shut down last week after years of issues between the site founders, owner and security vendors.
The database was created in response to Symantec acquiring the company that ran the famous Bugtraq database. In an interview with Network World, OSVDB co-founder HD Moore (@hdmoore), said “the irony is that Bugtraq under Symantec has now outlived OSVDB.”
Since many organizations reference OSVDB vulnerabilities, some of which have no identifier besides the one created by the OSVDB, businesses are left in the dark for now as to when a replacement for OSVDB will emerge – if ever.
- OSVDB co-founder HD Moore discusses demise of open-source project, from Network World
Apple Quicktime for Windows Discontinues Support, Uninstall ASAP
US-CERT announced this week that Apple is reportedly ending support for Quicktime on the Microsoft Windows platform. The announcement follows a report from Trend Micro that two new security vulnerabilities found in the Quicktime platform will most likely not be fixed in upcoming versions. Any Window user with Apple Quicktime on their computers is advised to uninstall as soon as possible.
- US-CERT to Windows Users: Dump Apple Quicktime, from Krebs on Security
Don’t use URL Shorteners to share your sensitive documents
Last week, researchers at Cornell released a report detailing their findings – that the URL shortening services offered by Microsoft, Google and Bit.ly are susceptible to brute force attacks that can uncover documents that are supposed to be private. The random six-letter characters can be parsed to determine the original URL of sensitive documents that were shared with the shortened URLs, enabling hackers to get their hands on information they weren’t supposed to be able to get. Convenience over security at it’s best.
The attack would even allow malicious actors to upload malware to the cloud drives they’ve accessed, meaning that the next time one of the original owners visits the URL they can be forced into downloading malware, and maybe not even know it.
Google took immediate action by lengthening the shortened URLs from six characters to 11 or 12 for sharing documents. Microsoft initially denied the issue and then later removed the URL shortener, though all the OneDrive document links created before then are still vulnerable.
- Gone in Six Characters: Short URLs Considered Harmful to Cloud Services, from Freedom to Tinker
- Researchers Cracked Microsoft & Google’s Shortened URLS to Spy on People, from WIRED
- Guess What? URL Shorteners Short-Circuit Cloud Security, from Ars Technica
Samsung Galaxy USB Hacks Continue to Pop-Up
For Android, the story of the week is that many Samsung Galaxy devices were found vulnerable to hacking via USB. USB attacks have been around for years – see USB Rubber Ducky and BadUSB attacks for previous USB vulnerabilities – but the problem persists. In the newest USB attack, discovered by Roberto Paleari (@rpaleari) and Aristide Fattori (@joystick) older models of Samsung can be plugged into a Linux host via USB to connect to the modem. Once connection occurs, the device can then be hacked into making calls and sending messages, without the victim’s knowledge, even when the phone is locked.
- Modem Interface Exposed via USB, the Advisory & POC on GitHub
- Galaxy Devices Can Be Made to Make Calls & Send Messages, Even When Locked, from Help Net Security
Nothing Found on Syed Farook’s iPhone
The FBI is getting significant pushback after nothing significant was found on the iPhone owned by Syed Farook, one of the San Bernadino terrorists. Following a heated legal battle between the FBI and Apple and a worldwide debate on how many , the FBI eventually hired hackers to break into the terrorists phone.
While they’re saying the investigation is still ongoing, it’s become obvious to many that the investigation was fruitless, as an investigation like this wouldn’t take more than a few days at most. Now, security and privacy experts are accusing the FBI of using the incident to set a precedent for requiring tech companies to comply with similar requests. The fact that Apple didn’t bend to the FBI’s demands hopefully set a precedent against those kinds of requests.
But if the government can get hackers for hire to help them in such situations, willful participation from the tech companies will be of little help for incidents like this in the future.
- FBI Paid Hackers to Help Unlock San Bernadino Shooter’s iPhone, from Dark Reading
- Source: Nothing Significant found on San Bernadino iPhone So Far, from CBS News