This week we take a look at Android malware stealing Google credentials, Paypal's OAuth bug, rate limiting, social engineering, and a great set of slides from a talk by Chris Eng.
Security firm Check Point Software Technologies has uncovered a family of Android-based malware which they claim has compromised more than 1 million Google accounts. Dubbed "Gooligan", it's a variant of an older bug called "Ghost Push" and has been found in at least 86 apps available in third-party marketplaces. Once installed it gets root on the device, downloads some malware, and steals authentication tokens to Google products. Google has stated that no data has been accessed, and they have revoked the tokens of affected users. A good defensive step IT administrators can take is to keep on top of Shadow IT by blocking third-party marketplaces, reviewing and revoking permissions for untrusted apps installed on work-provided devices, and continuing employee education efforts.
Chris Eng, VP of Research at Veracode, gave the closing keynote at Countermeasure 2016. The video isn't out yet, but Chris' slides are worth a read. His talk, "Time to Grow Up: Counterproductive Security Behaviors That Must End", explores areas where those of us in IT can improve our own security and that of others. He shines a light on places where the language we use and the attitudes we hold are counterproductive, and looks at the various priorities people have to balance.
PayPal fixed an issue that could have allowed an attacker to hijack OAuth tokens associated with any PayPal OAuth application. The vulnerability was publicly disclosed by Antonio Sanso, a senior software engineer at Adobe, after he came across the issue while testing his own OAuth client. The root cause seemed to be that PayPal would validate that the redirect_uri argument pointed to the creator's website, but would also allow any arbitrary URL that contained "localhost". The researcher claims he could've made an OAuth request using a URL like "localhost.hacker.com" and the client id of any application to get an app's authorization token sent to his server.
In my opinion, the bug's discovery and PayPal's swift response show the benefit of bug bounty programs. Having many fresh sets of (hopefully) friendly eyes is a real security win, and helps you fix issues before they become a problem.
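To make the root cause concrete, here is an added example (not PayPal's code, and not from Sanso's write-up) that puts the flawed redirect_uri check described above next to a hardened one. The registered callback URL, the "localhost.attacker.example" host and the function names are all constructed for illustration. The strict check only allows an exact match against the registered set, or a loopback redirect whose parsed host component is literally a loopback address (the native-app case from RFC 8252), so a hostname that merely starts with "localhost" is rejected.

```python
from urllib.parse import urlsplit

# Constructed sample: the callback the application's creator registered.
REGISTERED_REDIRECT_URIS = {
    "https://merchant.example/oauth/callback",
}

# Hosts that may be used for loopback redirects (RFC 8252 native apps).
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def weak_is_allowed(redirect_uri: str) -> bool:
    """The flawed pattern the article describes: exact match against the
    registered URIs, but any string containing 'localhost' is also waved
    through, so 'https://localhost.attacker.example/cb' passes."""
    if redirect_uri in REGISTERED_REDIRECT_URIS:
        return True
    return "localhost" in redirect_uri


def strict_is_allowed(redirect_uri: str) -> bool:
    """Hardened check: exact string match against the registered set, or a
    plain-http loopback redirect whose *host component* is a loopback host.
    No substring, prefix or wildcard matching, and no fragment allowed."""
    if redirect_uri in REGISTERED_REDIRECT_URIS:
        return True
    try:
        parts = urlsplit(redirect_uri)
    except ValueError:
        return False
    if parts.fragment:           # RFC 6749 forbids fragments in redirect URIs
        return False
    if parts.scheme != "http":   # loopback dev redirects are plain http
        return False
    return parts.hostname in LOOPBACK_HOSTS


def audit(candidates):
    """Return (uri, weak_decision, strict_decision) for each candidate so the
    two policies can be compared side by side."""
    return [(u, weak_is_allowed(u), strict_is_allowed(u)) for u in candidates]


# Constructed redirect_uri values an authorization server might receive.
SAMPLE_REDIRECTS = [
    "https://merchant.example/oauth/callback",     # the registered callback
    "http://localhost:8080/cb",                    # legitimate loopback dev use
    "https://localhost.attacker.example/cb",       # the bug class in the article
    "http://attacker.example/cb?next=localhost",   # substring match in the query
]

if __name__ == "__main__":
    for uri, weak, strict in audit(SAMPLE_REDIRECTS):
        print(f"{uri:45} weak={weak!s:5} strict={strict!s:5}")
```

Running the block shows the weak policy accepting three of the four URIs while the strict policy accepts only the registered callback and the genuine loopback redirect; everything else is rejected before any token is issued.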
Researchers at the UK's Newcastle University have developed what they say is an almost absurdly easy way to get the card number, security code, and expiration date of any Visa credit or debit card using regular old brute forcing techniques. They describe their "Distributed Guess Attack" in a paper published this week in the IEEE Security & Privacy Journal. In short: find online merchants who don't require CVV, and brute-force the expiry date in 60 attempts. Then brute-force the 10,000 combinations for the CVV. Visa downplayed the severity in a statement, but the researchers speculate this method led to the Tesco Bank thefts. For my part, the key takeaways are these: treat all aspects of credit card data as super sensitive, and enforce rate limiting / captchas where possible.
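Since the takeaway above is rate limiting, here is an added example (not from the paper, Visa or any payment processor) of a sliding-window limiter that counts failed authorization attempts per card. The limiter, the window size, the failure threshold and the sample event stream are all constructed for illustration. It is keyed on a salted hash of the card number rather than the number itself, and because the guessing is spread across many merchants it is meant to sit where all attempts for a card converge (the issuer or card network) rather than at a single merchant.

```python
from collections import defaultdict, deque
from hashlib import sha256


class FailureRateLimiter:
    """Sliding-window limiter for failed card authorizations.

    Each card is keyed by a salted SHA-256 of its number so the limiter
    never stores card numbers. After `max_failures` failures inside
    `window_seconds`, further attempts for that card are blocked until
    the oldest failures age out of the window.
    """

    def __init__(self, max_failures=5, window_seconds=3600,
                 salt=b"constructed-salt-not-for-production"):
        self.max_failures = max_failures
        self.window = window_seconds
        self.salt = salt
        self._failures = defaultdict(deque)  # key -> timestamps of failures

    def _key(self, pan: str) -> str:
        return sha256(self.salt + pan.encode()).hexdigest()

    def _prune(self, q, now):
        # Drop failures older than the window from the left of the deque.
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, pan: str, now: float) -> bool:
        q = self._failures[self._key(pan)]
        self._prune(q, now)
        return len(q) >= self.max_failures

    def record_failure(self, pan: str, now: float) -> bool:
        """Record a failed attempt; returns True if the card is now locked."""
        q = self._failures[self._key(pan)]
        self._prune(q, now)
        q.append(now)
        return len(q) >= self.max_failures


def process(events, limiter=None):
    """Run a stream of (timestamp, pan, gateway_result) through the limiter.

    Returns one decision per event: 'blocked' if the limiter refused the
    attempt before it reached the gateway, otherwise the gateway result.
    """
    limiter = limiter or FailureRateLimiter()
    decisions = []
    for t, pan, result in events:
        if limiter.is_blocked(pan, t):
            decisions.append("blocked")
            continue
        if result == "declined":
            limiter.record_failure(pan, t)
        decisions.append(result)
    return decisions


# Constructed sample: a well-known Visa test number seeing five quick
# declines (as in a guessing run), a sixth attempt, then one an hour later.
SAMPLE_PAN = "4111111111111111"
SAMPLE_EVENTS = [(t, SAMPLE_PAN, "declined") for t in range(5)] + [
    (5, SAMPLE_PAN, "declined"),
    (3700, SAMPLE_PAN, "approved"),
]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, process(SAMPLE_EVENTS)):
        print(f"t={event[0]:>5}  gateway={event[2]:<8}  decision={decision}")
```

The sixth attempt is refused without reaching the gateway, which is the point: each guess costs the attacker a request, and the limiter removes the remaining budget once a handful have failed. In practice the threshold would be paired with alerting on cards that trip it and with step-up checks (a captcha or issuer challenge) rather than a hard block alone.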
Social engineering is having a notable impact on organizations across a range of industrial sectors in the US. Sixty percent of surveyed security leaders say their organizations were, or may have been, the victim of at least one targeted social engineering attack in the past year, and 65 percent of those who were attacked say that employees' credentials were compromised as a result. The study was released by email security firm Agari in their 2016 Social Engineering Report and canvassed more than 200 respondents from the healthcare, government, financial services and education sectors.
- How WeChat uses one censorship policy in China and another internationally
- "Avalanche" botnet taken down by international policing agencies
- Mozilla and Tor patch critical Firefox 0-day which was being actively exploited to deanonymize people
- Mozilla audits the cURL file transfer toolkit, gives it a tick for security
- "Most cybercriminals" earn $1,000 to $3,000 a month
That's all for this week. Feel free to send through any feedback or links, and forward this to your friends and colleagues!