December 06, 2016

Cloud Security Weekly #43

This week we take a look at Android malware stealing Google credentials, PayPal's OAuth bug, rate limiting, social engineering, and a great set of slides from a talk by Chris Eng.

More Than 1 Million Google Accounts Breached by Gooligan

Security firm Check Point Software Technologies has uncovered a family of Android malware which it says has compromised more than 1 million Google accounts. Dubbed "Gooligan", it is a variant of the older "Ghost Push" malware and has been found in at least 86 apps distributed through third-party marketplaces. Once installed it roots the device, downloads further malicious components, and steals the authentication tokens used for Google services. Google has stated that no user data was accessed, and it has revoked the tokens of affected users. Good defensive steps IT administrators can take are to keep on top of shadow IT by blocking third-party marketplaces, to review and revoke permissions for untrusted apps installed on work-provided devices, and to continue employee education efforts.

Slide deck: "Counterproductive Security Behaviors That Must End"

Chris Eng, VP of Research at Veracode, gave the closing keynote at Countermeasure 2016. The video isn't out yet, but Chris' slides are worth a read. His talk, "Time to Grow Up: Counterproductive Security Behaviors That Must End", explores areas where those of us in IT can improve our own security and that of others. He shines a light on places where the language we use and the attitudes we hold are counterproductive, and looks at the competing priorities people have to balance.

Paypal OAuth bug fixed

PayPal fixed an issue that could have allowed an attacker to hijack OAuth tokens associated with any PayPal OAuth application. The vulnerability was publicly disclosed by Antonio Sanso, a senior software engineer at Adobe, who came across the issue while testing his own OAuth client. The root cause appears to be that PayPal validated that the redirect_uri parameter pointed to the application creator's registered website, but also accepted any arbitrary URL that merely contained the string "localhost". The researcher says he could have made an authorization request using a URL like "" together with the client_id of any application, and had that application's authorization token sent to his own server.
In my opinion the bug's discovery and PayPal's swift response show the benefit of bug bounty programs. Having many fresh sets of (hopefully) friendly eyes is a real security win, and helps you fix issues before they become a problem.
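To make the root cause concrete, here is an added example (illustrative code of my own, not PayPal's; the client registry, client ids and function names are assumptions) contrasting a substring-based redirect_uri check of the kind described above with exact matching against the registered allow-list. The only relaxation the hardened version allows is the one RFC 8252 permits for native apps: a registered http loopback redirect may come back on any port.

```python
"""Added example: redirect_uri validation done the vulnerable way and the right way.
Illustrative code, not PayPal's; the registry below is constructed."""
from urllib.parse import urlsplit

# Constructed client registry (assumption): client_id -> registered redirect URIs.
REGISTERED_CLIENTS = {
    "client-123": ["https://app.example.com/oauth/callback"],
    "dev-client": ["http://localhost/cb"],
}

LOOPBACK_HOSTS = ("localhost", "127.0.0.1", "::1")


def redirect_uri_allowed_vulnerable(client_id, redirect_uri):
    """Logic of the kind described in the write-up: accept the registered URI,
    or anything that merely *contains* the string 'localhost'. The second branch
    looks like a developer convenience; it is also a complete bypass, because
    'https://attacker.example/localhost' contains 'localhost' too."""
    if redirect_uri in REGISTERED_CLIENTS.get(client_id, []):
        return True
    return "localhost" in redirect_uri


def redirect_uri_allowed_hardened(client_id, redirect_uri):
    """Exact match against the registered allow-list (RFC 6749 section 3.1.2.2).
    Scheme, hostname, path and query must all match after parsing, never as
    substrings, so 'localhost.attacker.example' and 'localhost@attacker.example'
    are rejected. The one relaxation is RFC 8252 section 7.3: a registered http
    loopback URI may be called back on any port."""
    got = urlsplit(redirect_uri)
    if got.fragment:
        return False  # redirect URIs must not carry a fragment
    try:
        got_port = got.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    for registered in REGISTERED_CLIENTS.get(client_id, []):
        want = urlsplit(registered)
        if (got.scheme, got.hostname, got.path, got.query) != (
            want.scheme, want.hostname, want.path, want.query
        ):
            continue
        if got_port == want.port:
            return True
        if want.scheme == "http" and want.hostname in LOOPBACK_HOSTS:
            return True  # loopback redirect: the port may vary
    return False


if __name__ == "__main__":
    for uri in ("https://attacker.example/localhost",
                "http://localhost.attacker.example/",
                "https://app.example.com/oauth/callback"):
        print(uri,
              "vulnerable:", redirect_uri_allowed_vulnerable("client-123", uri),
              "hardened:", redirect_uri_allowed_hardened("client-123", uri))
```

The hardened check is only half of the fix in a real authorization server: the redirect_uri accepted at the authorization endpoint should also be bound to the issued code and re-checked at the token endpoint, so a code delivered to the wrong place cannot be redeemed.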

Was lack of rate-limiting behind Tesco credit card breach?

Researchers at the UK's Newcastle University have developed what they describe as an almost absurdly easy way to obtain the card number, expiry date and security code of any Visa credit or debit card using plain brute-force techniques. They describe their "Distributed Guessing Attack" in a paper published this week in IEEE Security & Privacy. In short: each online merchant only limits the number of attempts it sees itself, so guesses can be spread across many merchants. Merchants that don't ask for the CVV let an attacker brute-force the expiry date in at most 60 attempts (five years by twelve months); merchants that do then let them brute-force the 1,000 possible values of the three-digit CVV. Visa downplayed the severity in a statement, but the researchers speculate this method was used in the Tesco Bank thefts. For my part, the key takeaways are these: treat every element of card data as highly sensitive, and enforce rate limiting and CAPTCHAs wherever possible.
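To show why per-merchant throttling alone does not stop this, here is an added simulation of my own (not code from the Newcastle paper, Visa or Tesco; the per-merchant limit of 10 attempts per card, the shop counts and the test card values are assumptions). It runs the two-phase guess across many merchants, then reruns it with a per-card failure ceiling enforced centrally at the issuer, which is where a rate limit has to live to see the whole distributed attempt.

```python
"""Added example: the distributed guessing attack against per-merchant limits,
and the same attack against a central per-card failure limit. Constructed scenario."""
import itertools
from collections import defaultdict

TEST_PAN = "4111111111111111"  # widely published test card number, not a real account


class Issuer:
    """Stand-in for the issuer/card network that answers authorization requests.
    global_limit=None models no cross-merchant counting; an integer models a
    per-card ceiling on failed authorizations seen across all merchants."""

    def __init__(self, cards, global_limit=None):
        self.cards = cards  # pan -> (expiry, cvv)
        self.global_limit = global_limit
        self.failures = defaultdict(int)
        self.blocked = set()

    def authorize(self, pan, expiry, cvv, check_cvv):
        if pan in self.blocked:
            return False
        real_expiry, real_cvv = self.cards[pan]
        ok = expiry == real_expiry and (not check_cvv or cvv == real_cvv)
        if not ok:
            self.failures[pan] += 1
            if self.global_limit is not None and self.failures[pan] >= self.global_limit:
                self.blocked.add(pan)
        return ok


class Merchant:
    """An online shop. It only sees its own traffic, so its per-card limit
    (10 tries here, an assumption) is purely local."""

    def __init__(self, issuer, needs_cvv, per_card_limit=10):
        self.issuer = issuer
        self.needs_cvv = needs_cvv
        self.per_card_limit = per_card_limit
        self.tries = defaultdict(int)

    def attempt(self, pan, expiry, cvv):
        """None if this shop has already cut the card off, else the auth result."""
        if self.tries[pan] >= self.per_card_limit:
            return None
        self.tries[pan] += 1
        return self.issuer.authorize(pan, expiry, cvv, self.needs_cvv)


def _spread(merchants, pan, guesses):
    """Round-robin each guess over the merchants so no shop exceeds its local limit."""
    ring = itertools.cycle(merchants)
    for expiry, cvv in guesses:
        for _ in range(len(merchants)):
            result = next(ring).attempt(pan, expiry, cvv)
            if result is None:
                continue  # this shop has blocked us; try the next one
            if result:
                return expiry, cvv
            break  # wrong guess, accepted by a shop: move to the next guess
        else:
            return None  # every merchant has blocked the card
    return None


def distributed_guess(pan, merchants):
    """Phase 1: learn the expiry on shops that do not ask for the CVV (at most 60
    guesses: 5 years x 12 months). Phase 2: learn the 3-digit CVV on shops that do
    (at most 1,000 guesses), now sending the correct expiry alongside it."""
    no_cvv = [m for m in merchants if not m.needs_cvv]
    with_cvv = [m for m in merchants if m.needs_cvv]
    expiry_guesses = ((f"{mm:02d}/{yy:02d}", "000")
                      for yy in range(17, 22) for mm in range(1, 13))
    hit = _spread(no_cvv, pan, expiry_guesses)
    if hit is None:
        return None
    expiry = hit[0]
    cvv_guesses = ((expiry, f"{n:03d}") for n in range(1000))
    return _spread(with_cvv, pan, cvv_guesses)


def run_attack(global_limit=None, no_cvv_shops=6, cvv_shops=100):
    """Build the constructed scenario and run the attack. Returns (expiry, cvv) or None."""
    issuer = Issuer({TEST_PAN: ("11/19", "742")}, global_limit)
    merchants = [Merchant(issuer, needs_cvv=False) for _ in range(no_cvv_shops)]
    merchants += [Merchant(issuer, needs_cvv=True) for _ in range(cvv_shops)]
    return distributed_guess(TEST_PAN, merchants)


if __name__ == "__main__":
    print("per-merchant limits only:", run_attack())
    print("issuer blocks after 20 failures:", run_attack(global_limit=20))
```

With six no-CVV shops and one hundred CVV shops, each allowing ten tries, the card is fully recovered even though no single merchant ever saw more than ten attempts; with a central ceiling of twenty failed authorizations the card is blocked before the expiry is even found. The numbers are illustrative, but the shape of the result is the point: a limit that only counts what one merchant sees cannot bound an attacker who spreads guesses across many.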

65% of social engineering attacks compromised employee credentials

Social engineering is having a notable impact on organizations across a range of industry sectors in the US. 60 percent of surveyed security leaders say their organizations were, or may have been, the victim of at least one targeted social engineering attack in the past year, and 65 percent of those who were attacked say employees' credentials were compromised as a result. The study, released by email security firm Agari as its 2016 Social Engineering Report, canvassed more than 200 respondents from the healthcare, government, financial services and education sectors.

In Brief

That's all for this week. Feel free to send through any feedback or links, and forward this to your friends and colleagues!


If you want to get this news delivered weekly to your inbox sign up here:
Sign Up For Cloud Security Weekly
