mcall.com

InSecurity Complex

February 9, 2010 4:00 AM PST

Microsoft, Google split over browser bug bounty

by Elinor Mills

To entice security researchers to look for holes in the Chrome browser, Google has announced it will pay $500 for bugs found in the code. But several experts say that's not enough money to motivate skilled vulnerability researchers.

"I think it's ridiculous," Charlie Miller, a senior security researcher at Independent Security Evaluators, said when asked Monday for his opinion of Google's new bug bounty program. "It's insulting. It's so low."

Under Google's new "experimental" incentive program announced last week, people will get paid $500 for select interesting and original security vulnerabilities discovered in Chrome, or $1,337 for particularly severe or clever bugs. That figure refers to the geek term for elite, or "leet," which can be spelled out using the numbers.

Mozilla pays $500 to researchers who find valid security bugs in the Firefox browser, the Thunderbird e-mail client or the Mozilla suite.

You would think Google would be roundly praised for offering to pay researchers for work they often do for free. But not everyone is impressed.

"It's probably better to pay professional QA [quality assurance] people and pen [penetration] testers than to expect the public to do your testing for you on the cheap," said Gary McGraw, chief technology officer at Cigital and a specialist in secure code writing processes. "No excellent professional tester I know would be attracted by a bounty like that--perhaps adolescents would do it for beer money (or rather Red Bull and vodka money)."

Miller's criticism might be particularly stinging, given that he announced a campaign called "No More Free Bugs" about a year ago. He argued that vendors should pay when outside researchers discover vulnerabilities in their commercial software instead of freeloading on the efforts of volunteer bug hunters whose work ends up making the products safer.

"In some senses this is my dream come true," Miller said. "I've been begging vendors for this. And then when it happens I'm bitter and critical," because it's so much lower than what researchers can make from bounty programs at VeriSign iDefense's Vulnerability Contributor Program and the Zero Day Initiative run by 3Com's TippingPoint.

"If I did find a bug in Chrome, I could sell it to the Zero Day Initiative and make $2,000 and it still gets reported to Google eventually, so why would I give it to Google for $500? It doesn't make sense," he said.

Pedram Amini, who runs the Zero Day Initiative, wouldn't say how much the program pays for bugs but said "on average it's over 10 times what Google's offering."

"Google is the first huge company to create a bug bounty. I'm happy they're doing it. It's a step in the right direction," he said. "But pricing-wise, they're not going to be able to compete with other bug bounty programs."

Granted, it might be easier to find bugs in beta software than in products that have been released to the public, which the Zero Day Initiative focuses on, according to Amini. And it's wise for Google to do something to attract the attention of researchers to its browser, which is much newer and has fewer users than the other major browsers, he said.

"I think there is going to be a subset of people who will use the Google program," he said. "One thing that is certain--vulnerabilities do have value."

Google's pay scheme is at the low end of what iDefense pays, according to Rick Howard, director of iDefense Intelligence.

"Google has always shown that it is willing to take on large and complex projects for which it has no past experience and make a success of it. I see no reason why they should not succeed in this one," Howard said.

Jeremiah Grossman, chief technology officer and co-founder of WhiteHat Security, said Google's plan could be the start of an interesting trend.

"If a researcher is purely interested in the dollar reward, then by all means he should go where the dollar is highest. But if you happen to find one because it's fun and interesting to you, then you'll get paid too," he said. "I've been suggesting Microsoft should do this for a long time but they have a moral issue with it." Microsoft is sticking with its no-bounty stance.

"Microsoft does not offer compensation for information regarding security vulnerabilities. We do not believe that offering compensation for vulnerability information is the best way we can help protect our customers," said Dave Forstrom, group manager of Microsoft Trustworthy Computing. "We also do not think it fosters the growth of a healthy ecosystem."

Last July, Google paid more than $8,000 to a team of researchers that won a Native Client Security Contest.

Asked to comment on complaints that $500 is too little compensation for bug hunters, Chris Evans of the Google Security Team wrote in an e-mail: "We took care to design the program to allow for a wide variety of bugs to qualify for payment and to make it easier for researchers to participate--for example, we don't necessarily need a working exploit (which is often much more difficult than finding a bug) and we're interested in bugs even if they manifest within the Chromium sandbox."

Chromium is the open-source project for Google's Chrome browser and unreleased Chrome operating system. Evans said it was too early to say whether Chrome OS would be included in the bounty program after it launches.

"Chromium has already benefited from collaboration with security researchers, and we expect they will continue to scrutinize the Chromium code and help us improve it regardless of any action we take," he said. "To them, this reward can be seen as a token of appreciation. To others, we hope the addition of a reward may encourage new people to participate beyond how they might have otherwise."

February 8, 2010 10:46 AM PST

Verizon temporarily blocks some 4chan sites

by Elinor Mills

Verizon temporarily blocked traffic from some Web sites affiliated with the 4chan online forum on Monday after finding that some affiliate sites were apparently launching network attacks.

"Our network security system found traffic from some 4Chan Web sites that had strong potential to disrupt the Verizon Wireless network, affecting our customers' use of their services," Verizon spokesman Jeffrey Nelson wrote in an e-mail to CNET. "With continuing investigation, and ensuring no current risk of harm, we are giving the green-light to all 4Chan traffic. We will continue to monitor for any possibility of network harm."

He also posted an explanation on Twitter: "Never a block on 4Chan but some of its other sites were launching network attacks."

It was unclear which sites were affected and exactly what the trouble was. The sites appear to have been "explicitly blocked" for as long as three days, according to the 4chan status page.

In July, AT&T blocked a 4chan server after another site launched a denial-of-service type of attack called a SYN Flood attack on the site. 4chan users, notorious for their Internet pranks, responded angrily by posting a fake story on CNN's iReport citizen journalism site alleging that AT&T CEO Randall Stephenson had died.

Update 1:51 p.m. PST: Verizon posted this statement on the company's policy blog:

"Recently, Verizon Wireless security and external experts detected attacks from an IP address associated with the 4Chan family of web sites that was disruptive to our customers and our network. To protect both, we eliminated connectivity to the IP address. At no time was 4Chan itself blocked. Ongoing network security team monitoring has now determined there is no longer an immediate threat. Connectivity to those sites is being restored later today.

"Typically, these attacks involve someone sending hundreds of thousands of messages to wireless devices to round up active customer addresses for follow-up activity including hacker attacks. These 'sweeps' can jam our network and deliver unwanted electronic messages that also can drain customer devices' battery life and slow their operation.

"We take being the nation's most reliable wireless network seriously. Seriously enough to protect our customers and our network from malicious attacks, even if we get dinged in the blogosphere. It's easy to complain about 'blocking' when your wireless data connection is stable, fast and reliable. But try connecting to the web from your Droid or BlackBerry when attacks slow - and potentially block - use of our network altogether.

"We monitor against attacks and potential attacks to ensure the integrity of the Verizon Wireless network. Our customers expect nothing less."

Some 4chan affiliate sites were temporarily blocked by Verizon over the weekend.

(Credit: 4chan)

February 8, 2010 4:00 AM PST

PCI compliance: What it is and why it matters (Q&A)

by Elinor Mills

Bob Russo, general manager of the PCI Security Standards Council.

(Credit: PCI Security Standards Council)

If you own a bank account or use credit cards, chances are you've heard the term "PCI compliant." But you probably don't know what it means.

The term is heard more and more frequently these days as data breaches at merchants like TJX, parent of TJMaxx, and payment processors Heartland Payment Systems and RBS WorldPay land millions of card records in the hands of hackers. Criminals are using the data to make purchases and withdraw money from accounts of unsuspecting victims who did nothing wrong; they just owned a card.

It's a huge and growing problem. More than 80 percent of data stolen in breaches is payment card data, according to the 2009 Verizon Business Data Breach Report.

CNET asked Bob Russo, general manager of the PCI Security Standards Council, to explain what is being done to keep criminals from accessing consumer payment card data.

Q: So, what does the PCI Security Standards Council do?
Russo: The council was formed in September 2006 by the five major credit card brands, Visa, MasterCard, American Express, Discover, and JCB [Japanese Credit Bureau]. It was formed because each one of the brands has their own compliance programs and they still do, but they all use this standard as the foundation for their programs. There was a time when you could pick up the phone and call one brand and ask a security question and get one answer and call another brand and ask the same question and get a different answer. They all now use these standards that we manage as the foundation for those compliance questions.

What is the standard exactly?
Russo: It's the PCI, which stands for Payment Card Industry, data security standard. It's a set of 12 specific requirements that cover six different goals. It's very prescriptive. It says not only that you need to be secure but it tells you how to become secure. It's more about security than compliance. The goals are things like build and maintain a secure network, protect card holder data and regularly monitor and test the networks. That's the main standard. We manage three different standards. The first one covers everything from the physical security to logical security.

The second standard is PA-DSS, Payment Application Data Security Standard. These are for payment applications a merchant would buy off the shelf. For example, if you went to a restaurant and you ordered your meal and the waiter used a touch-screen terminal, that puts the order in the kitchen and it's tied to an ordering database. The application also takes the credit card at the end of the meal. We make sure these applications aren't storing prohibitive data, such as data on the magnetic stripe on the card. If they stored that data and someone got a hold of it then they would be able to clone credit cards. There are literally thousands of applications out there and when it's compliant with the standard it gets listed on our Web site.


The last piece we manage is called PTS, PIN Transaction System. Anytime you enter a PIN number, for example, this standard would take effect. It looks at those PIN entry devices so when you go to a large department store and you buy something and you use a debit card they'll hand you a PIN pad and you key in your number. We certify those devices as well as unattended payment terminals, such as those used at gas station [islands], ticket kiosks, and transit systems, like the Boston underground.

There have been a number of big data breaches lately. Were the companies PCI compliant or not in those cases?
Russo: It's been our experience that none of the breaches that occurred have been compliant at the time of the breach. Becoming compliant with the standard is pretty much a snapshot in time. An assessment company would come in and go through all those requirements and check that this stuff is in place. If everything is in place they issue a report on compliance. It is then your responsibility as a merchant to maintain that compliance. If there are new patches to come out for the operating system you have to install those. One piece we ask for is that you turn the logging on. Forensics find all the information in the logs so we insist you turn the logging on. Except, if nobody ever looks at these logs and they're sending out alerts, what good is it? It's up to the merchant to make sure they stay in compliance and that they are secure. For each of those [big public] breaches credit card companies looked at the logs [and found] that none of them was compliant at the time of the breach.

But I thought Heartland executives said they were compliant.
Russo: They had that piece of paper that said they were compliant but they weren't. What happened at Heartland was a SQL injection attack [in which an attacker injects commands to a back end database using input fields on a Web site]. That's an old exploit and there are myriad ways to prevent that outlined in the standards. As it turns out they were not compliant at the time of the breach. [Heartland CEO Robert Carr eventually disclosed that the assessors had incorrectly informed the company that it was PCI compliant.]
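To make concrete the injection Russo refers to, and the basic prevention he says the standard prescribes, here is an added example (not code from the article, the PCI Council, or Heartland). It assumes a hypothetical merchant order-lookup table with constructed rows, and contrasts a query built by string concatenation with the same lookup done as a parameterized query.

```python
import sqlite3

# Constructed sample data for a hypothetical merchant order table.
# Only a masked last-four is stored; a compliant system would never keep
# the full card number or magnetic-stripe data in a lookup table like this.
SAMPLE_ORDERS = [
    (1001, "alice", "****1234", 42.50),
    (1002, "bob", "****5678", 19.99),
    (1003, "carol", "****9012", 310.00),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER, customer TEXT, card_last4 TEXT, amount REAL)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", SAMPLE_ORDERS)
    return conn


def lookup_vulnerable(conn, customer):
    """Order lookup that splices untrusted input into the SQL text.

    A customer name containing a quote character changes the statement's
    structure, so input from a Web form can alter the WHERE clause.
    """
    sql = (
        "SELECT id, customer, card_last4 FROM orders WHERE customer = '"
        + customer
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, customer):
    """Same lookup as a parameterized query.

    The SQL text is fixed; the driver sends the value separately, so quotes
    in the input are matched as data and can never become syntax.
    """
    sql = "SELECT id, customer, card_last4 FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Textbook input that turns the WHERE clause into an always-true condition.
    hostile = "' OR '1'='1"
    print("vulnerable, normal input :", lookup_vulnerable(db, "alice"))
    print("vulnerable, hostile input:", lookup_vulnerable(db, hostile))
    print("hardened,   hostile input:", lookup_hardened(db, hostile))
```

With the hostile input the concatenated query returns every row in the table, while the parameterized query returns nothing because no customer is literally named that.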

But even if the merchant is PCI compliant that doesn't necessarily mean the shop is secure, right?
Russo: Exactly. That's why we say it's about security not compliance.

If that's the case, shouldn't the standard be improved so it is more effective?
Russo: That wasn't the case here. We have seen no evidence that if someone were compliant that they would have been breached. The standard is working. You only read about the one or two or four big breaches that happen. You don't hear about the thousands of merchants who aren't getting breached because they are compliant.

If a merchant is found to be not PCI compliant, what are the consequences?
Russo: Ninety percent of consumers don't understand the difference between credit card fraud and identity theft. If they hear that their credit card has been stolen, like at Heartland or TJX, many of them believe their identity is at risk. If that's the case many of your customers won't shop with you anymore because they are afraid you are not protecting their data and someone is going to steal their identity. That's the worst thing that can happen. The biggest problem would be if your customers walk away. There are reputational damages they have to deal with, which nine times out of 10 cannot be measured in terms of dollars.

There are also fines levied by card brands. There are lawsuits coming out of the woodwork when something like this happens, like shareholder lawsuits and class action customer lawsuits. They are paying to issuing banks for reissuing cards. And the government might now get involved. They're looking to find if stolen credit card information is being used to finance terrorism. You've got myriad people on your back if you suffer a breach. You may have FTC involved, and they require 20 years of audits. Every other year you would have to go through a complete audit. It's very expensive to suffer a breach. It's much better to be compliant and secure and not have to worry about this.

How much are the fines?
Russo: The brands set those; we're not responsible for the fines. We just set the standards and they are enforced by the brands and the federal agencies.

What part of the standard is mandatory and what is voluntary?
Russo: It's all mandatory. Nothing is voluntary. The rule is if you store, process, or transmit credit card data you must be compliant with the PCI standards. And that's a global rule.


What can consumers do to protect themselves?
Russo: Consumers need to take a little bit of responsibility now. You can watch your credit card activity online. I can watch all my credit cards online to see what I'm spending, and what my wife and my kids are spending. You really should be monitoring your credit card statements. If you have to, do it when the statement comes in the mail. If you do it online you can do it more often and set up alerts via email. Consumers by and large don't have a lot of liability when it comes to credit cards. A lot of credit cards are zero-liability. You just call the company and say this was not my charge and they won't hold you responsible for it.

Debit cards are treated differently than credit cards, right?
Russo: Debit cards are somewhat different. With a debit card you're actually using your own money coming out of your own checking account. The liability will vary depending on the card and the bank.

What are the biggest challenges for the industry?
Russo: Education is a big issue. Some of the smaller merchants that just come into the business don't really know what their responsibilities are with regard to handling credit cards.

Why do entire databases continue to get stolen?
Russo: All the information is contained in the logs so alerts are being set off to let you know something is going on, and if you're not looking at the logs on a regular basis somebody could be in there for weeks or even months stealing this data and you're not aware of it. There was a big merchant that got breached but they caught it immediately in their logs and they only lost four or five credit cards. So they did suffer a breach, but it was contained to only a few cards.
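The point Russo makes here is that the evidence is already in the logs and the failure is nobody reading them. As an added illustration (not code from the article or the PCI Council), the following scanner runs over a constructed Web server access log, flags the kinds of entries a reviewer would want alerted on, and reports how many days the suspicious activity spanned. The log lines, IP addresses and thresholds are all made up for the example.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Constructed sample access log in Common Log Format (made up for this example;
# the hostile requests are URL-encoded the way a server would record them).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2010:02:14:01 -0500] "GET /orders?customer=alice HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2010:02:14:03 -0500] "GET /orders?customer=alice%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 90211
198.51.100.4 - - [10/Jan/2010:09:30:12 -0500] "GET /orders?customer=bob HTTP/1.1" 200 498
203.0.113.7 - - [11/Jan/2010:02:15:44 -0500] "GET /orders?customer=x%27%20UNION%20SELECT%20card_last4%20FROM%20orders-- HTTP/1.1" 200 88102
203.0.113.7 - - [12/Jan/2010:02:16:09 -0500] "GET /admin/export?table=orders HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)$'
)

# Cheap indicators of SQL syntax inside a query string. Deliberately crude:
# the point is that the attempt is visible in the log, not that this regex is complete.
SQLI_RE = re.compile(r"('|--|\bunion\b|\bselect\b)", re.IGNORECASE)


def parse_line(line):
    """Return a dict for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def scan_log(text, large_response=50_000):
    """Scan log text and return alerts as (timestamp, source ip, kind, path)."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = unquote(rec["path"])
        query = path.split("?", 1)[1] if "?" in path else ""
        if SQLI_RE.search(query):
            alerts.append((rec["ts"], rec["ip"], "sql-metacharacters", path))
        if rec["bytes"] >= large_response:
            # A single order lookup returning tens of kilobytes may be a bulk dump.
            alerts.append((rec["ts"], rec["ip"], "oversized-response", path))
        if rec["status"] in (401, 403):
            alerts.append((rec["ts"], rec["ip"], "denied-request", path))
    return alerts


def alerts_by_kind(alerts):
    """Count alerts per kind."""
    return Counter(kind for _, _, kind, _ in alerts)


def top_source(alerts):
    """Source IP with the most alerts, as (ip, count)."""
    return Counter(ip for _, ip, _, _ in alerts).most_common(1)[0]


def dwell_days(alerts):
    """Days between the first and last alert: how long the activity sat unreviewed."""
    stamps = [ts for ts, _, _, _ in alerts]
    return (max(stamps) - min(stamps)).days


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ts, ip, kind, path in found:
        print(f"{ts:%Y-%m-%d %H:%M} {ip:15} {kind:20} {path}")
    print("by kind:", dict(alerts_by_kind(found)))
    print("top source:", top_source(found))
    print("dwell (days):", dwell_days(found))
```

On the sample log every alert comes from one source and the activity spans three calendar days; a reviewer reading the log daily would have seen the first oversized response on day one.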

Is that the biggest problem? Ignoring the logs?
Russo: That's one of the things they're doing. In one case mentioned earlier if they were compliant there would have been no way for somebody to get in and get that data.

So it's a matter of failing to follow standard security policies?
Russo: Yes. They're not following basic security practices.

With the rise of credit card data being harvested via browsers, will PCI ever get into the business of certifying that the browser is secure? If you can certify what it takes to secure a Web site, why not the browser?
Russo: We're concerned about where credit card data is being collected and stored, not so much how you can get to see it. My browser does not need to be secure; the server holding the data does [for PCI compliance purposes].

If someone suspects a vendor is violating PCI requirements, how can that be reported?
Russo: Consumers can call the toll-free number on the back of their credit card.

What is your ultimate take-away message for readers?
Russo: Ultimately they need to make sure the merchants they're dealing with are PCI compliant. And if you're a merchant you really have to be careful because consumers are getting smarter and smarter and if they find out you are not protecting their data, credit card data or personal data, they're going to walk away. And that's going to be the downfall of your business.

February 7, 2010 9:00 AM PST

BlackBerry has spyware risk too, researcher says

by Elinor Mills

Tyler Shields, senior researcher for the Veracode Research Lab.

(Credit: Veracode)

We've heard a lot about security issues with the iPhone, but the BlackBerry isn't immune to threats from malicious apps.

Tyler Shields, a senior researcher at the Veracode Research Lab, has written a piece of spyware that allowed me to shoot an SMS command to his phone and have his contact list forwarded to my e-mail address in a demonstration. With another short text command, I was able to get his BlackBerry to e-mail me any SMS messages he sends.

And if I had wanted--and he had allowed me--I could have seen a log of all his calls, monitored his inbound text messages, tracked his location in real-time based on the GPS (Global Positioning System) in his device and turned his microphone on to listen to conversations in the room and record them.

"It's trivial to write this type of code using the mobile provider's own API [application programming interface] they provide to any developer," Shields said in an interview in advance of his talk on the spyware scheduled for the ShmooCon security show on Sunday.

He calls his program "TXSBBSpy" and is releasing the source code but not an executable version of it. "My goal is to show how easy it is to create mobile spyware," he said.

TXSBBSpy "can take data from the phone, both in real-time and in snapshots, and send it off via SMS or e-mail to any Web server or TCP [Transmission Control Protocol] or UDP [User Datagram Protocol] network connections," Shields said.

While I was able to control the spyware using text messages sent from my mobile phone, the spyware had to be first installed on his BlackBerry for the snooping to work. This can be done by sending the target victim an e-mail or text with a link to a Web page where the spyware is surreptitiously installed. Or it can be hidden inside a legitimate-looking app downloaded from the App Store.

The risks are similar to those posed by Swiss researcher Nicolas Seriot in his iPhone spyware demo at the Black Hat DC security conference on Wednesday.

"These types of behaviors we're demonstrating will be universal across all mobile platforms," Shields said.

The BlackBerry platform has a "significant number" of security mechanisms in place that could be used to mitigate against these types of attacks, he said. For instance, the user can set the options to limit what access to specific types of data a particular app can have, he said.

However, many smartphone users either don't know about the security risks, don't think the risks are serious or don't know how to be more secure with their devices. A Trend Micro survey from last August found that only 23 percent of smartphone owners use the security software already installed on their device.

App stores also need to do more to vet the apps, Shields said--the same message Seriot had for Apple.

In the meantime BlackBerry users should be more cautious about what apps they download and what rights they give them. "Users should not hit the 'I trust this app' button," Shields said. "That will give it access to all your personal information."

Users should go into the app security configuration within the BlackBerry option screen and tell it specifically what information the app can access or set it to prompt if the app tries to access certain data, he said.

"The security models are inadequate because they trust by default," he added. "Sandboxing [techniques] only protect one app from another app; not from accessing user data. App stores give users a false sense of security."

Shields said he has contacted Research in Motion about the issues and the company's official comment was: "We won't make any comment on how the security of the App Center operates."

Shields has also created a video demonstration of his spyware.

A Research In Motion representative provided this comment: "Applications containing spyware cannot be installed on a BlackBerry smartphone without the user's explicit consent unless of course someone else gains physical possession of the user's device along with knowledge of any enabled password...the spyware app cannot simply install itself stealthily on to a user's device. Further, a user can review and confirm the list of installed apps on their device by looking in the 'Options' area at any time."

Updated 9:11 a.m. PST February 8 with RIM comment.

February 4, 2010 4:56 PM PST

DOJ not pleased with latest Google Book agreement

by Elinor Mills

Although the amended settlement agreement for Google's Book Search addressed some concerns the U.S. Justice Department had, it still could give the company anticompetitive advantages in the digital book marketplace, the agency said on Thursday.

The Department of Justice advised the U.S. District Court for the Southern District of New York that "class certification, copyright, and antitrust issues remain" in a court filing.

The settlement--reached between Google and the Authors Guild and Association of American Publishers--would allow Google to partially display in-copyright but out-of-print books alongside books authorized by publishers and public domain works in Google Books. It was weeks away from being approved by the court when the Justice Department intervened in September, citing a host of concerns.

The agency suggested that the agreement should impose limitations on the most open-ended provisions for future licensing so it would eliminate potential conflicts among authors and publishers, provide additional protections for unidentified rights holders, address concerns voiced by foreign authors and publishers, eliminate the joint-pricing mechanisms among publishers and authors, and provide a way for Google rivals to gain comparable access to the digital works.

The sides offered up an amended agreement in November, which still drew complaints from critics.

Now the Justice Department has weighed in again, concluding that the modified agreement still faces the same core problem as the original agreement did: "it is an attempt to use the class action mechanism to implement forward-looking business arrangements that go far beyond the dispute before the court in this litigation."

"The proposed amended settlement agreement eliminates certain open-ended provisions that would have allowed Google to engage in certain unspecified future uses, appoints a fiduciary to protect rights holders of unclaimed works, reduces the number of foreign works in the settlement class, and eliminates the most-favored nation provision that would have guaranteed Google optimal license terms into the future," the agency said.

However, the amended settlement agreement "still confers significant and possibly anticompetitive advantages on Google as a single entity, thereby enabling the company to be the only competitor in the digital marketplace with the rights to distribute and otherwise exploit a vast array of works in multiple formats," the agency added.

The agreement retains Google's ability to sell full access to books in a variety of ways, which grants Google "sweeping control over the digital commercialization of millions and millions of books," the filing said.

The amended agreement gives Google de facto exclusivity to rights to the digital books because the company has a huge lead over competing efforts at Amazon and the Internet Archive, who in order to catch up would have to scan books without permission from rights holders, as Google has been doing, the agency said in its filing.

The exclusive access to the books that Google will get is likely to benefit Google's existing online search business and further entrench its dominance in that market, according to the filing.

Meanwhile, by requiring that rights holders opt out of the program, the amended agreement seeks what would be an exception to normal rules under the Copyright Act that rights holders must affirmatively grant permission for uses of their work, the document said.

If an opt-out provision is maintained, the court should require a waiting period before Google can commercially exploit out-of-print works without getting rights holder permission, such as two years from the time the book is publicly listed in the online registry to be created under the agreement, the filing suggests.

The Justice Department said it is still committed to working with Google and the Authors Guild on the settlement agreement, particularly to "develop solutions through which copyright holders could allow for digital use of their works by Google and others, whether through legislative or market-based activities."

The agency said it believes that a "properly structured" agreement could provide "important societal benefits."

A Google spokesperson provided this comment: "The Department of Justice's filing recognizes the progress made with the revised settlement, and it once again reinforces the value the agreement can provide in unlocking access to millions of books in the U.S. We look forward to Judge Chin's review of the statement of interest from the Department and the comments from the many supporters who have filed submissions with the court in the last months. If approved by the court, the settlement will significantly expand online access to works through Google Books, while giving authors and publishers new ways to distribute their works."

The nonprofit advocacy group Consumer Watchdog praised the Justice Department's stance.

"The settlement still abuses the class-action mechanism and purports to enroll absent class members automatically into new business 'opportunities,' in violation of current copyright laws," Consumer Watchdog reiterated from its friend-of-the-court brief opposing the agreement as modified. "This scheme acts to the disadvantage of absent class members and would result in unfair competitive advantages to Google in the search engine, electronic book sales, and other markets, to the detriment of the public interest. Along the way, the settlement raises significant international law and privacy concerns."

Updated 6:30 p.m. PST with more details from the DOJ filing and 6:07 p.m. PST with Google comment and 5:22 p.m. PST with Consumer Watchdog comment.

February 4, 2010 12:33 PM PST

Microsoft to patch 26 holes in Windows, Office

by Elinor Mills

Microsoft will patch 26 holes next week, including critical ones in Windows, one affecting the kernel of 32-bit versions, and several holes in Office, the company said Thursday in a preview of its Patch Tuesday.

Five of the 13 bulletins affect vulnerabilities that could lead to remote code execution and they are rated critical. The bulletins affect Windows 2000, XP, Vista, and Windows 7, as well as Server 2003 and 2008, Office XP, Office 2003 and Office 2004 for Mac, according to the advisory.

"The Office-related bulletins are both rated Important and would require user action to be exploited (usually in the form of convincing a user to open a specially crafted file)," Jerry Bryant, a senior security communications manager at Microsoft, wrote in a blog post. "The vulnerabilities only affect older versions of Office so customers on Office 2007 or Office 2008 for Mac will have no actions this month."

Included in the bulletins will be a fix for a hole in the kernel of 32-bit versions of Windows that Microsoft disclosed two weeks ago, Bryant said.

Meanwhile, Microsoft will not have fixes ready by Tuesday for two other issues--a hole in Internet Explorer that could lead to data leakage and which was disclosed on Wednesday, and a hole in the Server Message Block file-sharing protocol that was disclosed in November.

"We are not aware of any attacks on these vulnerabilities and continue to encourage customers to implement the mitigations and workarounds outlined in the advisories," Bryant wrote.

This chart shows the number of bulletins affecting the different versions of Windows and their rating of importance.

(Credit: Microsoft)

February 4, 2010 12:07 PM PST

U.S. House passes cybersecurity research bill

by Elinor Mills
  • 11 comments

The U.S. House of Representatives overwhelmingly approved a cybersecurity bill that calls for beefing up training, research, and coordination so the government can be better prepared to deal with cyberattacks.

The Cybersecurity Enhancement Act of 2009 (H.R. 4061), which passed by a vote of 422 to 5, authorizes the National Institute of Standards and Technology (NIST) to develop a cybersecurity education program that can help consumers, businesses, and government workers keep their computers secure.

It also creates cybersecurity scholarship programs for college students and research centers, and asks NIST to boost development of identity management systems used to control access to buildings, computer networks, and data.

Federal agencies spend $6 billion a year on cybersecurity to protect the government's IT infrastructure and $356 million on research, according to the Office of Management and Budget. Despite that funding, a government review of its cybersecurity efforts last year concluded that they are not adequate to prepare the country against cyberattacks.

Under the measure, if it becomes law, NIST would have one year to deliver a plan to Congress detailing its plans to participate in international cybersecurity technical standards development and 90 days to deliver a plan describing a cybersecurity awareness and education program.

Alan Paller, director of research at the SANS Institute computer security training organization, said the bill is vital to improving the country's cybersecurity defenses, but said the Appropriations Committee needs to provide for the necessary funding for it to have impact. Funding could be affected if schools don't upgrade their security programs and graduate students with key technical skills, and if NIST doesn't prove it can be a good partner with the agencies that have the necessary skills.

"NIST has 'grasped defeat from the jaws of victory' once too often (because of their lack of operational knowledge) to give that agency sole responsibility for something as important as the first line of defense (configuration standards, et al)," Paller wrote in an e-mail.

"This bill will help improve the security of cyberspace by ensuring federal investments in cybersecurity are better focused, more effective, and that research into innovative, transformative security technologies is fully supported," said Symantec CTO Mark Bregman. "HR 4061 represents a major step forward towards defining a clear research agenda that is necessary to stimulate investment in both the private and academic worlds, resulting in the creation of jobs in a badly understaffed industry."

The vote comes two days after Dennis Blair, White House director of national intelligence, warned the Senate that the U.S. is under severe threat from cyberattacks, and a week after nearly 50 House and Senate Web sites were defaced.

There has been a heightened level of interest in cybersecurity since Google announced last month that its network had been attacked and intellectual property stolen. More than 20 (now more than 30) other companies were also targeted and the attacks appeared to come from China, Google said. Separately, Gmail users who are human rights activists were targeted. As a result of the attacks, Google said it would stop censoring its Web search results in China as it has been doing and may even stop doing business in the country.

Updated 3:54 p.m. PST with SANS Institute comment.

February 3, 2010 4:00 AM PST

Researcher warns of risks from rogue iPhone apps

by Elinor Mills
  • 50 comments

Nicolas Seriot created a proof-of-concept "SpyPhone" app to show how easy it is to snoop on iPhone users.

(Credit: Pierrick Terrettaz)

Lax security screening at Apple's App Store and a design flaw are putting iPhone users at risk of downloading malicious applications that could steal data and spy on them, a Swiss researcher warns.

Apple's iPhone app review process is inadequate to stop malicious apps from getting distributed to millions of users, according to Nicolas Seriot, a software engineer and scientific collaborator at the Swiss University of Applied Sciences (HEIG-VD). Once they are downloaded, iPhone apps have unfettered access to a wide range of privacy-invasive information about the user's device, location, activities, interests, and friends, he said in an interview Tuesday.

In a talk scheduled for Wednesday at the Black Hat DC security conference, Seriot will explain how an innocent-looking app could be designed to harvest personal data and send it to a remote server without the user knowing it.

The rogue app could be hidden within an innocent-looking app, such as a game. Low-hanging fruit for rogue apps includes the mobile-phone number, address book data, and a notes section of the address book, where some people store bank account and other sensitive information, he said.

"It turns out that the full Address Book is readable without the user's knowledge or consent," Seriot wrote in a white paper (PDF) on the subject.

In addition, a sandboxing technique limits access to other applications' data but leaves exposed data in the iPhone file system, including some personal information, he said.

To make his point, Seriot has created open-source proof-of-concept spyware dubbed "SpyPhone" that can access the 20 most recent Safari searches, YouTube history, and e-mail account parameters like username, e-mail address, host, and login, as well as detailed information on the phone itself that can be used to track users, even when they change devices.

SpyPhone can be used to track the user's whereabouts and activities. It offers access to the keyboard cache, which contains all the words ever typed on the keyboard, except for words entered in password fields, effectively acting as a keylogger, he said. It accesses photos, which can be tagged with the date and location via the GPS coordinates. And a log showing the device's Wi-Fi connections also is accessible.

"Safari recent searches, YouTube history, and your keyboard cache give clues about your current interests," he writes. "These interests are linked with your name and your e-mail addresses, your phone number, and your area. Harvested from large numbers of users, such data have a huge value in the underground market of personal data, and it must be assumed that Trojans are, in fact, exploiting this on the App Store."

The screen shots show a list of the date and location of geotagged photos (left) and the coordinates displayed on a map (right), types of information that his SpyPhone proof-of-concept spyware was able to access from an iPhone.

(Credit: Nicolas Seriot)

It's not difficult to get iPhone apps approved, Seriot said. To get an app distributed through Apple's App Store, developers need to be enrolled in the iPhone Developer Program and provide an executable file, but not the source code, to Apple for vetting. The approval process mainly looks for user interface inconsistencies, but also undocumented function calls and malware, he said.

But with Apple having to scrutinize as many as 10,000 binaries that are submitted each week, some malware is bound to sneak in, Seriot said. He acknowledged that he doesn't know exactly what process Apple uses to review apps, but said it likely uses common static and dynamic analysis, both of which can be circumvented with the right programming tricks.
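The vetting-and-evasion point above, as an added example that is not part of the original article and is neither Seriot's code nor Apple's review tooling: a toy static check of the kind a reviewer might run, which pulls printable strings out of a submitted binary and flags AddressBook framework symbols and on-device file paths that a data-harvesting app would need, followed by a second "binary" that hides the same names behind a one-byte XOR so the scan passes it. The marker list and the two file paths are assumptions of this example (the page names the data, not the APIs or paths), and both binaries are constructed byte strings, not real Mach-O files.

```python
"""Toy static review check and the string obfuscation that defeats it.

Added example, not code from the article or from Apple's App Store review.
The 'binaries' are constructed byte strings standing in for real app files.
"""
import re

# Markers an iPhone OS 3-era reviewer might look for. The ABAddressBook*
# functions and CLLocationManager are real public API names; the two file
# paths are assumed here (keyboard cache and Safari data), not taken from
# the article.
SENSITIVE_MARKERS = {
    b"ABAddressBookCreate": "address book access",
    b"ABAddressBookCopyArrayOfAllPeople": "address book enumeration",
    b"CLLocationManager": "location tracking",
    b"/var/mobile/Library/Keyboard/dynamic-text.dat": "keyboard cache read",
    b"/var/mobile/Library/Safari": "Safari history/search read",
}


def extract_strings(blob: bytes, min_len: int = 6) -> list[bytes]:
    """Return printable-ASCII runs of at least min_len bytes, like strings(1)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def scan_binary(blob: bytes) -> dict[str, list[str]]:
    """Map each privacy-relevant finding to the strings that triggered it."""
    findings: dict[str, list[str]] = {}
    for s in extract_strings(blob):
        for marker, label in SENSITIVE_MARKERS.items():
            if marker in s:
                findings.setdefault(label, []).append(s.decode("ascii"))
    return findings


def xor_obfuscate(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call decodes what it encoded."""
    return bytes(b ^ key for b in data)


# Constructed sample 1: a naive data-harvesting app that keeps the symbol
# and the keyboard-cache path as plain strings. The static scan flags it.
NAIVE_APP = (
    b"\x00" * 8
    + b"_ABAddressBookCreate\x00"
    + b"/var/mobile/Library/Keyboard/dynamic-text.dat\x00"
    + b"Super Tetris Deluxe\x00"
)

# Constructed sample 2: the same app with the sensitive names XOR-encoded.
# At runtime it would decode them and resolve the function via dlsym(),
# so only the innocuous dynamic-linker symbols survive as plain strings.
OBFUSCATION_KEY = 0x5A
STEALTHY_APP = (
    b"\x00" * 8
    + b"_dlsym\x00_dlopen\x00"
    + xor_obfuscate(b"ABAddressBookCreate", OBFUSCATION_KEY) + b"\x00"
    + xor_obfuscate(b"/var/mobile/Library/Keyboard/dynamic-text.dat", OBFUSCATION_KEY) + b"\x00"
    + b"Super Tetris Deluxe\x00"
)


def review_verdict(blob: bytes) -> str:
    """'reject' if the static scan found anything, otherwise 'pass'."""
    return "reject" if scan_binary(blob) else "pass"


if __name__ == "__main__":
    for name, blob in (("naive app", NAIVE_APP), ("stealthy app", STEALTHY_APP)):
        print(f"{name}: {review_verdict(blob)} {scan_binary(blob)}")
```

Run as a script it prints one rejection and one pass for what is functionally the same app. The stealthy variant is only harmless on paper: at runtime it decodes the names and looks them up through dlsym(), so a dynamic analysis that actually exercises that code path can still catch it, which is why an app that waits for a server command or a date before misbehaving is the harder case for a reviewer.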

The threat is not theoretical. Several iPhone apps have been pulled from the App Store after being found to be harvesting user data, intentionally or unintentionally. A game called Aurora Feint was uploading all the user contacts to the developer's server, and salespeople from Swiss road traffic information app MogoRoad were calling customers who downloaded the app. Game app Storm8 was sued last fall for allegedly harvesting customer phone numbers without permission, but it later stopped that practice. And users also complained that Pinch Media, an analytics framework used by developers, was collecting data about customer phones.

"Consumers should be aware that iPhone security is far from perfect and that a piece of software downloaded from the App Store may still be harmful," Seriot wrote. "As a basic precaution, users should regularly clean the browser's recent searches and the keyboard cache in Settings. They should also change or delete the declared phone number, also in Settings."

"Meanwhile, professional users should avoid running untrusted applications, especially if they are required by law to protect data confidentiality," he wrote. "This includes groups such as bankers, attorneys, medical staffers, law enforcement officers, and so on. Also, legal departments should be aware that confidential data may already have leaked."

Seriot said he thought Apple might address the issue in its latest security update, released on Tuesday, but that it didn't.

"This is one more piece of evidence that the issues are more like a design flaw than simple bugs which could be fixed in a minor security update," he said.

Seriot said he contacted Apple about the issues more than a year ago, and it subsequently issued a partial fix.

Apple representatives did not respond to e-mails seeking comment.

Update, 11:04 a.m. PST: Added comment from Seriot about contacting Apple more than a year ago about the issues.

February 2, 2010 11:40 AM PST

Apple patch plugs iPhone, iPod Touch holes

by Elinor Mills
  • 35 comments

Apple issued a patch on Tuesday for the iPhone and iPod Touch that plugs five holes, including several that could allow an attacker to take control of the device remotely.

Three of the vulnerabilities could allow someone to run code remotely, if an iPhone or iPod Touch user opened malicious audio or image files, or accessed a malicious FTP (File Transfer Protocol) server, Apple said.

Another vulnerability could allow someone with physical access to one of the devices to bypass the passcode on a locked device and access the data.

The update is iPhone OS 3.1.3 for the iPhone and iPhone OS 3.1.3 for the iPod Touch. More information is on the Apple security Web page.

February 2, 2010 10:39 AM PST

Twitter resets passwords after phishing attack

by Elinor Mills
  • 15 comments

Twitter reset passwords for an unknown number of users on Tuesday whose accounts appeared to have been compromised via phishing.

"As part of Twitter's ongoing security efforts, we reset passwords for a small number of accounts that we believe may have been compromised offsite," the company said in a statement.

Some Twitter users apparently "used their Twitter username and password to sign up for an untrusted third-party application which then posted Tweets to their account," a spokeswoman said.

"While we're still investigating and ensuring that the appropriate parties are notified, we do believe that the steps we've taken should ensure user safety," the statement said. "We'll continue to provide updates as warranted at @safety and @spam."

Users who want information on what to do if their accounts have been compromised can visit this page and learn how to use Twitter safely here.

Update 12:05 p.m. PST: In response to a reader e-mail suggesting that there may have been a breach at Twitter, Del Harvey, trust and safety director at Twitter, said there was no data breach at the company.

"We've noticed a high correlation of users with accounts on third-party Torrent sites and users' accounts that we believe are compromised. It's possible that this person falls into this category. It's not a result of a data breach on Twitter."

About InSecurity Complex

Elinor Mills became fascinated with hacker culture when she was sent to Las Vegas to cover DefCon in 1995. Since then, script kiddies have given way to cyber criminals targeting bank passwords, and privacy risks are everywhere, from Google to Facebook and the iPhone. InSecurity Complex keeps tabs on the flaws, the foibles, and the fixes.