Wednesday, November 6, 2013

Researchers Discover Many iOS Apps Vulnerable to HTTP Request Hijacking

Researchers at mobile security vendor Skycure have discovered many iPhone apps are vulnerable to HTTP request hijacking attacks that could permit a hacker to use the app to load malicious content.

"While the problem is generic and can occur in any application that interacts with a server, the implications of HRH [HTTP request hijacking] for news and stock-exchange apps are particularly interesting," blogged Skycure CTO Yair Amit.  "It is commonplace for people to read the news through their smartphones and tablets, and trust what they read. If a victim’s app is successfully attacked, she is no longer reading the news from a genuine news provider, but instead phoney news supplied by the attacker’s server."

After testing a variety of high-profile apps, the firm realized that many of them are vulnerable to attack.  The problem centers on the impact of HTTP redirections.  The attack starts as a classic man-in-the-middle attack, in which the vulnerable app sends a legitimate request to a server.  The request is then captured by the attacker, who returns a 301 HTTP redirection to a server controlled by the attacker.  If the attack is successful, the 301 HTTP redirection issued by the attacker is kept in the app’s cache and changes its behavior so that, instead of retrieving data from its designated server, the app loads data from the attacker’s server even after the man-in-the-middle attack is over.

A 301 HTTP redirection could allow a malicious attacker to persistently alter and remotely control the way the application functions, without any reasonable way for the victim to know anything about it.
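
The persistence described above can be seen in a small model of an app-side cache. This is an added example, not Skycure's code or any real app's: the URLs, the `RedirectCache` class and the hardened policy (only remember a 301 that arrived over HTTPS and stays on the same host) are assumptions made for illustration.

```python
from urllib.parse import urlsplit

FEED = "http://news.example/feed"     # constructed URL of the app's designated server
ROGUE = "http://rogue.example/feed"   # constructed URL standing in for the other server


class RedirectCache:
    """Toy model of an HTTP client that remembers 301 (permanent) redirects."""

    def __init__(self, hardened=False):
        self.hardened = hardened
        self.permanent = {}               # original URL -> remembered target

    def _may_persist(self, src, dst):
        if not self.hardened:
            return True                   # behaviour described in the post
        s, d = urlsplit(src), urlsplit(dst)
        # Assumed policy: a redirect seen over plain HTTP is never stored.
        return s.scheme == d.scheme == "https" and s.hostname == d.hostname

    def fetch(self, url, network):
        """Return the URL the content is finally loaded from."""
        for _ in range(5):                # bound redirect chains
            if url in self.permanent:     # cached redirect, no network check
                url = self.permanent[url]
                continue
            status, location = network(url)
            if status != 301:
                return url
            if self._may_persist(url, location):
                self.permanent[url] = location
            url = location
        raise RuntimeError("too many redirects")


def on_hostile_network(url):              # a 301 is injected for the feed URL
    return (301, ROGUE) if url == FEED else (200, None)


def on_trusted_network(url):              # the real server answers directly
    return (200, None)


def final_source_after_attack(hardened):
    cache = RedirectCache(hardened)
    cache.fetch(FEED, on_hostile_network)           # request made on the hostile network
    return cache.fetch(FEED, on_trusted_network)    # later request, trusted network
```

With the default policy the second request still resolves to the remembered target; with the hardened policy the app goes back to its designated server once it is on a trusted network.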

Saturday, August 10, 2013

Blog Summary

Over the last ten weeks, I chose to blog on a variety of topics because I wanted to keep my readers abreast of different Information Security topics.  I didn’t want anyone to get bored by looking at the same material every week, so I made a point to post information from a variety of websites.

The resources that I used for my blog came from a variety of websites such as McAfee Threat Intelligence, CNET Security and Privacy, and Identity Theft Resource Center.  These are just a few websites that I received information on for my blogs.  They had useful articles about a number of incidents that happened throughout the week in various parts of the world.  I wanted my readers to understand that cyber-attacks come in a variety of ways and platforms.

I believe this blog is useful to information security professionals because it keeps them abreast of the information that’s being put out to the public.  It also gives them the knowledge to understand where cyber-attacks are happening and how they can be prepared to stop them.  This can hopefully give them a foot ahead of the hackers.

The lessons that I learned while blogging are:

  • To make sure that your posts are of good length
  • To post information that will keep your audience interested
  • Post on good topics

Saturday, August 3, 2013

Android App Contains Windows Worm

There’s a curious case of an Android application on Google Play that contains traces of malware that pose no security danger to Android devices but are dangerous to other mobile and PC platforms.  The virus is embedded inside the APK file.  McAfee Labs found a Windows worm called GenericMalware.og!ats that reproduces itself across network shares, and a user could run the malicious application by opening the APK as a zip archive and running the program.  This malware exists on every Android device that has installed the KFC WOW@25 Menu application.

When an application contains a malicious file, it is usually due to neglect on the part of the developer.  The developer possibly used outdated antimalware software and, without realizing that the computer was infected, ended up with a copy of a worm in the source code.  From that point on the worm was packaged, signed, and deployed on Google Play without the developer knowing about the infected file.  Even when the infected application is removed from Google Play, it still poses a risk to consumers.


When creating apps, developers should remember to secure their computers and maintain updated antimalware software, especially if they intend to distribute the app for others to use.
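
A pre-release check along these lines can catch a stray Windows executable before a build is signed. This is an added example, not McAfee's tooling or anything from the application discussed above; the sample archive, its file names and the helper names are constructed, and the "executable" is only an inert header stub.

```python
import io
import struct
import zipfile


def looks_like_pe(data):
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    # A PE header beyond the bytes we read yields an empty slice -> False.
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"


def windows_executables_in_apk(apk):
    """Return the names of archive members that are Windows PE files.

    `apk` is a path or file-like object; an APK is an ordinary zip archive.
    Content is inspected, so a misleading file extension does not hide a hit.
    """
    hits = []
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(4096)
            if looks_like_pe(head):
                hits.append(info.filename)
    return hits


def build_sample_apk():
    """Constructed in-memory archive: three harmless files and one PE header stub."""
    stub = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0")
        zf.writestr("assets/banner.png", stub)            # PE header, image extension
        zf.writestr("res/raw/notes.txt", b"MZ is just text here")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(windows_executables_in_apk(build_sample_apk()))
```

Any hit is a reason to stop the release and examine the build machine, since an Android package has no legitimate need for a Windows executable.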

Sunday, July 28, 2013

Five Charged in Largest Hacking Scheme Ever Prosecuted in US

The U.S. Attorney's Office today unsealed an indictment charging four Russians and a Ukrainian with a multi-million hacking scheme that netted 160 million credit card numbers from several major American and international corporations.

The charges stem from hacking attacks dating back to 2005 against several global brands, including the NASDAQ exchange, 7-Eleven, JC Penney, Hannaford, Heartland, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard.

The five men being indicted are:

- Vladimir Drinkman, 32, of Syktyvkar and Moscow, Russia, and Alexandr Kalinin, 26, of St. Petersburg, Russia, who each allegedly specialized in penetrating networks and gaining access to the corporate victims' systems.

- Roman Kotov, 32, of Moscow, who allegedly specialized in mining the networks compromised by Drinkman and Kalinin to steal valuable data.

- Mikhail Rytikov, 26, of Odessa, Ukraine, who allegedly offered anonymous web-hosting services for the others to hide their illegal activities.

- Dmitriy Smilianets, 29, of Moscow, who allegedly sold the information stolen by the other conspirators and distributed the proceeds of the scheme to the participants.

Two of the five men, Drinkman and Smilianets, were captured while traveling in the Netherlands last year and have been extradited to the United States to face charges, while the other three men remain at large.  Court documents show the men took user names and passwords, identification, and credit and debit card numbers that correspond to personal identification information of cardholders.


The men gained access to systems by using an SQL injection attack as their initial entry point.  Once the networks were breached, they used malware to create a back door to maintain their access to these systems.  The men also used sniffers to identify, collect, and steal data from victims, and sold the stolen data to others.  As punishment, they face a five-year prison sentence for conspiracy to gain unauthorized access to computers; 30 years in prison for conspiracy to commit wire fraud; five years in prison for unauthorized access to computers; and 30 years in prison for wire fraud.

Saturday, July 20, 2013

Social network to let you set passwords for apps on Facebook and enlist friends to help log into blocked account

Facebook is set to announce new security features that will let people set passwords for third-party apps and get help from friends when they can’t access their accounts.

When your Facebook account is hijacked and you can’t get in, the new Trusted Friends feature lets you select three to five friends who can be trusted to help you get access to your account.


Facebook is also bulking up security for in-system apps by allowing you to create a password to access certain apps.  To use App passwords, click on Account Settings, then select the Security tab and the “App passwords” section.  This will generate a password that you don’t need to remember; just enter it along with your email when logging into an application.

Sunday, July 14, 2013

Five Factors InfoSec Teams Should Consider When Deploying to the Cloud

A recent survey of cloud users, ranging from cloud beginners to more experienced users, reports that the challenges of cloud such as security, governance, and compliance declined as cloud maturity increased.  The survey also mentioned five factors that all InfoSec departments should consider when thinking about cloud deployments:

Clear organizational policies: have a clear policy about the security responsibilities.

Access controls: know the details around access controls in the cloud.

Protect data in transit: ask detailed questions about data in transit.

Data protection in a database: how does your cloud vendor handle data protection?


System monitoring: leverage a system that implements full logging, monitoring, archiving, and retention of operational and service data through multiple channels for both system event logs and custom monitoring parameters.

Sunday, July 7, 2013

European Union Increases Penalties for Cybercriminals and Hackers

The European Union has decided to raise prison sentences for people found guilty of hacking, data breaches, and cyber-attacks.  Lawmakers from 28 nations have decided to assign harsher penalties to include increased prison sentences.  A person will receive two years for illegally accessing information systems and at least five years for cyber-attacks against infrastructure such as power plants, water systems, and transportation networks.

Other cybercrimes that received penalty increases were the illegal interception of communications and the creation of tools for this purpose.  Any company that’s found guilty of using these tools or that hires hackers to steal data will also be liable under the new law.


The only country that didn’t sign onto the new rules was Denmark because they want to keep their own sentences.  This is the first update to such laws since 2011, when lawmakers agreed to tougher penalties for cybercrimes.  The U.S. is also working hard to clamp down on cybercriminals.  Last month, members of the U.S. House of Representatives Intelligence Committee proposed a new cyber theft law that would target hackers based in other countries.  Back in May, a group of senators proposed a similar bill called the “Deter Cyber Theft Act” to protect commercial data from foreign hackers and governments.

Friday, June 28, 2013

Protecting Children While They Are Online

Now that kids are on summer vacation, it’s highly likely that they will be on the computer, smartphone, or tablet a lot more than usual.  As parents, it’s our job to keep them safe and to protect their privacy.  When your child downloads a new app, please review the app and ask yourself the following questions:

1. Who decides which apps your child downloads?
Consider using parental control apps and the restriction settings on the devices.  To find parental control apps, search for “parental control” in the app store to find an app that meets your needs.  On the computer, smartphone, or tablet, the parental control option is usually in the settings menu.

2. Is the app legitimate? If so, what information does the app collect, and what does it do with that information?
There are a couple of ways this can be accomplished.  First, research the app to see how many people downloaded it and check the user ratings.  If it looks suspicious, don’t download the app.  Second, read the privacy policies, terms of use, and permissions to familiarize yourself with the app’s data policy so that you feel comfortable letting your child download the app.

3. Is the app complying with the Children’s Online Privacy Protection Act (COPPA)?
COPPA requires the app to get parental consent before they collect or share certain information from children under the age of 13.  The Federal Trade Commission enforces COPPA, and encourages parents to report apps that are breaking the rules.

4. How does the app make money?
Some app developers make money by charging users when they download the app while other apps are free to download but cost money while using the app.  If the app is a game and your child needs money to unlock the next level, more than likely you will be paying to use what you thought was a free app.

5. Are you familiar with the device’s security settings, online safety basics, and cyberbullying?
Keep up to date on all these topics by researching the following:

Privacy Rights Clearinghouse Fact Sheets:
-   Privacy in the Age of the Smartphone
-   Online Privacy: Using the Internet Safely
-   Social Networking Privacy: How to be Safe, Secure and Social
-   Securing Your Computer to Maintain Your Privacy

Common Sense Media
-   Cyberbullying
-   Internet Safety

Federal Trade Commission:

-   Kids and Mobile Phones

Saturday, June 22, 2013

Researchers at Symantec have detected a new type of Ransomware

Ransomware is now targeting mobile devices and it looks like an anti-virus application.  Once the application has been installed, some users may see the following results:

1) many users will not have the capability to uninstall the malicious app because the malware will attempt to prevent other apps from being launched

2) the threat will also change the settings of the operating system, which can leave some users unable to perform a factory data reset


Ransomware is a pay-per-install program for many criminals. It scams people out of money, and for every install the criminals earn a double payday.  Ransomware encrypts valuable data such as images, music, documents, and passwords.  Even though this program is poorly created, it prevents legitimate security applications from working properly and limits Web access.

Sunday, June 16, 2013

Cybercriminals Use Zeus Trojan to Target Job Seekers With Mule Recruitment Ads

Researchers have found a version of Zeus using man-in-the-browser techniques to present visitors to the job hunting site CareerBuilder.com with an ad that users should ignore because it is for a mule recruitment site.

These ads entice job seekers with descriptions of easy money from simple work-at-home jobs, luring them to contact the employer and unknowingly serve as the money laundering component of a cybercrime gang.  This week, federal authorities charged eight people for being part of a money laundering operation that was involved in the attempted theft of over $15 million from banking customers in the U.S.

Employment websites have noticed that they are being used for this type of operation, and they are offering easy ways for users to report suspicious ads.  They have also created security teams to detect and remove these ads from their websites.

Sunday, June 9, 2013

Hello Everyone,

My name is Monica Batts.  I've been in the U.S. Military for 17 years now and I have been all around the world.  I'm currently stationed in Guam.  I'm in the process of achieving my immediate goal of obtaining a Master's degree in Cyberspace Security.  When I retire, I'm planning on moving to Houston, Texas.