Wednesday, 2 May 2012

Want someone else’s Hotmail account

A software bug can often lead to a vulnerability that can be exploited with sophisticated exploit code. Or sometimes you can just instal a free add-on that lets you do the same thing with no effort.

A few days ago, Whitec0de reported on a newly found vulnerability in Hotmail’s passwords. It enabled a hacker to take complete control of a user’s Hotmail account – not merely accessing the user’s mail, but preventing access for the legitimate account holder. It effectively stole the user’s entire Hotmail email database – and all the confidential and sensitive data it contains.

The methodology leaked out – it wasn’t difficult. “All hell broke loose,” said Whitec0de, “when a member from a very popular hacking forum offered his service that he can hack ‘any’ email account within a minute.” The going rate was as low as $20 per account.

Yet again, a great example of why we need more than static passwords. When are we going to learn?????

Monday, 9 April 2012

Your Facebook credentials at risk

Facebook allows its authentication credentials to be stored in plain text within the Apple iOS version of its mobile app, allowing an attacker complete control over your Facebook account if he knows where to look.

Security researcher Gareth Wright noted the vulnerability and alerted Facebook. Wright wrote on his blog that he discovered the issue while exploring the application directories in his iPhone with a free tool and came across a Facebook access token in the Draw Something game on his phone.

The simple ‘hack’ allows a user to copy a plain text file off the device and onto another one. This effectively gives another user access to your account, profile and everything else on that iOS device.

Facebook’s native apps for the two platforms do not encrypt your login credentials, meaning they can be easily swiped over a USB connection or, more likely, via malicious apps. Facebook has responded that this issue only applies to compromised or jailbroken devices.

Thursday, 19 January 2012

The never-ending saga of passwords. When is enough enough?

It’s not even the end of January and already we’ve seen some pretty big security humdingers. From the Facebook worm through to Zappos, it would appear the hackers are constantly one step ahead. But even though Zappos affected 24 million customers, the biggest security talking point of 2012 to date has to be the Stratfor database.

For hackers, it was simply the Christmas gift that kept on giving. Having hacked the Texan-based database over the festive break, those responsible saw a seemingly never-ending run of headlines dominate the national agenda. For the UK, the game-changer was when The Guardian revealed that 221 British defence staff had been exposed as part of the hack. There were red faces all around. For whilst it is believed that staff would have different passwords to access more sensitive Whitehall information, it once again showed how easily static passwords can be snaffled, exposed and someone’s identity potentially stolen.

Yet passwords aren’t a new security ‘phenomenon.’ Indeed they’ve been around since the advent of the PC. The problem is that people don’t take them seriously enough. With headlines dominated by cyber crime, companies have invested in protecting their firewall. Put simply they’ve locked their houses, but left the windows open. It doesn’t matter how sophisticated your antivirus is, if a hacker has passwords then they can assume an authorised identity to wreak untold damage.

You might be reading this, thinking: really, are passwords all that important? Well, let me ask you a few questions. How do you secure users’ access to corporate information? How do you secure your IT systems? How do you check who is authorised to access what information? How do remote workers access the network? Yes, you guessed it – passwords. The reason that passwords are such a vulnerability is that human nature dictates not only that the password will not be selected at random but will have a personal connection to the user (something that any hacker can deduce within seconds), but also that for ‘ease’ they will use the same password and log-in for every application. Once you have one password, the entire corporate network opens up before you. And who is going to stop you? As far as the system is concerned, you’ve been authenticated.

The advent of tablet PCs and smartphones is only exacerbating the situation. Most users store email and company-sensitive information on mobile devices without giving it a second’s thought. Access to this data allows them to work on the move and keep pace with their colleagues during the working day. But what many people don’t realise is that most smartphones will automatically log you on to free Wi-Fi. Brilliant, who doesn’t love free Wi-Fi? You might think it’s easy and convenient, but for hackers free Wi-Fi spots make accessing sensitive information like taking candy from a baby. They can set up a rogue spot and, within seconds of you logging on, have not only users’ corporate passwords but also passwords for their mobile banking and Facebook accounts, amongst others.

In a world where hackers are scoring big wins, companies cannot afford to secure access to their systems with static passwords. Nor can they afford to be exposed by third parties they work with that have less than robust security policies in place. At the time of the hack Stratfor defended itself and stated that the passwords had been encrypted, but clearly this posed no obstacle for the hackers responsible. The only way to protect against such attacks is to implement one-time passwords and strong user authentication.

In the past many companies have dismissed two-factor authentication as too expensive to implement and manage or that it interferes with the user experience. Yet, that is no longer the case. The barriers of cost, complexity and management have been removed and now companies of any size can use it. For the price of a cup of coffee, businesses can now secure unlimited users, via multiple channels, whether that is through the cloud, smartphone apps or key fobs.

Stratfor once again demonstrates that despite all the hype of cyber security, passwords are a real threat to businesses around the world. How many more incidents must we read about before businesses move away from static passwords and start to better protect themselves and their customers against hackers?

Tuesday, 22 November 2011

Smartphones in the enterprise: A false sense of security

Security has been about evolution. First came the PC; big and clunky, it taught us about the importance of keeping the good guys in and the bad guys out. Then came the era of laptops and, well, losing them, which showed – at the expense of some very red faces – the importance of ensuring secure remote access. And now comes the new generation: the smartphone. Surely by now we’ve learnt our lessons from the past and are well prepared for the next iteration of security challenges that the move to mobility will bring with it?

Well, not quite. In many ways, it feels like Groundhog Day, with the same mistakes being played out. The 2011 Get Safe Online campaign kicked off with a warning aimed at educating consumers about the security scams out there targeting their smartphone. But with more and more smartphones being deployed in the corporate environment, arguably it is businesses that have the most to lose.

Smartphones have become the bedrock of any remote access strategy. Easy to use and intuitive, they enable staff to access email, download and work on attachments, and access corporate web and cloud-based applications such as Salesforce whilst on the move. But it is this very ease of use that lulls people into a false sense of security. Would you like it to remember your password for next time? Yes please. Would you like to enable automatic log on? Yes please. All these conveniences, designed to make our lives easier, only hasten the speed with which a hacker – or even someone who has found your lost device – can get into sensitive files or the corporate network and do damage.

For example, most mobile devices from tablet PCs to smartphones are set up to automatically search for and log onto the nearest WiFi hotspot. And who says no to free WiFi? But with some cheap equipment from a high street electrical store a hacker can set up a ‘fake’ WiFi spot and snaffle all the passwords they need to break into the corporate network using someone else’s identity in a matter of seconds. And as the lines between personal and professional use of smartphones start to blur, it is becoming even harder to mitigate the risks.

Most IT departments and security chiefs know that if their company rolls out iPhones, staff will download applications from the App Store. Until last week they were probably quite relaxed about this, as Apple has a ‘quality control’ process in place before apps can be sold and downloaded. But the discovery of a rogue app has shown that Apple’s processes are not foolproof. What looked like a harmless app was actually designed to unleash chaos. And what of Android? It is predicted by Ovum to gobble up a 25 per cent share of the enterprise market in the next five years. Yet its Market Place has no rules and no way of governing what applications are uploaded to it and made available to an unsuspecting public.

These are just two examples of how the commercially valuable information sitting on smartphones is vulnerable to attack from different angles. Like it or not, if your organisation has smartphones you’ve also got some serious security blind spots. It’s hard to think that one small device could have big security consequences, but it does. In many ways it is like embarking on security education all over again. The trend towards bring your own device (BYOD) is further muddying the water, but businesses should make no mistake – it is their responsibility to secure their data.

Right now, companies can’t validate whether people accessing the network are who they say they are. Instead they rely on static passwords to authenticate the person rather than one-time passwords, which are unique and cannot be reused once stolen. Traditional approaches to passwords are the weakest link in any security policy; companies shouldn’t continue to make the same mistake in the mobile world.

Monday, 31 October 2011

Spy Smartphone Software Tracks 'Every Move'

Tax rebates stolen by Revenue and Customs hackers – from today’s Sunday Times

Fraudsters have found a way to hack into government tax records and divert refunds meant for others into their own bank accounts.

An investigation by The Sunday Times has revealed that criminals are secretly examining HM Revenue & Customs’ records looking for anyone who has paid too much tax. They then change the details of the bank accounts into which the repayments are to be made.

Alternatively, the hackers file fictitious tax returns showing large overpayments directly into the HMRC computer in the names of genuine taxpayers, then ask for refunds.

Victims become aware of the scam only when they are officially contacted by HMRC and told an overpayment is being transferred into their account.

HMRC is now facing questions over its security procedures and how the hackers are able to infiltrate its records. Experts claim it has failed to react as promptly as the banks to the risk of online fraud.

Roger Symes, 53, a ship broker from Surbiton, in south-west London, received a letter last month from HMRC advising him of a refund. He said: “They gave details of a bank account into which they were paying the money, but it wasn’t my bank account.

“My accountant said he had the same problem with 18 other clients.” The refunds applied for were between £100 and £4,000.

The hackers are accessing the tax files using the sign-on and passcodes assigned to accountants who file clients’ tax returns online. How they are obtaining these security details is unclear. It is not known whether it is via computer attacks on individual accountancy firms or by breaching HMRC’s own systems.

One hacker who spoke to The Sunday Times this year said he had accessed HMRC’s systems and had been able to obtain details of agent sign-ons and passcodes. A security expert said the claim was credible but HMRC denied its systems had been compromised.

Once a hacker has an agent sign-in, he can read the tax records of all the accountant’s clients, amend them and change the bank account details. Accountants who have spoken to this newspaper said hackers have been accessing taxpayer records for at least two years.

Claire Savage, a chartered accountant in Milton Keynes, Buckinghamshire, spotted irregularities in one of her clients’ files in June last year.

She said: “I called him up to ask about his new bank account, which turned out not to be his at all. When I realised that security had been breached I went through all of my clients’ files. A fair chunk of them — around 10 — were affected, and repayments of up to £3,000 had been requested in each case.” None of Savage’s clients lost money to the fraudsters.

Ralph Hayden, a chartered accountant at GW Cox & Co in Frinton-on-Sea, Essex, said 41 of his clients had been affected by a similar scam, which was first noticed in November 2009.

He said: “HMRC said that it must be our systems that had been breached but we called in computer experts who confirmed that it definitely wasn’t.

“In most cases, a tax return had not yet been filed, so a false return was submitted. In others, their returns had been edited, so that a repayment was now due. HMRC were not advising their frontline staff in case it was an inside job.”

On a blog about HMRC, one taxpayer reveals that his accountant was also targeted. The posting states: “We recently returned from holiday to the news that 91 of our accountant’s client accounts had been hacked at the HMRC government gateway website.

“Hackers had accessed information on 91 individuals or organisations and had entered false end-of-year accounts in order to claim self-assessment refunds.

“We then received a letter from HMRC to advise us that the refunds were on their way to what we knew were false accounts. They actually paid out. HMRC now apparently know what they have done but to add insult to injury they have now started to send demands for repayment to the people [whose] accounts had been hacked.”

Unlike HMRC, the big banks ask customers conducting transactions online to provide additional passcodes for each financial transaction. These are generated by inserting a bank card into a hand-held reader provided by the bank.

Jason Hart, managing director of Cryptocard, a computer security company, said: “If you just had a static passcode, then once it’s compromised, you’re going to be a massive target for the fraudsters. It’s an invisible threat because they can get into your system at any time and you don’t even realise.”

Copyright 2009 Jason Hart.