Category Archives: Software Development

Is Your Mobile Phone App Secure? Probably Not!

More than three-fourths of mobile banking vulnerabilities can be exploited without physical access to the phone.

A new report from Positive Technologies has a number of sobering facts:

  • 100 percent of mobile banking apps contain code vulnerabilities due to a lack of code obfuscation.
  • NONE of the mobile banking apps tested had an acceptable level of protection
  • Attackers can access user data on almost all tested apps
  • In 13 out of 14 apps, hackers can access data from the client side
  • Half of the banking apps studied were vulnerable to fraud and funds theft
  • Hackers were able to steal user credentials from five out of seven banks tested

And the list goes on.

From the perspective of being a user of apps, this is a bit disconcerting.

From the point of view of being a company who may be developing apps, this is a bit of a wake-up call.

If you think about the amount of developer support that big banks have and they are still not developing secure apps, what does that mean for small to medium size companies that do not have that infrastructure?

As a user you are kind of dependent on the developers to do it right and it does not appear that the developers are doing such a good job at that. You can look at reviews, but that is of limited value.

If you are using the apps for your company, you can and should test the application’s security and if the app contains sensitive data or acts as an interface to sensitive data, that is probably not optional.

If you are writing apps or, just as importantly, paying others to write apps on your behalf, there are, at least, two things to do.

Make sure the development team has a well implemented secure software development lifecycle (SSDL) program. Don’t just trust the developers when they say sure, we do. Verify that. If you need help either developing or testing a secure software development lifecycle, give us a call.

Second, if you are not already conducting application penetration tests for every major release of applications that you develop or have developed for you, you need to start doing that. Yes, that costs money. But so does having a breach. If your app accesses data of California residents, remember that they can now sue you for $750 per record compromised without showing that they were damaged.

A 1,000 record breach equals a $750,000 liability. Not counting attorney’s fees and reputation damage. You can do a lot of testing for that amount. 1,000 records is a tiny breach. You are not Capital One, but their breach exposed 105 million records. You do the math.

The maturity level of developing apps today is similar to the maturity level of developing web software in around the year 2000. That alone should scare you.

Some questions you can ask your development team:

  • Do you have a dedicated software testing staff?
  • Are they trained to test software for SECURITY FLAWS or only for functionality?
  • Are you using automated testing tools?
  • Are your developers trained to develop software securely?
  • Does the development team have a security development manual? Something that is written down and part of their business process?
  • Who signs off on the security of apps before release? What is their security expertise?

The evidence is that app security is not so great. What are you doing to improve it? Credit: SC Magazine

Security News for the Week Ending June 19, 2020

Akamai Sees Largest DDoS Attack Ever

Cloudflare says that one of its customers was hit with a 1.44 terabit per second denial of service attack. A second attack topped 500 megabits per second. The attackers used a variety of amplification techniques that required some custom coding on Akamai’s part to control, but the client was able to weather the attack. Credit: Dark Reading

Vulnerability in Trump Campaign App Revealed Secret Keys

Trump’s mobile campaign app exposed Twitter application keys, Google apps and maps keys and Branch.io keys. The vulnerability did not expose user accounts, but it would have allowed an attacker to impersonate the app and cause significant campaign embarrassment. This could be due to sloppy coding practices or the lack of a secure development lifecycle. Credit: SC Magazine

FBI and Homeland Use Military-Style Drones to Surveil Protesters

Homeland Security has been using a variety of techniques, all likely completely legal, to keep track of what is going on during the recent protests.

Customs (part of DHS) has Predator drones, for example. Predator drones have been used in Iraq and other places. Some versions carry large weapons such as missiles. These DHS drones likely only carry high resolution spy cameras (that can, reportedly, read a license plate from 20,000 feet up) and cell phone interception equipment such as Stingrays and Crossbows. Different folks have different opinions as to whether the same type of equipment that we use to hunt down terrorists is appropriate to use on U.S. soil, but that is a conversation for some other place. Credit: The Register

Hint: If You Plan to Commit Arson, Wear a Plain T-Shirt

A TV news chopper captured video of a masked protester setting a police car on fire. Two weeks later, they knocked on her door and arrested her for arson.

How? She was wearing a distinctive T-Shirt, sold on Etsy, which led investigators to her LinkedIn page and from there to her profile on Poshmark. While some are saying that is an invasion of privacy, I would say that the Feds are conducting open source intelligence (OSINT). The simple solution is to wear a plain T-Shirt. If you are committing a felony, don’t call attention to yourself. Credit: The Philly Inquirer

Ad-Tech Firm BlueKai has a bit of a Problem

BlueKai, owned by Oracle, had billions of records exposed on the Internet due to an unprotected database. This data is collected from an amazing array of sources, from tracking beacons on web pages and emails to data that they buy from a variety of sources. Apparently the source of the breach is not Oracle itself but rather two companies Oracle does business with. They have not said whether those companies were customers, partners or suppliers, and they haven’t publicly announced the breach. If there were California or EU residents in the mix, it could get expensive. The California AG has refused to say whether Oracle has told them, but this will not go away quietly or quickly. Credit: Tech Crunch

Bug in Git Software Could Make Software Repositories Vulnerable

Git, the software used by millions of software developers to manage their source code – the crown jewels of most corporations – is vulnerable to two different attacks.

The first bug would allow a malicious attacker to overwrite code in folders where they should not be.

The second bug allows an attacker to read arbitrary memory and applies across development platforms.

How much damage can be done is unknown, but the likely scenario is that a large percentage of responsible development teams will update their Git software, while a surprisingly large number will not, and that is where the attackers will head.

So, what should you do?

There is a patch for multiple versions of Git. We are starting to see more of this as serious bugs appear and the developers know that people have not updated to the current version.

Patches are available for versions 2.13(.7), 2.14(.4), 2.15(.4), 2.16(.4) and 2.17.1 (2).

Microsoft is telling developers to download 2.17.1 (2) and has blocked malicious repositories from being uploaded to Visual Studio Team Services. How, exactly, they know what is malicious they are not saying. They also say that they will be releasing a patch “shortly” for Visual Studio. Hopefully shortly is just a few days.

Linux platforms like Debian are updating their software to use the new version of Git and are telling folks to upgrade.

Bottom line, if you are a software developer and use Git, it is time to upgrade.

Information for this post came from The Register.

Application Security – The Neglected Threat

When companies like Microsoft or Oracle develop software, they have massive teams whose only job is to try and find bugs in the software. They have also made significant investments in automated tools to help with software quality assurance. Still, Microsoft usually patches 10-20 new bugs month after month. Oracle often patches 100 bugs a quarter.

Given these companies’ results in spite of major investments in technology and people, what does that mean for the average software development shop that doesn’t have the tools, personnel or budget that these major software shops have?

Security Compass, a Canadian company that assists Fortune 500 companies with software security issues, conducted a study of financial institutions’ application security practices.

Here are some of the findings of the report:

  • While most financial institutions have created security development lifecycle practices, very few of them can actually validate how well they are doing at following them.
  • Three out of four rate application security as a critical or high priority
  • 89% use the BSIMM (Building Security In Maturity Model) while almost all of the others use some form of framework or standard.
  • When it comes to metrics to measure how effective these frameworks are, most do not have a robust KPI measurement process. Many measure raw vulnerability counts (77%), which is a very basic measurement.
  • Less than half measure how long it takes to fix bugs.
  • Only a little more than a third track whether developers actually use the security tools called for in the policies.
  • The study showed that 58% of the banks use some third party software, but less than half of the financial institutions require their vendors to have a security development lifecycle process or even an application security policy.

These results are from financial institutions, where security and process are usually front and center. If this is the reality for organizations which have a high security awareness profile, how does the average organization rank on security process and practices? Likely, those organizations don’t rank very well.

Smaller development shops – say with fewer than 50 developers – likely don’t have a security development lifecycle (SDLC) process at all. They likely don’t have automated tools to detect bad coding practices and they likely have a small (to no) quality assurance department. If they do have a software QA department, that department is likely looking for functionality problems and not security issues, and is not trained to find security problems.

If the software is developed under a development contract, that contract likely does not specify the requirements for an SDLC process or for any of the other security processes that large software development shops have.

In addition, they likely do not conduct third party, independent, penetration tests to attempt to find those security issues.

As a result, it is likely that those custom applications are a hacker’s dream gateway into your organization and you likely will never know.

Companies that develop their own custom software – including web sites – or contract for its development need to up their game if they want to keep hackers out. If they don’t, the hackers will continue to quietly thank them.

Information for this post came from Dark Reading.

Symantec Anti Virus Security Problems Exposed

Anti Virus software has long been a concern of the security community. While it endeavors to protect the user’s workstation, in order to do its job it requires a lot of system level permissions. This week, at least with Symantec, that came home to roost.

Tavis Ormandy, a researcher from Google, announced that he’d found numerous critical security vulnerabilities in Symantec’s suite of anti-virus software. That suite covers 17 enterprise software products and 8 consumer and small business products.

While some of the bugs are simple, others are quite fatal and would allow an attacker to remotely control the user’s computer.

One bug would allow the attacker to take over an entire enterprise by just sending an infected file or malicious link – without the user ever doing anything. This is because the anti-virus software has to open files and links when they arrive to see if they are malicious, and that code has the flaws in it.

Ormandy says these flaws are “as bad as it gets”. He is the guy who has made a career out of finding security holes in security software. His previous finds include FireEye, Kaspersky, McAfee, Sophos and Trend Micro – pretty much everyone in the anti-virus business and then some.

While we do not know how actively hackers and foreign governments are exploiting these vulnerabilities, they probably will now if they have not been doing so in the past.

What is not clear is why these vulnerabilities exist. After all, security companies, more than anyone else, should understand the problem of vulnerable software. Yet, apparently, they do not.

Chris Wysopal of software testing vendor Veracode had a number of comments to make about the situation. He thinks that at least some of these vulnerabilities would have been detected by the software testing products his company makes.

Symantec has now patched these vulnerabilities, but that doesn’t mean that customers have applied these patches. It also doesn’t mean that there aren’t other vulnerabilities not yet detected.

And since most of this code from Symantec and other vendors like them runs with very high privileges, this software is more likely to put your system at risk than, say, a word processor.

At a minimum, everyone needs to make sure that their anti-virus software is patched as soon as the patches are released. When they are released to you, they will be released to the hackers as well.

Ormandy says that maybe the anti-virus vendors did not understand that they had a problem, but I have a hard time believing that. More likely, they figured that they could get away with not spending too much effort on testing their software. Mr. Ormandy is on a mission to prove that theory wrong, and I think he is doing pretty well at that mission.

Information for this post came from Wired.

Newly Discovered Windows Bad Tunnel Attack Has Been Around For 20 Years

A Chinese researcher has “discovered” a Windows flaw which affects all versions of Windows released in the last 20 years. It does not require installing malware and it can be executed silently with near perfect success.

While no one seems to be saying this, I wonder if the Chinese have known about this attack for years or decades and just now, for some reason, are making it public.

Yu says BadTunnel is basically a technique for NetBIOS-spoofing across networks: the attacker can get access to network traffic without being on the victim’s network, and also bypass firewall and Network Address Translation (NAT) devices.

It can be exploited via Office, Edge, Internet Explorer and some third party apps.

Without going into a lot of details, here is how it works. The researcher is going to present a paper on the attack at Black Hat.

BadTunnel exploits a series of security weaknesses, including how Windows resolves network names and accepts responses; how IE and Edge browsers support webpages with embedded content; how Windows handles network paths via an IP address; how NetBIOS Name Service (NBNS) NB and NBSTAT queries handle transactions; and how Windows handles queries on the same UDP port (137) — all of which, when lumped together, make the network vulnerable to a BadTunnel attack.

Since it affects all versions of Windows released in the last 20 years, including desktops and servers, installing the patch ranks as “pretty important”.

If for some reason you cannot install the patch, make sure you disable all Netbios traffic through your firewall.
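One defender-side check that follows from the description above: NBNS name answers (NB or NBSTAT records on UDP 137) should only ever come from hosts on the local segment, so an answer whose source address is outside your subnet is worth alerting on. This is an added example, not code from the original post or from the researcher; the packet builder exists only to construct sample input, and the parser reads just the header and the first record of each datagram.

```python
import ipaddress
import struct

# NBNS record types named in the post; the service itself lives on UDP 137.
TYPE_NB, TYPE_NBSTAT = 0x0020, 0x0021

def encode_nb_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding: pad to 15 chars, add suffix byte, write each nibble as 'A'+nibble."""
    raw = name.ljust(15).encode("ascii") + bytes([suffix])
    return bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))

def decode_nb_name(enc: bytes) -> str:
    """Reverse first-level encoding of the 32-byte name; byte 16 is the suffix and is dropped."""
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip()

def build_nbns(txid: int, is_response: bool, name: str, rtype=TYPE_NB, ip="0.0.0.0") -> bytes:
    """Constructed sample builder: DNS-style 12-byte header, then one question or answer."""
    flags = 0x8500 if is_response else 0x0110          # QR|AA|RD for answers, RD|B for queries
    hdr = struct.pack("!6H", txid, flags, 0 if is_response else 1, 1 if is_response else 0, 0, 0)
    rec = b"\x20" + encode_nb_name(name) + b"\x00" + struct.pack("!HH", rtype, 1)
    if not is_response:
        return hdr + rec
    rdata = b"\x00\x00" + ipaddress.ip_address(ip).packed   # NB flags + IPv4 address
    return hdr + rec + struct.pack("!IH", 300, len(rdata)) + rdata

def parse_nbns(payload: bytes) -> dict:
    """Read transaction id, QR bit, and the name/type of the first record in an NBNS datagram."""
    txid, flags = struct.unpack("!HH", payload[:4])
    if payload[12] != 0x20:
        raise ValueError("expected a 32-byte first-level encoded name")
    rtype = struct.unpack("!H", payload[46:48])[0]      # name (13:45), terminator (45), TYPE
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "name": decode_nb_name(payload[13:45]), "type": rtype}

def flag_offnet_responses(packets, local_net: str):
    """Return (src_ip, name, txid) for NB/NBSTAT answers whose source is outside local_net."""
    net = ipaddress.ip_network(local_net)
    hits = []
    for src_ip, payload in packets:
        rec = parse_nbns(payload)
        if rec["is_response"] and rec["type"] in (TYPE_NB, TYPE_NBSTAT) \
                and ipaddress.ip_address(src_ip) not in net:
            hits.append((src_ip, rec["name"], rec["txid"]))
    return hits

# Constructed sample traffic as (source IP, UDP 137 payload); only the last entry should be flagged.
SAMPLE_PACKETS = [
    ("192.168.1.10", build_nbns(0x1A2B, False, "FILESRV")),                    # local query
    ("192.168.1.20", build_nbns(0x1A2B, True, "FILESRV", ip="192.168.1.20")),  # local answer
    ("203.0.113.7", build_nbns(0x1A2B, True, "FILESRV", ip="203.0.113.7")),    # answer from off-net
]
```

Run `flag_offnet_responses(SAMPLE_PACKETS, "192.168.1.0/24")` against captured UDP 137 payloads to list answers that did not originate on the local subnet.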

The interesting thing about this is that this bug has been around for 20 years, which means that the affected code, including that in Windows 10, is 20 years old. This goes back to my soap box conversation about software supply chain security. This is just another example of how the software libraries that you integrate into your new code (like the old Netbios libraries into Windows 10) can come back to haunt you in a serious way.

Information for this post came from Dark Reading.