PBS Logo grey for Mojave dark mode

Security Bits – 3 May 2019


  • Marcus Hutchins, the young security researcher who shot to fame by killing the WannaCry malware and then to infamy when he was arrested and charged with cyber crimes while traveling to the US to present at a security conference, has pleaded guilty to writing and selling banking malware. The offences pre-date his work as a security researcher, so it does appear he did turn over a new leaf and switch has black hat for a white one, but not quickly enough — krebsonsecurity.com/… & nakedsecurity.sophos.com/…
  • 🇺🇸 The NY attorney general is investigating Facebook over their ‘inadvertent’ stealing of users’ address books when they inappropriately asked them for their email usernames and passwords when creating a Facebook account (as discussed in the previous Security Bits) — nakedsecurity.sophos.com/…
  • Details stolen in the Microsoft email data leak reported in the previous Security Bits are being used to steal cryptocurrency — nakedsecurity.sophos.com/…

Security Medium 1 — 3rd-Party Parental Control Apps on iOS

We recently saw the dangers of corporations abusing iOS features intended for internal company use being used in consumer apps when Facebook and Google abused Apple’s Enterprise Developer Program to give their analytics apps staggering power to spy on users who agreed to side-load the apps and install their matching configuration profile. When news broke of the dodgy apps, Apple responded by revoking the developer certs and cracking down on inappropriate users of enterprise developer certs in general.

It turns out the Enterprise Developer Program was not the only enterprise feature being abused.

Mobile Device Management, or MDM, is a suite of APIs that is starting to standardise across OSes which is designed to allow enrolled devices to be centrally controlled. MDM is designed to allow organisations to manage fleets of mobile devices they own. When a device is enrolled in an organisation’s MDM service that organisation’s IT department effectively get total control over that device. They can impose security requirements above and beyond what the OS requires by default, like requiring a long alphanumeric password. They can push settings to the devices, including settings for specific apps, and they can even push apps to the devices. They can also impose restrictions on feature and app usage, perhaps disabling the camera, or restricting browsing to certain well-trusted sites. A device enrolled in an organisation’s MDM service can even be remotely wiped by the IT department.

It’s difficult to overstate the amount of power an MDM service operator has over-enrolled devices.

So, a corporate context, MDM is a sensible and necessary tool. But it has no place in a consumer app! The fact that MDM APIs allow control over apps means some developers have used MDM to implement non-standard parental control features. Users of these consumer apps must enroll them into an MDM service operated by the software vendor, effectively giving that vendor total control over thousands of devices they do not own.

To say this is open to potential abuse is putting it mildly!

Apple became aware of this behaviour some time ago, and have been quietly working to remove these abuses of MDM from the app store.

Why talk about this now? Because the NYT wrote a click-bait article that tried to spin this story into a scandal about Apple prioritising their own apps over third-party apps. The article is deeply flawed journalistically, and commits the cardinal sin of excerpting a statement from Apple for the piece so it omitted key points.

Basically, Apple took pro-active action to nip a potentially very dangerous privacy and security problem in the bud, and the NYT tried to turn it into a scandal. Of course, had Apple not taken action to protect users, they would have been rightly pilloried in the press for not protecting children!


Security Medium 2 — Understanding Today’s CyberCrime Economy

The Black Market for Credit Cards is Changing

One of my favourite catch phrases is ‘follow the money’. If you want to understand human behaviour, figure out who getting paid by who for what!

Two stories broke this week that shed light on how cybercriminals are making money in 2019, and what that means for us.

Firstly, the fact that the US is finally moving away from mag stripe credit cards to chip and pin is having massive effects on the stolen credit card markets. Card skimming is becoming much less lucrative, because it only works in places that will accept a mag stripe card. This is driving a resurgence in so-called ‘card not present’ credit card fraud. What this means in practical terms is that there is much less money to be made from compromising credit card terminals in physical stores (like Target), and much more money to be made in stealthy long-term compromises at online organisations that take card payments (like hotels).

You can read more about this change at Krebs on Security — krebsonsecurity.com/…

Password Reuse Now Powers a Mature Cybercrime Industry

Secondly, security researchers have described in detail the underground market place for username and password combinations. The picture that emerges is of a well developed and mature industry which uses leaked passwords as its raw materials.

This black-market economy works something like this. Firstly, password breaches are so ubiquitous that anyone can trivially get their hands on a database of millions of username/email and password combinations. Using these as their raw material, attackers automate bulk-testing of these credentials against high-value sites in the knowledge that many people re-use passwords. Whenever they find a match they immediately log out, leaving as. few digital footprints as they can. These known-good logins are then sold on black market places.

This kind of mass-testing of leaked credentials from other sites against popular sites has been named credential stuffing.

You can read more about this impressively resourced and lucrative underground industry in this report — The Economy of Credential Stuffing Attacks — www.recordedfuture.com/…. Security Now Episode 712 goes through this same report in some detail — www.grc.com/…

The bottom line is that password re-use is absolutely not conscionable anymore in 2019 — if you’re still doing it you’re putting yourself a great risk, and you’re helping fund dangerous cybercriminals, which is bad for our entire global society.

Security Medium 3 — Facebook Rolls Out a New Look with a New Privacy Focus

Mark Zuckerberg revealed a new design for Facebook’s interface at this year’s F8 Facebook developer conference. The new interface aims to steer users towards using private group chats rather than making public postings. Zuckerberg’s presentation was entirely themed around privacy, and he repeatedly stressed that private chats will be end-to-end encrypted so Facebook will not be able to see the content of the conversations.

Clearly, Facebook have realised that they are losing the PR battle when it comes to privacy and that they have to make changes. But what does this really mean?

Does it mean Facebook are fundamentally changing their business model? If they can’t read everything their users type into the service, can they maintain their profile-building and ad-selling business model? Yes, absolutely!

The actual content of communications is not actually all that valuable when it comes to building out user profiles, what’s really valuable is the context, and Facebook are losing none of that. They will know who you are talking to, when, and for how long. They know what humans you have relationships with, what organisations you have relationships with, and they are still following you all over the web at all times thanks to their ubiquitous ‘like’ buttons and tracking cookies.

You can even argue that moving conversations from public to private is a big win for Facebook, because they can’t be expected to police or moderate end-to-end encrypted communications they can’t even see! Policing a virtual town square is proving to be a challenge, but there’s no expectation on Facebook to police virtual homes.

When you follow the money, what you find is that nothing has really changed. Facebook is still FreePI — their customers continue to be advertisers, and their product continues to be their users’ profiles and attention.

Speaking of money — Facebook’s earnings were released this week, and despite all the recent scandals, their earnings are up! Clearly, we cannot rely on market forces to protect users by punishing Facebook financially for bad behaviour. If you think about how Facebook make their money, that actually makes perfect sense. Invading users privacy does not make Facebook less valuable to advertisers, it makes them more valuable!


Notable News

Suggested Reading

Palate Cleansers

  • 🎦 Watch the great computing pioneer Grace Hopper explain her famous portable nanosecond – www.loopinsight.com/…
  • 🔈 A thoughtful discussion of the effect social media is having on elections around the world on BBC World’s The Real Story podcast — overcast.fm/…
  • 🔈 The fascinating story of the CAPTCHA explained on the great Planet Money podcast — overcast.fm/…

Note: When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top