ZebrAttack Creates Data Breach via Mobile OS, App Vulnerabilities

At the AVAR conference in November, with the help of coauthor and independent security researcher Song Li, we will present our findings of an emerging mobile threat vector.

We have found that in a group of popular retail apps, such as Costco’s and Walgreens’ apps for Android, when a QR code is scanned using the app’s scanning feature, the app will pull content from the QR code’s URL. (Costco has recently released an updated app in which the QR code-scanning feature has been removed.) These apps are supposed to determine that the URL is from a trusted source. However, unlike browsers that enforce the same-origin policy, the policy validation implemented by these apps can be bypassed with a carefully crafted QR code. Such a QR code can trick the app into pulling malicious code and execute it within the app. We have posted a snippet of this research to demonstrate how sensitive user information–such as phone number, SIM card number, and user geolocation–can leak to attackers when the QR code is scanned.

As reported recently, Android has surpassed iOS as the largest operating system for mobile and tablet devices. And we’re not surprised that mobile threats are growing as well. As of today, McAfee has collected more than 6 million unique APKs (not counting inner components), of which 49% are potentially unwanted programs (PUPs) or malicious.

android-app-pie-chartandroid-app-pie-chartandroid-app-pie-chartandroid-app-pie-chart

These APKs are signed by 495,000 unique certificates, indicating a large community of Android developers from both the legit market and the underground economy. We expect to collect more than 4 million accumulated legit Android apps by end of 2014.

android-app-pie-chartandroid-app-trendingandroid-app-trending
Total number of Android apps, with projections for 2014.

As Google continues to raise the security bar, malicious apps may find it harder to sneak into Google Play or other app stores. Attackers have apparently aimed at alternative attack surfaces. First, more than 50% of Android devices are still running on Android 4.2 or earlier, without fixes for the majority of disclosed Android vulnerabilities. Second, OEM layer vulnerabilities have been discovered as well. Finally, apps such as the QR scanning attack we discuss have been observed as the chief security bottleneck. With each of these Android developers having to support multiple versions of the OS and to meet the time-to-market challenge in this fast-moving mobile space, it is hard for all app developers to make security their priority.

We in security industry try to raise customer and developer awareness and provide solutions. At AVAR we will share our insights, especially in app and device reputation. For more observations on mobile security, refer to the McAfee Labs Threats Reports.

Many thanks to my colleague Brad Stark for providing insightful Android malware statistical data.

The post ZebrAttack Creates Data Breach via Mobile OS, App Vulnerabilities appeared first on McAfee.

Companies Trying to Sell Unnecessary Work Along With Needed Web Software Upgrades

When it comes to the security of websites, often the basic security precautions are not being taken. This year we have looked at data showing that many Joomla, Drupal, and WordPress based websites are not being updated in a timely manner, which leaves them at risk from vulnerabilities that have been fixed in subsequent releases. Companies involved with the development or maintenance of websites should be trying to do more to make sure that websites are kept up to date, but a couple of recent situations showed there are some companies out there trying to use people’s needs for updates as an opportunity to sell them unneeded work instead. Below we will take a look at those and provides some advice on preventing being taken advantage of in that type of situation.

Magento Doesn’t Require Incremental Upgrades

While recently discussing a Magento upgrade with a potential client they mentioned that they had tried a test of the upgrade that had had problems and that other companies that they had talked to had told them that the upgrade has to be done through a series of incremental upgrades to prevent that type of thing. That is, instead of going from their current version of 1.5 directly to 1.9 the website would need to be upgraded from 1.5 to 1.6 then to 1.7 then to 1.8 and finally to 1.9. When we heard that we were perplexed, not only are incremental upgrades not needed but in looking over lots of material on Magento upgrades (due to our having dealt with probably about everything that can go wrong with a Magento upgrade) we have never even seen doing that suggested. It also wouldn’t have had any impact on the problems they had. Doing those incremental upgrades was going to increase the cost of the upgrade, which seems to be why the companies would be claiming it was needed.

If incremental upgrades were needed you would expect it to be in the official upgrade documentation, which it isn’t. To better understand why that isn’t needed lets break down the upgrade. The upgrade involves changing two things:

The first is replacing the old Magento files with the new ones. If you directly upgrade to the new version or do incremental upgrades you will end up with the same files in use. The incremental upgrade might leave some left over files that are not used in the new version. So for this part of the upgrade the incremental approach adds nothing.

The second is updating the database to make it compatible with the new version of Magento. Magento will automatically make all the necessary updates from the version were running to the new version. So doing incremental upgrades would just split up the updates, but the end result would be the same updates running. We have never had any problem with database update caused by going directly from as far back as version 1.3.x to the latest version, 1.9.x. It is true to that sometimes servers have problems running through all the database updates, but there are better options for handling that then doing a bunch of incremental upgrades (doing the database portion of the upgrade on a separate server is very effective workaround provided you do this in your test of the upgrade first to insure it doesn’t cause any complications).

Websites Don’t Just Fail and You Can Upgrade Older Zen Cart Versions

The second situation was a lot more troubling. We were first contacted by a potential client about getting a quote for a Zen Cart upgrade and then they wanted quote to replace the store with a new Zen Cart installation. When we asked what was wrong that they needed a new Zen Cart installation they explained that another company had told them that their current Zen Cart installation “will fail and I will wake up one day and it will be gone” and they would need a whole new one. The idea that the website would just fail one day sounds quite scary, but it isn’t true. Websites don’t just fail like that. The only situation we could think of where something close to like that is if a web host upgrades to a newer versions of PHP then older versions of Zen Cart will stop functioning. That can prevented by upgrading to a newer version of Zen Cart. So why couldn’t they just upgrade? Well the other company was claiming that there Zen Cart installation was to old to upgrade. We have no idea why they would say that since the version in use, 1.3.9f, is much newer than versions we frequently do upgrades from. Either the other company, which portrayed themselves as Zen Cart specialists, didn’t have any idea what they are doing or they trying to trick people into unneeded work.

Protecting Yourself

There are two good options to make sure you don’t get taken advantage of in situations like this. First, when you are looking into having an upgrade done contact multiple companies to discuss what they would do in the situation. In these cases when the suggested unneeded work was brought up we were able to explain why it wasn’t needed. The second is to ask in the forum for the software if what the company is telling you is accurate. From what we have seen the information in those forums is generally accurate and in the type of situations we described we are sure someone would have explained that what is being said by the companies isn’t true.

After hacking, Apple to send out more security alerts to users

Apple plans to send out more e-mails to alert users of a potential security risk following the hacking of celebrities’ iCloud accounts.

Apple CEO Tim Cook told the Wall Street Journal on Thursday that users will soon be able to receive e-mail notifications when iCloud data is restored. Apple already sends e-mails to users when a new password is requested, when a password is changed, or when an account is used on a new device for the first time.

The company will start to send out the new notifications in two weeks, according to the WSJ. It will also expand the two-step verification process—which requires a separate code or a key in order to login to an account—to include access to an iCloud account on the new iOS.

Read 3 remaining paragraphs | Comments