Keylogger Revealed in the Apple iOS Ecosystem

February 25, 2014

In the course of their daily grind, Financial Security professionals dealing with the current BYOD fever often refer to risks associated with the use of unmanaged endpoints in business operations — especially when this involves using consumer-oriented unmanaged tablets and/or phones running Android or iOS.  A special subset of that risk involves the theft of company credentials — generally still a username/password pair.  Once those credentials are ‘owned’ by hostile actors, a targeted organization is at elevated risk along every dimension associated with the ‘real’ worker’s role.  For example, a hostile who possesses the credentials of the chief financial officer, treasury personnel, a database administrator, a server administrator, or another individual with elevated rights can (in theory) perform all the activities authorized for that individual — which would result in material risk to your organization.  Risk management professionals and decision-makers at all levels need to keep these risks in mind as they evaluate the appropriateness of BYOD for their organization(s).

In the last month, two separate research teams (from Trustwave and FireEye) have produced proof-of-concept apps to exploit an iOS flaw that allows a hostile party to record every tap and keystroke made on an Apple iOS device — jailbroken or not.  This type of software has been around in the Android marketplace for some time.  But Apple and its ‘marketers’ have been adamant that various features of the iOS operating system architecture provide overlapping layers of protection to prevent this type of activity, and as a final backstop their (opaque) App Store app review practices effectively eliminate the risk of overtly hostile software successfully behaving in a hostile manner in the iOS ecosystem.  In other words, “just trust us…”  A recent example of ‘analysis’ of this type — stating that “there is essentially no iOS malware” — might include “Defending Data on iOS 7.”

Security researchers have identified a vulnerability which allows malicious actors to log your taps & keystrokes (X-Y coordinates) before sending that data to a remote server of their choice.

Mobile specialists on staff of security company FireEye have been collaborating with Apple after creating a proof-of-concept app, and deploying it through the production Apple App Store review process without detection, and then having it successfully exploit a non-jailbroken iOS 7 device after downloading and installing from Apple’s App Store.

In practice, the ‘keylogging’ would be an ‘added feature’ in an otherwise ‘reasonable’ app, and a hostile party would use phishing or other social engineering to mislead victims into installing their software.  Another route would be to exploit another remote vulnerability in iOS itself or in another app to begin the malicious app download process.

According to the authors, the exploit works on non-jailbroken modern iOS devices, including iOS 7.0.5, 7.0.6 and 6.1.x.

In the context of the recent iOS SSL vulnerability — something that any reputable static code security analysis product or service would have caught — it is difficult to support Apple’s opaque ‘trust us…’ approach to security details.  I believe that Apple is going to have to be much more transparent to win over the Financial Services markets.

The exploit takes advantage of the exceptions Apple allows to the iOS “Background App Refresh” setting. Security-conscious users can use Settings to ‘disable’ a specific app’s background refreshing. App authors, though, are allowed to bypass the user’s wishes. One example is permitting an app to play music in the background without turning on its ‘Background App Refresh’ switch. It appears that in this case, the proof-of-concept app may have disguised itself as a music app to conduct background monitoring. MDM vendors also deploy apps that exhibit analogous behaviors under this ‘backgrounding exception.’ Even when an iOS device is set to deny all ‘Background App Refresh,’ the MDM app will continue to run, examining the local device and ‘calling home’ with the results of that assessment.
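The ‘backgrounding exception’ described above is visible in an app bundle’s Info.plist: an app that wants to keep running while not in the foreground must declare one or more UIBackgroundModes values (the “audio” mode is the one a music app uses). The following is an added example, not code from the original post or from the FireEye or Trustwave researchers, of the kind of app-vetting check an MDM or internal app-review team could run over an app’s Info.plist. The bundle identifiers and plists below are constructed for the demo; the list of mode names is Apple’s documented set, but which modes a given app legitimately needs is a reviewer’s judgement, which the `expected_modes` parameter (an assumption of this example) stands in for. A declared mode does not prove abuse; it tells a reviewer where to look, which is exactly the gap the post says App Store review did not close.

```python
"""Flag iOS app bundles whose declared background modes do not match their purpose."""
import plistlib

# UIBackgroundModes values that let an app execute while not in the foreground.
BACKGROUND_MODES = {
    "audio": "plays or records audio in the background",
    "location": "receives location updates in the background",
    "voip": "VoIP; can be woken to handle incoming calls",
    "fetch": "periodic background fetch",
    "remote-notification": "woken silently by push notifications",
    "external-accessory": "talks to accessories in the background",
    "bluetooth-central": "Bluetooth central role in the background",
    "bluetooth-peripheral": "Bluetooth peripheral role in the background",
    "newsstand-content": "Newsstand content download",
}


def background_modes(info_plist_bytes: bytes) -> list:
    """Return the UIBackgroundModes an Info.plist declares (empty list if none)."""
    info = plistlib.loads(info_plist_bytes)
    modes = info.get("UIBackgroundModes", [])
    return [m for m in modes if isinstance(m, str)]


def review_app(info_plist_bytes: bytes, expected_modes=()) -> dict:
    """Compare declared background modes with what the reviewer accepts for this app.

    expected_modes: hypothetical allow-set for the app's stated purpose, e.g.
    {"audio"} for a music player. Anything else is flagged for manual review.
    """
    info = plistlib.loads(info_plist_bytes)
    declared = set(background_modes(info_plist_bytes))
    unexpected = sorted(declared - set(expected_modes))
    return {
        "bundle_id": info.get("CFBundleIdentifier", "<unknown>"),
        "declared": sorted(declared),
        "unexpected": unexpected,
        "reasons": [BACKGROUND_MODES.get(m, "undocumented mode") for m in unexpected],
        "needs_review": bool(unexpected),
    }


def _sample_plist(bundle_id: str, modes) -> bytes:
    """Build a constructed Info.plist for the demo (not a real app)."""
    data = {"CFBundleIdentifier": bundle_id, "CFBundleName": "Demo"}
    if modes:
        data["UIBackgroundModes"] = list(modes)
    return plistlib.dumps(data)


# Constructed sample bundles: a plain utility, a music player, and a "notes"
# app that declares audio and location modes it has no obvious reason to need.
CALCULATOR = _sample_plist("com.example.calc", [])
MUSIC_PLAYER = _sample_plist("com.example.music", ["audio"])
SUSPECT = _sample_plist("com.example.notes", ["audio", "location"])

if __name__ == "__main__":
    for plist, expected in ((CALCULATOR, ()), (MUSIC_PLAYER, {"audio"}), (SUSPECT, ())):
        print(review_app(plist, expected))
```

Run against real bundles, the plist would be read from `Payload/<App>.app/Info.plist` inside the .ipa (binary plists are handled by `plistlib.loads` as well). The check complements, rather than replaces, the user-side mitigation in the post: an app with no background mode still runs until it is swiped out of the task manager.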

As we have mentioned before on this blog, the Android app marketplace is still an ‘elevated security risk muddle,’* and there is no ‘Apple security magic.’ Apple has an excellent record of managing their image, but an uneven record at implementing real, or Financial Services-grade resistance to hostile actors.

Until Apple figures this one out, iOS users can avoid at least some of this risk by using the iOS task manager to stop unnecessary apps from running in the background. This will prevent a range of potentially elevated-risk monitoring that might be occurring.** iOS 7 users can press the Home button twice to enter the task manager and see preview screens of open apps, then swipe an app up and out of the preview to stop unnecessary or suspicious applications running in the background.

*Technical term.
**Remember, an MDM agent is a ‘trusted’ app and is used to qualify endpoints for some types of access to private infrastructure. If your company requires a given MDM agent, I recommend that you let it continue to run.
“Researcher Creates Malware to Captures Every Tap on Your Smartphone or Tablet.” By David Gilbert , January 31, 2014

“New iOS flaw makes devices susceptible to covert keylogging, researchers say — Proof-of-concept app in Apple’s App Store sent keystrokes to remote server.” By Dan Goodin – Feb 24 2014

“Background Monitoring on Non-Jailbroken iOS 7 Devices — and a Mitigation.” By Min Zheng, Hui Xue and Tao Wei, February 24, 2014

“Defending Data on iOS 7. Version 2.0″ by Rich Mogull, Securosis.

Open Source CMS in Financial Services?

January 11, 2014

I ran a small personal blog on Drupal for a number of years. Drupal can dramatically simplify some categories of web content management compared to competing technology options.

A quick job search this evening for financial services openings involving Drupal in New York suggests a range of banking, finance, investments, and insurance organizations use this stack today.

Drupal is an open source content management platform powering millions of websites and applications. It is built, used, and supported by an active and diverse community of people around the world. It is written in PHP, uses a MySQL database, and supports a range of other emerging web technologies.

One reason I drifted off my Drupal platform involved the level of effort required to keep it updated and patched as new security vulnerabilities and exploits were published.

Drupal has a well-established record of moderately-critical and critical security vulnerabilities. This is not necessarily a bad thing. There is an active Drupal security team using relatively well-documented processes, operating with an exemplary level of transparency.

In 2013 there were 3 major collections of remotely-exploitable critical & highly-critical vulnerabilities in the Drupal core, as well as 97 (mostly) remotely exploitable vulnerabilities in Drupal extensions.


  1. Running a Financial Services web site on Drupal with a range of typical features & integrations involves the same range of risk management obligations as with any other technology stack. As a result, security needs to be built into your software development lifecycle end-to-end — from requirements-gathering & architecture, through configuration, deployment & operations, and every step in between.
  2. We need to develop & document a set of core company-standard coding conventions & formal standards that attempt to incorporate exploit resistance and attack-awareness, along with security-centric logging/alerting/alarming/reporting practices throughout all Drupal-hosted application content (code, templates, configurations, CSS, etc.). If your organization does not support PHP development today, Drupal will drive you to PHP support. Building out a secure coding practice for a programming language without legacy support in your organization will require a non-trivial investment. The Drupal security team maintains code-level security guidance at:, which should help bootstrap company-specific efforts; those efforts should then be integrated into all code/configuration activities.
  3. We need to use careful, thoughtful, skeptical and paranoid security code reviews of all ‘code’ & configuration changes prior to deployment.
    Organizations should also invest in a regular service of centralized security code analysis, along with security assessments in a deployed context, and ‘certification’ of Drupal modules — permitting only ‘certified’ or approved modules in production and pilot environments. This type of review does not guarantee risk-free operations, but it would help to demonstrate Financial Services-grade due diligence and deliver a certain degree of safety in the module code. Some static security code analysis SaaS vendors support PHP, which can help with your staffing challenges here.
  4. We need to have enough trained technical and leadership personnel on deck at all times in order to react efficiently & effectively to security advisories or exploit announcements that require relatively-immediate site and/or code changes.
  5. Finally, revisit the first recommendation above and follow through across your entire SDLC. That said, we also need to invest in ongoing platform penetration testing & web application vulnerability assessments in order to ensure that we are not exposed to a known or not-yet-announced vulnerability. Again, SaaS support opportunities abound in dynamic application testing. ‘App pen testing’ is not the solution to your web application security needs; it is only one facet of a multi-dimensional, full life-cycle approach that is critically important.
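The ‘approved modules only’ control in recommendation 3 is easy to state and easy to let drift, because contributed modules get added to `sites/all/modules` by developers and get patched (or not) independently of the allowlist. The following is an added example, not code from the Drupal project or from the original post, of a deployment gate that enforces it: it walks a Drupal 7 code tree, parses each module’s `.info` file (the `key = value` format Drupal 7 uses, with `;` comment lines and `files[]` array entries), and reports every module that is not on an allowlist of approved projects at pinned versions. The allowlist contents, the temp-directory layout and the three sample modules are constructed for the demo; a real allowlist would be maintained by the review process the post describes and the pinned versions would track the Drupal security advisories.

```python
"""Gate a Drupal 7 code tree against an allowlist of approved modules and versions."""
import os
import re
import tempfile

# Hypothetical allowlist: project name -> versions approved for production.
APPROVED = {
    "views": {"7.x-3.7"},
    "ctools": {"7.x-1.3"},
}

# key = value, with optional surrounding double quotes on the value.
_KV = re.compile(r'^\s*([A-Za-z0-9_\[\]]+)\s*=\s*"?(.*?)"?\s*$')


def parse_info(text: str) -> dict:
    """Parse the scalar key = value lines of a Drupal 7 .info file.

    Lines starting with ';' are comments; array keys such as files[] are skipped.
    """
    info = {}
    for line in text.splitlines():
        if line.lstrip().startswith(";"):
            continue
        m = _KV.match(line)
        if m and "[" not in m.group(1):
            info[m.group(1)] = m.group(2)
    return info


def find_modules(root: str):
    """Yield (module_dir, parsed_info) for every *.info file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".info"):
                with open(os.path.join(dirpath, name), encoding="utf-8") as fh:
                    yield dirpath, parse_info(fh.read())


def audit(root: str, approved=APPROVED) -> dict:
    """Classify each module as approved, wrong_version, or unapproved."""
    report = {"approved": [], "wrong_version": [], "unapproved": []}
    for path, info in find_modules(root):
        # Contributed modules carry project/version; locally written ones usually don't.
        project = info.get("project") or os.path.basename(path)
        version = info.get("version", "<unversioned>")
        if project not in approved:
            report["unapproved"].append((project, version))
        elif version not in approved[project]:
            report["wrong_version"].append((project, version))
        else:
            report["approved"].append((project, version))
    for bucket in report.values():
        bucket.sort()
    return report


# Constructed sample modules: one approved, one at an unapproved version,
# and one local module with no project metadata at all.
SAMPLE_MODULES = {
    "views": 'name = Views\ncore = 7.x\nversion = "7.x-3.7"\nproject = "views"\nfiles[] = views.module\n',
    "ctools": 'name = Chaos tools\ncore = 7.x\nversion = "7.x-1.2"\nproject = "ctools"\n',
    "custom_widget": 'name = Custom widget\ncore = 7.x\n; written in-house, no release metadata\n',
}


def build_sample_tree() -> str:
    """Write the constructed modules to a temp dir laid out like sites/all/modules."""
    root = tempfile.mkdtemp()
    for name, text in SAMPLE_MODULES.items():
        module_dir = os.path.join(root, "sites", "all", "modules", name)
        os.makedirs(module_dir)
        with open(os.path.join(module_dir, name + ".info"), "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    result = audit(build_sample_tree())
    for bucket, modules in result.items():
        print(bucket, modules)
```

Wired into a deployment pipeline, a non-empty `wrong_version` or `unapproved` bucket fails the build; the `wrong_version` case is the one that matters most after a security advisory, since it catches a module the allowlist has moved forward but the site has not.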


Security Advisories – Drupal Core
Security Advisories – Contributed Projects
Security Advisories – Public Service Announcements

“Security Issues in Drupal Content Management System.” (2013)

The 10 most critical Drupal security risks. (2012)

CVE Drupal Vulnerability Statistics:
CVE Drupal Vulnerability Details:

Drupal Administration Guide — Securing your Site

Drupal Writing secure code. Last updated September 12, 2013

“Drupal Security Best Practices — A Guide for Governments and Nonprofits.”
By OpenConcept Consulting Inc. for Public Safety Canada
Principal Author: Mike Gifford, with a collection of contributors

Public Example: Drupal Security at University of Pennsylvania
Drupal Security Considerations
Drupal Secure Configuration
Drupal Approved Modules

“Mad Irish . net — Open source software security.”

Does Government Owning Your iPhone Matter?

January 2, 2014

A recent burst of news about NSA access to individuals’ iPhones serves as a reminder that using modern mobile devices for some types of Financial Services business activities involves elevated risk.  Risk that is difficult to quantify.

Late last summer I wrote a little about the potential for NSA data gathering to influence Financial Services privacy and security promises.
This reference to iPhone surveillance is a reminder that using consumer devices to perform material company business of any kind, or to perform many types of common operations using company non-public data involves a certain amount of risk.  This should be factored into your ‘risk appetite’ discussions and planning — and this should occur at a number of levels throughout your Financial Services organizations.

Mass surveillance by U.S. intelligence organizations has been relatively-frequently documented in the last 7 years since Mark Klein, a retired AT&T communications technician, revealed that AT&T provided U.S. National Security Agency personnel with full access to its customers’ phone calls, and shunted its customers’ internet traffic to data-mining equipment installed in a San Francisco switching center since 2003.  The U.S. is not the only government engaged in mass surveillance.

“Shopping for Spy Gear: Catalog Advertises NSA Toolbox.” By Jacob Appelbaum, Judith Horchert and Christian Stöcker; 12-29-2013;

“…an NSA division called ANT has burrowed its way into nearly all the security architecture made by the major players in the industry — including American global market leader Cisco and its Chinese competitor Huawei, but also producers of mass-market goods, such as US computer-maker Dell.”
“These NSA agents, who specialize in secret back doors, are able to keep an eye on all levels of our digital lives — from computing centers to individual computers, and from laptops to mobile phones. For nearly every lock, ANT seems to have a key in its toolbox. And no matter what walls companies erect, the NSA’s specialists seem already to have gotten past them. “

“How The NSA Hacks Your iPhone (Presenting DROPOUT JEEP).” By Tyler Durden; 12-30-2013;

“NSA Data Gathering Hits Financial Services Privacy & Security Promises.” September 8, 2013;

Historical References to U.S. Mass Surveillance:

“Whistle-Blower Outs NSA Spy Room.” By Ryan Singel; 04-07-2006;
And “Wiretap Whistle-Blower’s Account.” Statement By Mark Klein; 04-06-2006;

“NSA’s Domestic Spying Grows As Agency Sweeps Up Data — Terror Fight Blurs Line Over Domain; Tracking Email.” By Siobhan Gorman; 03-10-2008;

“The central role the NSA has come to occupy in domestic intelligence gathering has never been publicly disclosed. But an inquiry reveals that its efforts have evolved to reach more broadly into data about people’s communications, travel and finances in the U.S. than the domestic surveillance programs brought to light since the 2001 terrorist attacks.”
“According to current and former intelligence officials, the spy agency now monitors huge volumes of records of domestic emails and Internet searches as well as bank transfers, credit-card transactions, travel and telephone records. The NSA receives this so-called “transactional” data from other agencies or private companies, and its sophisticated software programs analyze the various transactions for suspicious patterns.”
“The Treasury, for instance, built its database “to look at all the world’s financial transactions” and gave the NSA access to it about 15 years ago, said a former NSA official. The data include domestic and international money flows between bank accounts and credit-card information, according to current and former intelligence officials.   The NSA receives from Treasury weekly batches of this data and adds it to a database at its headquarters. Prior to 9/11, the database was used to pursue specific leads, but afterward, the effort was expanded to hunt for suspicious patterns.”  The NSA also has access from the Treasury to financial transactions globally via their connection to the Society for Worldwide Interbank Financial Telecommunication, or Swift, the Belgium-based clearinghouse for records of international transactions between financial institutions.

“Government Is Tracking Verizon Customers’ Records.” By Siobhan Gorman And Jennifer Valentino-DeVries; 06-06-2013;

“Verizon is required to provide NSA with “all call detail records” of customers, including all local and long-distance calls within the U.S., as well as calls between the U.S. and overseas, according to a court order labeled “top secret” published Wednesday by the Guardian newspaper.”
“Mass Surveillance in America: A Timeline of Loosening Laws and Practices.” By Cora Currier, Justin Elliott and Theodoric Meyer; 06-07-2013;
“FAQ: What You Need to Know About the NSA’s Surveillance Programs.” By Jonathan Stray; 08-05-2013;

“U.S. Collects Vast Data Trove — NSA Monitoring Includes Three Major Phone Companies, as Well as Online Activity.” By Siobhan Gorman, Evan Perez and Janet Hook; 06-07-2013;

“The National Security Agency’s monitoring of Americans includes customer records from the three major phone networks as well as emails and Web searches, and the agency also has cataloged credit-card transactions, said people familiar with the agency’s activities.”
“Civil-liberties advocates slammed the NSA’s actions. “The most recent surveillance program is breathtaking. It shows absolutely no effort to narrow or tailor the surveillance of citizens,” said Jonathan Turley, a constitutional law expert at George Washington University.”
“The Washington Post and the Guardian reported earlier Thursday the existence of the previously undisclosed program, which was described as providing the NSA and FBI direct access to server systems operated by tech companies that include Google Inc., Apple Inc., Facebook Inc., Microsoft Corp.  The newspapers, citing what they said was an internal NSA document, said the agencies received the contents of emails, file transfers and live chats of the companies’ customers as part of their surveillance activities of foreigners whose activity online is routed through the U.S.”
“The arrangement with Verizon, AT&T and Sprint, the country’s three largest phone companies means, that every time the majority of Americans makes a call, NSA gets a record of the location, the number called, the time of the call and the length of the conversation, according to people familiar with the matter.”

“Gamma FinSpy Surveillance Servers in 25 Countries.” By Vernon Silver; 03-13-2013;

“Computers running U.K.-based Gamma Group’s FinSpy surveillance tool, which can remotely take over computers and phones, have been found in 25 countries, according to an updated global scan of the Internet that mapped the locations of servers that control infected machines.”

“U.S. Confirms That It Gathers Online Data Overseas.” By Charlie Savage, Edward Wyatt and Peter Baker; 06-06-2013;

“The federal government has been secretly collecting information on foreigners overseas for nearly six years from the nation’s largest Internet companies like Google, Facebook and, most recently, Apple, in search of national security threats, the director of national intelligence confirmed Thursday night.”
“In the internal documents, experts boast about successful access to iPhone data in instances where the NSA is able to infiltrate the computer a person uses to sync their iPhone. Mini-programs, so-called “scripts,” then enable additional access to at least 38 iPhone features.”

“Privacy Scandal: NSA Can Spy on Smart Phone Data.” By Marcel Rosenbach, Laura Poitras and Holger Stark; 09-07-2013;

“SPIEGEL has learned from internal NSA documents that the US intelligence agency has the capability of tapping user data from the iPhone, devices using Android as well as BlackBerry, a system previously believed to be highly secure.”
“The material viewed by SPIEGEL suggests that the spying on smart phones has not been a mass phenomenon. It has been targeted, in some cases in an individually tailored manner…”

“iSpy: How the NSA Accesses Smartphone Data.” By Marcel Rosenbach, Laura Poitras and Holger Stark; 09-09-2013;

According to internal NSA documents from the Edward Snowden archive that SPIEGEL has been granted access to, “The US intelligence agency NSA has been taking advantage of the smartphone boom. It has developed the ability to hack into iPhones, android devices and even the BlackBerry, previously believed to be particularly secure.”
“A detailed NSA presentation titled, “Does your target have a smartphone?” shows how extensive the surveillance methods against users of Apple’s popular iPhone already are.”


Finally, if you are interested in an excellent recent 1-hour technical presentation on some of the technical surveillance aspects of this topic by Jacob “@ioerror” Appelbaum at 30C3: the 30th Chaos Communication Congress (Hamburg, Germany, Dec 27-30, 2013)

Infrastructure and Integration, Culture Matters

December 17, 2013

A recent 60 Minutes episode highlighted an NSA staffer describing a Chinese plot to “take down” the U.S. financial system using social engineering & a firmware update to brick the computers that support all economic activity.  The story received a lot of unflattering attention (Google it).  The broader piece about recent NSA data-gathering and spying also seemed less like news than an advertisement.  This has resulted in a lot of attention on the nature of the story and the likelihood that there is material distance between the themes highlighted by the CBS report and the behaviors of NSA staff and leadership.  So, why should we care?

There are many reasons.  One assumes that many in our industry receive “news” via feeds & tweets — which must radically distill stories down to a very few words.  Many senior decision-makers “grew up” with news shows like 60 Minutes and have sensors tuned to content from its brand.  So, that channel can deliver messages to financial services leaders in ways many others can’t.

Later in the December 15th 60 Minutes broadcast was a report about the Chinese telecommunications equipment giant “Huawei.”  It could have been a useful reminder that infrastructure matters in global Financial Services risk management.  Global data communications networking makes decision-making about ‘inside’ & ‘outside’ and what or whom to trust much more complex and challenging.  Culture matters.  Nation-state behaviors matter.  The scale and scope of Financial Services operations make it an attractive target for intellectual property theft.  We all need to continue to enhance our understanding of threats associated with infrastructure purchasing and integration, as well as with extending our operations using partners and massive shared ‘cloud’ infrastructure.


“Update on Huawei.” Dec. 15, 2013

“Chinese telecom giant eyed as security threat.” Oct. 05, 2012,


Keylogger Credential Theft Still A Business Threat

December 3, 2013

The combination of malware keystroke loggers and a business model based on credential sales is a real threat to financial services organizations today. It is not a misty theory or something only security professionals need to care about. Credentials, typically a set of strings we call a username and password, are the only layer of protection for most of our business web applications.  Many, if not most, of our industry’s systems cannot detect when an unauthorized party uses a given user’s credentials.

Yesterday Trustwave researchers announced that they found another cache of roughly two million stolen credentials on an active botnet controller.

These included:

1,580,000 general web site login credentials
318,000 Facebook credentials
70,000 Gmail, Google+ and YouTube credentials
60,000 Yahoo credentials
22,000 Twitter credentials
9,000 Odnoklassniki credentials (a Russian social network)
8,000 ADP credentials (ADP says it counted 2,400)
8,000 LinkedIn credentials
and more…

The attackers appeared to start their operation around October 21 and drove it until November 17.

There are a few important issues associated with the data they found.

First, while press reports often highlight social networking credential thefts, ‘real’ businesses are also targeted. In this case, ADP. Also, it is a certainty that there are lots of ‘real’ businesses in that 1.5M ‘web site’ credentials in the first category above.

Second, 46% of the roughly 2M passwords included in this cache were 10 characters or longer. It seems rational to assume that as businesses ratchet up password length requirements, a material percentage of humans just use that same (or similar) ‘long’ password at all their sites. That is an elevated-risk behavior that we need all members of our workforce to resist.

Finally, weak passwords are still an important problem. Do not use them! What were the top 11 stolen passwords in this collection?

  1. 123456
  2. 123456789
  3. 1234
  4. password
  5. 12345
  6. 12345678
  7. admin
  8. 123
  9. 1
  10. 1234567
  11. 111111
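The three observations above (business credentials mixed in with social ones, long passwords reused across sites, and a top-N list dominated by trivial strings) are all things a security team can measure for itself when a credential cache is recovered or a breach-notification feed delivers matches for its own domains. The following is an added example, not code from the original post or from Trustwave, that takes `site,username,password` lines and reports the share of 10+ character passwords, the most common passwords, which of those sit on a weak-password denylist seeded with the post’s top 11, and which passwords appear under more than one site. The ten credential lines and the example.com hostnames are constructed; the 10-character threshold is the one the post reports on.

```python
"""Summarize a recovered credential cache: length share, top passwords, cross-site reuse."""
from collections import Counter

# Denylist seeded with the top stolen passwords listed in the post.
WEAK_PASSWORDS = {"123456", "123456789", "1234", "password", "12345",
                  "12345678", "admin", "123", "1", "1234567", "111111"}

# Constructed sample dump in site,username,password form (not real data).
SAMPLE_DUMP = """\
webmail.example.com,alice,123456
hr.example.com,bob,Winter2013Wonderland
webmail.example.com,carol,password
payroll.example.com,dave,Winter2013Wonderland
social.example.net,erin,123456
social.example.net,frank,qwerty
payroll.example.com,grace,CorrectHorseBattery
webmail.example.com,heidi,123456
hr.example.com,ivan,admin
social.example.net,judy,S3cure!Passphrase2013
"""


def parse_dump(text: str):
    """Yield (site, user, password) tuples; malformed or empty-password lines are skipped."""
    for line in text.splitlines():
        parts = line.strip().split(",", 2)   # password may itself contain commas
        if len(parts) == 3 and parts[2]:
            yield tuple(parts)


def summarize(text: str, min_len: int = 10, top_n: int = 5) -> dict:
    """Compute the statistics the post quotes, plus cross-site reuse of a password."""
    rows = list(parse_dump(text))
    passwords = [pw for _site, _user, pw in rows]
    if not passwords:
        return {"total": 0, "long_share": 0.0, "top": [],
                "weak_in_top": [], "reused_across_sites": []}
    long_share = sum(len(pw) >= min_len for pw in passwords) / len(passwords)
    top = Counter(passwords).most_common(top_n)
    sites_by_password = {}
    for site, _user, pw in rows:
        sites_by_password.setdefault(pw, set()).add(site)
    reused = sorted(pw for pw, sites in sites_by_password.items() if len(sites) > 1)
    return {
        "total": len(passwords),
        "long_share": long_share,
        "top": top,
        "weak_in_top": [pw for pw, _count in top if pw in WEAK_PASSWORDS],
        "reused_across_sites": reused,
    }


if __name__ == "__main__":
    stats = summarize(SAMPLE_DUMP)
    print(f"{stats['total']} credentials, {stats['long_share']:.0%} with 10+ chars")
    print("top:", stats["top"])
    print("weak in top:", stats["weak_in_top"])
    print("reused across sites:", stats["reused_across_sites"])
```

On the constructed sample, `Winter2013Wonderland` is the instructive line: it passes any length rule yet shows up for two different business sites, which is the reuse pattern the post warns about and which no length policy detects. A real run should operate on hashed or redacted passwords wherever policy allows, since the summary statistics need only equality and length.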



“Look What I Found: Moar Pony!” 12-03-2013

Educational Security Videos Available

November 30, 2013

I’ve spent a lot of hours at home recently building up some continuing education credit hours with security convention videos. I learned a lot, but one key lesson is that there is an ocean of good and a small sea of great security-centric presentations available at no cost for anyone interested in the topic. There is tremendous diversity as well. Here are a few samples, and a set of links to larger collections of security convention presentations. We all have to find ways to stay relevant and to help the staff around us keep up as well.  Nothing replaces the kind of energy and valuable interaction that can result from participating in one or another of the many …cons available today.  In the context of ever-present spending constraints, though, consider integrating some of these excellent resources into your organization’s development planning:

There are some white hats attempting to build a globally-available list of ‘low hanging fruit’ vulnerabilities for literally all web sites on earth.
In “PunkSPIDER Open Source Fuzzing Project” the presenter explains how they do their work — a mix of web attacks and big data.
or a different version on this topic at:

JavaScript seems to be everywhere… Because at least some of it is executing on untrusted endpoints, it is crucial to resist abuse and protect ‘upstream’ infrastructure and data.
In “Javascript Static Security Analysis Made Easy with JSPrime” the presenter attempts to explain the scope of this challenge, and then demonstrates his open source static code security analyzer.

Encryption is something we are supposed to use, but not to write. Using commercial or well-tested open source crypto support libraries should satisfy, right?
Not so fast. In this presentation, “Crypto: You’re doing it wrong,” the presenter demonstrates a range of techniques for decrypting both weakly and strongly encrypted ciphertext. I had never read about the approaches used by this individual, and they seem to be applicable across huge sections of our standard industry practices. This is an extremely interesting explanation of how key facets of cryptography work and how implementation details leave much encrypted content vulnerable to hostile decryption. Finally, the presenter outlines what we might do to resist his attacks.
Because it challenges so many deeply held assumptions, I strongly recommend this to anyone involved in software architecture or design.

Why do people click, or worse, type and then click?
In “Predicting Susceptibility to Socialbots on Twitter” the presenters explore how one might attempt to target people who may be more likely to interact with profiles they don’t know on Twitter.
Their approach uses relatively standard statistical analysis against large collections of Twitter log data and establishes a foundation for future work on this topic. The presenters also offer advice about how we might best invest our training budgets to address some of what they found.
And later – corrected version – at:

If you are interested in the lowest-level details of great concern to hostile software security specialists, you might want to watch “OptiROP: The Art of Hunting ROP Gadgets.” It will walk you through one of the more productive paths used by malware artists — CPU machine code.

There are scores more…

“VoIP Wars: Return of the SIP”

“Abusing NoSQL Databases”

“TMI: How to attack SharePoint servers and tools to make it easier”

“I Can Hear You Now: Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell”

“Burning the Enterprise with BYOD”
or “Assessing the Risk of Unmanaged Devices”

“Evil DoS Attacks and Strong Defenses”

“iOS Reverse #=> iPWn Apps”
or “Attacking iOS Applications”
or “Your Droid Has No Clothes”

“Home Invasion 2.0 – Attacking Network-Controlled Consumer Devices”

“So You think Your Domain Controller is Secure?”

And see the full collections at:
BlackHat 2013 sessions:
Here is a BlackHat 2013 session listing:
(this is a big collection)

Defcon 2013 sessions:
Session listing:
(this is a big collection)

Derbycon 2013 Videos:
(this is a big collection)

Shmoocon 2013 sessions:
The file names include session titles.

BSides Delaware 2013 Videos:

Louisville Infosec 2013 Videos:

BSides Las Vegas 2013 Videos:

OISF 2013 Videos:

Hack3rcon 4 Videos:

BSides Rhode Island 2013:

Notacon 10 (2013) Videos:

AIDE 2013:
(AIDE==Appalachian Institute of Digital Evidence)

BSides Boston 2013 Videos:

ISSA Kentuckiana Web Pen-Testing Workshop:

Outerz0ne 9 (2013) Videos:

These are excellent resources.  We need to support the groups that organize these conventions, but we will never be able to participate in them all.  The fact that this huge pool of resources is available 24x7x365 enhances their value.  Again, consider integrating some of them into your organization’s development planning.


