Symantec Report Highlights Hidden Lynx Threat to Financial Services Enterprises

September 25, 2013

Last week researchers at security vendor Symantec released a whitepaper attempting to describe the nature and activities of a group of advanced, professional attackers working out of China, dubbed the Hidden Lynx team.

They report that Hidden Lynx offers a ‘hackers for hire’ operation that has stayed busy the last four years stealing specific information from a wide range of corporate targets.  Symantec says that Hidden Lynx activities display skill-sets far above some other attack groups also operating out of China — for example the Comment Crew (aka APT1) — and adds that they are “breaking into some of the best-protected organizations in the world.”

Hidden Lynx has targeted hundreds of organizations worldwide since November 2011.  Financial services organizations (not commercial banks) have been the vertical targeted most often by this group, amounting to almost 25% of the top 10 targeted industries.  In that same period, they also hit targets in the United States almost 53% of the time.

Symantec’s analysis suggests that Hidden Lynx is “tasked with obtaining very specific information that could be used to gain competitive advantages… It is unlikely that this organization engages in processing or using the stolen information for direct financial gain.”

When Symantec looked at Hidden Lynx’s large scale attacks, the focus on Financial Services increased, amounting to 30% of their attacks.

The key conclusion offered by Symantec is that “cyber-espionage campaigns are becoming increasingly common,” and that “these attacks are becoming increasingly sophisticated.”

We can take steps to help resist attacks like those by Hidden Lynx, keeping valuable information from falling into their hands. The key is to actually take those steps! Work with your information security consultants.  Protect all endpoints, yours included, from malware.  Use ‘safe’ web filtering services. Train your workforce to resist social engineering through all communications channels, including the browser.  Incorporate secure software practices into all of your business application investments.  Insist on secure infrastructure configurations and practices.


“Hidden Lynx – Professional Hackers for Hire.” By Stephen Doherty, Jozsef Gegeny, Branko Spasojevic, and Jonell Baltazar. Symantec whitepaper, Version 1.0 – Sept 17, 2013.

“Hidden Lynx – Professional Hackers for Hire.” Symantec, 17 Sept 2013.

“Hidden Lynx and MSS protection.” Symantec, 18 Sept 2013.

Apple iPhone 5S TouchID Beat Using Simple Approach

September 23, 2013

Some in Financial Services seemed to think that now, finally, it would be easy to do serious business with Apple’s new iPhone 5S TouchID mobile device.  The advanced biometric authentication would, so the argument goes, secure the environment — the device and its use — in ways that were going to make risk management easy…

…“Oh, those sad Windows users.  What will we do with them?”


The German hacker organization “Chaos Computer Club” (CCC) uploaded a YouTube video appearing to demonstrate a successful hack of the new iPhone TouchID biometric authentication.  In the short video an individual appears to access an iPhone 5S using a fabricated fingerprint.

This new option was promoted by Apple as a better way to protect devices and to protect sensitive information stored on or accessed by them.

Just last week, I heard an industry pundit say — seriously — that “mobile security was solved” because of the strength of Apple’s biometric security.  When I responded with a muted challenge, the individual’s demeanor suggested pity for me (at best).

CCC member with the pseudonym starbug said on the organization’s site, “For years we have repeatedly warned against the use of fingerprints for access control. We leave fingerprints everywhere, and it is a breeze to create fake fingers from it.”

The CCC approach, as described in their announcement on Sat, Sept. 21st, used materials that are common in most households:

  1. Photograph the fingerprint of a targeted user at a resolution of 2400 dpi.
  2. Invert the photo on your computer.
  3. Print it on transparency film using a laser printer at 1200 dpi.
    In a CCC video, the technique appeared to involve etching a PCB board. Not everyone has easy access to board etching equipment, but it is not that unusual (maybe as common as lock picks?).
  4. Apply a skin-colored latex milk or white wood glue to the image.
  5. The “pressure lines” create a fingerprint image in the deposited material.
  6. After drying, remove the counterfeit finger.
  7. Moisten the “fingerprint” slightly by breathing on it.
  8. Unlock the targeted iPhone with it.

Frank Rieger, speaker of the CCC, said that “The public should no longer be led around by the biometrics industry with false statements on the nose.  Biometrics is suitable to monitor and control people not to (secure) everyday devices against unauthorized access.”

Biometrics have always been a challenge.  That state continues.

In the case of the Apple 5S TouchID, the Apple marketing may have been a little misdirection as well — as in, ‘Hey! Look at this great new button over here!’ — rather than dealing with the difficult block & tackle work of building out secure, or secure-enough, endpoints and supporting cloud infrastructure across their entire life-cycles.  There may be niches in the consumer market for the TouchID, but it seems like the iPhone 5S implementation does not deliver for real business.

If this announcement described the real state of the Apple 5S TouchID technology and implementation, that identity infrastructure is still not ready for broad or routine integration into the operations of Financial Services enterprises.

What do you think?

“Chaos Computer Club breaks Apple TouchID hacking iPhone 5S.” By Rose Sodre, Sep 23, 2013.

“Chaos Computer Club hackt Apple TouchID.” By frank, 2013-09-21 22:04:00. [This page is in German.]

“The iPhone 5s Touch ID hack in detail.” A video containing more details about the techniques used to copy and misuse a fingerprint against Apple iPhone 5S TouchID.

“Bypassing TouchID was ‘no challenge at all,’ hacker tells Ars — German hacker Starbug tells Ars how he bypassed the fingerprint lock on new iPhones.” By Dan Goodin, Sept 24 2013.

“We’ve cracked Apple’s fingerprint scanner: German hackers.” Published in the South China Morning Post.

“iPhone 5s: About Touch ID security.” Apple.

“Investigating Touch ID and the Secure Enclave.” By Rich Mogull, 23 September 2013.

“A Quick Response on the Great Touch ID Spoof.” By Rich Mogull, 22 September 2013.

NSA Data Gathering Hits Financial Services Privacy & Security Promises

September 8, 2013

Reputable news organizations have been covering the NSA data gathering and spying stories for months.

For Financial Services, the short version is that we can have little confidence in the information security or privacy of cloud-based collaboration services or the standard commercial encryption products and services we use in the day-to-day operations.

Months ago it was revealed that NSA’s Prism program allows participants to collect material hosted by Apple, Facebook, Google, and other US internet giants, including search history, the content of emails, file transfer/storage, and chat sessions.

The U.S. intelligence-gathering operation is also accessing data from smart phones from all leading manufacturers. Spiegel reported on NSA documents it has seen that explicitly note the NSA can copy encrypted “private” information from Apple iPhones & iPads, BlackBerry devices, and mobile devices running the Android operating system. This is not simple access to contacts or browser history. The NSA documents said they have “access to at least 38 iPhone features.”

UPI summarized a key issue: “tech firms and ISPs said they were coerced into handing over their master encryption keys or building in hidden methods, known as ‘back doors,’ to bypass normal computer, cryptosystem and algorithm authentication systems.”  Regardless of whether cooperation or intimidation was the path to this vendor access, the breaches seem to be factual and we need to adapt our business practices to this new environment.

The NSA information gathering and decryption capabilities appear to have invalidated many of our standard claims about data security and privacy. Our VPNs, our secured email communications, high-speed mobile data communications, and virtually all the “plumbing” used to communicate and store data are now vulnerable to active NSA data gathering programs. Given compliance obligations in our industry, continuing to sign SOX attestations may present ethical and legal challenges for many.  Some may also be in violation of contracts with customers, partners, and other banks.

At a minimum, you should advise senior staff in all organizations who develop strategy, and senior decision makers, that the written interactions in which they explore ideas and attempt to identify the edges of compliance and legality are likely to be stored in U.S. government databases in clear text for the foreseeable future.

The same is true for those involved in the sensitive tactical work of implementing strategy. If a communication raises any question about the edges of compliance and legality, that alone probably increases the probability of it showing up in government searches of this data.

Because of the way information about these capabilities is leaking out, it is unclear how that information is shared, who is authorized to gain access for ‘discovery’ activities, and who is able to. The governance of that access control is also unclear, as is how access policies and decision-making practices might evolve over time.

In that context, consider the operations of a normal global financial services corporation. It is commonplace to write the names of countries, cities, companies, and individuals located across the globe, many of which would likely match U.S. government filtering criteria. Once tagged for additional analysis, that once private information is exposed to examination of types and means that are still leaking out. It seems like an elevated-risk gamble for some categories of communications to be subjected to those odds.


Much reporting on this topic has been delivered by The New York Times, the Guardian and ProPublica, based on documents obtained by The Guardian.
For the Guardian: James Ball, Julian Borger, Glenn Greenwald
For the New York Times: Nicole Perlroth, Scott Shane
For ProPublica: Jeff Larson

“Revealed: The NSA’s Secret Campaign to Crack, Undermine Internet Security.” Sept. 5, 2013.

“N.S.A. Able to Foil Basic Safeguards of Privacy on Web.” Sept. 5, 2013.

“Revealed: how US and UK spy agencies defeat internet privacy and security.” Sept. 5, 2013.

“Privacy Scandal: NSA Can Spy on Smart Phone Data.” Sept. 7, 2013.

“Documents show NSA can crack most Web privacy encryption.” Sept. 6, 2013.

“NSA Prism program taps in to user data of Apple, Google and others.” June 6, 2013.

Sarbanes-Oxley (SOX).


Standard Application Attack Vectors Still Viable – Injection and Access Control Vulnerabilities

September 2, 2013

Arul Kumar, a 21 year old electronics & communication engineer from Tamil Nadu, India, recently discovered a critical bug in Facebook that permits an attacker to delete any photo from Facebook without user interaction.

Initially, the Facebook security staff was unable to verify this vulnerability.  After he sent them a video recording of his proof of concept, the Facebook team acknowledged his finding.  In that video Mr. Kumar exploited Mark Zuckerberg’s account, creating a deletion request link for one of Mr. Zuckerberg’s photos.

So, what use is this example to the Financial Services technical community?

Mr. Kumar took advantage of a commonly-identified vulnerability in web and mobile applications.  He manually modified two parameters upon which Facebook servers would take critical actions. This particular injection attack modified Facebook’s ‘Photo_id’ & ‘Profile_id’ parameters.

Apparently, Facebook applications simply trusted these inputs from what were clearly untrustworthy endpoints.

Remember, applications must never trust user input.  Developers can remember this using the phrase “all input is evil.”  User input needs some level of sanity-checking — generally called input validation.  The Open Web Application Security Project (OWASP) Top 10 lists this as its #1 vulnerability, ‘Injection’ (A1).

Because this attack also allowed an attacker to delete other people’s content, Facebook’s access controls were also vulnerable to abuse. This vulnerability, and approaches to dealing with it, are also outlined in OWASP #7, Missing Function Level Access Control (A7).

All Financial Services applications, even those shiny new mobile apps, need to safety-check user input.  Applications also need to verify that access to functionality is granted only to those to whom it has been explicitly granted.

This work is a clear candidate for integration into your application security program.  Use it to show how creative individuals are able to exploit any and all input & access control vulnerabilities in your applications.  Any Financial Services organization would ignore such well organized and clearly stated work at its peril.
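To make the two requirements concrete, here is an added example (it is not code from the original post, from Facebook, or from OWASP): a toy photo-deletion endpoint written two ways. The vulnerable handler trusts the client-supplied profile_id, the same kind of parameter the write-up describes being modified; the hardened handler validates the ids it receives, takes the acting user from the server-side session rather than from a parameter, and checks ownership before deleting. The Request class, the sample photo table and the id format are assumptions made for the example.

```python
# Added example: parameter tampering on trusted ids, beside the hardened
# handler that validates input and enforces object-level access control.
# Request, sample_photos and the id format are assumptions for this example.

from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request. Assumption: a session layer has
    already authenticated the user and recorded their id in session_user."""
    session_user: int
    params: dict = field(default_factory=dict)


def sample_photos():
    """Constructed sample data: photo id -> owner id and deletion flag."""
    return {
        101: {"owner": 1, "deleted": False},
        202: {"owner": 2, "deleted": False},
    }


def delete_photo_vulnerable(req, photos):
    """Trusts both parameters. Because the client-supplied 'profile_id' is
    used as the acting user, any client can delete any photo by editing
    two numbers in the request."""
    photo_id = int(req.params["photo_id"])
    profile_id = int(req.params["profile_id"])
    photo = photos.get(photo_id)
    if photo is None:
        return "not_found"
    if photo["owner"] != profile_id:   # compares against attacker-chosen id
        return "forbidden"
    photo["deleted"] = True
    return "deleted"


MAX_ID_DIGITS = 18  # assumption: ids are positive integers that fit in 64 bits


def parse_id(value):
    """Input validation for an identifier: a decimal digit string of bounded
    length with no leading zero, nothing else. Returns None otherwise."""
    if not isinstance(value, str) or not value.isdigit():
        return None
    if len(value) > MAX_ID_DIGITS or value.startswith("0"):
        return None
    return int(value)


def delete_photo_hardened(req, photos):
    """Validates input and enforces ownership. The acting user is taken from
    req.session_user; a 'profile_id' parameter, if sent, is simply ignored."""
    photo_id = parse_id(req.params.get("photo_id"))
    if photo_id is None:
        return "bad_request"
    photo = photos.get(photo_id)
    # Same answer for "no such photo" and "not your photo", so a tampered id
    # cannot be used to probe which ids exist.
    if photo is None or photo["owner"] != req.session_user:
        return "forbidden"
    photo["deleted"] = True
    return "deleted"


def tampering_demo():
    """User 2 submits a deletion request for user 1's photo with profile_id
    rewritten to 1. Returns (vulnerable outcome, hardened outcome)."""
    tampered = Request(session_user=2,
                       params={"photo_id": "101", "profile_id": "1"})
    vuln = delete_photo_vulnerable(tampered, sample_photos())
    hard = delete_photo_hardened(tampered, sample_photos())
    return vuln, hard


if __name__ == "__main__":
    print(tampering_demo())  # ('deleted', 'forbidden')
```

Running the file shows the same tampered request succeeding against the first handler and being refused by the second. The two fixes are independent: parse_id rejects anything that is not a well-formed id before it reaches the data layer, and the ownership check ties the action to the authenticated session, which is what stops a valid-looking id from acting on someone else’s content.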

I also strongly recommend using OWASP resources.  They are free and easy to understand.  They include mature high level guidance as well as help for designers and developers.


“Delete any Photo from Facebook by Exploiting Support Dashboard.” By Arul Kumar.

Open Web Application Security Project (OWASP) Top 10.

Top 10 2013-A1-Injection.

Top 10 2013-A7-Missing Function Level Access Control.
