Tag: security flaw

By Davey Winder for Forbes

At the start of May, I reported on a critical security vulnerability that could impact every Samsung Galaxy smartphone sold from late 2014 onwards. That zero-click bug scored a perfect 10 on the vulnerability severity scale. The good news was that it had been patched in the Samsung May 2020 security update. Just as Android users were recovering from that security shocker, and some have yet to get that update on their devices, it should be noted, along comes one more.

This time it’s in the form of another critical vulnerability, but rather than applying to Samsung devices only, it’s an issue that exists in almost every version of Android. Only users of Android 10 need have no concern here, all other versions of Android, however, are potentially affected. Given that, in April, Android 10 only accounted for around 16% of users, and Google itself says there are at least 2 billion Android users out there, that’s north of 1 billion Android devices potentially at risk.

The risk being that, if exploited by an attacker, this vulnerability could lead to an elevation of privilege and give that hacker access to bank accounts, cameras, photos, messages and login credentials, according to the researchers who uncovered it. What’s more, it could do this by assuming “the identity of legitimate apps while also remaining completely hidden.”

What is StrandHogg 2.0?
Researchers at a Norwegian security company called Promon discovered CVE-2020-0096, which they called StrandHogg 2.0: the more cunning “evil twin” to the original Android StrandHogg vulnerability it also found last year. “While StrandHogg 2.0 also enables hackers to hijack nearly any app,” the researchers said, “it allows for broader attacks and is much more difficult to detect.”

Rather than exploit the same TaskAffinity control setting as the original StrandHogg vulnerability, StrandHogg 2.0 doesn’t leave behind any markers that can be traced. Instead, it uses a process of “reflection,” which allows it to impersonate a legitimate app by using an overlay into which the user actually enters credentials. But that’s not all; it also remains entirely hidden in the background while hijacking legitimate app permissions to gain access to SMS messages, photos, phone conversations, and even track GPS location details. Using the “correct per-app tailored assets,” the Promon researchers said, StrandHogg 2.0 can “dynamically attack nearly any app on a given device simultaneously at the touch of a button.”

Stealthier than your average StrandHogg
Detection would also appear to be more complicated than the previous StrandHogg vulnerability. “No external configuration is required to execute StrandHogg 2.0, it allows the hacker to further obfuscate the attack,” the researchers said, “as code obtained from Google Play will not initially appear suspicious to developers and security teams.”

However, Google told TechCrunch, which broke the StrandHogg 2.0 news, that it had not seen any evidence of the vulnerability being exploited to date. I reached out to Google and a spokesperson told me: “We appreciate the work of the researchers, and have released a fix for the issue they identified. Additionally, Google Play Protect detects and blocks malicious apps, including ones using this technique.” The latter being important as exploitation of the vulnerability requires the device to already be infected by a malicious app.

How can you mitigate this critical Android vulnerability?
It’s not all bad news for Android users, though. Those with devices running Android 10 are not impacted. There’s more good news for those of you who are, however, running Andorid 9 or earlier, as Google included a patch for CVE-2020-0096 in the May 2020 Android security update. It was described there as a critical vulnerability that could enable a local attacker to use a specially crafted file to execute arbitrary code within the context of a privileged process. The usual fractured ecosystem warnings from me have to be flagged up at this point: many users will not see that update rolling out to them immediately, and some may never see it at all if they have an older unsupported device.

Tod Beardsley, research director at Rapid7, said that “since the fix for this bug is part of the core Android operating system, Android users are once again at the mercy of their handset manufacturers and their service providers, who are often slow to act when it comes to distributing security patches. People who are worried about this bug in particular should keep a close eye on when the fix for CVE-2020-0096 hits their particular distribution.”

“Attackers looking to exploit StrandHogg 2.0 will likely already be aware of the original StrandHogg vulnerability, and the concern is that when used together, it becomes a powerful attack tool for malicious actors,” Tom Lysemose Hansen, Promon CTO and founder, said. He recommends Android users update to the latest firmware as soon as they can, and advises app developers to “ensure that all apps are distributed with the appropriate security measures in place in order to mitigate the risks of attacks in the wild.”

“Android device users need to be cautious of the apps they choose to install. Even as Google works to protect their users, malicious apps will still likely slide past their screening process on occasion,” Boris Cipot, a senior security engineer at Synopsys, said. “One way that users can stay alert and mindful is to do a bit of research on the app developers before downloading a given app. Check where the app comes from and if anything seems off, then think twice before proceeding with installation,” Cipot concluded.

Promon has issued a disclosure timeline, which shows it notified Google of the vulnerability on December 4, 2019, and an ecosystem partner patch was rolled out in April 2020 before the public fix within the latest Android security updates for users.

Discovery Bank discovered a system flaw on Monday which allowed the incorrect credit card card verification value (CVV) numbers to be used for online payments.

The CVV is the last three digits on the back of a bank card, and is considered a critical as a last-ditch security measure against certain card fraud.

Business Insider South Africa was tipped off about the flaw, and on Monday morning was able to make payments with a random CVV code, such as 000.

  • Discovery Bank said it was alerted about the issue last week
  • The bank suffered no fraud losses due to the issue
  • The flaw has now been fixed
  • Previously, the Bank didn’t require further authorisation such as an OTP (one-time pin)
  • When Business Insider later tried to use an incorrect CVV number, a call centre agent phoned to let them know it was incorrect us after the transaction to alert us that an incorrect CVV number had been used.

 

WhatsApp is hacked

Source: BBC

WhatsApp has confirmed that a security flaw in the app let attackers install spy software on their targets’ smartphones.

That has left many of its 1.5-billion users wondering how safe the “simple and secure” messaging app really is.

On Wednesday, chip-maker Intel confirmed that new problems discovered with some of its processors could reveal secret information to attacks.

How trustworthy are apps and devices?

Was WhatsApp’s encryption broken? No. Messages on WhatsApp are end-to-end encrypted, meaning they are scrambled when they leave the sender’s device. The messages can be decrypted by the recipient’s device only.

That means law enforcement, service providers and cyber-criminals cannot read any messages they intercept as they travel across the internet.

However, there are some caveats.

Messages can be read before they are encrypted or after they are decrypted. That means any spyware dropped on the phone by an attacker could read the messages.

What is encryption?
On Tuesday, news site Bloomberg published an opinion article calling WhatsApp’s encryption “pointless”, given the security breach.

However, that viewpoint has been widely ridiculed by cyber-security experts.

“I don’t think it’s helpful to say end-to-end encryption is pointless just because a vulnerability is occasionally found,” said Dr Jessica Barker from the cyber-security company Cygenta.

“Encryption is a good thing that does offer us protection in most cases.”

Cyber-security is often a game of cat and mouse.

End-to-end encryption makes it much harder for attackers to read messages, even if they do eventually find a way to access some of them.

What about back-ups?
WhatsApp gives the option to back up chats to Google Drive or iCloud but those back-up copies are not protected by the end-to-end encryption.

An attacker could access old chats if they broke into a cloud storage account.

How to stay safe on WhatsApp
WhatsApp discovers ‘targeted’ surveillance attack
Of course, even if users decide not to back up chats, the people they message may still upload a copy to their cloud storage.

Should people stop using WhatsApp?
Ultimately, any app could contain a security vulnerability that leaves a phone open to attackers.

WhatsApp is owned by Facebook, which typically issues software fixes quickly.

Of course, even large companies can make mistakes and Facebook has had its share of data and privacy breaches over the years.

There is no guarantee a rival chat app would not experience a similar security lapse.

At least, following the disclosure of this flaw, WhatsApp is slightly more secure than it was a week ago.

Signal is an open-source project
Some rival chat apps are open-source projects, which means anybody can look at the code powering the app and suggest improvements.

“Open-source software has its value in that it be can tested more widely but it doesn’t necessarily mean it’s more secure,” said Dr Barker.

“Vulnerabilities can still be found with any tech, so it’s not the answer to our prayers.”

And if someone did decide to switch to a rival chat app, they would still have to convince their contacts to do the same. A chat app without friends is not much use.

Is any device ever safe?
In theory, any device or service could be hacked. In fact, security researchers often joyfully pile in on companies that claim their products are “unhackable”.

They quickly discover vulnerabilities and the embarrassed companies retract their claims.

If people are worried data may be stolen from their computer, one option is to “air gap” the device: disconnect it from the internet entirely.

That stops remote hackers accessing the machine – but even an air gap would not stop an attacker with physical access to the device.

Dr Barker stressed the importance of installing software updates for apps and operating systems.

“WhatsApp pushed out an update and consumers might not have realised that security fixes are often included in updates,” she told BBC News.

WhatsApp did not help the cause, however, by describing the latest update as adding “full-size stickers”, and not mentioning the security breach.

“People need to be made aware that updates are really important. The quicker we can update our apps, the more secure we are,” said Dr Barker.

As always, there are simple security steps to remember:

  • Install app and operating system security updates
  • Use a different password for every app or service
  • Where possible, enable two-step authentication to stop attackers logging in to accounts
  • Be careful about what apps you download
  • Do not click links in emails or messages you are not expecting

Fin24 recently publishing article with the headline: “Massive Afrihost security flaw exposed”.
The article stated that “a massive security flaw” left the ADSL credentials of users vulnerable. The situation was brought to light by a Durban software expert, Taylor Gibb, who recently posted on Facebook that “Afrihost staff had been able to provide ADSL account credentials to users over the phone, leaving information at risk”.

Afrihost has released the following statement:

1. There was no breach of data at any time

No databases, personal information, payment information or account details have been breached or hacked in any way. The article is based on hypothetical scenarios conceived by the author of the article, who was never (at any time) in possession of the data mentioned.

2. Our clients are not at risk

Since no data was actually obtained, our clients are not at risk at all. We have also now ensured that consultants cannot view encrypted data, so there is no risk to clients whatsoever (based on the scenario in this article).

3. Passwords were never stored in plain text

The writer makes several assumptions regarding the state of personal data, such as passwords being stored in plain text, which are inaccurate. Passwords are encrypted.

4. The information relates ONLY to ADSL usernames and passwords

No payment information, personal information or ClientZone user login information were ever at risk. At absolute worst, the information in question could only be used to login to an ADSL account (and one that allows concurrent logins). Any client could still view their ADSL sessions via their ClientZone and request any unknown numbers be blocked from accessing their account. There would be zero possibility that these details could ever lead to obtaining payment or personal information.

5. Our team of staff are trustworthy

The article only refers to scenarios where a staff member of Afrihost could access vulnerable information. Our staff have no motivation to steal data from our clients, as they receive free internet for both fixed line (DSL or Fibre) and Mobile Data. In many cases, our staff give out their personal accounts to help our clients test their connectivity. While we did trust our staff with access to passwords – this ability has since been removed – this was always subject to identity verification. However, we have removed this feature for our client’s peace of mind and will find new ways to ensure that our clients enjoy the same level of convenience when interacting with our consultants.

We’ve always had to balance our need for increased security and safeguards with our client’s convenience. Changes to our security is in ongoing development at all times, and we had planned to devise a convenient way to roll these out with minimal impact to our clients.

As mentioned, no data was breached, no personal information was compromised and not a single client was adversely affected in any way.

Follow us on social media: 

               

View our magazine archives: 

                       


My Office News Ⓒ 2017 - Designed by A Collective


SUBSCRIBE TO OUR NEWSLETTER
Top