Archive for September, 2014
Instagram and Grindr stored images on their servers that were accessible without authentication, study finds
Instagram, Grindr, OkCupid and many other Android applications fail to take basic precautions to protect their users’ data, putting their privacy at risk, according to a new study.
The findings come from the University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG), which earlier this year found vulnerabilities in the messaging applications WhatsApp and Viber.
This time, they expanded their analysis to a broader range of Android applications, looking for weaknesses that could put data at risk of interception. The group will release one video a day this week on their YouTube channel highlighting their findings, which they say could affect upwards of 1 billion users.
“What we really find is that app developers are pretty sloppy,” said Ibrahim Baggili, UNHcFREG’s director and editor-in-chief of the Journal of Digital Forensics, Security and Law, in a phone interview.
The researchers used traffic analysis tools such as Wireshark and NetworkMiner to see what data was exchanged when certain actions were performed. That revealed how and where applications were storing and transmitting data.
Facebook’s Instagram app, for example, still had images sitting on its servers that were unencrypted and accessible without authentication. They found the same problem in applications such as OoVoo, MessageMe, Tango, Grindr, HeyWire and TextPlus when photos were sent from one user to another.
Those services were storing the content with plain “http” links, which were then forwarded to the recipients. But the problem is that if “anybody gets access to this link, it means they can get access to the image that was sent. There’s no authentication,” Baggili said.
The services should either ensure the images are quickly deleted from their servers or that only authenticated users can get access, he said.
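One way to close the hole Baggili describes is to hand out media links that are bound to a recipient and to an expiry time with an HMAC, so that a leaked link on its own is worthless once it expires or when presented by someone else. This is an added illustration, not code from the study or from any of the named apps; the host name, secret and identifiers are constructed.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo secret; a real service would keep this in a KMS and rotate it.
SECRET = b"constructed-demo-secret-not-from-the-page"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _tag(object_id: str, recipient: str, exp: int, secret: bytes) -> str:
    msg = f"{object_id}|{recipient}|{exp}".encode()
    return _b64(hmac.new(secret, msg, hashlib.sha256).digest())


def sign_media_url(base, object_id, recipient, ttl_seconds, secret=SECRET, now=None):
    """Build an https link for one recipient that stops working after ttl_seconds."""
    now = int(time.time()) if now is None else now
    exp = now + ttl_seconds
    sig = _tag(object_id, recipient, exp, secret)
    return f"{base}/{object_id}?" + urlencode({"to": recipient, "exp": exp, "sig": sig})


def verify_media_url(url, requester, secret=SECRET, now=None):
    """Server-side check before serving the image; returns (allowed, reason)."""
    now = int(time.time()) if now is None else now
    parts = urlparse(url)
    if parts.scheme != "https":
        return False, "plain-http link"          # the exact weakness the study found
    query = parse_qs(parts.query)
    try:
        to, exp, sig = query["to"][0], int(query["exp"][0]), query["sig"][0]
    except (KeyError, ValueError):
        return False, "missing parameters"
    object_id = parts.path.rsplit("/", 1)[-1]
    if now > exp:
        return False, "expired"                  # link no longer usable after TTL
    if requester != to:
        return False, "wrong recipient"          # authenticated user must match the link
    expected = _tag(object_id, to, exp, secret)
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"            # tampered object id, recipient or expiry
    return True, "ok"
```

The requester identity must come from the app's own session authentication, not from the link, otherwise the recipient binding is meaningless.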
Many applications also didn’t encrypt chat logs on the device, including OoVoo, Kik, Nimbuzz and MeetMe. That poses a risk if someone loses their device, Baggili said.
“Anyone who gets access to your phone can dump the backup and see all the chat messages that were sent back and forth,” he said. Other applications didn’t encrypt the chat logs on the server, he added.
Another significant finding is how many of the applications either don’t use SSL/TLS (Secure Sockets Layer/Transport Layer Security), which uses digital certificates to authenticate servers and encrypt data traffic, or use it insecurely, Baggili said.
Hackers can intercept unencrypted traffic over Wi-Fi if the victim is in a public place, a so-called man-in-the-middle attack. SSL/TLS is considered a basic security precaution, even though in some circumstances it can be broken.
OkCupid’s application, used by about 3 million people, does not encrypt chats over SSL, Baggili said. Using a traffic sniffer, the researchers could see text that was sent as well as who it was sent to, according to one of the team’s demonstration videos.
Baggili said his team has contacted developers of the applications they’ve studied, but in many cases they haven’t been able to easily reach them. The team wrote to support-related email addresses but often didn’t receive responses, he said.
Security managers have to do a lot more to stay a step ahead of determined hackers
Is there a reason that data breaches have been happening at a rapid clip lately? And is there more that we, as security managers, should be doing to make sure that our own companies don’t join the ranks of the breached?
Home Depot is the latest company to make headlines for a potentially big data breach, and it just might be the biggest one yet. The current record holder is Target, and we’ve more recently seen the company that owns grocery store chains Supervalu, Albertsons, Acme Markets, Jewel-Osco and Shaw’s compromised by hackers. J.P. Morgan and four other major banks appear to have fallen victim to security breaches. UPS stores were also hit by hackers, and several hundred Norwegian companies were compromised. These victims have joined the ranks of Neiman-Marcus, Michael’s, Sally Beauty, P.F. Chang’s and Goodwill. What’s going on?
The motivation for attacks like these is usually financial. The attackers are stealing credit card and debit card numbers, along with personal information, which they then sell in underground markets. We don’t yet know whether this is the case with the banks that were hit; those attacks may have been politically motivated, or we may learn that fraudulent transactions were used to steal money. In any case, there seems to be a big jump in electronic data theft for profit. But the stolen information is only valuable for a few days, and its value diminishes rapidly by the hour. Some security researchers are saying that this loss of value is motivating today’s data thieves to move quickly. Another factor may be Microsoft’s termination of support for Windows XP, which could be prompting hackers to go for one last all-out heist to grab what they can while many systems are still vulnerable. Perhaps, knowing that all the vulnerabilities of Windows XP would soon vanish, our thieves had a fire sale.
But I suspect there is more to the story. Most big businesses use standard security procedures and technologies that have been around for years, if not decades. Many of these defenses have not kept up with current threats. Take antivirus, for example. Signature-based malware detection has long been ineffective against modern malware, yet most companies continue to rely on it as a key defense. We know from the details of some of the retail breaches that those who have implemented advanced heuristic malware detection have ignored the alarms set off by the point-of-sale malware (for reasons I cannot fathom). Patching will always be a game of catch-up, with the attackers having the upper hand. And password-based authentication will evidently be with us forever, much as I might rail against it. Attackers use all of these to get through their victims’ defenses.
The simple fact of the matter is that attackers will always have several vulnerabilities to choose from at any potential victim they want to target. And security managers, even those who are really good at their jobs, will never be able to close every single hole. And it only takes one.
So if traditional information security practices are not enough, what else can we do? I’ve been giving that question a lot of thought lately, and I think part of the answer is to evolve our security technologies, just as the attackers evolve their techniques. That heuristic behavior-based malware detection technology I keep talking about is pretty cool, but is it still cutting-edge? It’s been around for three or four years. Is there anything newer out there? And how can we choose the right technologies that are going to be effective against emerging threats but still stand the test of time so their manufacturers will be around three years from now?
There are some new products starting to go to market, and venture capitalists are funding a lot of new security technology. I think we should all keep a close eye on them. I’m beginning to believe that in the cutthroat rivalry between attacker and defender, the best technology wins. The only way we can keep one step ahead of today’s hackers is to take two steps forward and advance our defensive capabilities to the point where we can reliably repel, or at least detect, today’s data thieves.
Is it crazy to pay $1300 for a Chromebook? Some reflections after a year and a half of living with Google’s luxurious Pixel.
When you stop and think about it, it’s kind of astonishing how far Chromebooks have come.
It was only last February, after all, that Google’s Chromebook Pixel came crashing into our lives and made us realize how good of an experience Chrome OS could provide.
At the time, the Pixel was light-years ahead of any other Chromebook in almost every possible way: From build quality to display and performance, the system was just in a league of its own. And its price reflected that status: The Pixel sold for a cool $1300, or $1450 if you wanted a higher-storage model with built-in LTE support.
Today, the Pixel remains the sole high-end device in the Chromebook world (and its price remains just as high). But the rest of the Chrome OS universe has evolved — and the gap between the Pixel and the next notch down isn’t quite as extreme as it used to be.
So how has the Pixel held up 18 months after its release, and does it still justify the lofty price? I’ve owned and used the Pixel since last spring and have evaluated almost every other Chromebook introduced since its debut.
Here are some scattered thoughts based on my experiences:
1. Hardware and design
As I said when I revisited the device a year ago, the Chromebook Pixel is hands-down the nicest computer I’ve ever used. The laptop is as luxurious as it gets, with a gorgeous design, premium materials, and top-notch build quality that screams “high-end” from edge to edge.
We’re finally starting to see some lower-end Chromebooks creep up in the realms of design and build quality — namely the original HP Chromebook 11 (though it’s simply too slow to recommend for most people) and the ThinkPad Yoga 11e Chromebook (which is sturdy and well-built but not exactly sleek) — and that’s a very good thing. In fact, that’s a large part of what Google was ultimately trying to accomplish by creating the Pixel in the first place. Think about it.
While those devices may be a step up from the status quo, though, they’re not even close to the standard of premium quality the Pixel delivers. When it comes to hardware, the Pixel is first-class through and through while other products are varying levels of economy.
The Pixel’s backlit keyboard and etched-glass trackpad also remain unmatched in their premium nature. Typing and navigating is a completely different experience on this laptop than on any other Chromebook (and, for that matter, on almost any non-Chrome-OS laptop, too).
The same goes for the Pixel’s spectacular speakers. Other Chromebooks are okay, but none is anywhere near this outstanding.
The display — man, oh man, the display. The Pixel’s 12.85-in. 2560-x-1700 IPS screen is like candy for your eyes. The vast majority of Chromebook screens (yes, even those that offer 1080p resolution) are still using junky TN panels and consequently look pretty awful. The two exceptions are the same systems mentioned above — the HP 11 and the ThinkPad Yoga 11e — but while those devices’ displays reign superior in the sub-$500 category, their low resolution is no match for the Pixel’s crystal-clear image quality.
I continue to appreciate the Pixel’s touchscreen capability to this day, too: While I certainly don’t put my fingers on the screen all the time, it’s really nice to have the ability to reach up and tap, scroll, or pinch when I feel the urge. For as much time as I spend using smartphones and tablets, it seems completely natural to be able to do that with a laptop as well. (Admit it: You’ve tried to touch a non-touchscreen laptop at some point. We all have.)
I will say this, though: The time I’ve spent recently with the Yoga 11e has definitely gotten me keen on the idea of a Chromebook being able to convert into a tablet-like setup. After using that device, I sometimes find myself wishing the Pixel’s display could tilt back further and provide that sort of slate-style experience.
3. Stamina and performance
At about five hours per charge, the Pixel’s battery life is passable but not exceptional — especially compared to the eight to 10 hours we’re seeing on some systems these days. As I’ve mused before, stamina is the Pixel’s Achilles’ heel.
Performance is where things get particularly interesting: When the Pixel first came out, its horsepower was unheard of for a Chrome OS device. I could actually use the system in my typical power-user way, with tons of windows and tabs running at the same time and no slowdowns or multitasking misery. Compared to the sluggish Chrome OS systems we’d seen up to that point, it felt like a full-fledged miracle.
The Pixel’s performance is no less impressive today, but what’s changed is that other Chrome OS systems have actually come close to catching up. These days, you can get solid performance in a Chromebook for around $200 with the various Haswell-based systems. The newer Core i3 devices give you a little more punch for around $300. Neither quite reaches the Pixel’s level of snappiness and speed, but in practical terms, they’re not too far behind.
So for most folks, performance alone is no longer a reason to own the Pixel. It’s an important part of the Pixel, for sure, but if that’s the only thing you’re interested in, you’d do far better to save yourself the cash and get a lower-end Chromebook with decent internals.
To Pixel or not to Pixel?
What is a reason to own the Pixel, then? Simple: to enjoy a top-of-the-line Chrome OS experience with all the amenities you could ask for. The device’s hardware quality and design, keyboard and trackpad, speakers, and display add up to make a wonderful overall user experience no other Chromebook can match.
As for whether it’s worth the price, well, that’s a question only you can answer. Is a high-end car worth the premium over a reliable but less luxurious sedan? For someone like me, probably not. But for someone who’s passionate about cars, spends a lot of time in a vehicle and appreciates the elevated quality, it just might be.
The same concept applies here. The Pixel remains a fantastic luxury option for users sold on the Chrome OS concept — people like me who rely heavily on cloud storage and spend most of their time using Web-centric apps and services.
Like with any luxury item, the level of quality the Pixel provides certainly isn’t something anyone needs, but its premium nature is something a lot of folks will enjoy — and that’s as true today as it was last year.