Snapchat user data exposed in huge data theft.

Image courtesy of aturkus Flickr photostream

Usernames and phone numbers for more than 4.5 million Snapchat users have been published on a website called SnapchatDB.info after attackers took advantage of an exploit disclosed on 23rd December 2013. According to TechCrunch, SnapchatDB said:
“Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does”
This is of course not the first vulnerability to be discovered in the Snapchat service or app; various methods of secretly saving photos or recovering deleted photos have already hit the headlines in recent months. Those were vulnerabilities in the app itself and would be exploited on the end-user device. This latest attack uses weaknesses in the API on the Snapchat servers themselves; the API is the method by which a Snapchat client communicates with the Snapchat service. These weaknesses allow an automated system to send an enormous number of queries to the Snapchat server in a short period of time, discovering whether or not a given telephone number exists in the Snapchat database and retrieving other information associated with that number (the numbers themselves will, of course, be mobile telephone numbers). Combined with further mining of data, for example through social media, this attack could easily be used to build a very large database of personal information for many kinds of further exploitation or resale. Although Snapchat were made aware of these vulnerabilities some months ago, GibsonSec, the publishers of the proof-of-concept exploit, claim that they are still easily exploitable, and SnapchatDB proves that point.
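The weakness described above is a lookup API that will answer "does this phone number have an account?" for any number, as many times as a client likes. As an added illustration from the defender's side (this is not code from the original post, from Snapchat or from GibsonSec), the Python below shows two layers a service owner would want: a per-client sliding-window quota that counts the numbers looked up rather than the raw request count (so batching many numbers into one request does not evade it), and an offline scan of access-log lines that flags clients exceeding that quota. The endpoint path `/lookup`, the log format, the client keys and the thresholds are all assumptions; the log lines are constructed.

```python
"""Added example: quota and detection for phone-number enumeration against a
lookup endpoint. Endpoint path, log format, client keys and thresholds are
assumptions made for this illustration, not values from the original post."""
from collections import defaultdict, deque

WINDOW_SECONDS = 3600          # assumption: one-hour sliding window
MAX_LOOKUPS_PER_WINDOW = 500   # assumption: a real address-book sync rarely exceeds this
LOOKUP_PATH = "/lookup"        # assumption: the "does this number exist?" endpoint


class LookupQuota:
    """Sliding-window quota on the number of phone numbers looked up per client."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_LOOKUPS_PER_WINDOW):
        self.window = window
        self.limit = limit
        # client key -> deque of (timestamp, numbers_looked_up) still inside the window
        self._events = defaultdict(deque)

    def allow(self, client, now, count):
        """Return True if `client` may look up `count` more numbers at time `now`.

        Counting numbers (not requests) matters: one request carrying a
        thousand numbers is the enumeration pattern, not a thousand requests.
        A rejected request is not recorded, so it does not consume quota.
        """
        q = self._events[client]
        while q and q[0][0] <= now - self.window:   # drop events that aged out
            q.popleft()
        used = sum(c for _, c in q)
        if used + count > self.limit:
            return False
        q.append((now, count))
        return True


# Constructed access-log lines: "<unix_ts> <client_key> <path> <numbers_in_request>"
SAMPLE_LOG = """\
1388534400 key-aaa /lookup 12
1388534405 key-bbb /lookup 1
1388534410 key-aaa /lookup 8
1388534420 key-ccc /lookup 1000
1388534430 key-ccc /lookup 1000
1388534440 key-ccc /lookup 1000
1388534450 key-ddd /messages 1
"""


def parse_log(text):
    """Yield (timestamp, client, path, count) tuples from the constructed log format."""
    for line in text.splitlines():
        ts, client, path, n = line.split()
        yield int(ts), client, path, int(n)


def flag_enumerators(log_text, window=WINDOW_SECONDS, limit=MAX_LOOKUPS_PER_WINDOW):
    """Replay the log through the quota; return {client: total numbers looked up}
    for every client that exceeded the limit at least once."""
    quota = LookupQuota(window, limit)
    totals = defaultdict(int)
    flagged = {}
    for ts, client, path, n in parse_log(log_text):
        if path != LOOKUP_PATH:
            continue                      # other endpoints are not enumeration vectors
        totals[client] += n
        if not quota.allow(client, ts, n):
            flagged[client] = totals[client]
    return flagged


if __name__ == "__main__":
    for client, total in flag_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {total} numbers looked up within the window, quota exceeded")
```

The same `LookupQuota` class can sit in front of the endpoint at request time; the log scan is the retrospective version for incident response, answering which clients were already harvesting before the quota existed.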

These two areas, vulnerabilities in mobile apps and vulnerabilities in APIs, are still largely under-explored by criminals, but we fully expect to see malicious exploits, rather than simple proofs-of-concept, ramping up over the coming years. We, as users, store ever more data, often belonging to other people, on our mobile devices, and app developers are very interested in getting hold of that data, as are criminals. Far too many apps routinely request (or simply steal) the data contained in your address book, for example, and far too many app users are willing to surrender this data for the dubious “pleasure” of inviting their friends to yet another social network/messaging platform. Trend Micro’s own data, collected in ongoing analysis through our Mobile App Reputation Service, reveals that more than 20% of *all* apps are consistently leaking data, and the most common data to leak are your contacts, your location, your phone number and details about the handset and SIM.

In the old days, back when rainbows were still in black & white, if a stranger were to approach you in the street asking for a copy of your address book that would doubtless strike you as a bizarre request; likewise if a shop assistant insisted on the details of 100 of your friends in return for a discount voucher. Somehow, as the data itself has become digitised and the means of transfer invisible and painless, this has become entirely acceptable behaviour. Rather than continue this erosion of privacy, users of these types of service would be better advised to use the phone for its long-neglected purpose and maybe give those same friends a call, possibly even arrange to meet up(!) and talk about the great new app you’ve discovered in person, rather than selling your friends down the river.

As a social platform, your satisfied customers are your best ambassadors. If you begin to act in ways detrimental to their best interests then a storm is certainly coming, as Path found out to their cost in the early part of 2013.

E-currency, E-wallet, staying safe into the future.

Image courtesy of epSos.de

Commerce is certainly heading ever more towards the E. While alternative digital currencies still hover on the verges of the mainstream today, the speed of their adoption indicates a positive future for e-money. Credit cards are already becoming outdated as a form factor. In fact, in many parts of the world the plastic card itself has simply become an emotionally comfortable way to get people to pay using NFC (PayPass, payWave etc.), and it does not take a large leap of faith to imagine the logical next step, e-wallets on an NFC-enabled mobile device, making the transition to the mainstream. Many financial institutions already offer NFC “stickers” to slap on the back of non-NFC-enabled devices, but the battle is still on for the dominant form factor for delivery: SD cards, external devices (stickers or sleeves), embedded hardware, Cloud (via QR) or SIM-integrated technology all have roles to play, some as short-term bridge technologies, some as the basis for longer-term solutions. For the foreseeable future, these digital links to traditional currency will vastly outnumber the alternative digital currencies.

If you do use digital currencies or NFC, how do you secure those e-wallets? Mostly e-wallets are held on mobile devices that are no strangers to vulnerabilities from an Operating System perspective. On the app front, Google’s own e-wallet was easily subverted through an escalation-of-privileges attack. The dominant platform, Android, suffers not only from vulnerabilities but also from fragmentation. This means that there are many different flavours of Android, from many different manufacturers, many of which will never see an upgrade or security patch. The mechanism for getting a patch from Google to handset is simply too convoluted, relying on both handset manufacturers and carriers to act as middlemen. Middlemen who actually have an interest in getting you to buy a new phone rather than fix your old one… Add to that the (currently) under-explored area of vulnerabilities in the apps themselves and the widespread abuse of app store platforms for spreading Trojan-type malware, and there’s a perfect storm of threat brewing for e-wallets.

Much of the burden for securing these technologies lies with app developers and handset and OS manufacturers, and perhaps the greatest step toward effective security would be the development of, and adherence to, an open standard that includes security mechanisms such as a TPM on the mobile platform. Unfortunately, Visa are already talking about waiving the need for merchants to validate their PCI compliance if 75% of their transactions originate from NFC technology!

Of course consumers have a role to play too, making sure they keep their devices physically safe, using effective device locking passwords, enabling remote lock and wipe functionality and making sure that any sensitive information (or preferably all information) is wiped from the device when it will not be in their hands for a period of time, or when they are disposing of it.

As for the Bitcoin type currencies, dividing your assets between multiple wallets and keeping the lion’s share on a secure device that is not used for regular Internet access is your best defence, breaking wallets up into “spending” and “saving” functionality. There is currently no regulator in the Bitcoin world, so every transaction is effectively final.

By 2020, we fully expect digital currency to be embedded in the economies of the early-adopter geographies, and consequently there will be a greater level of malicious interest in your digital pockets. On the security side, we would hope that those standards are more than just a pipe-dream and that effective multi-factor (biometric) authentication has, by then, been integrated into many of the sensitive transactions that we will increasingly carry out online.

For a wider look at our security predictions for 2014 and beyond, check out “Blurring Boundaries” and, of course, 2020: The Series.

GCHQ – General Chit-chat, Hazy Questions?

Photo by Jenny Mealing (jennifrog) used under Creative Commons.

Yesterday’s questioning of intelligence chiefs by Members of Parliament is a first in British history. The momentous occasion was preceded by anticipation that the three big authorities, MI5, MI6 and GCHQ, would offer an open and transparent account of the extent of their surveillance operations, in particular GCHQ, since mass data collection by the UK security agencies has been suspected, or in a few cases disclosed, for some time. However, I was struck by how little new information was actually shared and by the disappointingly weak line of questioning. One important area, for example, which wasn’t clarified at all was how the practice of sifting through who is a ‘threat’ and who isn’t is qualified; neither was the deliberate and systematic undermining of international cryptographic standards. The responses in the area of “mass data collection” even appeared to give the lie to earlier assurances that only metadata was collected and that content never was, yet that area was never explored. This assurance has now given way to a somewhat disingenuous assurance that “the people who work in GCHQ” would simply not look at the content unless sufficient justification exists. In fact, they would “leave the building” if they were asked to “snoop”… Maybe part of the obvious disconnect is that those earlier assurances came from politicians themselves rather than the intelligence community.

For any commercial entity the Data Protection Act regulates and governs the processing of personal information. Intelligence agencies and law enforcement, of course, benefit from a number of exceptions from those same rules, so it has been left indefinite who in the back rooms is looking out for the interests of the general public. A vague personal assurance that data belonging to “non-threats” is not viewed, and that candidates for GCHQ would not be employed if they were the sort to be tempted to do so, is not the same as a binding contract within a legal framework. Besides, somebody must have trusted Edward Snowden in a similar way at some point…

Speaking of Snowden, it would also have been helpful for some questions to have been asked to shed light on the relationships between GCHQ and foreign intelligence agencies; do they accept requests from other nations to hand over data on UK citizens? A recent report on mass surveillance of personal data that came to light on the same day as the inquiry shows that the NSA sent millions of records every day from internal networks to data warehouses at the agency’s headquarters. The US National Security Agency (NSA) is clearly working in collaboration with GCHQ; just how much is UK law helping the NSA to circumvent US law and vice versa, and what is the relationship here? Just for example, how does a contractor in the US, to US intelligence services, end up with access to so much highly damaging sensitive information about British spy agencies?

It will be very interesting to see how the requirements of the security agencies, which were voiced in the February 2013 response to the Draft Communications Data Bill (Intelligence Committee response, “Access to communications data by the intelligence and security Agencies” (PDF)), influence the next draft of that same bill. The somewhat chilling conclusion of that Intelligence Committee response includes the statement that:

“Any move to introduce judicial oversight of the authorisation process could have a significant impact on the Agencies’ operational work. It would also carry a financial cost. We are not convinced that such a move is justified in relation to the Agencies, and believe that retrospective review by the Interception of Communications Commissioner, who provides quasi-judicial oversight, is a sufficient safeguard.”

Of course there will be further sessions, both in camera and, hopefully, more public questioning. While it is clear that, in the interests of national security, many aspects of surveillance programmes cannot and should not be revealed, the level of public trust in the very people who have been charged with protecting our liberty is at such a low that only unprecedented steps stand any chance of restoring our faith.

It seems we truly do live in Interesting Times, which is, more often than not, a curse.