Information security digest: May’14

May 2014 appears to be very stormy and volatile in regards to information security. Still overshadowed by Heartbleed and Windows XP “official demise” from April, it has brought a lot of troubles on its own.

May 2014 proves to be extremely stormy and volatile in regards to information security: still overshadowed by Heartbleed and Windows XP “official demise” from April, it has brought a lot of troubles on its own.

Backbones tapped

Probably the most serious incident disclosed late in May came from eBay, Inc. They acknowledged its database had been compromised two months prior to the announcement, and that they had only discovered that break-in a week before.

eBay insisted financial data had not been compromised. Still, intruders have hauled away personal data. The situation had been described in detail in our blog here.

It’s important to mention that this disclosure coincided with another announcement from eBay-owned PayPal (and somewhat overshadowed it). PayPal reported they have finally plugged the hole in its Manager portal. The bug could have made it easy for an attacker to hijack an admin’s account, change their password, and steal their personal information — not to mention their savings.

 

Manager is a feature of the service that allows users to manage their Payflow account, the company’s name for the gateway  merchants use to take payments from customers. The bug’s detailed description is available here, and potentially it’s very dangerous.

To a high degree both eBay and PayPal (especially PayPal) are backbones of the world’s e-commerce. Even if hackers fail to retrieve financial data, any degree of success with attacks against them is always troubling. If their defenses are penetrated, then how secure are other e-commerce providers and portals?

Microsoft’s bugfest

Microsoft is still in hot water after Windows XP support had been cut off in April.

It didn’t take long for cybercriminals to find and start using a new zeroday in Internet Explorer, which affected all of the browsers’ versions since IE 6 and all of the Windows including XP. After some considerations Microsoft did make a tough decision to issue a patch for IE for Windows XP remaining users too, “as an exception”. Which was met with, let’s say, “mixed reviews”. Some view this step as a reluctance of private and business users to move away from an antique and insecure (even though much loved) operational system, still used by millions around the world. A handful of attacks involving new exploits targeting Windows XP users had been reported. This might have influenced Microsoft decision to make “an exception”.

ie

A week after Microsoft bulk-patched an entirety of 13 security issues in Internet Explorer and Sharepoint Server, along with Windows, Office and its .NET Framework. It was the largest patch package of 2014 so far, covering some very serious issues – and how can they be not-so-serious given the world-dominant position of Microsoft Windows, Office and ubiquitousness of .NET?

Unfortunately, less than two weeks later Microsoft was badly hit with a disclosure of IE8 zeroday vulnerability made by HP’s Zero Day Initiative. The vulnerability could enable an attacker to run arbitrary code on vulnerable machines via drive-by downloads or malicious attachments in email messages. ZDI reported the bug to Microsoft quite long ago: according to its own policy, it discloses vulnerability details after 180 days if the vendor hasn’t produced a patch. And the vendor hasn’t.

For some reason Microsoft remained tight-lipped even after the public disclosure. It acknowledged the problem, saying that some fixes are more complex than the rest, said the problem is being dealt with, but provided no details on how soon it is patched. This led to a well-expected slamfest over the Web: The vulnerability has gone without a patch for a little too long.

Bitly beetled

The link-shortening service Bitly announced that it’s ramping up its development of two-factor authentication following a compromise that leaked user information.

The breach, first discovered in mid-May, spilled users’ email addresses, encrypted (salted and hashed) passwords, API keys and OAuth tokens.

The service invalidated those credentials shortly after discovering the compromise Thursday, meaning that if users used either Facebook or Twitter to share shortened URLs, they’ll have to reconnect them the next time they log in if they want to publish through them.

Bitly is a good and widely used tool to save on links’ length (which is especially relevant in Twitter with its 140 symbols limit), which ensures its popularity. According to some data, Bitly shortens more than one billion links per month. It doesn’t charge its users for the services it provides, so there were no risks of direct financial loss. Still, identifiable personal data are in high demand among cybercriminals plotting phishing campaigns, so by no means was this incident “harmless”.

Apple Ransompie

A number of iPhone, iPad and Mac users, largely confined to Australia, discovered their devices had been “taken hostage” late in May with someone under alias “Oleg Pliss” demanding money for the unlocking code. At first this might look ridiculous: iOS based devices and ransomware, closely associated with PC and Android?

ios

Well, actually it seems there wasn’t any real ransomware infecting the devices. Someone abused Find My Phone function using stolen credentials of the end-users. It’s unclear, where have those credentials come from. Most likely the source is hacked or social-engineered iCloud accounts. Apple was quick to acknowledge the problem with remote lockings but denied that it has anything to do with iCloud:

“Apple takes security very seriously and iCloud was not compromised during this incident. Impacted users should change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services. Any users who need additional help can contact AppleCare or visit their local Apple Retail Store.” (via ZDNet).

Kaspersky Lab Expert Christian Funk said that criminals have been deploying phishing attacks to compromise Apple IDs for a couple of years now. Last year, Securelist released a research article in which another Kaspersky Lab researcher explained attackers could launch ransomware campaigns against iOS and Mac devices by accessing iCloud accounts.

Increasing number of attacks against iOS-based devices is an unpleasant but not entirely unexpected development: They are popular enough to attract criminals, and at the same time iOS is still considered safe from malware. Actually it is indeed safer from the common PC and tablet/phones threats, it is not entirely immune. The incidents described above proves it.

Alone on Spotify

Spotify reported a security breach and requested the users of its Android app change their passwords. Spotify’s CTO Oskar Stal wrote on the company’s website that the company is investigating unauthorized access to its systems and internal company data. He also wrote that certain users will be asked to reset their passwords.

spotify

Twin Design / Shutterstock.com

“Our evidence shows that only one Spotify user’s data has been accessed and this did not include any password, financial or payment information… We have contacted this one individual. Based on our findings, we are not aware of any increased risk to users as a result of this incident,” Stal wrote.

Spotify is limiting updates to only its Android users and is not recommending any action for iOS and Windows Phone users. Moreover, it preferred not to disclose anything further. This led to an “educated guess” from the experts that there must have been some sort of a proof-of-concept attack demonstrated to Spotify teams, prompting them to take wider-than-expected action. If so, this is a good example of responsible reaction to a problem. Then again, it’s all guesswork so far. Spotify decided to not disclose any details.

Tips