Another week, another discovered security flaw. This week’s flaw, dubbed “Covert Redirect,” allows cyber-attackers to disguise themselves as log-in popups based on an affected site’s domain. Social media sites are among those affected, leaving potentially millions of users at risk of having personal information stolen.
These days it seems nothing is impervious to security flaws. This week’s discovery involved the log-in tools OAuth and OpenID, leaving social-media users at risk. Facebook, Google+, LinkedIn, Microsoft and other sites commonly use the tools.
Discovered by Wang Jing, a Ph.D. student at the Nanyang Technological University in Singapore, the “Covert Redirect” flaw allows cyber-attackers to disguise themselves as a log-in popup based on an affected site’s domain.
Users taken in by the phony log-in can have their personal data released to the attacker instead of to the intended website, including name, birthdate, Social Security number or address, and other information.
Wang reported the potential issue to Facebook, which reportedly (according to CNET) told him they “understood the risks associated with OAuth 2.0,” and that “short of forcing every single application on the platform to use a whitelist,” fixing this bug was “something that can’t be accomplished in the short term.”
PayPal later announced it was not affected by the Covert Redirect flaw. “When we heard that security researchers recently discovered a vulnerability in open source login tools OAuth 2.0 and OpenID (which is widely used by many websites and web services, including some offered by PayPal), we moved quickly to determine the impact to our customers,” PayPal said on its blog. “We have carefully investigated this situation and can tell you that this vulnerability has no impact on PayPal and your PayPal accounts remain secure.”
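The “whitelist” Facebook mentions is the core of the fix: an OAuth provider should only send users (and their tokens) back to a redirect URI the client registered exactly, rather than to any URL on the client’s domain. The following is an added example, not code from the article or from any of the vendors named in it, contrasting a loose per-domain check with an exact-match allow-list. The client id and callback URL are hypothetical values constructed for the example.

```python
from urllib.parse import urlparse

# Constructed client registry: a hypothetical OAuth client and the one
# callback URL it registered (not taken from the article).
REGISTERED_REDIRECTS = {
    "client-123": {"https://app.example.com/oauth/callback"},
}


def _normalized(uri: str) -> str:
    """Canonical form for exact comparison: lower-case scheme and host,
    drop a default port, keep the path byte-for-byte."""
    p = urlparse(uri)
    host = p.hostname or ""
    default = {"https": 443, "http": 80}.get(p.scheme.lower())
    netloc = host if p.port in (None, default) else f"{host}:{p.port}"
    return f"{p.scheme.lower()}://{netloc}{p.path}"


def domain_match_redirect(client_id: str, redirect_uri: str) -> bool:
    """Loose check: accept any redirect whose scheme and host match a
    registered callback. This is the per-domain matching that lets a
    forwarding endpoint on the client's own site pass validation."""
    p = urlparse(redirect_uri)
    for registered in REGISTERED_REDIRECTS.get(client_id, ()):
        r = urlparse(registered)
        if p.scheme.lower() == r.scheme and (p.hostname or "") == r.hostname:
            return True
    return False


def strict_match_redirect(client_id: str, redirect_uri: str) -> bool:
    """Exact-match allow-list: scheme must be https, the request may carry
    no query string, fragment or userinfo, and scheme+host+port+path must
    equal a registered entry exactly."""
    try:
        p = urlparse(redirect_uri)
        if p.scheme.lower() != "https" or p.query or p.fragment:
            return False
        if p.username or p.password:
            return False
        allowed = {_normalized(r) for r in REGISTERED_REDIRECTS.get(client_id, ())}
        return _normalized(redirect_uri) in allowed
    except ValueError:  # malformed port or netloc
        return False


# Constructed sample redirect_uri values an authorization server might see.
CONSTRUCTED_REQUESTS = [
    "https://app.example.com/oauth/callback",                    # the registered callback
    "https://app.example.com:443/oauth/callback",                # same, explicit default port
    "https://app.example.com/goto?url=https://other.example/",   # same host, but a forwarding endpoint
    "http://app.example.com/oauth/callback",                     # wrong scheme
    "https://app.example.com.other.example/oauth/callback",      # lookalike host
]


def evaluate(client_id: str, uris: list[str]) -> list[tuple[str, bool, bool]]:
    """Return (uri, accepted_by_domain_match, accepted_by_strict_match)."""
    return [(u, domain_match_redirect(client_id, u), strict_match_redirect(client_id, u))
            for u in uris]


if __name__ == "__main__":
    for uri, loose, strict in evaluate("client-123", CONSTRUCTED_REQUESTS):
        print(f"loose={loose!s:5} strict={strict!s:5} {uri}")
```

The third sample is the one that matters: the loose check accepts it because the host is the client’s own, while the exact-match list rejects it because the path and query differ from what was registered. Exact matching also means a client must register every callback it uses, which is the per-application work Facebook described as not achievable in the short term.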
Noticing breaches
New research released this week found that 35 percent of 102 financial organizations and 151 retail organizations in the United Kingdom, all of which process card payments, surveyed recently said it would take as long as three days to detect a breach on their systems. Atomic Research conducted the survey, which was sponsored by Tripwire, a global provider of risk-based security and compliance management solutions.
More important, according to the 2014 Verizon Data Breach Investigations Report, 85 percent of point-of-sale intrusions took weeks to discover and 43 percent of web application attacks took months to discover.
In the Tripwire survey, 4 percent of those studied had experienced a data breach where Personally Identifiable Information was stolen or accessed by intruders, and 36 percent did not have confidence in their incident-response plan. Moreover, 51 percent of respondents were only somewhat confident that their security controls can detect malicious applications, and 40 percent said they did not believe that recent high profile cardholder breaches have changed the level of attention executives give to security.
“It is great that recent breaches have increased cyber-security awareness and internal dialogue,” said Dwayne Melancon, chief technology officer for Tripwire. “However, the improved internal communication may be biased by a false sense of security. For example, 95 percent of respondents said they would be able to detect a breach on critical systems within a week. In reality, nearly all of the recent publicly disclosed breaches have gone on for months without detection.”
Giving up?
In a move that sounds surprisingly similar to an admission of defeat at the hands of novel hackers, anti-virus software maker Symantec this week declared its intention to get out of breach prevention and focus instead on breach detection and remediation.
Within six months, the company will sell threat-specific intelligence briefings for clients so they can learn the when’s, how’s and why’s of the attacks they experience from cyber criminals. Symantec also is developing technology to scan a network for next-generation malicious software that mimics security software.
The company needs to pursue a new direction soon, as revenues have dropped for the last two quarters and are down 5 percent on the year. The company also recently ousted its CEO, the second to hold that position in as many years.
“It’s one thing to sit there and get frustrated,” says Brian Dye, Symantec’s senior vice president for information security, reports The Wall Street Journal. “It’s another thing to act on it, go get your act together and go play the game you should have been playing in the first place.”
New York reacts
New York’s Department of Financial Services is proposing bank-security audits that come on the heels of a department report that found the number of cyber-criminal attacks has been rising over the past few years and is expected to climb higher.
“With today’s growing cyber threats, we need to make sure New Yorkers’ finances are protected from online predators,” Gov. Andrew Cuomo said in a released statement. “Targeted cyber-security assessments for banks will better safeguard financial institutions from attacks and secure personal bank records from being breached.”
According to the report, 22 percent of institutions surveyed had been hit with malware during the past three years, while 22 percent had been targeted by phishing scams and 7 percent by pharming. The report also noted that 15 percent of banks reported a mobile-banking exploitation in the last few years.
While approximately 90 percent of banking institutions surveyed reported having a security framework in place, the technologies are somewhat better deployed and understood at larger institutions than at small independent banks.
Crooks most commonly use intrusions for account takeovers, although ID theft, telco network disruptions and third-party payment processor breaches are also common. About 15 percent of large banks also said they had experienced mobile-banking exploitation.
“The fact that so much of our financial lives are spent online makes banks increasingly tempting targets for cyber attacks,” noted Benjamin Lawsky, New York superintendent of Financial Services. “Hackers spend day and night trying to think up new ways to steal consumers’ personal information and disrupt our nation’s financial markets, and it’s more important than ever that we rise to meet that challenge.”
This is a bit ironic
In the months since the massive, multi-month data theft left tens of millions of customers’ data exposed, Target has been leading the industry in adopting more stringent anti-fraud mechanisms, including an accelerated adoption of chip-and-PIN (EMV) technology for its store-branded credit cards, contends one analyst.
Walmart Inc. has already implemented a chip-and-signature system, which requires users to first swipe their card, then insert it into a separate chip reader to verify the card.
“The Target decisions have set the bar for the entire industry,” analyst Scott Valentin told The Wall Street Journal.