Apple adding Two-Step Verification

Apple ID and iCloud users will soon be able to use two-step, or two-factor, authentication to verify their identity when purchasing music from iTunes or apps from the App Store.

Apple’s two-step verification forces you to validate your identity in two steps when you make iTunes or App Store purchases:
  1. The first step is entering your password when prompted.
  2. In the second step, Apple sends a verification code to one of your trusted devices. Once you enter the verification code you can complete your purchase. For example, the verification code could be sent to your phone via an SMS text message.
This two-factor verification makes it much harder for hackers to access your account through an account reset, as happened to Wired senior writer Mat Honan. (Click here to read how his account was hacked via an account reset).
The user has to define what a trusted device is ahead of time so that verification codes can be sent.
Google has also championed two-factor, or two-step, verification.
Click here to read the rest of the article on Wired.com.
If you use Apple products, click here to sign up for Two-Step verification.

Bluetooth Security – Bluejacking

I finally got around to configuring my smartphone and my car to connect to each other using Bluetooth. It’s incredibly convenient to be able to call someone or accept incoming calls by simply tapping a button on my steering wheel, which connects to my phone, which allows me to use my phone completely hands free. Bonus – no dorky headset required! This got me to thinking – just how secure is Bluetooth?

Here is a term that you may or may not have heard:

Bluejacking: The act of sending an unsolicited message, using the Bluetooth protocol, to a mobile phone, PDA or computer or other Bluetooth enabled device. This message could also be a vCard containing a message in the NAME field, using the OBEX protocol. Bluejacking sends data to the target device. It does not retrieve data.

Bluejacking is usually harmless, and was first used as a way to advertise Sony Ericsson by a Malaysian IT consultant. However, it is confusing to users, who may think their phone is malfunctioning.

Wikipedia has a nice overview of Bluejacking at: Bluejacking

Bluejacking shouldn’t be confused with Bluesnarfing or Bluebugging, which are more serious threats to Bluetooth enabled devices.

More on these later.

Researcher Discovers words that Trigger Skype Surveillance

A researcher discovered that there are certain key words that will trigger monitoring of a Skype user’s communications in the version of Skype that is designed for users in China.

Researcher Jeffrey Knockel, a computer-science graduate student at the University of New Mexico, was able to bypass the encryption of this version of Skype and uncovered the secret keyword lists used in China to monitor Skype communications. To be clear, these are keywords typed by users in the Skype text chat, not voice communications.

If a user types in a particular keyword or phrase, it triggers an alert detailing who sent the message and when, to a centralized server.

Some of the thousands of words and phrases that trigger the alert are political: “Reporters Without Borders”, “Amnesty International”, “Tiananmen slaughter”, “student demonstrations”. Others are sex and porn related: “kinky cinema”, “live nude chat”; or related to violence: “hired killer”, “Molotov cocktail”. Finally, there are other phrases that just don’t translate into English: “ancient horse recipe”, “throwing eggs”.

The rest of the story can be found here.

Fake Mandiant report is Spear Phishing campaign

Interest in the Mandiant report about China’s state sponsored hacking by Unit 61398 led to the creation of a PDF file that spoofs the original report and opens up multiple attacks on the reader’s computer.

Attackers were sending out booby-trapped files that looked like the original Mandiant report. The primary targets of the attack were Japanese and Chinese journalists. When the fake file is accessed, a decoy PDF File that resembles the original Mandiant report opens. The first four pages of the report display, and the computer that opened it becomes infected.

The goal of this spoofed report is to open up multiple attacks against anyone interested in the report who downloads what they think is the legitimate report. The following attacks might occur:

The attack communicates with a Command and Control server using the dynamic domain name expires[.]ddn[.]dynssl[.]com (brackets inserted to prevent accidental copying and pasting of the URL into a browser). Researchers at the company Seculert found this attack. Brandon Dixon of Seculert said that once executed on the target system, a new process called “AdobeArm.tmp” begins running and the original first four pages of the Mandiant APT1 report are shown. This new process waits several minutes before it contacts itsec[.]eicp[.]net:443, a domain that has been linked to attacks on human rights activists.

The second attack exploits a vulnerability in Adobe Reader and Adobe Acrobat that has recently been patched. The attachment is meant to look like the original report and is poorly written in Japanese.

The malware was created to only communicate on Tuesdays between 8 AM and 7 PM and to execute any new instructions it receives.

The filename for the genuine report is Mandiant_APT1_Report.pdf. The filename for the spoofed, infected report is Mandiant_APT2_Report.pdf.
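As an added example (not code from the post or from Seculert), here is a small Python triage check that looks for the behaviours the post reports, the dropped process name, the two C2 hostnames, the decoy filename and the Tuesday 8 AM to 7 PM check-in window, in constructed endpoint or proxy events. The event format and field names are assumptions; the indicators are the ones quoted above.

```python
from datetime import datetime

# Indicators quoted in the post, kept defanged ("[.]") so the code never contains a live C2 hostname.
C2_DOMAINS = {"expires[.]ddn[.]dynssl[.]com", "itsec[.]eicp[.]net"}
DROPPED_PROCESS = "AdobeArm.tmp"
DECOY_FILENAME = "Mandiant_APT2_Report.pdf"   # the genuine report is Mandiant_APT1_Report.pdf

def defang(host):
    """Normalise a hostname (plain or already defanged) to the defanged form used in C2_DOMAINS."""
    return host.strip().lower().replace("[.]", ".").replace(".", "[.]")

def in_beacon_window(ts):
    """True when ts falls in the reported check-in window: Tuesdays, 8 AM to 7 PM (local time)."""
    return ts.weekday() == 1 and 8 <= ts.hour < 19

def match_indicators(event):
    """Return the names of the indicators an event matches (empty list = nothing suspicious).
    event is a constructed dict with 'ts' (ISO 8601) and optionally 'process', 'dst_host', 'file'."""
    hits = []
    ts = datetime.fromisoformat(event["ts"])
    if defang(event.get("dst_host", "")) in C2_DOMAINS:
        hits.append("c2_domain")
        if in_beacon_window(ts):
            hits.append("c2_in_beacon_window")   # timing also matches the reported Tuesday schedule
    if event.get("process", "").lower() == DROPPED_PROCESS.lower():
        hits.append("dropped_process")
    # compare only the basename, whatever path separator the source used
    if event.get("file", "").replace("\\", "/").rsplit("/", 1)[-1] == DECOY_FILENAME:
        hits.append("decoy_filename")
    return hits

if __name__ == "__main__":
    # constructed sample event: 2013-03-05 was a Tuesday
    print(match_indicators({"ts": "2013-03-05T10:30:00", "process": "AdobeArm.tmp",
                            "dst_host": "itsec.eicp.net"}))
```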

There were two articles about this. The latest article, written on March 6th, can be found here. The original article, from February 21st, can be found here.

The original Mandiant report, APT1, can be found here.

Spoofing Email – Part II

Here’s more technical information about how we are going try to prevent students from spoofing email addresses.

We are implementing three policies:

  • Sender Policy Framework (SPF) – verify sender IP address.
  • DomainKeys Identified Mail (DKIM) – digital signature embedded in email is matched to a public key of the digital signature on the domain name server.
  • Domain-based Message Authentication, Reporting and Conformance (DMARC) – technical specification for performing email authentication – used by AOL, Gmail, Hotmail, Yahoo! and others who have implemented it.

I have more details below, based on information on Wikipedia:

Sender Policy Framework (SPF)

DomainKeys Identified Mail (DKIM)

Domain-based Message Authentication, Reporting and Conformance (DMARC)
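As an added worked example (not part of the original post, and not Google's or anyone's implementation), here is the receiving side of these three policies in Python: an SPF evaluator that checks the connecting IP against the sending domain's record, and a DMARC evaluator that only passes the message when an SPF or DKIM pass is aligned with the From: domain. All domains, IP ranges and DNS records are constructed placeholders; the DKIM signature result is taken as an input rather than verified, since real verification needs the published signing key.

```python
import ipaddress

# Constructed DNS TXT records for hypothetical domains (placeholders, not anyone's real records).
DNS_TXT = {
    "school.example": "v=spf1 ip4:203.0.113.0/24 include:mail.example -all",
    "mail.example": "v=spf1 ip4:198.51.100.10 -all",
    "_dmarc.school.example": "v=DMARC1; p=reject; aspf=r; adkim=s",
}
SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def org_domain(domain):
    # Toy organizational-domain rule: last two labels (real DMARC uses the Public Suffix List).
    return ".".join(domain.lower().split(".")[-2:])

def spf_check(sender_ip, domain, depth=0):
    """Evaluate the domain's SPF record for the connecting IP: pass/fail/softfail/neutral/none."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"          # no SPF published for this domain
    if depth > 10:
        return "permerror"     # guards against include: loops (RFC 7208 caps DNS lookups at 10)
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name, _, arg = mech.partition(":")
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return SPF_RESULT[qualifier]
        if name == "include" and spf_check(sender_ip, arg, depth + 1) == "pass":
            return SPF_RESULT[qualifier]
        if name == "all":
            return SPF_RESULT[qualifier]
    return "neutral"           # record ended without a match

def dmarc_check(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """DMARC: pass if SPF or DKIM passed AND that domain aligns with From:, else the owner's policy."""
    record = DNS_TXT.get("_dmarc." + from_domain) or DNS_TXT.get("_dmarc." + org_domain(from_domain), "")
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return "none"          # no policy published: receiver treats the mail as it did before DMARC

    def aligned(mode, d):      # 's' = exact match, 'r' (default) = same organizational domain
        d, f = d.lower(), from_domain.lower()
        return d == f if mode == "s" else org_domain(d) == org_domain(f)

    if (spf_result == "pass" and aligned(tags.get("aspf", "r"), spf_domain)) or \
       (dkim_result == "pass" and aligned(tags.get("adkim", "r"), dkim_domain)):
        return "pass"
    return tags.get("p", "none")   # none / quarantine / reject, as requested by the domain owner
```

Note that a spoofed message whose envelope sender is the school domain but which arrives from an IP outside the record fails SPF, and with no aligned DKIM signature the `p=reject` policy applies, which is the check the students' web form would have run into.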

Spoofing Email – Part I

I work in a high school, and we had a real world situation where email was spoofed.
Several students found a website hosted in Czechoslovakia that would allow them to enter someone’s email address into a simple text field and send out faked emails as if they were that person.

I’m sure everyone reading this post can think of several different ways to do this off the top of their heads, but these are 14 year old students we’re talking about, not exactly Lex Luthor material. The point is, they don’t need to be criminal super geniuses to do this.

The students initially sent out spoofed emails to other students by pretending to be the Registrar’s Office and listing fake disciplinary issues. Then they sent out a mass email to the entire student body, using the Dean of Student Life’s email address. The Dean was not happy at all.

So my boss, the head of the Technology Office, began working on the issue. Our email is currently hosted by Google. What we ultimately did was embed digital signatures into the headers of all email legitimately originating from the school. This digital signature has been added as another setting on our DNS server. So when our Google Email server sends or receives an email from our school, it checks for the digital signature in the header of the email, makes a call to our DNS server to confirm the email, then adds a flag to that email if there is no digital signature. When the email enters or leaves the DNS server, the source is checked. If the address is from a known blacklisted site, then another flag is added. If both flags are present, then the email is bounced.

It is entirely possible to bypass both of these precautions by editing the header of the email, but it should stop most 14 year olds from pretending to be someone they’re not.

We have encountered some issues because of this, but I’ll write about them later.

50 Million Evernote.com Passwords Reset after Breach

Following suspicious activity on their website, Evernote reset 50 million user passwords.

Evernote released a statement declaring that they discovered suspicious activity on their site and blocked it by resetting user passwords. It appeared to have been a coordinated attempt to gain access to secure areas of the Evernote site.

It appears that the hackers had gained access to usernames, passwords, and email addresses.

A company representative claims in a statement that the company caught the hackers early and that they “believe this activity follows a similar pattern of the many high profile attacks on other Internet-based companies that have taken place over the last several weeks.”

According to Wikipedia, Evernote is a suite of software and services designed for note taking and archiving.

Patrick LaForge, an editor at the New York Times quipped, “The least the Evernote hackers could do is organize my folders of random clipping and wine label photos.”

Click here for a link to the story on Wired.com.

Leaky Websites Forward Your Data to Others

The New York Times has a story about researchers at Stanford who have uncovered a number of “leaky” websites that cavalierly hand over your information to other websites.

  • For example, if you go to the Wall Street Journal’s website, and log in with the wrong password, your email address is sent to seven other unrelated companies.
  • If you sign into an NBC website, seven additional companies can capture your email address.
  • If you just click on a Home Depot ad, your user ID and first name are forwarded to 13 other companies.

The Stanford study that categorized “Leaky Websites” noted five ways in which a user’s identity may be associated with third-party web tracking data:

  1. A third party is also a first party, e.g. Facebook, Twitter, or Google+.
  2. A first party hands off (“leaks”) identifying information to a third party.
  3. A third party buys identifying information from a “matching service.”
  4. A third party exploits a security vulnerability to learn a user’s identity.
  5. A third party “deanonymizes” its data by matching it against identified data.

Personally, I think it’s awful. I believe that there is an expectation that the information you provide one company ought to stay with that company. If other companies want my information, they can ask me for it (and I’ll tell them NO!) I also know that this isn’t the way things currently work.

Here’s the link to the Stanford Study. It’s eye-opening, and you should at least skim through it.

Here’s the link to the Leaky Website story on the New York Times.