Data Security

Surveillance Attack on WhatsApp

It has been reported that a surveillance attack on Facebook’s WhatsApp messaging app was what recently prompted the company to urge all of its 1.5bn users to update their apps.

What Kind of Attack?

Technical commentators have identified the attack on WhatsApp as a ‘zero-day’ exploit used to load spyware onto the victim’s phone.  Once WhatsApp has been hijacked and the spyware is running on the device, it can, for example, read chats (WhatsApp’s end-to-end encryption protects messages in transit, not on a phone that has itself been compromised), access photos, contacts and other information, eavesdrop on calls, and even turn on the microphone and camera.  It has been reported that the exploit can also alter the call logs to hide the method of infection.

How?

The attack is reported to use WhatsApp’s voice calling function to ring a target’s device. The surveillance software can be installed even if the target does not answer the call, and the call can then be wiped from the device’s call log.  The exploit relies on a buffer overflow weakness in WhatsApp’s VoIP stack: data in a crafted call writes past the end of the buffer set aside for it and overwrites other parts of the app’s memory, which is what allows the attacker to install the spyware.

It has been reported that the vulnerability is present in the Google Android, Apple iOS, and Microsoft Windows Phone builds of WhatsApp.

Who?

According to reports in the Financial Times, which broke the story of the WhatsApp attack (first discovered earlier this month), Facebook had identified the likely attackers as a private Israeli company, The NSO Group, which is part-owned by the London-based private equity firm Novalpina Capital.  According to reports, The NSO Group are known to work with governments to deliver spyware, and one of their main products, Pegasus, can collect intimate data from a targeted device.  This can include capturing data through the microphone and camera, and gathering location data.

Denial

The NSO Group have denied responsibility.  NSO has said that their technology is only licensed to authorised government intelligence and law enforcement agencies for the sole purpose of fighting crime and terror, and that NSO wouldn’t or couldn’t use the technology in its own right to target any person or organisation.

Past Problems

WhatsApp has been in the news before for less than positive reasons.  For example, back in November 2017, WhatsApp was used by ‘phishing’ fraudsters to circulate convincing links for supermarket vouchers in order to obtain bank details.

Fix?

As a result of the attack, as well as urging all of its 1.5bn users to update their apps, engineers at Facebook have created a patch for the vulnerability (CVE-2019-3568).  The app update is how that patch reaches users: a copy of WhatsApp that has not been updated remains exposed to the flaw, so the advice to update should be treated as a requirement rather than a precaution.

What Does This Mean For Your Business?

Many of us think of WhatsApp as an encrypted messaging app, and therefore somehow more secure. End-to-end encryption protects messages while they travel between devices; it cannot protect a phone on which spyware is running, because the spyware reads the messages after WhatsApp has decrypted them.  This story also suggests that the vulnerability is likely to have existed for some time.  Although it is not clear how many users have been affected by this attack, many tech and security commentators think that it may have been a focused attack on a select group of people.

It is notable that many attacks are now reported to be linked in some way to states and state-sponsored groups rather than individual actors, and the pressure is on the big tech companies to find ways to guard against these more sophisticated and evolving threats, which are potentially large in scale.  It is also notable that individuals could be targeted by malware delivered in a call the recipient never answers, which opens up the potential for new kinds of industrial espionage and surveillance.

Proposed Legislation To Make IoT Devices More Secure

Digital Minister Margot James has proposed the introduction of legislation that could make internet-connected gadgets less vulnerable to attacks by hackers.

What’s The Problem?

Gartner predicts that there will be 14.2 billion ‘smart’, internet-connected devices in use worldwide by the end of 2019.  These devices include connected TVs, smart speakers and home appliances. In business settings, IoT devices can include elevators, doors, or whole heating and fire safety systems in office buildings.

The main security issue with many of these devices is that they ship with pre-set default passwords, typically the same for every unit of a product and sometimes impossible to change.  A password that is the same on every unit only needs to be discovered once; once cybercriminals have it, the devices can be accessed in order to steal personal data, spy on users or take remote control of them for misuse.

Also, IoT devices are deployed in many systems that link to and are supplied by major utilities e.g. smart meters in homes. This means that a large-scale attack on these IoT systems could affect the economy.

New Law

The proposed new law to make IoT devices more secure, put forward by Digital Minister Margot James, would do two main things:

  • Force manufacturers to ensure that IoT devices come with unique passwords.
  • Introduce a new labelling system that tells customers how secure an IoT product is.

The idea is that products will have to satisfy certain requirements in order to get a label, such as:

  • Coming with a unique password by default.
  • Stating for how long security updates would be made available for the device.
  • Giving details of a public point of contact to whom cyber-security vulnerabilities may be disclosed.

Not Easy To Make IoT Devices Less Vulnerable

Even though legislation could put pressure on manufacturers to try harder, technical experts and commentators have pointed out that it is not easy for manufacturers to make internet-enabled/smart (IoT) devices secure because:

Adding security to household internet-enabled ‘commodity’ items costs money. That cost would have to be passed on to the customer in higher prices, which would make the product less competitive. Security is therefore often sacrificed to keep costs down: sell now and worry about security later.

Even when a security problem is found in a device, the firmware (the device’s own software) is not always easy to update, and there are costs involved in providing updates which manufacturers of lower-end devices may not be willing to incur.

Devices that are infrequent and long-lasting purchases, e.g. white goods, tend to be kept until they stop working, and we are unlikely to replace them because of a security vulnerability that is not fully understood. Such devices are therefore likely to remain exploitable by cybercriminals for a long time, which is why the proposed label’s statement of how long security updates will be provided matters as much as the unique password.

What Does This Mean For Your Business?

Introducing legislation that only requires manufacturers to make relatively simple changes, ensuring that smart devices come with unique passwords and are labelled with security and contact information, sounds as though it shouldn’t be too costly or difficult.  The pressure of having, by law, to display a label that indicates how secure the item is could provide that extra motivation for manufacturers to make the changes, and could be very helpful for security-conscious consumers.

The motivation for manufacturers to make the changes to the IoT devices will be even greater when faced with the prospect of retailers eventually being barred from selling products that don’t have a label, as is the plan with this proposed legislation.

The hope from cybersecurity experts and commentators is that the proposal isn’t watered-down before it becomes law.

G7 Cyber Attack Simulation To Test Financial Sector

The G7 nations will be holding a simulated cyber-attack this month to test the possible effects of a serious malware infection on the financial sector.

France

The attack simulation was organised by the French central bank under France’s presidency of the Group of Seven nations (G7).  The three-day exercise aims to demonstrate the cross-border effects of such an attack and will involve 24 financial authorities from the seven countries, comprising central banks, market authorities and finance ministries.  It has been reported that representatives of the private sector in France, Italy, Germany and Japan will also participate in the simulation.

Why?

A report published in March by the Carnegie Endowment for International Peace (co-developed with British defence company BAE Systems) found that state-sponsored cyber attacks on financial institutions are becoming more frequent, and increasingly cause destructive and disruptive damage rather than just theft.

The report highlighted how, of the 94 cases of cyber attacks reported as financial crimes since 2007, the attackers behind 23 of them were believed to be state-sponsored.  Most of these state-sponsored attacks are reported to have come from countries such as Iran, Russia, China and North Korea.

The report pointed out that the number of cyber attacks linked to nations jumped to six in 2018 from two in 2017 and two in 2016.

State-sponsored attacks can take the form of direct nation-state activity and/or proxy activity carried out by criminals and “hacktivists”.

State-Sponsored Attacks – Examples

An example of the kind of state-sponsored hacking that has led to the need for simulations is the attack by North Korean hackers on the Bank of Chile’s ATM network in January, the result of which was a theft of £7.5 million.

Also, in 2018 it was alleged that North Korean hackers accessed the systems of India’s Cosmos Bank and took nearly $13.5 million in simultaneous withdrawals across 28 countries.

As far back as 2016, North Korean hackers took $81 million after breaching Bangladesh Bank’s systems and using the SWIFT network (Society for Worldwide Interbank Financial Telecommunication).  The perpetrators sent fraudulent money transfer orders to the Federal Reserve Bank of New York, where the Dhaka bank holds an account.

What Does This Mean For Your Business?

The escalation in state-sponsored attacks on bank systems in recent years is the real reason why banks, in addition to fending off cybercriminals from many individual sources, have noted an evolution of the threat that has forced them to focus on sector-wide and system-wide risks.

As customers of banks, businesses are likely to be pleased that banks, which traditionally have older systems, are making a real effort to ensure that they are protected from cyber-attacks, particularly the more sophisticated and dangerous state-sponsored cyber-attacks.

Data Breach Report A Sharp Reminder of GDPR

The findings of Verizon’s 2019 Data Breach Investigations Report have reminded companies that let customer information go astray that they could be facing big fines, and damaging publicity.

The Report

The annual Verizon Data Breach Investigations Report (DBIR) draws upon information gained from more than 2,000 confirmed breaches that hit organisations worldwide, and information about more than 40,000 incidents such as spam and malware campaigns and web attacks.

Big Fines

The report reminds companies that although personal data can be stolen in seconds, the effects can be serious and long-lasting. In addition to the problems experienced by those whose data has been stolen (who may then be targeted by other cybercriminals as the data is shared or sold), the company responsible for the breach can, under GDPR, face fines of up to 4 per cent of its global annual turnover (or €20 million, whichever is higher) if it is judged not to have done enough to protect personal data or to respond properly after a breach.

Senior Staff Hit Because of Access Rights

It appears that senior staff are currently a favourite target of cybercriminals.  This is likely to be because of the high-level access that can be exploited if criminals steal an executive’s credentials: once stolen, a senior executive’s account could be used, for example, to request and authorise payments to criminal accounts. The report also highlights that senior executives are particularly vulnerable to attack when using their mobile devices.

Booby Trap Emails Less Successful

The report also states that sending booby-trapped emails (emails carrying malicious links) is proving less successful for cybercriminals, with only 3 per cent of those targeted falling victim and a click rate of only 12 per cent.

What Does This Mean For Your Business?

The report is a reminder that paying attention to GDPR compliance should still be a very serious issue that’s given priority and backing from the top within companies, as one data breach could have very serious consequences for the entire company.

Senior executives need to ensure that there is a clear verification and authorisation procedure in place, known to all accounts/finance staff, for requests to send substantial payments, even if the request appears to come from the senior executives themselves, including via their personal email. The verification should use a different channel from the one the request arrived on, e.g. a phone call to a number already on file. A criminal who holds a senior executive’s credentials can also sit in the middle of that executive’s correspondence, reading and altering messages such as invoices before they reach the intended recipient.

Executives and staff need to be aware that, if a high-level email address has been compromised, the first they may know of it is when funds are taken, so cybersecurity training, awareness and policies need to be communicated to and followed by all staff, right up to the top level.

The low level of booby trap emails being successfully deployed could be a sign that businesses are getting the message about email-based threats, or it could be that criminals are focusing their attention elsewhere.

Google Offers Auto-Delete of History After Three Months

Google is joining tech giants Facebook and Microsoft in offering users greater privacy over their data: Google will give its users the option to automatically delete their search and location history after three or eighteen months.

What’s The Problem?

According to Google, feedback has shown that users want simpler ways to manage or delete their data, and web users have become more concerned about data privacy after several high-profile incidents, most notably the revelation in 2018 that the profile data of some 50 million Facebook users, harvested from 2014 onwards, had been obtained by analytics company Cambridge Analytica.

The Change

Google already offers tools to help users manually delete all or part of their location history or web and app activity.  The addition of the new tool, which is scheduled to happen “in the coming weeks” will enable users to set up auto-delete settings for their location history, web browsing and app activity.

With the new tool, users will be able to select how long they want their activity data to be saved for – three months or eighteen months – after which time Google says the data will automatically be deleted from the user’s account.

The new automatic deletion will be optional, and the manual deletion tools will remain.

Facebook and Microsoft

At the beginning of May, Microsoft announced several new features intended to improve privacy controls for its Microsoft 365 users, with a view to simplifying its data privacy policies.

Also, Facebook’s Mark Zuckerberg recently announced a privacy-focused road map for the social network.

Google’s Tracking Questioned

Back in 2018, the ‘Deceived By Design’ report by the government-funded Norwegian Consumer Council accused tech giants Microsoft, Facebook and Google of being unethical by leading users into selecting settings that do not benefit their privacy.

In November 2018, Google’s tracking practices for user locations were questioned by a coalition of seven consumer organisations who were reported to have filed complaints with local data protection regulators. Although Google says that tracking is turned off by default and can be paused at any time by users, the complaints focused on research by a coalition member who claimed that people are forced to use the location system.

Furthermore, research by internet privacy company DuckDuckGo in December 2018 led to a claim that Google search results are still personalised even when users are logged out of Google or using Chrome’s Incognito mode, meaning that Incognito does not prevent that kind of tracking.

What Does This Mean For Your Business?

The introduction of GDPR and high-profile privacy incidents such as the Facebook and Cambridge Analytica scandal have made us all much more aware of (and more protective of) our personal data and of how it is collected, stored and used by companies and other organisations. It is no surprise, therefore, that feedback to Google showed that users want greater control and privacy. The announcement of the new (optional) automatic deletion tool also gives Google some good data-privacy PR at a time when other tech giants such as Facebook and Microsoft have also been seen to make privacy improvements for their users. Note that because the feature is optional, the default remains to keep the data: the auto-delete setting has to be switched on by the user.

Current details about how to manually delete your Google data can be found here https://support.google.com/websearch/answer/465?co=GENIE.Platform%3DDesktop&hl=en and the ‘My Activity’ centre for your Google account, where you will most likely be able to make your automatic settings can be found here: https://myactivity.google.com/.

Microsoft’s Move Away From Passwords Towards Biometrics

In a recent interview with CNBC, Microsoft’s Corporate Vice President and Chief Information Officer Bret Arsenault signalled the corporation’s move away from passwords on their own as a means of authentication, towards biometrics and a “passwordless future”.

Passwords – Not Enough On Their Own

Many of us are now used to two-factor authentication, e.g. receiving a code by text message or using an app such as Google Authenticator, as a second check alongside a password.  Mr Arsenault also notes that hacking methods such as “password spraying”, where attackers try a handful of the most commonly used passwords against a large number of accounts at once (staying below each account’s lockout threshold, which is why per-account lockout alone does not stop it), are still effective and highlight the weakness of relying on passwords alone.  He highlights how damaging this can be for businesses, where a hacker who obtains one employee’s password and identity can use it to gain access to a whole network. This is one of the reasons why many businesses, including Microsoft, are moving away from the whole idea of passwords.

Setting Example – Biometrics

Microsoft is one of the most-attacked companies in the world, and this, combined with reports of the billions of password hack incidents worldwide, have driven the company to move beyond passwords.

For example, 90% of Microsoft’s 135,000 workforce can now log into the company’s corporate network without passwords using biometric technology such as facial recognition and fingerprint scanning via apps such as ‘Windows Hello’ and the ‘Authenticator’ app.

Also Uses Federated Cybersecurity

In addition to rejecting passwords for biometrics, Microsoft also uses a federated cybersecurity model.  This means that each Microsoft product has its own head of cybersecurity and that ethical hackers are actively encouraged to attack the company’s networks and products to test for flaws.

Scrapping Password Expiration Policies

Microsoft has announced that it is scrapping its password expiration policies in Windows 10, arguing that periodic password expiration is an out-of-date method of data protection: forcing users to change passwords that have not been compromised tends to produce weaker, predictable variations of the old one.  Once the Windows 10 May 2019 Update has been rolled out, users will no longer be forced by Microsoft’s security baseline to change their passwords every few months; the recommended approach is instead to change a password when there is evidence that it has been exposed.

Other Tech Companies Moving Away From Passwords

Other tech companies known to be moving away from passwords towards biometrics and other methods include Google, which has been testing USB security keys that plug into customers’ computers and provide a second factor of authentication, and Cisco, which acquired two-factor authentication start-up Duo in 2018.

What Does This Mean For Your Business?

As Microsoft points out, multi-factor authentication is more secure than relying on just a password, as password spraying and credential stuffing are widely used and still yield good results for hackers.  As a recent National Cyber Security Centre (NCSC) survey has shown, many people still rely upon weak passwords, with ‘123456’ featuring 23 million times, making it the most widely-used password on breached accounts. There is a strong argument, therefore, for many businesses to look, as Microsoft is, towards more secure methods of authentication such as biometrics and hardware keys, and towards a “passwordless future”.  Note that with Windows Hello the biometric itself never leaves the device: it unlocks a cryptographic key held on that device, so there is no shared secret on a server for an attacker to spray or stuff.

Although biometrics make things very difficult for cybercriminals, they have not proven infallible.  For example, a Reddit user recently claimed to have used a 3D printer to clone a fingerprint and then used that fake fingerprint to beat the in-display fingerprint reader on a Samsung Galaxy S10. There was also the report of the Twitter user who claimed to have fooled the Nokia 9 PureView’s fingerprint scanner using somebody else’s finger, and then just a packet of chewing gum, and the incident back in May 2017 where a BBC reporter said that he had been able to fool HSBC’s biometric voice recognition system by passing his brother’s voice off as his own.

There is no doubt that the move away from passwords to biometrics is now underway, but we are still in the relatively early stages.

Chrome For Android ‘Fake Address’ Phishing Risk Discovered

Developer James Fisher has reported that small changes could be made to Chrome for Android that could enable fake URLs to be displayed and users to be ‘jailed’ in a fake browser, thereby leaving them vulnerable to being duped into visiting fake, malicious pages.

Fake URL Display

Mr Fisher explains on his website about the possible new phishing method here: https://jameshfisher.com/2019/04/27/the-inception-bar-a-new-phishing-method/ .

According to Mr Fisher, if you visit his page URL (as shown above) on Chrome for mobile (Android) and scroll a little way, the page displays itself as hsbc.com.  He reports that this is because, as a result of the few small changes he has made, the page is able to ‘jail’ the user into a ‘fake’ browser. Mr Fisher’s website includes a video of how scrolling leads to the fake URL being displayed.

How?

Mr Fisher explains on his website that, using his method in Chrome for mobile, once a user arrives at a web page that they believe to be trustworthy and scrolls down so that the real URL bar is hidden, the page can switch them into a fake browser.  The ‘jailed’ user is then shown either an inserted screenshot of Chrome’s URL bar as it would appear on another website (HSBC in his demonstration), or a forged ‘inception bar’ built to match whichever browser the page detects it is running in.  Either way, the user is tricked into seeing the URL of a page they are not actually on.

Mr Fisher also explains that, as part of trapping the user in a “scroll jail”, he was able to include a very tall padding element at the top of the page, so that if the user tries to scroll up into the padding they are simply scrolled back down to the start of the content, which looks like a page refresh and stops the real URL bar from reappearing.  In the wrong hands, this whole process could dupe a user and trap them on a malicious page.

Phishing Risk

The obvious risk is that this could be used as a phishing method i.e. directing users to a fake page to enable sensitive data to be stolen or to direct users to a page loaded with malware.

What Does This Mean For Your Business?

At least now that the potential security risk has been discovered, explained and demonstrated, this should give Google the opportunity to close this loophole, thereby reducing the risk to users of Chrome for mobile. Although (at the time of writing) there is no fix as yet from Google, Mr Fisher has suggested that one fix could be for Google to retain a small amount of screen space above what he describes as the “line of death”, rather than giving up all screen space to the web page. This could make space for Chrome to signal that ‘the URL bar is currently collapsed’.

Back in December, research by internet privacy company DuckDuckGo was reported to show that Google search results were still personalised even when users were logged out or using Chrome’s Incognito mode. Also, in February this year, there were more PR woes for Google when the discovery of a microphone in Google’s Nest Guard product that was not listed in the tech spec (put down by Google to an erroneous omission) caused a backlash that escalated to the US Congress.

123456 Still A Popular Password

A study by the UK’s National Cyber Security Centre (NCSC) into breached passwords has revealed that 123456 featured 23 million times, making it the most widely-used password on breached accounts.

Top Five Easy-To-Guess Passwords

The study, which analysed public databases of breached accounts to discover which words, phrases and strings were most popularly used, also found that the second-most popular string was 123456789, and that the words “qwerty” and “password”, and the string 1111111 all featured in the top five most popular breached passwords.

Names & Football Teams

The study revealed that people routinely use first names and the names of their favourite football teams as passwords, making them easy to crack from a short word list.  For example, the most common names among breached passwords were Ashley, Michael, Daniel, Jessica and Charlie, and the most common football team password was ‘liverpool’, followed by ‘chelsea’.

Not Confident

The NCSC study also found that 42% of those surveyed expected to lose money to online fraud, and that only 15% said that they were confident that they knew enough to be able to protect themselves online.

Big Risk – Password Reuse

The study also found that fewer than half of those surveyed used a separate, strong password for their main email account.  The risk of using the same password across multiple accounts and platforms is that if one of them is compromised, cyber-criminals will sell your login details on and/or use ‘credential stuffing’ tools, which automatically try the stolen email/password pairs against many other websites.  The main email account matters most because it is where password resets for every other account are sent.

Stolen credentials are also routinely used in phishing attacks e.g. to send malicious emails to a victim’s list of contacts, and in targeted digital identity attacks, where the breached credentials are used to steal a victim’s entire digital identity, steal their money, or even to compromise their social media network data.

Passwords on Hacking Forums

As revealed back in January by security researcher Troy Hunt of ‘Have I Been Pwned’ service, 772,904,991 unique email addresses, and 21,222,975 unique passwords are already being shared on hacking forums as part of a collection of credentials stolen from multiple sites, dubbed Collection #1.

This highlights the importance of not reusing passwords between websites, and of changing a password as soon as there is reason to believe it has been exposed.

What Does This Mean For Your Business?

This story highlights the importance of always using strong, unique passwords and of changing them promptly when they are known to have been breached. Reusing the same usernames and passwords on multiple websites gives criminals using credential stuffing an easy route to your data.

Managing multiple passwords in a way that is secure, effective, and doesn’t rely on memory is difficult, particularly for businesses with many sites to manage. One easy-to-use tool that can help is a password manager.  Typically, these can be installed as browser plug-ins that handle password capture and replay: when logging into a secure site they offer to save your credentials, and on returning to that site they can fill those credentials in automatically. Password managers can also generate new passwords when you need them and paste them into the right places, as well as syncing your passwords across all your devices. Examples of popular password managers include Dashlane, LastPass, Sticky Password and Password Boss; Zoho Vault and Keeper Password Manager & Digital Vault also offer password vaults integrated with other business programs and CRMs.

The new version of the Chrome browser (69) also has an improved password manager, which could help those who still appear to rely upon using very weak passwords e.g. 123456, password, 12345678 and qwerty.  The Chrome 69 password manager suggests passwords incorporating at least one lowercase character, one uppercase character and at least one number, and where websites require symbols in passwords it can add these. Users can also manually edit the Chrome-generated password, and when Google is generating the password, every time users click away from its suggestion, a new one is created. Chrome 69 can store the password on a laptop or phone so that users don’t have to write it down or try and remember it (if they are using the same device).

If you’re worried that people in your business may currently be using passwords that have already been stolen, you can find the list of breached passwords (from Troy Hunt of ‘Have I Been Pwned’, also offered as NTLM hashes so that it can be checked against a Windows domain) here:  https://www.troyhunt.com/pwned-passwords-now-as-ntlm-hashes/  and Mr Hunt provides some answers to popular questions about the stolen passwords in the ‘FAQs’ section of his blog post here: https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/.
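The practical check that follows from the NCSC findings and the Pwned Passwords list above is to test a candidate password against the breached set without ever sending the password itself. The Python below is an added example written for this page (not code from Have I Been Pwned or the NCSC); it implements the service’s k-anonymity range model, in which only the first five hex characters of the password’s SHA-1 hash are sent and the match is made locally, against a small constructed corpus with made-up counts so that it runs offline. The live lookup function targets the real api.pwnedpasswords.com range endpoint but is not called by the offline demonstration.

```python
import hashlib
import urllib.request

# Constructed stand-in for the Pwned Passwords corpus. The counts are made up
# for this example and are not taken from the real data set.
CONSTRUCTED_BREACHED = {
    "123456": 23_000_000,
    "123456789": 7_700_000,
    "qwerty": 3_900_000,
    "password": 3_600_000,
    "liverpool": 280_000,
}


def sha1_hex(password):
    """Pwned Passwords is keyed on the uppercase hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


_CORPUS = {sha1_hex(p): n for p, n in CONSTRUCTED_BREACHED.items()}
PREFIXES_SENT = []  # records exactly what the "server" gets to see


def simulated_range_lookup(prefix):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    The server receives only the first 5 hex characters of the hash and returns
    'SUFFIX:COUNT' lines for every hash in the corpus that shares the prefix."""
    PREFIXES_SENT.append(prefix)
    return "\r\n".join(f"{h[5:]}:{n}" for h, n in _CORPUS.items() if h.startswith(prefix))


def live_range_lookup(prefix):
    """Real query to the public range endpoint (needs network; not used by the
    offline demonstration). Same response format as the simulated lookup."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breached-password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, range_lookup=simulated_range_lookup):
    """Return how many times the password appears in breaches (0 if unseen).
    Only the 5-character prefix leaves this function; the suffix comparison is
    done locally, so neither the password nor its full hash is disclosed."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def is_acceptable(password, min_length=8, range_lookup=simulated_range_lookup):
    """Policy check a signup or password-change form can apply: reject anything
    already in the breached set, however long it is, and anything too short."""
    return len(password) >= min_length and pwned_count(password, range_lookup) == 0


if __name__ == "__main__":
    for candidate in ("123456", "liverpool", "correct-horse-battery-staple-2019"):
        print(candidate, "seen", pwned_count(candidate), "times;",
              "acceptable" if is_acceptable(candidate) else "rejected")
    print("prefixes the server saw:", PREFIXES_SENT)
```

Swapping `simulated_range_lookup` for `live_range_lookup` turns this into a real check against the public service; the same prefix-only behaviour applies, which is what makes it safe to run against candidate passwords typed into your own systems.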

Fake Finger Fools Fool-Proof Phone

A Reddit user claims to have used a 3D printer to clone a fingerprint and then use the fake fingerprint to beat the in-display fingerprint reader on a Samsung Galaxy S10.

Fingerprint Scanner

The Galaxy S10 and S10+ phone models have an ultrasonic fingerprint scanner embedded in the screen that uses sound waves to build a 3D map of the owner’s fingerprint; the owner then unlocks the phone by placing that finger on the sensor area at the bottom centre of the screen.

Made Fake Finger

The Reddit user, known only as ‘darkshark9’ claimed in a proof-of-concept uploaded to Imgur that they had been able to unlock their own Galaxy S10 phone using a fake finger that had been made using a photograph (taken using the Galaxy S10’s camera) of their own fingerprint on a wine glass.  The mystery ‘darkshark9’ claimed that they had used Adobe Photoshop and Autodesk 3ds Max to work on the photograph and had then used an AnyCubic Photon LCD resin 3D home printer (costing less than £400) to make a physical replica of the fingerprint.

It has been reported that it took ‘darkshark9’ less than 15 minutes to make the fake fingerprint that opened the phone.

Fingerprint Fear

This means that a person with the same equipment who could obtain a photo of a fingerprint from an object such as a glass or phone at close range, or using a higher-quality DSLR camera (perhaps even from across the room), could potentially break into a fingerprint-protected phone quickly and steal personal data, access apps, etc.

What Does This Mean For Your Business?

Many security experts agree that biometric security as a primary unlock method is less secure than a password or PIN, although it is more convenient and liked by many users.  In the case of the Galaxy S10, although it was reportedly fooled by the fake finger, its scanner maps the user’s fingerprint using ultrasonic sound waves, which is harder to defeat than the optical sensors used by some other phones that can be fooled by a paper printout of a fingerprint.  The broader caveat is that a fingerprint, unlike a password, cannot be changed once a usable copy of it exists.

Having a fingerprint scanner / sensor on the phone is better than having nothing at all, as is the case with many people who leave their phones unlocked all the time rather than having to type in a PIN or password.

This is not the first time that phone biometric security measures have been defeated.  For example, it is also claimed that the S10’s facial recognition (because it uses cameras rather than infrared sensors) can be fooled by another phone playing a video of the S10 owner’s face.

Also, in a Twitter thread, Manchun Wong claimed that she was able to fool her brother’s S10 facial recognition scanner using her own face, presumably because of sibling resemblance. This is reminiscent of a case back in 2017 when BBC ‘Click’ reporter Dan Simmons reported that he had been able to fool HSBC’s biometric voice recognition system by passing his brother’s voice off as his own.

Biometric security on phones clearly has some way to go before its effectiveness lives up to the promise, and for the time being, although less convenient, a password or PIN may be the safer primary unlock method.

HTTPS Security Vulnerabilities Found

Research teams at Ca’ Foscari University of Venice and TU Wien in Austria have discovered security vulnerabilities in the TLS encryption used by 5.5% of the top 10,000 HTTPS sites, which could leave website visitors vulnerable to attack.

What Is TLS?

Transport Layer Security (TLS) is one of the two security protocols (the other being its predecessor, SSL) used in HTTPS to encrypt the data between your browser and the web servers it communicates with. The visual sign in a browser that this secure connection is in place is a green padlock symbol.

HTTPS should secure communication over the Web by providing a cryptographic protection layer that protects the confidentiality and integrity of communication and enables client/server authentication.

The Research

The recent research, carried out on top-ranking HTTPS sites (ranked by Amazon’s Alexa analytics company), uncovered a number of potentially exploitable TLS vulnerabilities in 5,574 hosts that could be broadly grouped into three risk categories:

  1. 4,818 were found to be vulnerable to ‘man-in-the-middle’ attack (MITM). As the name suggests, this kind of attack involves a third party being able to intercept and tamper with communications – in this case between the web server and the user’s browser.
  2. 733 were found to be vulnerable to full decryption.  In this case, attackers could decrypt all the traffic passing to and from those hosts.
  3. 912 were found to be vulnerable to partial decryption.

The vulnerabilities identified include:

  • 898 websites classed as fully compromisable, including e-commerce sites, e-banking services and other major websites.
  • 10% of login forms having confidentiality issues.
  • 412 websites possibly subject to cookie theft, exposing users to session hijacking, and 543 websites subject to cookie integrity attacks.

Green Padlock Still Showing

The vulnerabilities identified by the researchers were present even though the green padlock symbol was still showing in the browser.  This means the vulnerabilities are neither fixed nor even detected by the browser’s defence layer, and are not flagged to the user.

The Causes

The vulnerabilities are thought to be caused by a combination of issues in how each site’s TLS encryption has been implemented and a failure to patch known bugs.  Notably, most of the issues are not on the site’s own server but on external or related-domain hosts, i.e. other hosts under the same domain (such as subdomains, which can set cookies for the parent domain) or hosts from which the site loads content.
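The cookie theft and cookie integrity figures above, and the role of related-domain hosts, come down to how a site scopes its cookies. A session cookie without the Secure flag can be captured by anyone who can force a plain-HTTP request, and a cookie scoped with a Domain attribute, or without the `__Host-` prefix, can be set or overwritten by any host under the same domain. The following audit script is an added example and is not part of the research paper or of any product; it applies the standard cookie-attribute rules (Secure, HttpOnly, SameSite, Domain, and the `__Host-` prefix requirements of Secure, no Domain and Path=/) to constructed sample Set-Cookie headers. The "session-like" name heuristic (`session`, `sess`, `auth`, `token`) is an assumption used to decide which cookies count as session cookies.

```python
"""Audit Set-Cookie headers for cookie theft and cookie integrity weaknesses.

Added illustrative code, not from the Ca' Foscari / TU Wien research.
The sample headers at the bottom are constructed for this example.
"""
from dataclasses import dataclass, field

# Assumption: cookies whose names contain one of these fragments are
# treated as session/authentication cookies and held to a stricter bar.
SESSION_LIKE = ("session", "sess", "auth", "token")


@dataclass
class CookieFinding:
    name: str
    issues: list = field(default_factory=list)


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookie(header: str) -> CookieFinding:
    """Return the weaknesses found in one Set-Cookie header."""
    cookie = parse_set_cookie(header)
    name, attrs = cookie["name"], cookie["attrs"]
    finding = CookieFinding(name)
    is_session = any(s in name.lower() for s in SESSION_LIKE)

    # Theft: without Secure the cookie is also sent over plain HTTP.
    if "secure" not in attrs:
        finding.issues.append("missing Secure: cookie is sent over plain HTTP (theft risk)")
    # Theft: a session cookie readable from script is exposed to injected content.
    if is_session and "httponly" not in attrs:
        finding.issues.append("missing HttpOnly: session cookie readable from script")
    if "samesite" not in attrs:
        finding.issues.append("missing SameSite: cookie attached to cross-site requests")
    # Integrity and theft: a Domain attribute shares the cookie with every
    # related-domain host, which can also overwrite it.
    if "domain" in attrs:
        finding.issues.append(
            f"Domain={attrs['domain']}: shared with every related-domain host "
            "(integrity/theft risk)")
    # Integrity: only the __Host- prefix stops a related-domain host from
    # setting a cookie of the same name for the parent domain.
    if is_session and not name.startswith("__Host-"):
        finding.issues.append(
            "no __Host- prefix: a related-domain host can set a same-named cookie")
    elif name.startswith("__Host-") and (
            "secure" not in attrs or "domain" in attrs or attrs.get("path") != "/"):
        finding.issues.append("__Host- prefix requires Secure, no Domain and Path=/")
    return finding


def audit_response(set_cookie_headers: list) -> dict:
    """Map each cookie name to its list of issues (empty list means clean)."""
    return {f.name: f.issues for f in map(audit_cookie, set_cookie_headers)}


if __name__ == "__main__":
    # Constructed sample headers: one weak session cookie, one hardened one,
    # and a harmless preference cookie.
    sample_headers = [
        "sessionid=abc123; Path=/; Domain=.example.com",
        "__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
        "theme=dark; Path=/; Secure; SameSite=Lax",
    ]
    for cookie_name, issues in audit_response(sample_headers).items():
        status = "OK" if not issues else "\n    - ".join([""] + issues)
        print(f"{cookie_name}: {status}")
```

Running the script reports five issues for the first cookie (no Secure, no HttpOnly, no SameSite, a shared Domain, and no `__Host-` prefix), none for the second, and none for the preference cookie, which is not held to the session-cookie rules. The `__Host-` check matters because browsers reject a `__Host-` cookie that carries a Domain attribute, so a related-domain host cannot plant one; that is the integrity property the report's 543 affected sites lack.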

What Does This Mean For Your Business?

For many businesses, buying an HTTPS certificate for their website was a trusted way to help ensure security, particularly with the introduction of GDPR.  This research, however, shows that even this system has holes in it, and it is particularly worrying for businesses (and for general web users) that, for example, 898 HTTPS websites were found to be fully compromisable.

The researchers have demonstrated how a relatively limited number of exploitable HTTPS vulnerabilities can be amplified by the complexity of the web ecosystem, and how the security of many so-called secure websites with encrypted connections can be severely harmed by cryptographic weaknesses, many of which are due to external or related-domain hosts.

This story also highlights the importance of keeping up to date with software patches and fixes.