Security Weekly 20: Evening of Delightful Stories About How Business Does Not Care About Security
This time the news in our digest carries a self-evident moral: many companies do not care about the security of their customers until it causes them direct financial damage. Fortunately, this does not apply to every company, but this week was particularly rich in such shameful stories.
No sooner had the new version of macOS been released (not even a week had passed) than Patrick Wardle, a researcher from Synack, published a scathing post about High Sierra. It turns out that Keychain, the secure container for credentials, PIN codes, bank card numbers and other important data, has in fact protected nothing for three versions running. In other words, Keychain is a place from which all of that can be stolen in one go.
- Comrade Wardle says that whether an application is signed or not, it can still dump the entire contents of Keychain in the clear, unencrypted. Strictly speaking, applications quite officially have access to Keychain, but only to their own items; here, it seems, they get everyone's. An important nuance: the exploit only works against an unlocked Keychain, but by default it is unlocked the moment you log into the system.
Immediately after publication, comments poured in on Patrick in the spirit of "what a bad guy you are, you didn't report it to Apple, you published it on your blog", and "he just craves attention". But the poor fellow actually did report it to the company, and even sent them a working exploit; the company simply brushed him off. The justification was the familiar one: don't install software from dubious sources, install only from the Mac App Store, and read the security warnings macOS shows you. In principle, this is the template response to any report of a locally exploitable vulnerability: whoever installs dodgy software has only himself to blame.
By the way, Apple's bug bounty program does not cover macOS at all.
- Wardle did not publish the exploit and did not disclose any technical details of the vulnerability. But if you take him at his word, the bug greatly expands what malware can do. Pick up a working Trojan somewhere (and there are more and more of them for macOS), and all your accounting and payment data flow into someone else's hands. Not good.
According to the researcher, he tested the vulnerability on High Sierra and Sierra and sees no reason why it should not also exist on El Capitan. You can protect yourself at the cost of a small loss of convenience: set Keychain to lock itself, so that any attempt to access it prompts for your password. And, of course, avoid installing applications from untrusted sources wherever possible.
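The "set Keychain to lock" advice above can be applied from the terminal with Apple's own security(1) tool. The script below is an added example, not part of the original digest and not Wardle's code. It assumes macOS with the stock `security` command and the High Sierra login keychain path (`~/Library/Keychains/login.keychain-db`; older releases use `login.keychain`), both of which are assumptions, and the helper names (`valid_timeout`, `keychain_lock_cmd`, `harden_keychain`) are invented for this example. Once the keychain is locked, an application asking for an item triggers the unlock dialog instead of being served silently.

```shell
#!/bin/sh
# Added example (not from the original digest): make the login keychain lock
# itself so that applications must go through a password prompt to read items.
# Assumptions: macOS, stock security(1), High Sierra keychain path below.

DEFAULT_KEYCHAIN="$HOME/Library/Keychains/login.keychain-db"

# The inactivity timeout must be a positive whole number of seconds.
valid_timeout() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty, or contains a non-digit
        0)           return 1 ;;   # zero would make the setting meaningless
        *)           return 0 ;;
    esac
}

# Compose the exact command that will be run. Kept separate from execution so
# it can be inspected (or tested) on a machine without security(1).
#   -l  lock the keychain when the system sleeps
#   -u  lock the keychain after a period of inactivity
#   -t  that period, in seconds
keychain_lock_cmd() {
    timeout="$1"
    keychain="${2:-$DEFAULT_KEYCHAIN}"
    valid_timeout "$timeout" || return 1
    printf 'security set-keychain-settings -l -u -t %s "%s"\n' "$timeout" "$keychain"
}

# Apply the lock settings and lock the keychain immediately.
# Returns 1 on a bad timeout, 2 when security(1) is missing (not macOS),
# otherwise the exit status of the last security(1) call.
harden_keychain() {
    timeout="${1:-300}"
    keychain="${2:-$DEFAULT_KEYCHAIN}"
    cmd=$(keychain_lock_cmd "$timeout" "$keychain") || return 1
    if ! command -v security >/dev/null 2>&1; then
        echo "security(1) not found; nothing applied. Would run: $cmd" >&2
        return 2
    fi
    security set-keychain-settings -l -u -t "$timeout" "$keychain" || return $?
    security lock-keychain "$keychain" || return $?
    # Print the resulting settings so the change can be confirmed by eye.
    security show-keychain-info "$keychain"
}

# Usage: sh keychain-lock.sh --apply [seconds] [keychain]
# Without --apply the script only defines the functions above.
if [ "${1:-}" = "--apply" ]; then
    harden_keychain "${2:-300}" "${3:-}"
fi
```

The timeout is a trade-off: a short value (the 300 seconds used as the default here) means more password prompts, but it also means a Trojan that lands on the machine while you are away from the keyboard finds the keychain locked rather than open.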
Dozens of vulnerabilities found in mobile trading applications
The words "investor" and "trader" even sound somehow rich. These people do not trade in trifles to earn a little on the exchange; they deal in serious money. But the situation on the stock market changes so fast that they need to be able to close deals at any time, anywhere. That is, from a mobile phone.
- Accordingly, there are a lot of mobile trading applications. It is clear that their vendors ought to build security carefully, even at the expense of convenience: the money at stake is large. But that turned out not to be the case. Researchers from IOActive took 21 of the top applications (for both iOS and Android) and found plenty of amusing holes in them. Lots of them. Right up to plaintext password storage and data transfer over HTTP.
And this time the researchers took a responsible approach to disclosure and contacted the 13 brokerages that supply these applications. What would you expect? Only two answered. The rest have no time: they are busy trading, and vulnerabilities can wait. Alejandro Hernandez of IOActive described his reaction this way: "Gentlemen, I think I am frustrated! I worked as an auditor and I know how tightly regulated the financial sector is. And it is very strange that we are facing such problems."
Deloitte claims the cyberattack affected only a few clients
The Big Four auditors have always been regarded as a model of sound business practices and policies. Granted, in cybersecurity it is hard to spread straw everywhere one might fall, but in this area there are rules you should not break if you do not want to put your customers at risk. And yet! The distinguished Deloitte, one of the pillars of the business community.
- According to the Guardian, the firm was hacked back in autumn 2016, and the breach was discovered only in March. Most likely the attack went through the credentials of the mail server administrator. There was no two-factor authentication: the password was either guessed or lured out of the admin by some social engineering method.
The consequences of a leak of Deloitte's email could be catastrophic, because the company, when conducting an audit, deals with its clients' most confidential business data. Yet Deloitte's own reaction is disheartening: the company claims the attack did not affect its clients' business, and in general "cybersecurity in the company is provided at the highest level". That sounds like a bad joke, given that unknown persons read their email for six months and nobody noticed.