Hackers’ delight: Mobile bank app security flaw could have smacked millions

Security researchers from the University of Birmingham last week went public about security shortcomings in mobile banking apps that leave millions of users at a heightened risk of hacking. The researchers developed a tool called “Spinner” to perform semi-automated security testing of mobile phone apps. After running the tool on a sample of 400 security-critical apps, they were able to identify a serious flaw in many banking apps, including those offered by HSBC, NatWest and Co-op as well as Bank of America’s Health account app. The researchers found that although banks had been diligent in building security into their apps, one particular technology used – so-called certificate pinning – which normally improves security, meant that standard tests failed to detect a serious vulnerability that could let attackers take control of a victim’s online banking.

Dr Flavio Garcia, one of the researchers, explained: “Certificate pinning is a good technique to improve the security of a connection, but in this case, it made it difficult for penetration testers to identify the more serious issue of having no proper hostname verification.” The security weak spot created a possible mechanism for an attacker – providing they are connected to the same network as the victim (eg, a Wi-Fi hotspot) – to perform a so-called “man in the middle attack” and retrieve the user’s credentials, such as username and password/PIN code. Other potential avenues for attack were also found, including the possibility for a wrong-un to do some in-app phishing in software offerings from Santander and Allied Irish Bank. These attacks would have allowed the rogue to take over part of the screen while the app was running and use this to phish for the victim’s login credentials.

All the fixings

The University of Birmingham researchers worked with the banks involved, and the UK government’s National Cyber Security Centre to fix all the vulnerabilities, and the current versions of all the apps affected by this pinning vulnerability are now secure. Banking customers using the same old Apple device that the researchers used (probably a 1st generation iPad, which is limited to iOS 5.1.1) should probably think about using something else for their banking, according to app security firm Arxan. Winston Bond, technical director EMEA at the firm, urged banks to review the research and push updates to their customers.

“Banks should fix vulnerabilities as quickly as they can and push updates to their customers,” Bond said.

“One of the issues highlighted by this research is that users of older Apple devices, which are restricted to older iOS versions, can’t pick up any updates once the app developer moves the minimum OS version for the app beyond their version. They are stuck on the last compatible version, with whatever bugs and vulnerabilities that includes.

“For banks and other organisations to protect themselves from outdated apps, every major app developer has to balance the relentless pressure to adopt the latest iOS features against the need to keep updating the users of older devices,” he added. More robust cryptographic technology deployments by banks would also guard against attacks even in cases where users are connecting into services from ageing or not fully patched devices.

“Certificate pinning is a way to make sure that a mobile app will only talk directly to the server that it is meant to,” Bond explained. “All the communications traffic is strongly encrypted and it can only be understood when it gets to the right place. In this case, it stops anyone getting between you and the bank and seeing how much money you have in your account or changing the details when you tell the bank to pay someone.

“There are several ways to implement certificate pinning, with some trade-offs between flexibility and security,” he added.
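The flaw Garcia describes above, and the pinning that Bond explains, can be modelled in a few lines. The following is an added example (not code from the Spinner tool, the article or any bank app): a Python model of an app's peer check, assuming the app pins the SHA-256 of its issuing CA's public key, which is one common way to pin. The `Cert` class and all certificate bytes are constructed stand-ins; the point is that a pin check alone accepts any certificate the pinned CA ever issued, and only the hostname step rejects one issued for another site.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Cert:
    """Stand-in for a parsed X.509 leaf certificate (constructed fields, not real DER)."""
    subject_cn: str
    san_dns: list          # dNSName entries of the subjectAltName extension
    issuer_spki: bytes     # SubjectPublicKeyInfo of the CA that signed this cert


def spki_pin(spki: bytes) -> str:
    """A pin is the SHA-256 of a SubjectPublicKeyInfo (the usual HPKP/OkHttp-style pin)."""
    return hashlib.sha256(spki).hexdigest()


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or '*' as the whole left-most label of a 3+ label name."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_peer(cert: Cert, hostname: str, pins: set, check_hostname: bool = True) -> bool:
    """Return True if the app should trust `cert` for a connection to `hostname`."""
    # Step 1, the pin: was the cert signed by a key the app trusts?
    if spki_pin(cert.issuer_spki) not in pins:
        return False
    # Step 2, the hostname: does the cert actually name the server we dialled?
    # An app that pins but skips this step accepts ANY cert the pinned CA issued.
    if not check_hostname:
        return True
    names = cert.san_dns or [cert.subject_cn]   # SAN takes precedence over the CN
    return any(hostname_matches(n, hostname) for n in names)


# Constructed sample data: one public CA key, the bank's own cert, and a cert the same
# CA legitimately issued to an unrelated site (the kind of cert the article's on-path
# attacker could present).
PUBLIC_CA_SPKI = b"constructed-spki-of-a-widely-used-public-CA"
PINS = {spki_pin(PUBLIC_CA_SPKI)}
BANK_CERT = Cert("online.bank.example", ["online.bank.example", "*.bank.example"], PUBLIC_CA_SPKI)
OTHER_CERT = Cert("shop.example", ["shop.example", "www.shop.example"], PUBLIC_CA_SPKI)


def pinning_only_accepts_wrong_host() -> bool:
    """The Spinner-style finding: pin passes, hostname never checked, wrong cert accepted."""
    return verify_peer(OTHER_CERT, "online.bank.example", PINS, check_hostname=False)


def full_check_rejects_wrong_host() -> bool:
    """The correct behaviour: same cert, same pin, rejected once the hostname is checked."""
    return not verify_peer(OTHER_CERT, "online.bank.example", PINS)
```

A test that exercises only the pin (a proxy presenting a cert from the pinned CA for some other name) will pass against both versions, which is why the article says standard tests missed the bug; a test that presents a valid cert for the wrong hostname separates them.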

It’s also worth noting that the University of Birmingham team managed to carry out these attacks while following the app store licence agreement rules, which prohibit reverse-engineering or modification of apps. Real attackers won’t play so nicely. Mark James, a security specialist at anti-malware firm ESET, added: “Using financial services through your mobile device, either a smartphone or tablet, should ideally be done through your cellular mobile connection if possible, or if not, then through a VPN to minimise the chances of your connection being hijacked.”

Some initial results were given in the paper A Security Analysis of TLS in Leading UK Banking Apps, presented at the Conference on Financial Cryptography and Data Security in January.

The full results were given in the paper Spinner: Semi-Automatic Detection of Pinning without Hostname Verification, which was presented last week at the 33rd Annual Computer Security Applications Conference in Orlando, Florida, in the US.



Security services missed chances to bring in Arena bomber in months before attack, report finds

Security services missed a string of chances to bring in Salman Abedi in the months prior to the Manchester bombing, it has emerged. But he struck just days before a scheduled intelligence meeting about his activities was due to take place. An independent review into the attack concluded it is “conceivable” the atrocity could have been averted “if the cards had fallen differently”. Despite this, MI5 maintain it is ‘unlikely’ the plot could have been stopped.


Compiled by David Anderson QC, the report brings together the results of eight internal reviews by MI5 and the police, following the wave of attacks between March and June which included the Manchester bomb. The document lays bare how in the months and weeks before the attack there were a series of missed opportunities to confront Abedi – who had been on the security services’ radar for THREE years and suspected of links to ISIS for at least two.

We now know that MI5 received intelligence about Abedi that has turned out to be significant – but wasn’t thought to be at the time. As a result, he was not under investigation at the time of the attack – and he remained a “closed subject of interest”. We now know he could have been placed on “ports action” after he travelled to Libya in April 2017 – a step which would have triggered an alert when he came to Manchester.

This would have allowed him to be questioned and searched at the airport under the Terrorism Act.


Abedi was not placed on ports action, however – and killed 22 people, injuring hundreds of others, at a Manchester Arena concert shortly after returning to the city from Libya. Describing this, the report says “an opportunity was missed by MI5 to place Salman Abedi on ports action”. The report says that on two occasions in 2017 MI5 came by intelligence which, had its true significance been properly understood, would have triggered an investigation into Abedi.

While the significance of the intelligence “was not fully appreciated at the time”, the review concludes, “in retrospect, it can be seen to have been highly relevant to the planned attack”. A subsequent data review of intelligence about 20,000 people identified Abedi as among a small number of people worth further examination – but Abedi struck nine days before a meeting was due to be held about this.

“A meeting (arranged before the attack) was due to take place on 31 May 2017: Salman Abedi’s case would have been considered, together with the others identified. The attack intervened on 22 May,” it states.


Despite these findings, the report says that it is “unknowable” whether an investigation would have pre-empted and thwarted Abedi’s attack, adding: “MI5 assesses it would not.” Describing MI5’s conclusions, the author says after detailed consideration of their intelligence – the intelligence whose true significance was not appreciated – it is unlikely Abedi would have been stopped.

The report reveals for the first time that Abedi had been on the security services’ radar for three years. In 2014 he was actively investigated by MI5 – for six months – when it was thought he might have been acting suspiciously with a second “subject of interest”. However, because of his “limited engagement with persons of national security concern”, he was classed as low risk.

The following year – in October 2015 – his case was reopened because he was suspected of contact with an Islamic State figure in Libya. The case was closed the same day when it transpired any contact had not been direct.

Read the report in full below – if you can’t view it, you can also read or download the PDF here [1]:

Despite this, the decision not to re-open the investigation into Abedi in 2017, following the new intelligence, was described in the report as “finely-balanced and understandable”.

“There is a high degree of inherent uncertainty in speculating as to what might or might not have been discovered if an investigation had been opened on the basis of the new intelligence,” MI5’s internal review, detailed in the report, concluded. MI5’s review also concluded: “On the clear balance of professional opinion, successful pre-emption of the gathering plot would have been unlikely.”

The review – ordered by government several weeks after the May 22 attack – looked at what the intelligence services knew ahead of the Manchester bombing, as well as the earlier one at Westminster, and the ones at London Bridge and Finsbury Park in the weeks afterwards. While complimentary of both intelligence and counter-terror services in many respects, the report does suggest that Manchester’s attack in particular could potentially have been averted.

“It is not the purpose of the internal reviews, or of this report, to cast or apportion blame,” it adds.

“But though investigative actions were for the most part sound, many learning points have emerged.

“It is conceivable that the Manchester attack in particular might have been averted had the cards fallen differently.”

References

  1. read or download the PDF here (www.gov.uk)