Mobile Application Security

State of Application Security Report – Precis

We’ve extracted and summarised the salient points from the latest State of Application Security Report for Financial Services. If you wish to read and download the whole report from Arxan you can do so here.

Key Findings

Financial services organizations are among the top targets of hackers seeking high-value payment data, intellectual property, and other sensitive information.

  • Forty-one percent of mobile finance app users expect their finance apps to be hacked within the next six months
  • 50% of organizations have zero budget allocated for mobile app security
  • Employee, customer, and “soft” IP data are the top three targets of cyber-attacks in the financial services market
  • Theft of “hard” intellectual property soared 183% in 2015

Vulnerabilities

Vulnerability assessments were conducted on 55 mobile finance apps in the US, UK, Germany, and Japan. The vulnerability assessments were based on the Open Web Application Security Project (OWASP) Top 10 Mobile Risks. Here is what they found:

  • 92% of the mobile finance apps tested were not addressing at least two OWASP Mobile Top 10 Risks
  • Lack of binary protection (98%) – this was the most prevalent vulnerability
  • Insufficient transport layer protection (91%).

These vulnerabilities make applications susceptible to reverse-engineering and tampering, in addition to privacy violations and identity theft.

Recommendations

For financial service organisations:

  • Strengthen the weakest links
  • Make security a source of competitive advantage
  • Align spending with risks

For customers:

  • Get apps only from authorized app stores
  • Don’t jailbreak or root mobile devices
  • Demand more transparency about the security of the apps you are using

If you wish to read and download the whole report from Arxan you can do so here.

“DROWN” Security Vulnerability

IT Security Vulnerability – “DROWN”

Another website vulnerability has come to light, called the Drown attack.

It is a hacking technique that makes even (supposedly secure) https:// websites vulnerable. Researchers in the US, Germany and Israel believe that one third of websites using the HTTPS protocol are vulnerable.

This means hackers can obtain passwords, credit card information, emails and sensitive documents. Therefore financial institutions and online retailers should pay particular attention to this latest threat.

The current recommendation is that Administrators of vulnerable servers and websites need to take action. There is nothing practical that browsers or end-users can do on their own to protect against this attack.

If you want to know if a website is vulnerable before you use it, you can do so with this free testing tool. Should you have any further concerns you should contact your network and website administrators to determine the actions to take to protect against the threat.

How to avoid online scams

Action Fraud (a cyber crime reporting organisation) reports that individuals and businesses lost over $25m during the Christmas period 2014 through online fraud.

So what can you do to protect yourself? Well, be aware. In this piece I’ve set out a few examples of how criminals may attempt to steal from you online, and how to spot and avoid them.


Look out for fake websites

Criminals are making replicas of genuine websites, “selling” products that never turn up. Mobile phones are the most common product to be scammed in this way.

How to spot it: 

  • Do they have an address and phone number? Google it and ring them up.
  • Check the URL to be sure it is the correct name for the retailer. The payment page should be secure – check for a padlock in the address bar.


Beware of “Phishing” Emails

These are emails that appear to be from familiar companies (e.g. Amazon, Apple) or retailers you have accounts with. They can be very convincing – take a look at the picture below purported to be from Amazon.

phishing


Clicking on embedded links or attachments in emails like this can lead you to malicious websites that could track your online activity and access passwords. Alternatively you could end up on a fake website which asks for your details.

How to spot it: 

  • Legitimate retailers won’t ask for your bank information or passwords in an email
  • Generic way of addressing you (“Dear Customers” above)
  • Strange email addresses, spelling mistakes, bad grammar

What to do:

  • Mark it as spam or junk
  • Do not click on any links, nor download any attachments
  • If you were expecting something from the retailer but you’re not certain this is it, contact them independently through their website or by telephone
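The spotting rules above (a generic greeting, links that lead somewhere other than the retailer) can be checked mechanically before anyone clicks. The following script is an added example, not part of the original post: it parses the HTML body of an e-mail, pulls out every link, and flags the patterns described here – link text that names one domain while the href points to another, targets that are bare IP addresses, and plain http links. The sample message, the helper names (`find_suspicious_links`, `_registrable`) and the domains it contains are all constructed for the example.

```python
"""Flag phishing-style links in an HTML e-mail (added example).

Checks applied to every <a href="..."> in the message:
  * the visible link text names a domain, but the href points elsewhere
  * the href target is a raw IP address rather than a hostname
  * the href uses plain http rather than https
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed sample message: dressed up as a retailer notification.
# 198.51.100.0/24 is a documentation range; the other hosts are made up.
SAMPLE_EMAIL_HTML = """
<p>Dear Customers,</p>
<p>Please <a href="http://198.51.100.23/login">sign in to amazon.com</a>
to confirm your order.</p>
<p>Verify your account at <a href="http://amaz0n-secure.example.net/verify">amazon.com</a>.</p>
<p>Or visit <a href="https://www.example-retailer.com/orders">www.example-retailer.com</a>.</p>
<p>Help: <a href="https://support.example-retailer.com/help">support page</a></p>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Something that looks like a hostname inside the link's visible text.
_DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def _registrable(host):
    """Crude 'last two labels' comparison (hypothetical helper; a real
    implementation would use the public suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_suspicious_links(html):
    """Return a list of (href, reason) for links a reader should not click."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        if url.scheme not in ("http", "https"):
            findings.append((href, "non-web link scheme"))
            continue
        if _is_ip(host):
            findings.append((href, "link target is a raw IP address"))
            continue
        if url.scheme == "http":
            findings.append((href, "plain http link (no TLS)"))
        m = _DOMAIN_IN_TEXT.search(text)
        if m and _registrable(m.group(1)) != _registrable(host):
            findings.append(
                (href, f"link text names {m.group(1)} but points to {host}")
            )
    return findings


if __name__ == "__main__":
    for href, reason in find_suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS: {href}  ({reason})")
```

Run against the constructed sample it reports the IP-address link and both problems with the `amaz0n-secure` link, and stays quiet about the two genuine retailer links. The domain comparison deliberately only looks at the last two labels, so `www.example-retailer.com` and `support.example-retailer.com` count as the same site; that is good enough for a mailbox filter but a production check would use the public suffix list.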


Does it seem too good to be true?

Have you just received a $250 voucher by email? Maybe there’s a free offer on Facebook – for example have you seen those Ray Ban Sunglasses “deals”?

And be on the lookout for pyramid schemes – they are still around believe it or not. Typically something like send $10 to a friend and receive dozens of gifts in return.

How to spot it: 

  • It’s unlikely your real Facebook friends will want to get you a deal on Ray Ban sunglasses

What to do:

  • Don’t click
  • Check what Apps you’re subscribed to and remove all but the ones you know and trust

As in all things – if it seems too good to be true – IT IS!

Happy shopping…!

Technology leap frogging

I attended an excellent presentation at a BVI Chamber of Commerce luncheon recently. One of the topics addressed was the requirement to upgrade infrastructure in the British Virgin Islands, notably internet speeds.

During the Q&A session at the end, there were comments about the fact that the best internet download speeds achievable in the BVI are around 5 Mbps, the average being typically less than 1 Mbps. Presently the fastest speeds are in South Korea, achieving an average of 22.2 Mbps. This was rightly cited as an area for immediate improvement in the BVI, and the need to catch up to retain competitiveness.

I would like to propose a reframing of this vision from catch-up to leap-frog, not least because the BVI is chasing a moving target. I was reminded of the several occasions I spent on business in East and West Africa around ten years ago.

African Leap-Frogs

Africa is a developing continent, but on my first visits to nations in the East and West I was filled with admiration for their telecommunications infrastructure. Whilst the major cities and towns enjoyed land-line telephone access (to an extent), once you travelled outside them into the bush almost no such infrastructure existed. This struck me as a major challenge, but I quickly realised that was not the case.

With the advent of mobile (cell) telephones, the infrastructure focus was simply on setting up relay stations with masts and independent power across the countries.

Solar-powered mobile base station in Niger

So all people needed was a mobile (cell) phone and they had communication in place. Furthermore, I was struck by the quality of the networks.

On an 8 hour drive from Dar es Salaam (Tanzania) due West into the interior I did not lose cell-phone coverage once. In fact there were only a couple of occasions where the signal dropped from 5 bars (and then only down to 4). At the time there were still large swathes of the United Kingdom that did not have mobile phone coverage. (My phone still dropped out on a section of the A1 motorway during a recent visit).

This was a perfect example of technology leap-frog. Instead of applying a traditional solution to the problem, African nations embraced the latest technology and deployed it to excellent effect. So-called developed nations would do well to follow this example.

UK leap-frogs (or not)

Opportunities abound. Take the High Speed Two (HS2) rail link in the UK; this has been a political football for twenty years and is still being debated and contested. Whilst the arguments continue, the existing rail infrastructure – some of which is built on lines opened in 1850 (yes, 165 years ago) – is crumbling.

In my view the debate is moot; new rail links are required, so let’s get on with it. The real argument should be about what technology to deploy.

The UK has the slowest inter-city rail links in Western Europe. When HS2 commences in 2025 it will still be slowest.

The first HS2 link is due to open in 2025; the train designs are not confirmed but they will be of a Eurostar/TGV/Shinkansen standard, achieving 250 kph (woohoo!). Is this better than what presently exists in Britain? Certainly. But 600 kph train technology exists today and is being implemented across the Far East. Imagine what will be available in ten years’ time (take a look at Elon Musk’s plans here). The UK is missing a huge opportunity to make a technology leap-frog in my view.

BVI Leap Frogs – the opportunity

Which brings me back to my start point – internet speeds in the BVI. The world record for internet speed is presently held by BT in the UK, who in January 2014 achieved a speed of 1.4 terabits per second (1,400,000 Mbps). Although this was an R&D test, what was notable was they achieved this on a standard optical fibre network – the same kind of fibre that is presently being laid in the BVI.

So in the not-too-distant future the UK and Europe will be able to easily achieve 1000 Mbps speeds – 200 times faster than the present best speeds in the BVI.

So, the technology exists – let’s use it. Let’s set our sights on 1,000Mbps plus in the BVI and leap frog the Caribbean and the global offshore jurisdictions.

In fact, let’s leap frog the rest of the world.

Did he or didn’t he?

That’s the question exercising IT and cyber analysts over the claims by hacker Chris Roberts that he accessed in-flight entertainment and flight systems from his seat. The claims have been derided by Boeing and aviation experts.

Whatever the outcome, it highlights that this is a major security concern. This hacker claimed to have gained control from his passenger seat; but many airlines have now introduced wifi to their aircraft too, a service that is gradually rolling out globally. So could someone hack into an airliner’s controls from the ground via wifi? Or on board the aircraft, as claimed by Mr Roberts?

I’ve worked in software all my life, and my view is that any system can be hacked. We tend to think of software-based systems as something operated by computers, electronic devices, microprocessors etc. Thinking this way can lead us to lose sight of the fundamental fact that all systems are designed and built by human beings, and therefore subject to human error and oversight. Airliners have proved all-too horrifically to be one of the terrorist’s weapons of choice.

New aircraft designs use TCP/IP technology for the main aircraft backbone, connecting flight-critical avionics and passenger information and entertainment systems in a manner that virtually makes the aircraft an airborne, interconnected network domain server.

There are and should be very real security concerns with this. One key to mitigating the threat will be ensuring that all systems related to flying the aircraft are an “island” – i.e. completely isolated from the systems that are not essential to flying.

Although Mr Roberts’ claims have been dismissed, it seems he may have highlighted a very real Achilles heel in the systems. If he is to be believed, the IES was in fact connected to the avionics. If that is the case, then a way in could be found.

PHISHING ALERT – BVI BEING TARGETED

There is presently a targeted e-mail phishing campaign against the British Virgin Islands, with someone using LIME as the mechanism. They have cloned the LIME email login site.

The actual website that users get sent to is hosted in Greece and they are harvesting email and password information from users that log in.

The picture below shows what the email looks like. If you receive an email like this DO NOT CLICK ANY LINKS! Delete it immediately.

Lime Phishing Email

The following pictures show the source code being used in the attack and the email script.

Lime Phishing

This is the Source Code:

Lime Phishing Source

As ever, remain vigilant. If you have even the slightest doubt over the veracity of an email, delete it and contact the company directly.

Children & Technology: Cookies, Webs and Touchscreens

Two Children Using Tablets, Faces Hidden, Girls, Classroom

The subject of children and technology tends to be a controversial one, with some aspects of it dividing opinions along unusual demographics that don’t follow traditional patterns such as age and wealth.

As a father working in the field of ICT with a wife who is a primary school teacher, I find this disparity of opinions intriguing, especially as so many people are vehement in their objections against, or reasons for, children being exposed to technology.

I remember reading an article in the Guardian newspaper earlier this year entitled “25 Best Apps to Keep Kids Entertained while Travelling…”. I was wholly unimpressed with the article and found the responses of readers in the comments section to be infinitely more interesting, many from people outraged at the suggestion that children should use electronic devices on journeys, with comments such as:

“What a stupid article highlighting more useless drivel to hinder their child’s development … old fashioned parental interaction with the child should be norm.”

“This is grotesque and is symptomatic of everything wrong with modern life”

This begs the question, should children be using tablets and other digital devices for play time? If so, for how long?

As with most things, the answer is not a simple yes or no but rather something in between.

Keeping Pace

An indisputable fact is that children need to keep pace with technology, especially as in modern times the technology in people’s homes mirrors that used in workplaces much more closely. Historically only large companies could warrant the cost of expensive computer systems, but now powerful PCs and laptops in the home are ‘old hat’, with many households also having touchscreen devices.

In addition to keeping up with current technology, when children play with digital devices, they are at least interacting with the device as opposed to the passive entertainment provided by watching TV or looking out of a car window.

Apps and games require hand/eye coordination and if you choose the right applications, cognitive processing and problem solving, making them instructive and educational.

Unfortunately the very thing that has caused an explosion in tablets is the same thing that makes even using them seem like a game – they are incredibly intuitive. While there is no tactile feedback (you can’t ‘feel’ the item you drag or slide), using fingertips to tap, touch and move items is something we begin learning from birth.

What Do I Do?

I have two cheap re-purposed Android tablets (1st Gen. Kindle Fires, $50 from Ebay) for my children to use and I follow a few simple rules:

  • The apps on them MUST be either creative or educational (drawing, colouring, spelling, puzzles, etc.)
  • I have to have used the app before letting the kids use it
  • The devices are switched to ‘airplane mode’ any time the kids use them (this disables any adverts, in-app purchases, increases battery life and prevents internet browsing)
  • The kids can’t use them for any longer than 10 to 20 minutes
  • The kids can’t use them in the car

As it stands, my kids use the tablets so infrequently that we haven’t needed to set limits on time but many parents do and this is a good idea.

Whenever we travel, we take books, colouring pens, toys, etc. and only resort to the tablets as a last resort.

Why Not The Car?

The reason we don’t allow the children to play electronic games in the car is because they generally have them in their lap, meaning they’ve got their heads down looking at something bouncing around: cue instant car sickness.

On car journeys we will often put Disney soundtracks or audio books on the car stereo. My eldest is now 5 years old and has a cheap MP3 player and headphones; she loves being able to listen to her music of choice on journeys (without the rest of us being subjected to ‘Let It Go’ for the hundredth time!).

Our last resort for very long journeys is to play a film on one of the tablets, which we mount to the back of the front headrests, putting the sound through the car stereo – this keeps the children upright, watching something at eye level and more often than not singing along! Note, however, that the latter means you are subjected to the full ‘Frozen’ soundtrack.

Summary

While obviously all children are different and there are hundreds of valid and effective parenting styles, I do believe that electronic devices have a place in children’s development; but as with anything, parents must monitor usage and be selective about what is on them. Remember that, like paper and television, a tablet or other electronic device is just the medium – the benefits (or harm) come from what is channelled through that medium. With this in mind, I will write a follow-up piece soon with the apps I have installed for my children – if you have any suggestions for this list please send them to me!

Bob McKay