Showing posts with label ACCESS CONTROL AND AUTHENTICATION. Show all posts
Showing posts with label ACCESS CONTROL AND AUTHENTICATION. Show all posts

Tuesday, January 29, 2013

WhatsApp could face prosecution on poor privacy


A yearlong investigation by government privacy watchdogs in Canada and the Netherlands identified major weaknesses in the way the WhatsApp cellphone messaging application handled the personal information of its users.
Many of the problems have since been fixed, but Dutch authorities have yet to decide whether they will attempt to prosecute WhatsApp under Dutch privacy law, the two organizations said in a joint statement on Monday.
WhatsApp allows users to exchange messages like conventional instant messaging software, but rather than use screen names the system identifies users by their phone number. When a user signs up, they upload their cellphone's address book to WhatsApp to discover who among their existing contacts is available via WhatsApp.
That method was one of the things that originally drew the attention of the Office of the Privacy Commissioner of Canada and The Dutch Data Protection Authority.
Their investigation found that after uploading the address book and using the data to match existing users, the WhatsApp servers failed to delete the phone numbers of non-users as required by Canadian and Dutch law.
The app was also initially found to be sending messages in an unencrypted form, which leaves them vulnerable to eavesdropping and interception, particularly when sent over an unsecure Wi-Fi network. WhatsApp added encryption to messages in September 2012.
Finally, the investigation found the app was generating passwords for message exchanges based on things like the phone's IMEI (international mobile equipment identity) or MAC (media access control) address. Both are relatively easy to discover, opening the possibility that a third party could send and receive messages in the name of users without their knowledge. WhatsApp has since strengthened password generation, but users need to update their software to benefit from the change.
WhatsApp, which is based in Silicon Valley, could not immediately be reached for comment.
News of the investigation comes as the issue of mobile app privacy is increasingly coming into the spotlight.
In December, the State Attorney General of California launched a prosecution of Delta Airlines for failing to comply with California's privacy laws. California's online privacy law requires commercial operators of websites and online services, including apps, which collect personally identifiable information conspicuously to post a privacy policy. The state attorney general has begun looking at apps that either don't include such a policy or don't make it obvious to users.
But even if a privacy policy is put in front of consumers, many often click the "read and understood" button without looking at it, said Pat Walshe, privacy director at the GSM Association, an organization representing network operators. His organization has published guidelines for privacy by design for mobile phone applications.
"We want consumers to have confidence in the industry and that means a commitment to protect consumer privacy. Industry has to fill in the gaps or policy makers will do it, possibly in an overly prescriptive way," said Walshe.
(Jennifer Baker in Brussels contributed to this report.)
Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service. Follow Martyn on Twitter at @martyn_williams. Martyn's e-mail address ismartyn_williams@idg.com

Read more »

Friday, January 18, 2013

Google sees one password ring to rule them all


Google thinks it might have found an answer to the vexing problem of forgotten or weak passwords: "physical" passwords, which might come in the form of a piece of jewelry such as a ring.
In a research paper, two of its engineers write that current strategies to prevent the hijacking of online accounts, including the two-step identity verification system, are insufficient, partly due to the constant threat of attacks that exploit new bugs.
Google highlights phishing, in which hackers dupe account holders into revealing sensitive information by making them sign into a fake account login page, as one of the biggest security threats of today.
"It's time to give up on elaborate password rules and look for something better," the authors say. The research paper, by Google's Eric Grosse and Mayank Upadhyay, is to be published Jan. 28 in the publication IEEE Security & Privacy. It was first reported on by Wired earlier Friday.
At the core of Google's proposal is an idea it says has been used by businesses but has found little success among consumers: an encrypted USB-like device that people would use to log into password-protected websites and online accounts.
Google says it is working on an internal pilot with an experimental USB device that users first register with multiple websites where they have accounts. A compliant browser would make two new APIs (application programming interfaces) available to the website to be passed down to the attached device.
"One of these APIs is called during the registration step, causing the hardware to generate a new public-private key pair and send the public key back to the website," the paper explains. "The website calls the second API during authentication to deliver a challenge to the hardware and return the signed response."
The method wouldn't require any software to be installed, though users would need to be using a Web browser that's compliant with the effort, Google said. The registration and authentication protocols would be open and free, and the device would connect with a computer's USB without needing any special OS device drivers.
Basically, the Googlers envision a single device that people can slide into a USB slot and then use to log into any number of online accounts with a single mouse click.
Because carrying around another device may not prove popular among consumers, Google suggests the authentication device could be integrated into a smartphone or even a piece of jewelry. The device would be able to authorize a new computer for use with a single tap, even in situations in which the phone might be without cellular connectivity.
The technology aims to improve upon the company's current, optional two-step verification system. With that system, when users want to log into a Google service from a new computer, they're prompted to enter a code sent to their preregistered mobile phone, granting them access to the site.
The company says its experience with that system has been good, though it too can be abused by account hackers. After they steal a password and break into an account, they sometimes set up a two-factor authentication using their own phone number, "just to slow down account recovery by the true owner," the Google engineers wrote.
Google admits its proposed USB key approach is "speculative" and that it will need to be accepted on a wide scale. But the firm said it is eager to test the device with other websites.
"User device registration with target websites should be simple and shouldn't require a relationship with Google or any other third party," the engineers write. "The registration and authentication protocols must be open and free for anyone to implement in a browser, device, or website."
Google didn't say if or when the experimental system might make it into use. "We're focused on making authentication more secure, and yet easier to manage. We believe experiments like these can help make login systems better," a spokesman said via email.

Read more »

Saturday, September 22, 2012

Oracle database flaw deemed serious, could expose data

CSO by Antone Gonsalves

Some Oracle databases have what experts say is a serious flaw in the login system that a hacker can use to retrieve and change stored data.
The flaw, in Oracle Database 11g Releases 1 and 2Ã'Â leaves the token that is provided by the server before authentication is completed open to a brute-force attack, said Esteban Martinez Fayo, the Application Security researcher that discovered the flaw. If successful, an attacker can gain access to the database.
"An authentication bypass is quite serious," Kevin Mitnick, a well-known white-hat hacker and founder of Mitnick Security Consulting, said in an email. "Basically, an attacker can get to the data stored in the database, and even change it."
The vulnerability stems from the way the authentication protocol protects session keys. When a client connects to the database server, a session key is sent with a salt. Because this happens before the authentication process is finished, a hacker working remotely can link the key to a specific password hash.
"Once the attacker has a session key and a salt, the attacker can perform a brute-force attack on the session key by trying millions of passwords per second until the correct one is found," Fayo toldÃ'Â Kaspersky Lab'sÃ'Â Threatpost blog.Ã'Â
Because the hack occurs before authentication is done, no login failure is recorded in the server, so a person can gain access without triggering an abnormal event.
Oracle, which did not respond to a request for comment, patched the flaw in the latest upgrade of the authentication protocol, version 12. However, the company is not planning a patch for the flawed version, 11.1, Fayo said. Even with the upgrade, database administrators have to configure the server to only allow the new version of the protocol.
Because the fix requires an upgrade, the vulnerability will hound some Oracle customers for years, said Justin Clarke, a security researcher at Cylance.
"There are many large companies and critical infrastructure agencies which cannot afford the time or risk to upgrade all their Oracle clients and servers," Clarke said. "I can say with near certainty that we will see this vulnerability as long as Oracle 11g remains in use."
Previous flaws in Oracle's authentication protocol have been a well-kept secret in the security industry, Clarke said. "It's great to see that issues like this are being discussed publicly, and I hope that this helps serve as a wake-up call for Oracle and its users to dig deeper and assess the actual strength of systems."
Brent Huston, chief executive of security testing company MicroSolved, said even if a company prevents Internet access to a vulnerable database, the data is still at risk of an attack from the inside.
"Oracle's choice to lock this patch to an upgrade really forces the hand of those organizations with longer technology refresh periods and puts a lot of strain on the trust relationships they have with Oracle as a vendor," Huston said in an email.
Because of the vulnerability, customers that haven't upgraded their databases will have to implement some form of protection, particularly if they are subject to oversight by regulators, Huston said.
Fayo discovered the vulnerability after noticing that the client and server handled logins with incorrect passwords differently. A closer examination led to the discovery.
Fayo discussed the vulnerability Thursday at the Ekoparty Security Conference.
Oracle has battled with database flaws in the past. In January, InfoWorld uncovered a manual method to change the system change number (SCN), which could break the database. The SCN is a kind of time stamp for every transaction. If a database reaches its transaction limit, it could stop working properly.
Read more about application security in CSOonline's Application Security section.

Read more »