Bankrupt Financial App Security
In This Issue:
- Should you trust your money to their code? (Hint: nope)
- The Facebook hits just keep on coming
- How is your personal data being used?
- After the breach
Should You Trust Your Money To Their Code? (Hint: Nope)
Any form of banking is trusting your money to someone's code, but a lot of mobile banking doesn’t sound ready to play with the big kids yet. Ninety-seven percent, to be precise. Dark Reading brings us the goods with two pieces: Major Mobile Financial Apps Harbor Built-in Vulnerabilities, and In the Race Toward Mobile Banking, Don't Forget Risk Management.
If those pieces seem a little long, and you just want the eyebrow-raising stats from the report that it's based on, go here: The Vulnerability Epidemic in Financial Services Mobile Apps. The money quote: "97% of all apps tested lacked binary code protection, making it possible to reverse engineer or decompile the app’s exposing source code to analysis and tampering."
If you don't trust banks to get tech right, surely you can perhaps trust a tech company to get banking right. Right? Well… Apple Card: Three fatal flaws that hinder usability (and then there's Goldman Sachs). Either way, this is a problem that we’re collectively going to have to deal with in the coming decade, whether we like it or not.
Countermeasure:
Part of the care and feeding of your employees is dealing with their anxieties. Few things make us as anxious as financial stress. Educating your employees about the risks of banking applications, and perhaps identifying trusted vendors with the least horrible applications, can help reduce the incidence of fraud, identity theft and so forth among your employees. In turn, this will lower anxiety, and result in less susceptibility to social engineering.
The Facebook Hits Just Keep On Coming
By the time this newsletter is sent out, chances are you’ve already heard that Over 540 million Facebook records found on exposed AWS servers. This is compounded by Facebook demand for new user email passwords reveals appalling lack of security awareness; and naturally leads into a discussion along the lines of Are there viable alternatives to Facebook and Twitter?
Social media is a nightmare. Our very human need to reach out and connect with others leads us to post information online that can politely be described as indicative of poor operational security. Even most of us who know better can't help it. We are, with very few exceptions, social creatures. And we live in a society where face-to-face interaction has become increasingly rare, awkward, and even legally risky.
Social media has other problems, too. In addition to poor information security practices by social media companies, and our very human tendency to overshare, there's the use of social media for psychological warfare, social engineering, and the part where people are monsters, and being exposed to their opinions on a regular basis is damaging to our mental health.
It would be nice if there were an easy solution to the myriad problems of social media. Simply demanding rigid self-control from all employees is never going to work, because self-control is a myth. It's a popular myth, to be sure, but modern science overwhelmingly says that treating our ability to resist temptation as a moral failing that must be punished with the liberal application of the stick is a waste of time.
Countermeasure:
The best possible thing any of us can do to resolve social media issues is to remove the need for people to use social media. Social media serves two functions: a means to coordinate group activities, and a vehicle for our desperate search for personal acceptance. There are lots of ways to solve the former, including standing up your own social media site.
The latter is best solved through cultural changes, efforts around inclusiveness, and working hard to identify the social needs of each individual, and ensure they're met. People are always the weakest link in information security. Patching that vulnerability isn't accomplished via edict or fiat, but through compassion, empathy, and understanding.
How Is Your Personal Data Being Used?
Furthering the discussion about the role of social media, we have Personal Data: Political Persuasion. Though this is something of a long read, it’s interspersed with lots of illustrations that range from helpful to… just odd.
The piece in question is a primer on the influence industry. This is stuff we’re going to need to know to be even semi-functional digital citizens. Much of what’s discussed is uncomfortable, and not something that most of us want to admit; but if we work in information security, it’s information we need to know.
Today, the influence industry is largely focused on political goals. Tomorrow, the social cannons might be pointed at your organization. Are you ready to defend against them? Why Phone Numbers Stink As Identity Proof. Just as biometrics are not a replacement for passwords, phone numbers are not a replacement for any aspect of authentication. The idea is malodorous, and Krebs has an in-depth look at how we got to the ridiculously terrifying unfortunate point where far too many organizations use phone numbers for security purposes and sometimes do not offer any other alternative.
Countermeasure:
This piece should be read as widely as possible within your organization. If nothing else, it should be read by your information security and communications/social media teams. Information security starts with awareness.
After the Breach
If it bleeds, it leads. If there's an infosec compromise, the event itself gets sprayed all over the mainstream press; but how the problem is dealt with is arguably the more important part.
Post-mortems are important, and we should all be reading them. Learning from the mistakes of others is generally preferable to having to make those same mistakes ourselves. To that end, In its ransomware response, Norsk Hydro is an example for us all and ShadowHammer Dangers Include Update Avoidance are worth a look.
Countermeasure:
Your organization should have a formal process in place to seek out publicly posted post-mortems, and learn from them. You should also be performing a full post-mortem after every major infosec incident, and posting it publicly. Benefit from – and be a part of – the tide the lifts all boats.
This Week in IoT (in)Security:
Once upon a time, it was "this week in IoT schadenfreude." I think we're past schadenfreude. Now there's just sadness. Unending, unresolvable sadness.
- Researcher prints 'PWNED!' on hundreds of GPS watches' maps due to unfixed API
- Bashlite IoT malware upgrade lets it target WeMo home automation devices
- 7 Malware Families Ready to Ruin Your IoT's Day
Tweet of the Week:
This tweet should go without saying. And yet, it sadly still regularly needs be said.
"Yes, I'm a woman. Yes, I work in infosec. My gender does not matter more than my products. No gods. No heroes. No masters. No tokens." - H E X A (@hexadecim8)
Podcast of the Week:
This is an Interview with Kim Zetter, who broke the ASUS compromised updates story last week. Worth a listen.
Why The ASUS Supply Chain Hack Is a Big Deal
Quick Links:
- Researchers trick Tesla’s Autopilot into driving into oncoming traffic
- Kaspersky Lab Will Now Alert Users to 'Stalkerware' Used In Domestic Abuse
- Home DNA kit company asks you to upload your family tree for the FBI
- Hearing your touch: A new acoustic side channel on smartphones
- Office Depot fined millions for tricking customers into believing their PCs were infected with malware
- Terrorist’s mainfesto used to spread disk-wiping malware
- NDSU Offers Nation's First Ph.D. in Cybersecurity Education
Resources of the Week
Here's a trio of older posts from Krebs on Security that are excellent for helping to answer basic security questions from people with no security background. If you must explain to your great-aunt Winifred why she needs to care about securing her ancient PC, here are words (and helpful pictures) to use.
- The Value of a Hacked Email Account
- The Scrap Value of a Hacked PC, Revisited
- Krebs’s 3 Basic Rules for Online Safety