Citi iPhone banking app contains security flaw

iPhone-owning customers of Citigroup have been urged to update their mobile banking app immediately because of a security flaw that secretly stored account numbers, bill payments and security access codes in a hidden file.

 

The Citi Mobile app allows customers to check their account balances, transfer funds and pay bills from their iPhone, and is one of the most popular finance applications in the Apple App Store with approximately 120,000 users since it was launched in March 2009.

 

Citigroup told the Wall Street Journal that it had “no reason to believe that our customers’ personal information has been accessed or used inappropriately by anyone.”

 

 

However, there will undoubtedly be concerns that if users lost their iPhone the information could be accessed by an identity thief. Furthermore, it is believed that the sensitive data could also have been backed-up to customers’ Windows and Mac computers when they are synchronised with the iPhone. Certainly, there are many more chances for the typical malicious hacker to access information stored on a PC than on the controlled environment of an Apple iPhone.

 

 

Read More…

 

Embarrassing privacy flaw found on Facebook

A researcher has found a critical security flaw on Facebook that could be exploited by hackers to expose sensitive information about users.

 

M J Keith, a senior security analyst with security firm Alert Logic, discovered the vulnerability which could lead to private information being exposed, or users’ Facebook pages being maliciously defaced.

 

IDG security reporter Robert McMillan has explained the problem well:

The bug has to do with the way that Facebook checked to make sure that browsers connecting with the site were the ones they claimed to be. Facebook's servers use code called a "post_form_id" token to check that the browser trying to do something -- liking a group, for example -- was actually the browser that had logged into the account. Facebook's servers check this token before making any changes to the user's page, but Keith discovered that when he simply deleted the token from messages, he could change many settings on any Facebook account.

 

This is called a CSRF (Cross-site request forgery attack), which – if left unpatched – would allow hackers to set up malicious webpages that could submit instructions to the victim’s Facebook account without validation.

 

The consequence? Well, a hacker could make your hitherto private information public, or force your profile to “like” a Facebook group that you may find embarrassing.

 

M J Keith reports on AlertLogic’s website that he informed Facebook of the problem on the 11th of May, and that the problem has now been fixed.

 

However, IDG has reported that the security hole is still present.

 

Hopefully, if it’s not already patched, this privacy flaw – which comes at an embarrassing time for Facebook – will be removed soon.

 

If you’re a regular user of Facebook, you could do a lot worse than join the Sophos page on the site to ensure you are kept up-to-date with the latest security news. Oh, and remember to be careful about clicking on suspicious links..

 

By Graham Cluley, Sophos

 

Facebook disables chat after security hole discovered

Facebook has taken down its instant messaging-style system which allows members to chat real-time with each other after claims that the system suffers from a serious security problem.

 

According to a report by TechCrunch, a security flaw allows your Facebook friends to secretly spy on your private live chats as well as any see any pending friend requests that you have made.

 

In the past Facebook has insisted that privacy is its “highest priority”, but there isgrowing concern that the site has played fast and loose with the personal information of its 400 million users, encouraging them to share too much private data online and changing privacy settings to be more “open”.

 

A video has been posted on YouTube which allegedly demonstrates the security hole:

 

The news that Facebook has disabled its chat system suggests that they are working on fixing the security problem. Hopefully it will be resolved quickly.

 

But even if this security issue is fixed promptly there are other security issues on Facebook, as with any other social network, that need to be considered if you plan on continuing to use the site. Make sure you read our guidelines for better security and privacy on Facebook.

 

Oh, and you might want to become a Fan of Sophos on Facebook too to ensure you are kept up-to-date with the latest security news.

 

by Graham Cluley, Sophos

 

 

German Government: Don’t use Firefox

The German government has advised computer users not to run Firefox and run an alternative browser instead, because of a critical security flaw.

 

The advice, which comes from BürgerCERT, part of the German Federal Office for Security in Information Technology (known as the Bundesamt für Sicherheit in der Informationstechnik or BSI), recommends that computer users stop using Firefox until Mozilla releases a fix.

 

The reason why Germany is suggesting such seemingly drastic action is that there is a critical vulnerability in currently available versions of Firefox that could be exploited by hackers to launch malicious code on users’ computers.

For its part, Mozilla has acknowledged the security vulnerability, and advises that a patched version 3.6.2 of Firefox is scheduled to be available on March 30th.

 

Here is a rough translation (courtesy of Google Translate):

Recommendation
Because of the Mozilla Foundation, a privately disclosed vulnerability Bürger-CERT recommends the use of alternative browser until Mozilla has released Firefox version 3.6.2. The current release of Firefox 3.6.2 Plan provides for delivery on Tuesday 30 Before March 2010.

 

Description
There is an as yet unspecified vulnerability in Mozilla Firefox version 3.6. A remote attacker to execute using rigged websites the opportunity to inject malicious code in the context of the logged on user.

 

Security researcher Evgeny Legerov discovered the vulnerability last month, controversially making code which exploited it available to those who were prepared to pay. That’s not an approach which is likely to have won him many friends at Mozilla, who would much prefer that vulnerability researchers worked with them on responsible disclosure.

 

It must be an uncomfortable time for German web users too. After all, in January they were advised not to use Internet Explorer, and now they’re being told to keep a wide berth from Firefox until it’s fixed.

 

It’s certainly a lot easier for computer-savvy home users to leapfrog from browser to browser than companies.

 

Switching your web browser willy-nilly as each new unpatched security hole is revealed could cause more problems than it’s worth. For instance, imagine how much training some users will require to switch from one browser to another.

 

And it’s worth bearing in mind – what are you going to do when your replacement browser itself turns out to contain a vulnerability? Are you going to switch yet again?

 

My advice is to only switch from Firefox if you really know what you are doing with the browser you’re swapping to. If you stick with Firefox, apply the security update as soon as its available.

 

If you can’t wait – Mozilla says it has produced a release candidate build of Firefox 3.6.2 which already contains the fix (obviously it hasn’t been through their complete quality assurance process yet). You can download it from their website at https:/ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.6.2-candidates/build3/

 

By Graham Cluley, Sophos

 

 

German Government: Don’t use Internet Explorer

The German government has advised computer users not to run Internet Explorer and run an alternative browser instead, because of a critical zero-day security flaw.

 

The advice, which came in the form of an official statement from the German Federal Office for Security in Information Technology (known as the Bundesamt für Sicherheit in der Informationstechnik or BSI) says that the as yet unpatched vulnerability is likely to be the same one blamed for hacker attacks on Google and other US companies last week.

 

The BSI advisory claims that although Microsoft’s advice to run Internet Explorer in ‘protected mode’ and disable Active Scripting makes it more difficult for hackers to attack, it does not completely prevent them.

Here is a rough translation (courtesy of Google Translate) of the BSI statement:

Critical vulnerability in Internet Explorer

BSI recommends the temporary use of an alternative browser
Bonn, 15.01.2010.

In Internet Explorer there exists a critical yet unknown vulnerability. The vulnerability allows attackers to inject malicious code via a specially crafted webpage into a Windows computer, in order to infiltrate and control computers. The past week has become known in the Hacker Attack on Google and other U.S. companies has probably exploited the vulnerability.

Affected are the versions 6, 7, and 8 of Internet Explorer on Windows XP, Vista and Windows 7. Microsoft has published a security advisory, in which it discusses ways of minimizing risk and is already working on a patch for the security hole. The BSI expects that this vulnerability will be used in a short time for attacks on the Internet.

Although running Internet Explorer in "protected mode" as well as disabling Acitve Scripting does make it more difficult to attack, it can not completely prevented. Therefore, the BSI recommends that users switch to an alternative browser while waiting for Microsoft's patch.

Once the vulnerability has been closed, the BSI on its warning and information service MayorCERT also informed. Keep informed about the civic-CERT and the BSI warns citizens and small and medium enterprises from viruses, worms and vulnerabilities in computer applications. The expert analysis of the BSI around the clock, the security situation in the Internet and send alerts when action is needed and safety information via E-mail.

 

The vulnerability means that a hacker could send you a message, perhaps pretending to be from a colleague or friend, and – if you clicked on a link in that email – your vulnerable installation of Internet Explorer would visit a malicious webpage infecting your Windows PC with a Trojan horse.

 

At that point the hackers could effectively grab control of your computer, with the potential of stealing company secrets, personal information or using it to spread spam or other attacks. The problem is that right now Microsoft doesn’t have a patch to fix their software.

 

Of course, the German government’s advice that internet users should switch to alternative browsers is unlikely to well received at Microsoft, and pressure is sure to grow on the company to release an “out-of-band” patch to resolve the security flaw as soon as possible.

 

With Google pointing the finger of blame for the attacks at China, it’s perhaps not surprising that the German government should be keen to ensure that its own computers (whether they be in government or industry) are not next in the firing line of hackers.

 

Alternative internet browsers such as Firefox, Safari and Opera have all suffered from security vulnerabilities in the past, of course.

 

You can read SophosLabs’s write-up on the Microsoft security flaw here, as well as further commentary by principal virus researcher Vanja Svajcer.

 

With all this talk about state-sponsored cyber-spying originating from China clearly spooking the German authorities, it’s perhaps a little ironic that the Germans themselves were accused of using the internet and malware to spy on another country a couple of years ago.

 

by Graham Cluley, Sophos