Wednesday, March 13, 2013

Apple finally adopts HTTPS for the App Store - here's why it matters


Last year, a Googler named Dr. Elie Bursztein noticed that Apple's App Store protocols weren't very secure.
Much of the interaction your iDevice had with the App Store was conducted via plain old HTTP.
Apple should really have been using HTTPS, or secure HTTP.
HTTPS, as you probably know, is HTTP traffic carried inside a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) wrapper.
SSL/TLS uses public-key cryptography to create a secure data channel, even between users or websites that have never corresponded before. Conventional encryption, like a door lock, relies on a single key that can both lock and unlock. How to share that one-size-fits-all key before you start using it is a security problem all of its own. Public-key cryptography relies on an algorithm that uses two keys. One is kept private, and the other is made public. What the public key locks, only the private key can unlock.
The problem with HTTP is that if you're on someone else's network, whether it's wired or wireless, they can probably listen into all your web traffic.
Likewise, if someone else is on your network, they can do the same thing, eavesdropping undetectably.
Worse still, it's very likely that they'll be able not only to watch what you're doing, but also to modify the traffic you send and receive.
So, in an ideal world, there would be HTTPS only, since the encryption layer inhibits both eavesdropping and unauthorised modification. Nobody would use HTTP for anything.
And why not? SSL/TLS encryption can be made largely transparent both to the programmer and the user, so the difference in online experience between encrypted and unencrypted web sessions is pretty modest.
In practice, however, HTTPS isn't quite as convenient for your IT department as HTTP.
You need to get certificates signed, your private keys stored securely, and more.
That means an operational change, which means paperwork, implementation time and (you can guess what comes next) money.
Also, because every HTTPS download is encrypted uniquely for each user each time they fetch it, it's much harder to cache HTTPS traffic.
If 2000 users from the USA pull down the same image file from your database in New Zealand, you can't rely on a web cache on the USA side to serve up an identical copy of the file to 1999 of them, because each download is individually negotiated and encrypted.
As a result, a sort-of HTTP/HTTPS hybrid evolved.
You use HTTPS for the parts of the transaction that really have to be secret, such as sending passwords, credit card numbers and other Personally Identifiable Information (PII).
For everything else, you use HTTP.
That was the model used by many online services, including webmail providers and social networks, until fairly recently.
Things started to change after the release of Firesheep, security researcher Eric Butler's mildly controversial effort to push the envelope of web encryption.
Implemented as a Firefox plugin, Firesheep listened on the network until the HTTPS-protected part of your social networking session was complete.
Then it sniffed out your session cookie, the magic token embedded in your post-authentication HTTP requests that tells Facebook, Twitter and others that you're an authorised user.
Firesheep could then pretend to be you, posting status updates, links, tweets and more from your accounts as if you had done it yourself.
Of course, even without actively hijacking your social networking accounts, an eavesdropper can learn an awful lot about you from your HTTP traffic.
After all, not everything you upload to Facebook or Twitter is inevitably intended for public consumption, so it oughtn't really to be uploaded without being wrapped in an SSL/TLS session.
Facebook, Twitter and others, bless them all, eventually bit the bullet and simply switched to HTTPS for everything. (At least, they did for web-based clients. Special-purpose mobile apps were, and some still are, a different story, but we shall ignore that issue here.)
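The Firesheep problem described above comes down to one thing: a session cookie that the browser is willing to send over plain HTTP. The following is an added example, not code from the article or from Firesheep; it audits a server's Set-Cookie headers for the flags that prevent that, and lists the session tokens visible in a constructed plaintext request capture. The cookie names it treats as session tokens are an assumption.

```python
"""Audit session cookies for Firesheep-style exposure (added example)."""
from typing import Dict, List, Set

# Cookie names treated as session tokens; an assumption for this example.
SESSION_COOKIE_NAMES: Set[str] = {"sessionid", "sid", "phpsessid", "jsessionid", "auth_token"}

# Constructed sample: a post-login request as it would appear on an open Wi-Fi network.
SAMPLE_REQUEST = (
    "GET /home HTTP/1.1\r\n"
    "Host: social.example\r\n"
    "Cookie: lang=en; sessionid=9f2c7d1e; tracking=xyz\r\n"
    "\r\n"
)


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split a Set-Cookie value into the cookie name and its attribute names."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return {"name": name, "attrs": attrs}


def audit_set_cookie(header_value: str) -> List[str]:
    """Findings for a server's Set-Cookie; an empty list means it is set safely."""
    cookie = parse_set_cookie(header_value)
    name, attrs = cookie["name"], cookie["attrs"]
    findings: List[str] = []
    if name.lower() in SESSION_COOKIE_NAMES:
        if "secure" not in attrs:
            findings.append(f"{name}: no Secure flag, so the browser will also send it over HTTP")
        if "httponly" not in attrs:
            findings.append(f"{name}: no HttpOnly flag, so page scripts can read it")
    return findings


def exposed_session_cookies(raw_request: str) -> List[str]:
    """Names of session cookies in a request that was readable on the wire.

    A request that can be parsed like this was not inside TLS, so any session
    token in it is exactly what a passive sniffer on the same network sees.
    """
    exposed: List[str] = []
    for line in raw_request.split("\r\n"):
        if not line.lower().startswith("cookie:"):
            continue
        for pair in line.partition(":")[2].split(";"):
            name = pair.partition("=")[0].strip()
            if name.lower() in SESSION_COOKIE_NAMES:
                exposed.append(name)
    return exposed


if __name__ == "__main__":
    for header in ("sessionid=9f2c7d1e; Path=/; HttpOnly",
                   "sessionid=9f2c7d1e; Path=/; Secure; HttpOnly"):
        print(header, "->", audit_set_cookie(header) or "ok")
    print("exposed in sample capture:", exposed_session_cookies(SAMPLE_REQUEST))
```

Switching a site to HTTPS everywhere is what removes the exposure; the Secure flag is the per-cookie check that confirms the session token can no longer fall back to HTTP.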
But Apple, it seems, didn't bother with HTTPS everywhere, even for its own App Store, until 2013.
Since there's no other place to shop when you're buying or selling iDevice software, and since Apple likes it that way, you might think that Cupertino would have set the bar a bit higher.
You might also have expected Apple to react a bit more quickly after Dr. Bursztein's fairly detailed explanations of why the bar really needed to be higher.
In July 2012, he explained several problems, which he's now made public, including active attacks (that's where you change HTTP content en route between server and client) by which a malcontent could steal your password, trick you into buying the wrong App, deliver you a bogus update, or quietly prevent you from applying a needed update.
Bursztein also showed that the App Store routinely uploaded an unencrypted list of already-installed Apps from your device.
That doesn't sound like much, but it is.
Firstly, some of those Apps will identify aspects of your life that would be handy for a social engineer to know: the bank you use, the newspapers you like, the games you play, the share-trading services you invest with, and more.
Secondly, the complete selection of Apps on your device may very well be unique to you, thus making it a handy form of digital fingerprint for an attacker.
Earlier this year, Apple finally made a start towards the change that many of its web traffic competitors, such as Google, Facebook and Twitter, made some time ago, and bumped all the App Store's active content to HTTPS.
Good. (Better yet would have been to serve everything using HTTPS, but let's be thankful for what we've got.)
If you're a web developer and your web services rely on users sending you traffic that contains anything at all that oughtn't to be public, you should be doing the same.
Even data that isn't legally considered PII can be pure gold to cybercrooks, and so leaking it could be putting your customers at risk.
And you wouldn't want that, would you?

Learning more about SSL/TLS

Would you like to know more about SSL/TLS?
Here's a quarter-hour Sophos Techknow podcast, featuring Paul Ducklin and Chester Wisniewski as they explain the S in HTTPS:
(03 August 2012, duration 16'10", size 11MBytes)

Google Glass: the ultimate creepy stalker toy?


Yesterday was a challenging day for the double X-chromosomed - or, really, for anybody who doesn't want to be spied on.
First, there was this Ars Technica piece about ratters: hackers who use remote administration tools (RATs) to gain access to (primarily) women's webcams, files and PC microphones to steal files and surreptitiously spy on victims, whom they refer to as "girl slaves."
Then there was this: ReadWrite's roundup of five creepy things you'll be able to do with Google Glass.
If you're not yet familiar with Google's internet-enabled head gear, ITTechWiz has a rundown of what these things will do.
Google told The Verge that it's aiming to release Glass by the end of 2013.
While we wait, there's time to ponder the privacy invasions Google's glasses portend.
For one, it will be a boon to those who don't have the technical acumen to actually hack into somebody's computer and take it over like the ratter crowd.
As ReadWrite pointed out, Google's device removes the social awkwardness, and obviousness, of pointing a camera or smartphone at somebody to snap their photo or grab some video of them.
Taking the phone or camera out of the equation means that stalker types can just look and snap, or leer and record, as the case may be.
Of course, it's not only attractive women who'll be potentially targeted by creeps. It could be children, or anybody, for that matter.
Google hasn't included facial recognition for their first iteration of Glass. I tried to find thoughts from them on whether it would be included in future versions, but I came up short. Enlighten me, please, if you've seen such.
Given the social networking giants' attraction to this technology up to this point, it's hard to imagine Google will refrain from including it in the long term.
In the meantime, the Glass-clad will have the option of quietly muttering voice commands to their Android-enabled face gear so as to do a bit of Google stalking on whomever they just met.
The invasion of privacy this promises to usher in is reminiscent of "Girls Around Me," the stalking app that tied in to Foursquare to enable users to access women's specific location, photos, Facebook details including birthdays or relationship status or schools attended, and whatever else Facebook and Foursquare's check-in functions had broadcast about its targets.
Thankfully, at least one business has already banned Google Glass.
The 5 Point Cafe in Seattle on Monday posted this ban:
If you’re one of the few who are planning on going out and spending your savings on Google Glasses – what will for sure be a new fad for the fanny-pack wearing never removing your bluetooth headset wearing crowd – plan on removing them before you enter The 5 Point. The 5 Point is officially a No Google Glass zone.
Nicely done, 5 Point. Thank you for protecting your patrons' privacy, particularly in your gadget-savvy city.
ZDNet's James Kendrick predicts that when public awareness of Google Glass reaches a critical mass, and when people understand that the devices can record photos, video and audio of the wearer's surroundings, we'll see more such bans.
Don't be surprised if within weeks of the Google Glasses general release we start seeing bans of it cropping up all over the place.
I hope he's right.
I'd suggest that as we await the availability of what admittedly sounds like insanely fun gadgetry, outside of the scary privacy bits, you practice the same caution with regards to your privacy around Google Glass as I recommended with Girls Around Me.
To wit: Check your applications. Stay safe. Check what they're beaming out about you. Check your children's applications. Be aware of the information your kids' apps beam out about them.
Better safe than Google-stalked.

Skype in hot water over failure to let French police eavesdrop


French telecom regulators have suggested that Skype could face charges for failing to register as a telecom and do all the things that French telecoms are supposed to do - for example, let police eavesdrop on calls.
ARCEP, the French telecom authority, on Tuesday posted a notice stating that they have informed the Paris public prosecutor that as Skype provides French internet users with the ability to make phone calls, it is thereby obliged to comply with regulations that include routing emergency calls and "implementing the means required to perform legally ordered interceptions."
Skype's failure to declare itself an "electronic communications operator" after being "requested several times" by ARCEP could be classified a criminal offense, ARCEP says.
Here's a statement Skype sent to Ars Technica about the désaccord désagréable:
Skype is a globally known and used software app that seamlessly enables millions of people to communicate every day via their Internet connection. We have engaged with ARCEP in discussion over the last several months during which we shared our view that Skype is not a provider of electronic communications services under French law. We will continue to work with ARCEP in a constructive fashion to seek agreement on a resolution that ensures people, wherever they are, can continue to rely on Skype as they do today.
As the Washington Post reported last July, Skype has been sharing more and more data with law enforcement authorities since Microsoft purchased the company in May 2011.
That includes making online chats and other user information such as addresses and credit card numbers available to police.
At any rate, Skype may never have deserved its former reputation as a safe harbor for activists to communicate without fear of interception.
Christopher Soghoian, a tech policy analyst and privacy advocate at the American Civil Liberties Union (ACLU) wrote this about Skype last year:
Skype has always been rather evasive when it comes to discussing this issue. Whenever questions come up, the company makes it a point to mention that it provides end-to-end encryption, but then dodges all questions about how it handles encryption keys.
Skype's strategy is genius - most journalists, even those that cover tech, know very little about the more granular aspects of cryptography. When Skype says it provides end-to-end call encryption, journalists then tell their readers that Skype is wiretapping proof, even though Skype never made that specific claim. Conveniently enough, Skype never bothers to correct the many people who have read a tad bit too much into the company's statements about security.
Soghoian on Skype
So it would seem that if France does put the collar around Skype's neck and get it to heel, not much will change.
It appears that Skype has long been going along with law enforcement's request to intercept communications.
If French citizens ever inhabited a safe zone outside of that type of surveillance, it sounds like that bubble will likely get popped soon.

Barack Obama hacked by SQL injection


This story has been updated with content that supersedes much of the original; the updates are found at the bottom of the story.
Hackers disclosed this morning that they have been able to compromise BarackObama.com through a SQL injection attack.
The English of the post is quite poor; however, the researcher makes a very valid point. Shouldn't the most powerful, well-protected man in the world have a website that is at least reasonably secure? Storing credentials in plain text is even more embarrassing than being vulnerable to SQL injection. Sometimes passwords must be stored in a reversible manner, but you should make the attacker at least work at it a bit.
More concerning is the screenshot that shows the URL as donate.barackobama.com. What other unencrypted information about donors might be stored in this database? If passwords haven't been encrypted, it doesn't take much imagination to figure out that other sensitive data is unencrypted as well.
On the bright side, it does appear that the staffers who log in to this site have somewhat secure passwords. The lengths are not impressive, but most show the recommended mix of letters, numbers, and capitalization and are not based on obvious dictionary words.
I deliver a seminar entitled "Anatomy of an Attack: How Hackers Threaten Your Security," in which I discuss how SQL injection attacks work and demonstrate an actual attack to show how simple it can be for even someone unskilled to perform this type of reconnaissance. Another point that is often difficult to explain is that there is no such thing as "safe surfing."
As administrators, we are often our most dangerous users. Time and again, when asked, administrators will say their scariest surfer is an executive, the sales guy, or the mail clerk. The bigger danger is having administrative privilege and not realizing how pervasive the threat on the web is. When the NY Times, Google, and BarackObama.com are hosting malware, there are no safe websites despite the false confidence gained by not surfing porn.
What can you do to avoid becoming the next victim of this type of compromise? One piece of advice I give in "Anatomy of an Attack" is to approach inputs on your website from a whitelisting angle, rather than trying to blacklist every possible way you think someone could enter malicious input. There are many ways to encode SQL commands to bypass filtering, so it is best to only accept characters that should be valid input.
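The two failings the post calls out, a query built from raw input and credentials stored in plain text, each have a well-known fix. This added example (not the article's code, and nothing to do with the site discussed) puts the string-concatenated 'before' beside the allow-listed, parameterized 'after', and stores passwords salted and hashed; it uses SQLite so it runs offline, and the staff table and its users are constructed.

```python
"""Vulnerable vs. hardened user lookup, plus hashed password storage (added example)."""
import hashlib
import hmac
import os
import re
import sqlite3

# Allow-list of what a username may contain; anything else is rejected outright.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")
PBKDF2_ROUNDS = 100_000  # slows down offline guessing if the table ever leaks


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the salt is stored beside the hash, never reused."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_db() -> sqlite3.Connection:
    """Constructed staff table: two users, passwords stored only as salt + hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for user, password in (("alice", "correct horse"), ("bob", "Tr0ub4dor&3")):
        salt = os.urandom(16)
        conn.execute("INSERT INTO staff VALUES (?, ?, ?)", (user, salt, hash_password(password, salt)))
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The 'before': user input is pasted into the SQL text, so a stray quote
    turns it into a different query (the classic ' OR '1'='1 returns every row)."""
    sql = f"SELECT username FROM staff WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """The 'after': allow-list the input, then bind it as a parameter so the
    database treats it as data rather than as part of the statement."""
    if not USERNAME_RE.fullmatch(username):
        return []
    return [row[0] for row in
            conn.execute("SELECT username FROM staff WHERE username = ?", (username,))]


def verify_password(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Recompute the hash with the stored salt; compare in constant time."""
    if not USERNAME_RE.fullmatch(username):
        return False
    row = conn.execute("SELECT salt, pw_hash FROM staff WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(hash_password(password, row[0]), row[1])


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("vulnerable lookup:", lookup_vulnerable(db, probe))  # leaks both usernames
    print("hardened lookup:  ", lookup_safe(db, probe))         # rejected by the allow-list
    print("alice logs in:", verify_password(db, "alice", "correct horse"))
```

Note that the allow-list alone is not the defence: the parameter binding is what stops the injection, while the allow-list keeps junk out of the database and gives you an early, loggable rejection.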
Sensitive data should always be encrypted regardless of where it resides. Many companies are beginning to encrypt laptop hard disks, but this is just the beginning. Desktops and servers are as likely as anything else to contain personally identifiable information and should be treated with the same caution as laptops. Sensitive data must be tracked and secure practices applied whether that data is in a database, on a backup tape, or being transported on a USB key or smart phone.
Our recent introduction of DLP into Sophos Anti-Virus helps administrators discover this data when it is being transferred, and can also help identify endpoints that may contain data that needs protection. The extent to which this data is spread throughout your organization may surprise you.
I invite anyone in the Atlanta or Chicago areas to join me for my next two "Anatomy of an Attack" seminars. The presentation is purely informational, and not focused on our products or a sales pitch. In addition to providing information on all the latest threats, who is behind them, and how to defend yourself, I demonstrate some live malware and how criminals are distributing it through the web, giving insight into how you can better defend your networks.
Update: The Tech Herald is reporting that they have spoken to the Democratic National Committee who deny Obama's site was hacked. This is not surprising, and I believe is also incorrect. The usernames all match up with Obama staffers and campaign staff, which if the screenshot posted by Unu was mocked up would be a lot more work than most scammers would bother with.
Additionally my wife brought to my attention that several of the passwords are in fact based upon the names of the users and are of far poorer quality than I originally had posted. Just another reason to choose a good password... You never know when someone who stores it insecurely will leak it, and potentially make you look quite foolish.
Update 2: Upon doing further research it would appear the users viewed in the screenshot may in fact be related to Roosevelt University. The Tech Herald has updated their post above confirming that information. A source aware of the events has informed me that the barackobama.com site may have been used as a proxy in accessing the Roosevelt University MS Access database. No data collected nor used by barackobama.com or the DNC was compromised. By Googling for some of the names provided in the screenshot it is quite easy to confirm that they are associated with Roosevelt University.
The more interesting part is the statement from Blue State Digital that the database that was compromised is not hosted by them. They stated that they do not use Access databases, and do not host any content associated with barackobama.com. Whether this is an elaborate hoax, or a yet to be found hole that allowed someone to proxy from the Obama site is yet to be determined.


Friday, March 8, 2013

Track and Field Athletes Test Positive, Eight Years Later

Six track and field athletes who competed at the 2005 world championships in Helsinki have been cited for doping after their samples were reanalyzed and found to contain banned substances, the sport’s international governing body said Friday.

The athletes, from Russia and Belarus, include three gold and two silver medalists. Among them was Nadzeya Ostapchuk of Belarus, a shot putter who placed first. She had also been stripped of her gold medal at last summer’s London Olympics after testing positive for an anabolic steroid after her event.
The hammer throw champions in 2005, Ivan Tsikhan of Belarus and Olga Kuzenkova of Russia, were also found to be doping, the international federation, I.A.A.F., said. The other athletes cited were Andrei Mikhnevich of Belarus (shot put), Vadim Devyatovskiy (hammer) of Belarus and Tatyana Kotova of Russia (long jump).
“The I.A.A.F.’s message to cheaters is increasingly clear that, with constant advancements being made in doping detection, there is no place to hide,” the organization’s president, Lamine Diack, said in a statement.
The I.A.A.F. did not say what banned substances were found in the re-examination. Antidoping officials keep samples for a minimum of eight years because that is the statute of limitations for retroactively banning an athlete for testing positive.
Officials said disciplinary procedures had begun against the six athletes, which could result in the stripping of their medals and suspensions from the sport.

Source : New York Times
http://www.nytimes.com/2013/03/09/sports/olympics/track-and-field-athletes-test-positive-for-doping-eight-years-later.html?ref=sports&_r=0

© Copyright What's up 2013 All rights reserved