Friday Five: 12/8 Edition
Catch up on all the week's InfoSec news with this roundup!
The Securities and Exchange Commission's Cyber Unit – founded in September – was able to put one in the win column this week. FCW's Adam Mazmanian reports the group halted a cryptocurrency offering, PlexCoin, that "hit all the characteristics of a full-fledged cyber scam." The offering was apparently laden with extraordinarily false promises, such as a return of between 200 percent and 1,354 percent in less than a month. Two Canadians charged in the crackdown managed to funnel away a pretty penny – $810K of the $15 million paid by investors since August.
2. oBike Reviewing App Security After International User Data Leak by Zhaki Abdullah
oBike, a Singapore-based bike share app, worked quickly to fix an issue in the API behind its refer-a-friend feature. While the service is based in Singapore, it also has offices – and services – in Melbourne and London. The API leaked unencrypted user data: users' names, where they rode to, and so on. While sensitive data such as credit card information and users' passwords was not leaked, a spokesman for the company told Zhaki Abdullah, a reporter with the Straits Times, that it had disabled the API and was looking into preventing data from being leaked in the future. "We are relooking the sharing and security functions of the app, to ensure that no further user data is compromised," the spokesman said.
Not a week can go by without researchers uncovering sensitive data left exposed, either in an Amazon S3 bucket or, in this week's case, a misconfigured MongoDB database. Researchers with Kromtech Security Center, which distributes the MacKeeper software, discovered that the database contained the data of over 31 million users of a virtual keyboard. The keyboard, ai.type, can be installed on either iOS or Android devices. There was no shortage of information left online: users' phone numbers, full names, device name and model, mobile network name, SMS number, screen resolution, enabled user languages, Android version, IMSI number, IMEI number, email addresses associated with the phone, country of residence, links to and information from associated social media profiles (including birthdates and photos), IP address, and location details.
Interesting research from PhishLabs, via Wired on Tuesday: phishers have managed to put their pages behind legitimate-looking – and seemingly safe – HTTPS websites in order to trick users into thinking they are safe. According to the research, that is the case at least 24 percent of the time, a big jump from the less than three percent it was this time last year. Attackers are either setting up their own HTTPS sites or compromising existing ones, something that will make it increasingly tricky to tell a fake, malicious site from a real one.
Threatpost recaps some mobile security research published by the University of Birmingham's School of Computer Science (PDF) this week. The academics released an automated testing tool, Spinner, as part of an investigation they carried out. The tool helped detect flaws – mostly ones enabling man-in-the-middle attacks – in several high-profile banking apps, Bank of America and HSBC to name a few, which the developers went on to fix. The issues stemmed from how the apps implemented certificate pinning and certificate verification when establishing a Transport Layer Security (TLS) connection.
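The paper's specific findings are not reproduced here; as an added example (not from the Birmingham paper or Threatpost), the Go snippet below shows why a certificate pin check must be paired with hostname verification when a client builds a TLS connection: a pin-only check accepts a pinned certificate no matter which host the app actually dialed. The certificate, the host names and the pin are all constructed inside the program so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)

// pinOnlyVerify models the weak pattern: any certificate carrying the pinned
// key is accepted, no matter which host name it was issued for.
func pinOnlyVerify(leaf *x509.Certificate, want [32]byte) error {
	if sha256.Sum256(leaf.RawSubjectPublicKeyInfo) != want {
		return errors.New("SPKI pin mismatch")
	}
	return nil
}

// pinnedVerify is the corrected form: the certificate must both name the host
// the client dialed and carry the pinned public key.
func pinnedVerify(leaf *x509.Certificate, host string, want [32]byte) error {
	if err := leaf.VerifyHostname(host); err != nil {
		return err
	}
	return pinOnlyVerify(leaf, want)
}

// selfSignedFor builds a constructed, throwaway certificate for dns (not any
// real bank's certificate) so the checks above can be exercised offline.
func selfSignedFor(dns string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{dns},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

In a real client, pinnedVerify would run inside the TLS handshake's verification callback with the dialed host name and the shipped pin; the pin-only variant is shown purely to contrast the two behaviours.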