Mobile, Vulnerability

Santander downplays risk of ‘personal data-stuffed’ cookies

‘If compromised’, cookies would not allow access to online services ‘on their own’

The Spanish banking giant Santander has downplayed growing concerns over its alleged inclusion of “sensitive data” in its cookies.

The bank did not deny including personal data in cookies.

In a post on widely read security mailing list Full Disclosure, an anonymous contributor details a number of alleged problems on Santander UK’s consumer eBanking site.

He claims that Santander online banking “unnecessarily stores sensitive information within cookies”. Depending on which areas of online banking the customer uses, he claims this data allegedly includes the user’s name, PAN (credit card number), bank account number and sort code, Alias and UserID.

“Of particular concern is the full PAN, which PCI DSS states should be rendered unreadable anywhere it is stored,” the whistleblower stated.

He adds that he had gone public after experiencing problems getting the bank to pay attention to (now fixed) cross-site scripting problems he had previously unearthed on its website.

The source alleges that Santander is violating its own cookie policy, which states that session cookies “do not contain personal information, and cannot be used to identify you” as well as the credit card industry’s PCI DSS regulations (PDF).

Santander issued a statement strongly denying allegations that anything was amiss. It said that data stored in its cookies posed no risk to account security.

The data items stored within our cookies, if compromised, would not allow access to our online services on their own and our primary login processes do not rely on cookie data. We review the use of our cookies and the data contained within them, and if necessary will review the IDs used by our customers to limit any future risks.

We take the security of our customer data very seriously. Customers can change their IDs at any time themselves and are reminded not to use the ‘remember me’ function on public or shared computers.

The Full Disclosure critic argues that Santander’s handling of cookies does pose a risk, in cases where customers fail to close their browser after an e-banking session. “Additionally, whilst the cookies expire at the end of a session, they are not overwritten on logout,” he explains. “This means any user who does not close their browser, even if they log out correctly, will still have these cookies present until they close their browser, [t]hus increasing the window for exposure.”
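Both complaints, sensitive values held in cookies and cookies left in place at logout, can be checked from the Set-Cookie headers of a login response and a logout response. The audit below is an added example, not code from the Full Disclosure post or from Santander; the cookie names and header values are constructed for illustration.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers; cookie names and values are hypothetical.
LOGIN_SET_COOKIE = [
    "SESSIONID=9f2c1a7e; Path=/; Secure; HttpOnly",
    "CardRef=4111111111111111; Path=/",      # well-known test PAN
    "Acct=12-34-56|12345678; Path=/",        # sort code | account number
    "Lang=en-GB; Path=/",
]
LOGOUT_SET_COOKIE = ["SESSIONID=; Path=/; Max-Age=0"]

PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
SORT_CODE_RE = re.compile(r"(?<!\d)\d{2}-\d{2}-\d{2}(?!\d)")
ACCOUNT_RE = re.compile(r"(?<!\d)\d{8}(?!\d)")

def luhn_ok(digits):  # Luhn checksum used by payment card numbers
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, lower-cased attrs)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (p.partition("=") for p in rest)}
    return name.strip(), value.strip(), attrs

def is_expired(attrs):
    """True if Max-Age (which wins) or Expires tells the browser to delete."""
    try:
        if "max-age" in attrs:
            return int(attrs["max-age"]) <= 0
        if "expires" in attrs:
            return parsedate_to_datetime(attrs["expires"]) <= datetime.now(timezone.utc)
    except (TypeError, ValueError):
        pass  # unparseable attribute: treat as not expired
    return False

def classify(value):
    """Name the kinds of sensitive data that appear in a cookie value."""
    findings = []
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in PAN_RE.finditer(value)):
        findings.append("pan")
    if SORT_CODE_RE.search(value):
        findings.append("sort_code")
        if ACCOUNT_RE.search(value):
            findings.append("account_number")
    return findings

def audit(login_headers, logout_headers):
    """Report sensitive cookies and whether logout clears them (name match only)."""
    cleared = {n for n, v, a in map(parse_set_cookie, logout_headers)
               if v == "" or is_expired(a)}
    report = {}
    for name, value, _ in map(parse_set_cookie, login_headers):
        findings = classify(value)
        if findings:
            report[name] = {"findings": findings, "cleared_on_logout": name in cleared}
    return report
```

Run against the sample headers, `audit(LOGIN_SET_COOKIE, LOGOUT_SET_COOKIE)` flags `CardRef` and `Acct` as sensitive and not cleared at logout, which is the condition the critic describes; a full check would also compare each cookie's Path and Domain.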

In the UK, Santander is the third biggest bank and a major provider of mortgages, with a combined total of more than 25 million British customers. The Full Disclosure posting was brought to our attention by three Reg readers who described it as unverified but potentially noteworthy. ®

News, Vulnerability

Payment protection tops list of SMS spam scams

d lads frm Lagos lov txt 2

AdaptiveMobile, a company which spends most of its time filtering out junk SMS messages, has written up a list of the scams hitting GSM handsets, with mis-sold payment protection insurance topping the list.

The spam texts differ significantly from the usual email spam in being more direct, claiming intimate knowledge of the recipients’ financial affairs, and obviously being much shorter. The top five all promise instant money, not from some unknown benefactor but from large companies from whom theft is morally permissible.

First up is mis-sold Payment Protection Insurance, with a message providing a detailed figure of compensation available. Payment protection was mis-sold in some cases, and many refunds have been given (though that has not stopped some people trying to make claims on their refunded policies), which makes the scam more believable.

Next up is a loan offer, followed by accident compensation and “new legislation” which will allow the punter to write off debts “instantly”, with better-performing pensions rounding out the top-five list.

The SMS scammers provide exact figures for owed compensation for accidents, encouraging the recipient to justify such promises with selective memory or creative interpretation, which may also filter out the more suspicious types who wouldn’t fall for the scam anyway.

Interestingly all the top five SMS scams end with variations on “to opt out text STOP”, which is required of premium-rate text messages but has obviously become recognisable as the ending of any legitimate message. In this case replying would just confirm the validity of the phone number so should be avoided.

Spam SMS was previously not particularly widespread, just as cold calling was almost unknown in the UK, as the cost of making a call or sending a text was prohibitive. But these days the cost of communication has fallen to such a level that text spamming – sending hundreds of thousands of messages in the hope one will stick – is now financially viable.

For the network operators, spam texts present an interesting problem too, as they have a contractual responsibility to deliver messages which have been paid for. Ten years ago most SMS spam was sent from hacked SMS centres (routing nodes), but these days numerous operators offer unlimited texting so cost is no barrier – even if the sender is breaching the terms and conditions of the connection.

Those Ts&Cs also allow the operator to filter out spam, using filters from AdaptiveMobile or elsewhere, but they walk a path much narrower than their email-providing equivalents, and thus tend to err on the side of delivery, exposing all of us to ever more spam. ®

Mobile, News, Vulnerability

A lesser-known new feature in iOS 6: It’s tracking you everywhere

iJust want to alert you to opportunities!

Apple has enabled user tracking of its customers once again, with the recently released iOS 6 enabling advertisers to see which apps users have run, and which adverts they’ve seen – all for the benefit of the users, of course.

The feature wasn’t highlighted by Apple at the launch of iOS 6, as Business Insider points out in its detailed rundown, but the new tracking number is important as it enables advertisers to target users, and provides decent enough obfuscation to make switching it off really quite difficult, though those making use of it would question why one would want to turn it off anyway.

The IFA, or Identification For Advertisers, is a random number generated once by the iOS device which is used to uniquely identify that device between applications. The number is available to apps which can send it to their advertising service of choice to pull down new adverts, perhaps based on previous usage or viewing, without sharing the identity of the user or their equipment.

Prior to iOS 5, developers could use the UDID, a unique device identifier which was available to applications. The UDID worked fine, but there was no way to prevent applications reading it and while lots of applications, and advertisers, were benignly making use of the UDID, customers started to get riled about privacy and (after giving developers a decent warning) Apple pulled the plug.

UDIDs weren’t just used by advertisers, they also allowed apps to download settings when reinstalled on a device where they had previously been used (assuming the vendor kept records), and enabled analytical software (such as Crashlytics) to identify when different applications are crashing on the same device – pointing to faulty hardware – something impossible with alternative schemes.

Apple’s new IFA isn’t guaranteed not to change – the device could generate a new random number at any time, but Cupertino isn’t saying how often, or if, it will. But that shouldn’t matter to advertisers who don’t care if it’s not perfect. More importantly the IFA can be switched off by users, or (more accurately) one can switch the “opt out” option to “on”, assuming one can find it under Settings/General/About/Advertising, not “Privacy” where one might expect to find it – Business Insider has a step-by-step guide with pictures.

While we’re on the subject, Bruce Schneier reminds us that last month Apple posted details of how to opt out of its own advertising platform iAd, or the tracking performed by iAd at least; one has to keep watching the ads as long as one wants free stuff.

Which brings us to the question of why one would bother. We’re told that tracking is used to present adverts in which we might be interested, and ensure that the same adverts aren’t presented repeatedly everywhere we go, but that might not be as true as one would hope if Google is any guide.

Some months ago your correspondent expressed some interest in a Fluke Thermal Imager, from a technical point of view, and since then at least half the websites visited have shown the same advert for Fluke, which eventually phoned to ask if I was going to buy one. I’m not – I have an interest, but no use, for such a thing – but still I’m unable to avoid the adverts everywhere.

If that’s the future of tracked adverts then random selection would seem a more desirable option, and if it enhances one’s privacy then that’s all to the good. ®

Mobile, News, Vulnerability

New Virus FakeLookout.A Discovered by TrustGo Security Labs

On Oct 17th 2012, TrustGo Security Labs uncovered new malware on Google Play, named Trojan!FakeLookout.A.

Figure 1

This malware hides itself in the full Application List after installation. It only shows up in the Downloaded app list where it uses Lookout’s icon and the name “Updates”.


Figure 2

This malware can receive and execute commands from a remote server.

Server address:









Depending on the remote server’s commands, the malware can steal the user’s SMS and MMS messages and upload them to the remote server via secure FTP. It also uploads the complete file list from the user’s SD card to the remote server, which can then instruct the malware to upload specific files. This is a severe threat to the user’s privacy and sensitive data.

TrustGo Security Labs successfully accessed the FTP server and discovered uploaded files from some victims. The following is the root directory of the FTP server.

Figure 3

Upon exploring the directories, TrustGo Security Labs found a variety of SMS messages and video files from victims.

Figure 4

Based on the static analysis of code and the evidence found on the server, TrustGo positively identified the app as containing malware.

Based on IP address, the server is located in Colorado in the United States.

Further investigation shows that the remote server hosts a malicious website!

It drops a backdoor Trojan file (Figure 5) and runs shell code in Windows PowerShell. Once the Trojan opens a backdoor, it waits for further commands.

Figure 5

The malicious website is targeting multiple platforms including Windows, Mac and Unix/Linux operating systems (see figure 6). It will drop different Trojan files depending on the user’s operating system.

Figure 6

The hacker is attacking multiple platforms including Windows, Mac, Unix/Linux operating system and Android. The Android malware found on Google Play is just a part of the attack.

News, Vulnerability

One year on, SSL servers STILL cower before the BEAST

70% of sites still vulnerable to cookie monster

The latest monthly survey by the SSL Labs project has discovered that many SSL sites remain vulnerable to the BEAST attack, more than a year after the underlying vulnerability was demonstrated by security researchers.

BEAST is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt the encrypted cookies that a targeted website uses to grant access to restricted user accounts.

October figures from the SSL Pulse survey of 179,000 popular websites secured with the ubiquitous secure sockets layer (SSL) protocol reveal that 71 per cent (127,000) are still vulnerable to the BEAST attack.

The latest stats show little change from September figures, down just one percentage point from the 71.6 per cent vulnerable to the BEAST attack recorded last month.

Exposure to the so-called CRIME attack was also rife: 41 per cent of the sample support SSL compression, a key prerequisite of the attack.

The so-called CRIME technique lures a vulnerable web browser into leaking an authentication cookie created when a user starts a secure session with a website. Once the cookie has been obtained, it can be used by hackers to log in to the victim’s account on the site.

The root cause of the BEAST attack, first outlined by security researchers in September 2011, is a vulnerable ciphersuite on servers. The dynamics of the CRIME attack are more complex but capable of being thwarted at the browser or quashed on a properly updated and configured server.

The SSL Pulse survey also looks at factors such as the completeness of certificate chains and cipher strengths, among others.

Of the 179,000 sites surveyed only 24,400 (or 13.6 per cent) deserve the designation as “secure sites”, according to SSL Labs. ®


‘Four horsemen’ posse: This here security town needs a new sheriff

Body which issues CISSP tin stars set for shakeup?

As the overpriced beers flowed and dusk approached in central London pubs surrounding the venue of RSA Europe last week, talk often turned towards the (ISC)2 security certification body.

(ISC)2, which administers the widely recognised Certified Information Systems Security Professional (CISSP) qualification, was “a waste of money” and its board of directors “filled with a bunch of out-of-touch boobs” who are unaware of the practical issues in the working life of an infosec professional, we heard.

Membership fees for the organisation are $85 a year. But what do the 80,000 (ISC)2 members get in return?

A cursory search reveals that the beer-fuelled criticism is matched by a series of critical blog posts by respected members of the security community, including Jack Daniel, co-founder of the BSides security conference, and other security honchos such as Rob Graham.

Many of these blog posts note that upcoming (ISC)2 elections in late November offer a chance to make a change.

(ISC)2 directors are elected for a three-year term. Four of the 13 seats on the board are up for re-election this time around. As well as the six candidates on the approved slate there will also be a chance to vote for two alternative (unendorsed) candidates, one standing on a reform ticket. Eligible (ie, fully paid-up) members of (ISC)2 also have the opportunity to cast their vote for a write-in candidate. More details on the (ISC)2 board election process can be found here.

Now it seems that a group of radicals wish to infiltrate the group. The “Four Horsemen of the Impending Infosec Apocalypse” – prospective candidates for the (ISC)2 election who are not included on the official slate – have put themselves forward for election. Only one of the four – Dave Lewis (@gattaca) – made the cut. Scot Terban, Boris Sverdlik and Chris Nickerson all fell short. Another candidate, Diana-Lynn Contesti, will appear on the official ballot papers. Contesti was previously on the board but is not an incumbent.

Manifestos for members of the loosely formed “freak ticket” alliance can be found by searching for (ISC)2 on There’s also a CSOonline article on Lewis’s candidacy and desire to restore the integrity of the CISSP exam. Both Lewis and Contesti are Canadian residents.

The two successful unendorsed candidates managed to get 500 nominations from (ISC)2 members, via emails in support of their candidacy from registered accounts, before a 17 September deadline. Pulling off this not-inconsiderable feat means that their names will appear on the ballot for the upcoming election. Signing the petition to get someone on the ballot does not commit members to vote for them in the actual election.

Of the two unendorsed candidates, only Lewis represents reform. The lack of choice among the rest is likely to irk critics of the organisation, who are not difficult to find.

“I think (ISC)2 and the CISSP just need to go away, be put on an ice floe and sent out to sea – but since that seems unlikely, I’ll support folks who want to make a change,” writes Daniel, in characteristically caustic style. “Wim Remes made it to the board last year from a write-on candidacy, let’s see if we can get more – at least on the ballot.”

Another critic, (an association of infosec professionals in the Washington DC area) writes: “Keeping the same old guard on the board will simply result in a certification that continues to be disconnected from the day-to-day practical aspects of today’s security professionals. The first step to reconnect the ISC2 board with the practical aspects of today’s infosec pro is to get more community representation.”

And there’s more along the same lines from Rob Graham of Errata Security, who writes: “The best known professional certification in cybersecurity is the ‘CISSP’ (by the (ISC)² organisation), but it’s horrible. The test givers are incompetent. The organization is corrupt. Its ethics are unethical. It’s a typical example of rent-seeking behavior rather than a badge of quality. These problems have only gotten worse over the last decade as the organization has resisted reform.”

Graham, like Daniel, praised the election of Wim Remes to the board last year as part of a much-needed reform process. Remes is a manager in risk and assurance practice at Ernst & Young in Belgium. But what really appeals to those who dislike the stuffed shirts is his work organising the well-regarded BruCON security conference and presenting at BlackHat.

Remes told El Reg that he might have joined in with the criticism last year himself but 10 months on the (ISC)2 board has shifted his opinion. The board of (ISC)2 is made up of representatives from academia, industry and internet committees. Unlike critics, Remes doesn’t think the group is out of touch.

“We need fresh blood but we don’t want to throw our history away,” he said. “The present board are a diverse bunch who are well in touch with what’s happening in security, and knowledgeable.”

“They’re not stuffy types… and not on the board just to be on the board. (ISC)2 is less bureaucratic than I thought it would be,” he added.

CISSP certification helps people to get or retain jobs in information security but it’s not mandatory to have any qualification to have a job in the profession.

Remes cites the fact that the 80,000 membership of (ISC)2 is going up as evidence that the organisation is still relevant and focused on the needs of its members. The (ISC)2 board meets face to face quarterly in diverse and sometimes exotic locations as well as taking part in more regular teleconferences.

Although the board is in charge of governing (ISC)2, the day-to-day running of the organisation is left to a management team.

John Colley, managing director for EMEA and co-chair of the European advisory board for (ISC)2, said members get two broad categories of benefit.

The first is “continuing professional education opportunities”, he said. “We do this by staging online and face to face events with the (ISC)2 Secure series and Think Tank sessions and by negotiating concessions and discounts at major industry events around the region,” Colley explained.

The second major benefit cited by Colley is that “(ISC)2 provides a voice for the community, develops recognition for the profession itself and facilitates opportunities to give back to society.”

The latter, in particular, sounds a bit woolly. Against this Colley said that (ISC)2 member volunteers will be presenting to an audience of over 3,000 schoolchildren in the UK during Get Safe Online Week (22-26 October). (ISC)2 is also developing an application security challenge for Cybersecurity Challenge UK, a government-backed scheme aimed at filling the growing security skills gap by attracting newcomers to the infosecurity profession, he said.

Remes highlighted networking opportunities organised by local chapters and the ability to share best practice as a key benefit of remaining a CISSP.

Colley added that the thorny issue of what members get for their $85 (£53) membership fees crops up every year, normally around the time of board elections. “To understand the value received for AMFs [annual membership fees], we made a concerted effort to ask the members in this region what they are looking for from (ISC)2,” he said.

A light-hearted look at the benefits of being a CISSP can be seen in a video by security blogger Javvad Malik (below).


News, Vulnerability

Apple banishes Java from Mac browsers

Fanbois told to install Oracle’s plugin

Apple has discontinued its own Java plugin, issuing an ‘update’ that removes it from MacOS and encourages users to instead download Oracle’s version of the software.

The update, available now and depicted at the bottom of this story, advises users to install new software with the following effect:

Java for OS X 2012-006 delivers improved security, reliability, and compatibility by updating Java SE 6 to 1.6.0_37. This update uninstalls the Apple-provided Java applet plug-in from all web browsers. To use applets on a web page, click on the region labeled “Missing plug-in” to go download the latest version of the Java applet plug-in from Oracle.

It’s not clear why Apple has taken this decision, but Sophos security researcher Paul Ducklin has blogged his opinion that this regime “may sound like a bug, but for most users, it’s a feature,” given Java’s security issues. Ducklin even suggests Cupertino’s decision may be related to Oracle’s recent release of a security update for Java.

Mac users seem a little confused about what’s going on, if this thread in Apple’s support communities is any indicator.

The move leaves Cupertino hostile to Flash in browsers for mobile devices and Java in browsers for desktops. One anti-plugin decision looked picky. Two may look like a developing policy. ®

Apple's notification about Java