Today we’re looking at issues of information security, including a bombshell report describing serious flaws in banking and financial services apps, the kind of apps that need security the most. We’re also diving into a plague of facebook groups openly hawking credit card information and other sensitive or fraudulent materials in plain sight.
A new report from payment consulting firm Aite Group for the cybersecurity company Arxan has compiled a long list of security weak spots in several major financial mobile apps. With financial information being some of the most sensitive of all personal information, the report shows the industry-level problem of financial services and institutions not adopting security technology quick enough. Among the problems described in the report are lack of binary protections, unintended data leakage, insecure data storage, weak encryption, and insecure random-number generation.
The report, called “In Plain Sight: the Vulnerability Epidemic in Financial Mobile Apps” is making waves in financial and information security circles.The report examines the protective capabilities of thirty financial services apps found on the Google Play store. Using widely available software tools, they were able to reverse engineer almost all of the apps, showing a serious lack of protection.
Arxan listed the key findings, which were that 97 percent of all apps tested lacked binary code protection, making it possible to reverse engineer or decompile the apps exposing source code to analysis and tampering. 90 percent shared services with other applications on the device, leaving data from the financial institution’s app accessible to any other app on the device. 83 percent insecurely stored data outside the app’s control, like in the local file system, external storage, and copied data to the clipboard, allowing shared access with other apps and exposing a new attack surface through APIs. 80 percent implemented weak encryption algorithms or incorrect implementation of a strong cipher, allowing adversaries to decrypt sensitive data and manipulate or steal it as needed. 70 percent used an insecure random-number generator, a security measure that relies on random values to restrict access to a sensitive resource, making the values easily guessed and hackable.
Cybersecurity analyst and researcher behind the study, Alissa Knight told ZDNet:
“There’s clearly a systemic issue here – it’s not just one company, it’s 30 companies and it’s across multiple financial services verticals. It’s almost as if the developers who wrote the code didn’t realize that it’s possible to actually browse the directory structure of this mobile app and pull these files out, pull the keys out of subdirectories.”
According to the report, Several mobile banking apps hard-coded private certificates and API keys into their apps. Hackers could exploit this by copying the private certificates to their computers and running any number of free password-cracking programs against them. Should the hackers successfully crack the private key, they would be able to decrypt all communication between the back-end servers and mobile devices, among other things.The API keys allow an adversary to then begin targeting the financial institution’s API servers, gaining them access to data in the back-end databases.
What this basically means is that banks has made it hilariously easy to access servers. One directory they found was actually labeled “API keys.” API keys are like a private password used to track and control how the API is being used. The key is a unique identifier and authentication token, defining authorizations specific to the identity associated with it. In the hands of the wrong person, it can be used to authenticate a device with the back-end servers of the app. With the exposed source code of the app, hackers could modify URLs and change how the app behaves and where it sends data.
Knight didn’t name the companies or the apps to avoid people taking advantage of the vulnerabilities but did go into which categories had more problems. The report also shows the total number of vulnerabilities discovered across all app categories was 180. The financial institutions tested in the US represented 85 percent of the vulnerabilities while the ones in Europe represented 15 percent.
The three app categories with the highest number of critical vulnerabilities that can compromise the confidentiality, integrity, or availability of the user or financial institution were retail banking, retail brokerages, and auto insurance companies. The three app categories with the fewest critical vulnerabilities were Health Savings Account banks, health insurers tied with mobile payment apps, and credit card issuers. The app category with the most severe findings was auto insurance, as these apps contained the most number of hard-coded private keys, API keys, and API secrets in their code. Interestingly, the report found that the apps with the most security controls were the cryptocurrency category and that smaller companies had the most secure development hygiene while larger companies had the most vulnerable gaps.
According to Computerworld, Arxan’s research vice president, Aaron Lint said: “It’s no secret that the finance industry is a hot target because the payload is cold, hard cash. Virtually none of the apps tested in this research had app security measures in place that could even detect an app was being reverse-engineered, let alone actively defend against any malicious activity originating from code level tampering.”
The report recommended that financial institutions should adopt a comprehensive approach to application security, including app shielding, encryption, and threat analytics. They suggested their developers receive adequate secure programming training to develop apps that protect and detect against reverse engineering, malware, device cloning, code injection, keylogging, screen sharing, and many, many more threats.
In addition to minimizing risk by not naming any of the companies in the study, the Aite Group also decided not to tell any of the companies about the security holes in their apps. That’s because people who act on their own to find these security flaws are examining sites or apps without the company’s permission. This can lead to debilitating lawsuits or blacklisting within the cybersecurity industry.
The sloppy security behind many of the apps is a gift to cybercriminals, who have been thriving in online groups on facebook. In our next story, researchers at Cisco’s Talos security division uncovered 74 facebook groups devoted to selling stolen credit card information, identities, spam lists, hacking tools, and more. The weirdest part is how they’re operating in plain sight. Facebook groups with names like “Legends of Hack,” “Spam professional,” “Facebook hack phishing,” and “spammers family” have allowed people from all over the world to congregate and share sensitive information.
In a blog post last Friday, Talos researchers posted photos and other information about the operations of these groups they’ve been tracking over several months. They found the activities of these accounts ranged from shady to downright illegal. Despite the names being a dead give away, some of these groups have remained on Facebook for up to eight years.
According to the post, “In all, Talos has compiled a list of 74 groups on Facebook whose members promised to carry out an array of questionable cyber dirty deeds, including the selling and trading of stolen bank/credit card information, the theft, and sale of account credentials from a variety of sites, and email spamming tools and services. In total, these groups had approximately 385 members.”
Talos tried to get some of the groups removed by reporting them through Facebook’s abuse reporting function. Some groups were removed immediately, while other groups only had individual posts removed. After contacting Facebook’s security team, many of the malicious groups were taken down, but new groups started appearing. The Talos team discovered several posts of people selling credit card numbers and their CVVs, sometimes with the photos of the victims or their identification documents.
Group members offered access to massive email lists, forged documents, and assistance moving large amounts of cash among other illegal activities. Many of the sellers asked for payment in cryptocurrencies, others used middlemen as go-betweens who would take a cut. The success rate and legitimacy of the users are hard to measure, but there are often complaints posted by members who have been scammed by other members.
One of the examples Talos used was an offer of spamming services, using an Apple-themed phish that could avoid spam folders of Hotmail and Yahoo. The email included a PDF invoice with links to view or cancel the order, but the links direct to a phishing site that looks like an apple website. The IP address used to host the site is also used to host many other suspicious domain names likely used for similar scams.
In a statement to Wired, a Facebook spokesperson wrote:
“These Groups violated our policies against spam and financial fraud and we removed them. We know we need to be more vigilant and we’re investing heavily to fight this type of activity.”
They noted that most of the groups were created last year and that some of the users associated with the groups have been banned, with measures taken to prevent them from creating new groups.
Cisco Talos researcher Craig Williams told Wired that the fix is tightening moderation and for users and auditors to hold Facebook accountable. “This requires a collective effort—from Facebook, from users, and potentially from security companies like us—to keep these actors off social media sites,” he says. “It’s going to require constant vigilance.”
The researchers concluded that social media’s flaws include underlying algorithms that can’t distinguish benign activities from unethical and illegal ones. Many scammers operating within these groups largely do so with impunity. To work against these individuals and groups, Talos suggests social media platforms ought to continue manual and automated efforts at identifying and removing malicious groups. They believe security teams and vendors should work together to share information among themselves and with customers. They also think consumers should be as skeptical and informed as possible, as spam attacks prey on individuals as entry points.
Q&A portion of “We Need to Talk About Diversity” Panel at Portland State University regarding Damore’s Google Memo. Panelists include James Damore, Heather Heying, Helen Pluckrose, and Peter Boghossian.
A German court in Detmold has sentenced Holocaust denier Ursula Haverbeck to 14 months in prison, after the 89-year-old woman lost her appeal to a prior conviction on Tuesday. However, four months were shaved off her original conviction of 18 months. Prosecutors wanted the sentence upheld, Haverbeck’s lawyers were seeking exoneration.
Ursula Haverbeck, often dubbed the “Nazi Grandma” in the German press, has been sentenced to 14 months in prison for incitement of racial hatred. Haverbeck has been handed several jail terms but has yet to be jailed.
The Detmold court had initially sentenced Haverbeck to eight months imprisonment in September 2016, after she sent a letter to the town’s mayor, Rainer Heller, claiming that Auschwitz was not a concentration camp.
Following the trial, the octogenarian handed out pamphlets to journalists, as well as the judge and prosecutor, entitled “Only the truth will set you free,” in which she once again denied the Nazi atrocities. Haverbeck was handed an additional 10-month sentence for the stunt.
Under German law, denying the Holocaust — in which 6 million Jews were murdered by the Nazis between 1941 and 1945 — constitutes incitement of racial hatred and can carry a prison sentence of up to five years.
Haverbeck and her late husband Werner Georg Haverbeck, who was an active member of the Nazi party in the run-up to and during the Second World War, founded a right-wing education center called Collegium Humanum, which has been banned since 2008. She has also written for the right-wing magazine Stimme des Reiches (Voice of the Empire), which she also used to express her views that the Holocaust never took place.
Haverbeck, from the German town of Vlotho near Bielefeld, has been sentenced for similar charges on five other occasions. The most recent, in October, saw her sentenced to six months in prison by a district court in Berlin for incitement of racial hatred after she claimed at a public event that the gas chambers and Auschwitz concentration camp “were not real.”
In August she was handed a two-year sentence by a regional court in Lower Saxony.
Haverbeck has appealed the rulings passed down against her and proceedings in each other case remains ongoing. Haverbeck claims she has been merely been repeating an opinion.
This Tuesday’s appeal verdict is not final, either. Haverbeck’s lawyers intend to take the case to the Higher Regional Court in the town of Hamm, their last chance to challenge the sentence.
Tetris Syndrome, which is when you play a game too long and you start to dream about it, and hallucinate about it on the edges of your vision.
The Tetris Effect, funnily enough, is named after Tetris, the classic game. Though it’s named after the game, it’s actually more about what happens after you’ve played it.
If you’ve been playing Tetris for a while, you might find that every time you close your eyes you see the Tetris pieces outlined in the darkness, just like how you might still see light when you close your eyes if you’ve been looking at the sun for a while.
Tetris effect and lucid dreams
The Tetris Effect is where you’ve done something so often that it starts to change the way you think about other things in your life. Repetitive activities begin to pattern your every thought. So for example if you’ve been playing Tetris for ages every day, but take a break to go shopping, you might pack your groceries onto the conveyor belt at the checkout as you would pack Tetris pieces together, so they all fit nicely.
You might be thinking that it’s a bit extreme to have a whole effect named after one game, but it goes deeper than that. It can be applied to more than just Tetris, in fact it applies to any activity thats repetitive, particularly involving shapes or colours. It’s the effect of a habit.
You could be walking down the road and imagine the bushes and benches as obstacles in Temple Run. It doesn’t have to be electronic games, it doesn’t even just have to be an effect of any game. For example you might see paving stones as pieces of a jigsaw puzzle, or if you’ve spent time in the military or as a cadet you might be walking casually but still think ‘left, left, left, right left’.
Why does it happen?
The Tetris Effect is a result of memory. If you’re doing the same thing over and over, your brain assumes it’s something you need to be good at, something you can do without even thinking too hard about it. It makes sense, they’re skills you’ll need again so your brain continues developing the mindset of those skills even when you’re not doing that particular activity.
The tetris effect and dreams
So the Tetris Effect is a result of our brains trying to learn and remember a skill, where else do we go over things we’ve learnt and remembered? In our dreams. We often dream of things we’ve been doing and especially things we’ve done over and over again, so it can be expected that if the Tetris Effect becomes evident in your waking life, it could show up in your dreams as well. In a study where people were taught the game Tetris, 60% of them reported Tetris showing up in their dreams.
Tetris Effect and LUCID Dreaming
Getting your habit to show up in your dreams is one thing, that’s easy, but using the Tetris Effect of your habit to have lucid dreams is slightly different. Those who play video games are already more likely to find it easier to lucid dream (see my article on lucid dreaming and video games) as you’re used to having control of an alternate reality.
The Tetris Effect can take it that one step further, as your mind will already be going over the skill it’s trying to develop. If you find yourself lucid, the Tetris Effect could mean that not only are you aware it’s a dream, but you might also have control over it.
If your dream bears similarities to a game you’ve played or an activity you’ve repeated, for example if there are buildings in your dream world that resemble ones you might manipulate in a game, then you may find that you’re able to create and control your dream world as you would in the virtual reality of your game.
Game Transfer Phenomena
The Tetris Effect links to the game transfer phenomena, as both stem from the same thing: playing video games repeatedly. Game transfer phenomena is basically a blurring in the minds of gamers between the real world and the game world.
There have been cases where gamers have been going about their every day life but will see or hear aspects of a game. Some have found that they constantly hear theme tunes from their games, or make involuntary links with what they’re seeing in the real world and how it would be in the game world. Basic reflexes might be influenced by games, for example if at any point you jerk your thumbs as they held a controller.
Obviously it’s harmless effect, there’s no danger in looking through the eyes of a gamer. The only real worry, mainly of concerned parents and scornful press, is gaming addiction. There is of course a point where gaming can become unhealthy, if it becomes your entire life, but as long as you’re not locked away with just you and your console for days on end, you should be fine.
The tetris effect and games
You could even say you’re benefiting from the effect of gaming, particularly if you play games that involve problem solving. You might find yourself looking for solutions and logic in life, and there’s definitely no harm in that.
The Tetris Effect and Insomnia
If you find yourself experiencing a more extreme Tetris Effect, so if it becomes almost addictive and overwhelming, you might start to have difficulty with your sleep. We’ve all had nights where we’ve wanted one more game, or where we’ve let our thoughts distract us from falling asleep. But the Tetris Effect may mean you become so obsessed with a certain activity that it’s all you can think of.
If your Tetris Effect stemmed from playing an electronic game this could also contribute to insomnia, as blue light (emitted by loads of different electronic devices with screens) interferes with your body clock. The light emitted by different devices is usually what the body associates with daytime, so after playing games you might find yourself feeling more energetic, especially with adrenaline from the game still rushing.
Not playing right up into the early hours of the morning can help you avoid any negative effects on your sleep though. As can having a break between your gaming session and the time you go to bed.
The Tetris Effect and positivity
Surprisingly, the Tetris Effect can help you feel more positive. Our brains are programmed to focus more on negative experiences, if you spill a cup of tea it’s something you’ll remember, but if you make the perfect cup of tea, the likelihood is you wont remember it the next day. It’s just the way things are.
Whilst it might not seem like we control the Tetris Effect, we can actually try and use it to help us think more positively. Just as we can train our brain to look at buildings as we might look at Tetris blocks, we can train it to look for positives rather than negatives.
So for example rather than looking at things that don’t seem to fit as well they should, we can practice looking to the left or right a bit, and focusing instead on the things that do fit. We can use the Tetris Effect to get the same positive feeling in real life as we would when succeeding in a game.
Psychiatry has not always been kind to people whose sexuality veers from the societal norm. Homosexuality was considered a mental illness in many countries as late as the mid-20th century—if it was not classified as an outright crime. Even Sweden, that Scandinavian bastion of openness and equality, identified being gay as a disorder as late as 1979.
He came to his own people, from his psychiatry is not always a form of sexual and social norms. Considered a mental illness in many countries it is believed in the mid-20th century – if charges are not visible. Even Sweden, the Scandinavian Tower to the intricacies of openness and equality, with which the disorder was recognized at the end of 1979.
One woman in the southern province of Smålandeven, managed to get Social Security benefits to the gay parade.
A reading greater than its parts protested RFSL, the Swedish Federation of lesbian, gay, bisexual and transgender people. Sweden has been removed from what was believed in 1944, but according to the “National Council for health and safety” that develops standards for health, not even to the disease. As part of the context of the American Psychiatric Association announced that while homosexuality as a mental disorder in 1973, although she continued to sexual orientation disturbance “referring they felt about their sexual orientation (among other new interference).
Tract is fed up with the lack of it was gaining power in traditional letters and phone campaigns, planned to occupy the building RFSL gay unusual pathologies National Council demonstrations. On 29 September, through eight ‘Man Liberation Week “in Stockholm (Stockholm Pride later), the assembly RFSL protesters block National Council on the stairs at the building, chanting and waving banners. Barbarian Strholm the new director of the National Council of Second, finally sat down and came with demonstrators and their cause became acceptable. in late October 1979, the National Council of homosexuality as a kind of disease, making Sweden the first European country to do so.
Needless to say, all countries have taken. It was not until 2014 that a panel of the World Health Organization has concluded that they are based on the facts of the specific disorders of gay men and those of the American Psychiatric Association transgender treatment remains controversial.
When Cheryl Clemons and her husband were scrambling to evacuate their Galveston home, their focus was on her father’s paintings, a cherished carved chest, the pets and of course themselves. The cable equipment was the farthest thing from their minds. Just when Clemons thought it couldn’t get any worse than moldy furniture, she got a bill for $931.72. She says it was like adding insult to injury.
“With all the devastation and everything going on I thought it was over the top, just too much,” she said.
It’s her first Comcast Cable bill since Hurricane Ike flooded her Galveston home more than five weeks ago. There’s a $66 credit for not having phone service, but also a $1,000 charge for not returning her DVR, modem and other equipment.
“That’s a lot of money right now,” Clemons said.
She thought she could straighten it out with a phone call, she was wrong.
“She told me basically we were responsible for that equipment,” Clemons told us.
Comcast told us the same thing, because Cheryl and her husband did not dig through their dirty debris pile to retrieve the equipment and return it.
“That was far down on my list of priorities,” she said.
Now she’s responsible. She should file the loss with her insurance provider and Comcast promises to give customers, “plenty of time, over 90 days, to be reimbursed before restitution needs to be made.”
They say they understand this is a difficult time, but Cheryl isn’t so sure.
“[I] never missed a payment. Cut me some slack,” she said. “A lot of people are in a bad place right now so they should think about that.”
Cheryl and her husband rented their home. They have renter’s insurance but she says it won’t cover the Comcast equipment.