Zero Day Weekly: Samsung Knox controversy, Twitter Digits, bricked FTDI chips
Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending October 24, 2014. Covers enterprise, controversies, reports and more.
This week, Google released invites to its latest attempt to reshape the inbox; Twitter ruffled feathers with its new password replacement Digits; a Windows update is bricking cloned FTDI chips; Samsung Knox got NSA approval then took a hit for shoddy crypto; iCloud had another bad week, and much more.
- Google launched an invite-only app called Inbox that aims to make email more useful and preview next-gen capabilities. Inbox isn't the new version of Gmail as has been speculated, but Google used the same team to create the app. This week Google also announced that it now supports what the company claims is a more secure form of two-factor authentication (2FA), dubbed Security Key, by adding support for FIDO Universal 2nd Factor (U2F) devices to Google Chrome.
- At the first Twitter Flight mobile developer conference in San Francisco on Wednesday, Twitter announced Digits, the company's password replacement effort that employs a user's phone number and SMS two-factor authorization. The process has three steps: a login screen with an option to sign up via mobile device; a screen to enter your phone number; and a screen to enter the confirmation code Twitter sends you via SMS. Like Vine, Digits will operate as a brand unto itself. However, Twitter's former security lead doesn't think it's a safe solution.
- FTDI appears to have used a recent Windows update to brick cloned/fake FTDI chips on a wide variety of devices. The hardware hackers at Hack A Day reported that a recent driver update deployed over Windows Update is bricking cloned versions of the very common FTDI FT232 [USB to UART] chip. FTDI is adamant that this move is necessary to fight counterfeiting.
@pof @marcograss All the work on access control and separation undone with bad crypto practice... typical :(
— Joshua Brindle (@Joshua_Brindle) October 23, 2014
- The NSA approved Samsung Knox devices for classified government use earlier this week — but in response one security researcher published findings Thursday showing that Knox only obfuscates passwords:
If you're going to start Knox you have to provide your password to get access to the data and the Knox home screen. But there is a small button under the textfield called "Password forgotten?" By tapping it, you have to provide your PIN. If the PIN is correct, the Knox app will show you a little password hint (the first and the last character of your password!! + the original length of your password!)
Samsung really tried to hide the functionality to generate the key, following the security by obscurity rule. In the end it just uses the Android ID together with a hardcoded string and mixes them for the encryption key. (...)
The fact that they are persisting the key just for the password hint functionality is compromising the security of that product completely.
For such a product the password should never be stored on the device. Instead of Samsung Knox, use the built-in Android encryption function and encrypt the whole device.
Update October 26, 2:06 am PST: Samsung responded to the security researcher's post about KNOX saying, "We analyzed these claims in detail and found the conclusions to be incorrect for KNOX enterprise solutions." Samsung said in regard to the accusation that KNOX stores an alternative PIN in plaintext for password recovery, "we would like to reassure our customers that KNOX enterprise containers do not store any alternative PIN for password recovery purposes, relying instead on IT admins to change and reset passwords through their MDM agent."
- Apple Inc's iCloud storage service in China was attacked by hackers trying to steal user credentials, Chinese web monitoring group Greatfire.org reported, adding that it believes the Beijing government is behind the campaign. Using a MITM attack, the hackers intercepted data and potentially gained access to passwords, iMessages, photos and contacts.
- Microsoft found a new Windows zero day actively exploited through PowerPoint. Tuesday the company disclosed a vulnerability that affects all supported releases of Microsoft Windows, excluding Windows Server 2003, and released a Fix it, "OLE packager Shim Workaround," that should stop the known PowerPoint attacks. It does not stop other attacks that might be built to exploit this vulnerability.
- Facebook revealed Require-Recipient-Valid-Since (RRVS), addressing a problem where, if a user's account were connected to a recycled Yahoo email address, that account could be taken over (and potentially compromised) by the new Yahoo account owner — all through a simple password change request. Facebook engineers explained in a blog post on Thursday how they have been working with the Yahoo Messenger team to patch up the problem.
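As an added illustration (not Facebook's or Yahoo's code), here is the receiving-side check that RRVS enables: the sender stamps a sensitive message, such as a password reset, with the date it last confirmed the recipient owned the address, and the receiving mail system refuses delivery if the mailbox has been reassigned since then. The header syntax follows RFC 7293; the mailbox registry and the two messages are constructed for the example.

```python
from email import message_from_string
from email.utils import parsedate_to_datetime
from datetime import datetime, timezone

# Constructed registry: when each address was last assigned to its current owner.
# bob@ is a recycled address handed to a new owner in September 2014.
MAILBOX_ASSIGNED_AT = {
    "alice@example.com": datetime(2012, 5, 1, tzinfo=timezone.utc),
    "bob@example.com": datetime(2014, 9, 15, tzinfo=timezone.utc),
}

def parse_rrvs(header_value):
    """Parse 'addr-spec; date-time' (RFC 7293) into (address, aware datetime)."""
    addr, _, date_str = header_value.partition(";")
    return addr.strip().lower(), parsedate_to_datetime(date_str.strip())

def should_deliver(raw_message):
    """Return (deliver, reason). Reject when the mailbox changed hands after
    the date the sender last verified the recipient owned it."""
    msg = message_from_string(raw_message)
    recipient = msg.get("To", "").strip().lower()
    header = msg.get("Require-Recipient-Valid-Since")
    if header is None:
        return True, "no RRVS header; ordinary delivery"
    addr, valid_since = parse_rrvs(header)
    if addr != recipient:
        return True, "RRVS names a different address; not applicable"
    assigned_at = MAILBOX_ASSIGNED_AT.get(addr)
    if assigned_at is None:
        return False, "unknown mailbox"
    if assigned_at > valid_since:
        return False, "mailbox reassigned %s, after sender's %s" % (
            assigned_at.date(), valid_since.date())
    return True, "same owner since the sender's timestamp"

# Constructed password-reset messages from a hypothetical sending service.
RESET_TO_ALICE = """To: alice@example.com
From: account-security@service.example
Require-Recipient-Valid-Since: alice@example.com; Mon, 3 Jun 2013 10:00:00 +0000
Subject: Password reset

Reset link follows.
"""
RESET_TO_BOB = RESET_TO_ALICE.replace("alice@example.com", "bob@example.com")

if __name__ == "__main__":
    for m in (RESET_TO_ALICE, RESET_TO_BOB):
        print(should_deliver(m))
```

With these timestamps the reset to alice@ is delivered, while the one to bob@ is rejected because the address was reassigned after the sender's validity date, so the new owner never receives the reset link.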
- Ed Bott tells us that Windows 10 will build in standards-based two-factor authentication to every device, effectively neutering most phishing attacks and password database breaches. Microsoft also announced new features aimed at securing corporate machines from malware attacks and data leaks.
- Office-supply company Staples Inc. disclosed Tuesday that it is investigating "a potential issue involving credit card data," but did not release additional details.