Perimeter defenses are not enough – heartbleed lessons demand server side application security to protect your data and keys

Imagine waking up one morning, and discovering that even though you’ve been locking the front door, a window had been left unlocked… for the past two years.

That’s what the internet community discovered early this week. OpenSSL, a free, open-source toolkit that provides the security foundation for encrypted communication, left a window open on every server running OpenSSL 1.0.1 through OpenSSL 1.0.1f, for two years.

A vulnerability, called the Heartbleed bug, revealed that a simple programming error enables an attacker to read the contents of a 64 KB chunk of server memory. Within those 64 KB of memory, anything from passwords to private keys may be stored. This exploit is unique because it requires no authentication and minimal sophistication, and it is easy to distribute. The risk this exploit presents is unprecedented.
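The programming error behind the bug is easiest to see in code. The following C program is an added illustration, not OpenSSL’s code and not Arxan’s: a toy heartbeat record handler in the shape of RFC 6520 (a type byte, a 16-bit big-endian payload length, the payload, then at least 16 bytes of padding). The "before" handler trusts the length field inside the message; the "after" handler adds the single bounds check that OpenSSL 1.0.1g introduced, requiring the claimed payload plus header and padding to fit inside the bytes actually received. The `build_request` helper, the `demo_*` functions and the `ping` payload are constructed for this example.

```c
/* Added illustration, not OpenSSL's or Arxan's code: a toy heartbeat record
 * handler in the shape of RFC 6520 (type byte, 16-bit big-endian payload
 * length, payload, at least 16 bytes of padding). The record builder and the
 * demo functions are constructed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3    /* type byte + 2 length bytes */
#define HB_PADDING  16   /* minimum padding a record must carry */

/* 'Before': trusts the length field inside the message. If payload_len exceeds
 * the bytes actually received, memcpy reads past the end of the record buffer
 * and echoes whatever lies beyond it, which is the memory-scanning attack the
 * article describes. This example only ever calls it on a well-formed record. */
static int heartbeat_unchecked(const uint8_t *rec, size_t rec_len,
                               uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    size_t resp_len = HB_HEADER + payload_len + HB_PADDING;
    if (resp_len > out_cap) return -1;      /* only the output side is checked */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len); /* over-read when the length lies */
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return (int)resp_len;
}

/* 'After': the one check OpenSSL 1.0.1g added, plus rejection of records
 * that are too short to be a valid heartbeat at all. */
static int heartbeat_checked(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* Claimed payload + header + minimum padding must fit inside what was
     * actually received; otherwise the record is silently dropped. */
    if (HB_HEADER + payload_len + HB_PADDING > rec_len) return -1;
    size_t resp_len = HB_HEADER + payload_len + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING); /* never echo stale bytes as padding */
    return (int)resp_len;
}

/* Constructed request builder: 'declared' goes into the length field while
 * 'actual' payload bytes are really present, so declared > actual models a
 * malformed record. Returns the record length, or 0 if it does not fit. */
static size_t build_request(uint8_t *buf, size_t cap, uint16_t declared,
                            const uint8_t *payload, size_t actual)
{
    size_t len = HB_HEADER + actual + HB_PADDING;
    if (len > cap) return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared & 0xff);
    memcpy(buf + HB_HEADER, payload, actual);
    memset(buf + HB_HEADER + actual, 0xAA, HB_PADDING);
    return len;
}

static const uint8_t kPing[4] = { 'p', 'i', 'n', 'g' };

/* Honest record (declared == actual): both handlers produce the same 23-byte
 * response echoing the payload. Returns 1 on success, 0 otherwise. */
int demo_honest(void)
{
    uint8_t rec[64], out_a[128], out_b[128];
    size_t n = build_request(rec, sizeof rec, 4, kPing, 4);
    int a = heartbeat_checked(rec, n, out_a, sizeof out_a);
    int b = heartbeat_unchecked(rec, n, out_b, sizeof out_b);
    return (a == 23 && b == 23 && memcmp(out_a, out_b, 23) == 0 &&
            memcmp(out_a + HB_HEADER, kPing, 4) == 0) ? 1 : 0;
}

/* Malformed record: the length field claims 65535 bytes (the 64 KB the
 * article mentions) while only 4 are present. The hardened handler returns -1
 * and sends nothing; the unchecked handler is deliberately not invoked here
 * because it would read beyond the record. */
int demo_lying_length(void)
{
    uint8_t rec[64], out[128];
    size_t n = build_request(rec, sizeof rec, 65535, kPing, 4);
    return heartbeat_checked(rec, n, out, sizeof out);
}

int main(void)
{
    printf("honest record handled identically: %s\n", demo_honest() ? "yes" : "no");
    printf("lying length rejected by hardened handler: %s\n",
           demo_lying_length() == -1 ? "yes" : "no");
    return 0;
}
```

The point for a defender is how small the difference is: one comparison between a length the peer supplied and a length the server itself measured. Any parser that copies using a peer-supplied length without that comparison has the same shape of bug, whatever the protocol.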

Renowned security expert Bruce Schneier rates this bug, on a severity scale of 1 to 10, as an 11. Schneier goes on to say that due to the incredible length of exposure, even once patched we must assume that all private keys have been compromised, all passwords have been stolen, and that anything, really, is vulnerable.

The mitigation prescribed by multiple leading experts is two-fold. First, the relatively low-cost update of server-side packages. Ironically, diligent updating of software is what inadvertently exposed servers to this bug. Second, re-generate the compromised secret data, i.e. public/private key pairs, SSL certificates, and every password. Let’s consider what this second mitigation achieves.

Netcraft reports that over 500,000 sites are vulnerable. The world now engages in a massive effort, of unimaginable cost, to reverse the effects of a careless coding error. And yet, even if all 500,000 sites are updated, all key pairs, certs and passwords changed, we’ve only returned to the state of internet security circa the end of 2011!

A window open for two years closes, but the mitigation is not complete. We’ve seen the Android Master Key vulnerability, the Target breach, and now Heartbleed demonstrate that once perimeter defenses are broken, the crown jewels are exposed for the taking. Time after time, a breach occurs and a reactive mitigation is applied.

The Heartbleed bug fundamentally changes what must be considered a viable attack surface for server-side exploits. Internal data has now been proven vulnerable, and perimeter defense will only delay the next breach, in which the heart of the enterprise is again exposed via a memory-scanning vulnerability.

A layered approach that leverages security at the application layer is critical and obviously necessary.

Arxan’s Application Protection Platform provides binary hardening to protect the applications that manifest a business’s core assets: data and keys. Arxan’s unique application security embeds active Data Obfuscation Guards without changing server-side code, so that sensitive data such as user credentials, passwords, or IDs is protected from being sniffed out by these memory-scanning attacks. Data obfuscation renders the contents of the memory useless to the attacker.

Arxan’s durable key protection can also be embedded directly into the server-side code, protecting the critical data within server-side logic before it is deployed. Enterprise server keys and certificates then include self-protection from compromise, so that even if perimeter defenses are breached again and server-side keys are pulled down, they would not be in clear/plain text or usable.

Clearly we must unlearn the misconception that server-side code cannot be penetrated from client machines. Moving forward, and learning from the pain and costs of the Heartbleed breach, the lesson for security professionals is that scanning of server memory is possible and will likely happen again. Enterprise security strategies must evolve beyond 2011 to incorporate additional layers of server-side protection.

Arxan security experts strongly advise deploying a holistic security solution to protect the ‘soft and vulnerable’ center of an enterprise, so that once perimeter defenses (the crusty exterior) are defeated, the internals, where data and keys reside, are not left so very vulnerable and defenseless. Layering with Arxan’s Application Protection Platform hardens the soft and vulnerable interior of server-side memory, to mitigate enterprise risk and loss. This defense-in-depth approach assures that even if another memory-centric attack such as Heartbleed occurs, valuable data and keys are protected and significant breach-related costs are spared.


Arxan at GDC 2014 and in PC Gaming Alliance member forum

Arxan will be exhibiting at GDC 2014 this week in San Francisco, and Arxan Game Security Expert Rennie Allen will be speaking at a session titled ‘Game Security’. The session will focus on how gaming software is extremely vulnerable to software hacking and how to defend against attacks. If you’re attending the conference, be sure to join the session on Thursday, March 20 at 10 AM in Room 302, South Hall to learn more.

Exploring the gaming attack landscape associated with different game architectures, Rennie will present best practices for game protection. This applies to protection against attacks such as server cloning, cheating, or reverse-engineering and tampering for botting & intellectual property theft. As gaming continues to see huge growth, hackers are increasingly seeing opportunity in manipulating gaming code, compromising game integrity and compromising game revenues.

Whether it’s an MMORPG (massively multiplayer online role-playing game), handheld, console, casual or graphically-rich desktop game, Arxan Technologies provides gaming security solutions to protect your gaming experience.

In other news, Arxan, as a leader in securing gaming apps, has been a longtime member of the PC Gaming Alliance (PCGA). Recently, the PCGA announced a new forum giving companies the opportunity to provide their input on the personal computing gaming market. The PCGA was originally founded to support collaboration among gaming companies and to provide ecosystem improvements and optimizations in the gaming industry.

For more information, stay tuned for an upcoming Gaming Security Best Practices Whitepaper discussing a number of topics that apply to the gaming community.

OWASP IDs New Mobile Risk for 2014

The Open Web Application Security Project (OWASP) recently released their list of the Top 10 Mobile Risks for 2014. Based on industry polls for new vulnerability statistics in the field of mobile applications, the number ten spot went to the lack of binary protections.

These security protections can be built into mobile apps easily, but are often overlooked. Among other security measures, the need for code obfuscation is a key factor in securing mobile apps. Without this, mobile apps are easily exploitable and can lead to a high risk of IP theft, brand erosion and data compromise.

According to the OWASP Website: “A lack of binary protections results in a mobile app that can be analyzed, reverse-engineered, and modified by an adversary. Unfortunately, it is extremely common for apps to be deployed without binary protection. The prevalence has been extensively studied by a large number of security vendors, analysts, and researchers.” Arxan has a deep familiarity with the need for binary level protection. We encourage you to visit our App Protection Resources page to get a quick mobile app assessment and determine if your apps are at risk.

Arxan has been a leading voice warning that mobile apps require protection beyond the use of traditional secure coding techniques. To combat modern application threats, enterprises and app developers need to set up Application Integrity Protection (AIP) for binary hardening. Arxan supplies forward-thinking enterprises with advanced binary code protection solutions. As hackers are always innovating, AIP works toward future-proofing business assets in the rapidly evolving App Economy by constantly improving security measures.

Recently Arxan discussed these new protections at the 2014 RSA Conference in San Francisco where we celebrated some impressive growth and enterprise adoption momentum we’ve enjoyed over the past year. We were excited to also announce that we earned the Information Security Excellence Award for our Mobile App Integrity Protection Suite from Info Security Products Guide 2014.

“Leaky Apps” and Brand Compromise

The last year’s revelations around secret N.S.A. surveillance have raised the red flag for both companies and consumers and further focused the spotlight on data security and privacy. With the proliferation of mobile devices, mobile apps are becoming an even more attractive target for cyber criminals every day. The New York Times recently published a story around the N.S.A. and Britain’s Government Communications Headquarters accumulating data from “leaky” apps. Newly revealed documents from the N.S.A. disclose that both the U.S. and British agencies regularly acquire information from specific apps on mobile devices in their search for terrorists and intelligence targets.

Other high-profile security breaches have also brought the topic of security to the forefront of consumers’ minds. Household names like Target, Starbucks, and Yahoo have either been attacked or have been exposed for lacking security controls. The Target malware attack, in which personal information was taken from customers’ credit cards as they were swiped and stored into Target’s database, affected 40 million credit and debit card accounts. Neiman Marcus announced this week that a breach that occurred in mid-December could affect ‘millions’ of customers as well. Yahoo and Starbucks have also raised questions about security lapses. Beyond the immediate impact of the data theft, consumers are likely to have a tainted image of the affected brands for some time to come.

Arxan is investigating the role of app security in such attacks, to better understand the confidentiality and integrity risks they pose. Last year at Apps World North America we presented material on the next generation of mobile app attacks. We will be presenting more information this year in San Francisco at Apps World North America 2014.

Arxan has been working to protect apps for more than a decade and we are ideally positioned to keep up with the new pace of innovation as the world becomes increasingly interconnected. As we said in our blog post about smart watches and other wearable devices, Arxan’s Application Protection Products are used today to protect distributed apps on mobile or embedded platforms. As the world around us becomes increasingly connected, Arxan will be there protecting you as well.

Gartner: Recommendations for Mobile Commerce Security

It seems that enterprise mobility and its accompanying risks are here to stay. Mobile payments are substantially increasing at a rate that causes Gartner to forecast that in 2017, the worldwide mobile payment market will have nearly half a billion users with nearly three-quarters of a trillion US dollars in value. As mobile commerce growth booms, so do the dangers to enterprises whose apps are not secure.

Apps are now leveraged by employees and consumers for services and products, which has prompted rapid mobile app development. The app economy is challenged by threats that include fraud, reverse-engineering, tampering, malware injection, piracy, intellectual property theft, unauthorized access and sensitive data loss.

Arxan’s recent newsletter features the recent Gartner Research Report, Secure M-Commerce Through Three Categories of Mobile User Authentication and Fraud Prevention, to provide you with the information and resources you need to ensure your mobile commerce (m-commerce) apps are protected from hacker attacks. The newsletter, titled “Mitigate Risk with Enterprise-Grade Mobile App Shielding Technology,” highlights the risks that confront m-commerce, recommends best practices, and demonstrates the necessity of securing mobile apps before they go “into the wild.”

Gartner researchers Avivah Litan and John Girard report that mobile commerce requires endpoint-centric fraud prevention solutions and new types of user authentication in order to keep m-commerce reliant enterprises secure. They recommend the use of mobile application security solutions to fortify apps and to prevent corruption. Arxan Technologies’ Mobile App Integrity Protection works to secure the app environment, as well as the app itself, by arming apps with self-defense and tamper-resistant capabilities.

2013: Rapid App Economy Growth Won’t Slow Down for Security

As we reflect on this past year in the App Economy, we have seen a major spike in mobile banking as it is a convenient way to transfer funds and purchase last minute gifts on the go – especially in the midst of a hectic holiday season. According to a recent consumer survey conducted by Deloitte, 68 percent of smartphone owners and 63 percent of tablet owners plan to use their devices for holiday shopping, leaving many people vulnerable to cracked mobile banking apps.

Arxan recently published our second annual State of Security in the App Economy Report, discovering that 76 percent of the Android financial apps we tested had been “cracked” while 36 percent of the tested iOS financial apps were hacked variants. In addition, we found mobile financial apps to be particularly at-risk, compared to others. The report also exposed that 78 percent of the top 100 Android and iOS apps have been hacked—100 percent of the top paid Android apps and 56 percent of the top 100 paid iOS apps were found to be compromised.

As mobile shopping traffic increases and mobile technology innovation continues, Arxan remains committed to safeguarding apps across mobile platforms to keep up with the most advanced mobile cyber threats.

You can find Arxan’s full 2013 State of Security in the App Economy Report with a detailed infographic highlighting the results.


The Jailbreaking Threat Rears its Ugly Head

What does it mean to Jailbreak a device, and why does it matter? With the holiday season coming up and new mobile devices being as popular a gift as ever, we thought we would offer a refresher on this threat vector.

Jailbreaking is the process of bypassing restrictions, policies and safeguards built by Apple into iDevices to enable device owners to install apps from outside the App Store, and to bypass usage restrictions and checks built into the platform.

While in the ideal case jailbreaking is executed by users on their personal devices in order to use them in a manner not controlled by the manufacturer or seller, in reality hackers capitalize upon the stripping away of critical security logic. Through the open access afforded by a jailbroken device, hackers are able to steal identities, compromise the user experience, commit fraud and carry out other electronic crimes.

Further, jailbroken environments are a threat because hackers can leverage the lack of security to cause financial loss and brand erosion.

What is Jailbreak Detection?

In light of the increasingly vulnerable environment created by a jailbroken device, Jailbreak Management Policies have emerged. It should be noted that preventing jailbreaking is not necessarily the goal of these policies, despite the increasing controversy surrounding the issue. The quick and reliable detection of its occurrence has proven to be valuable for application owners, rather than a focus on deterring users from jailbreaking. Detection becomes a crucial moment for applications to alter their data processing and execution mode to preserve IP, data, finances and resources against exploitation.

In addition, companies can customize the programming of their apps to react to jailbroken circumstances in a manner that corresponds to their business policy and MDM layer. For example, an app can notify the user that it is operating in a jailbroken environment, or the app can notify a server and begin a response process.

Arxan has been working to protect apps in hostile and untrusted user conditions for more than ten years. Inserted into the binary of an app, Arxan’s Jailbreak Detection Guards reliably detect when the app is running in a jailbroken environment. Mobile app owners are provided with discrete intelligence on the circumstances surrounding a jailbreak, so that they can modify the app’s behavior to ensure security.

FS-ISAC Fall Summit: Presenting Mobile Security Advances with PenFed

It’s that time of the year again, when the financial services community gathers for the FS-ISAC Fall Summit going on right now at the Arizona Grand Resort in Phoenix, AZ.

Arxan is being joined by Pentagon Federal Credit Union (PenFed), one of the largest credit unions in the country with over 1.2 million members to talk about mobile application security initiatives and the unique challenges they pose to the Enterprise.

In addition to offering market leading mortgages, automobile loans, credit cards, checking, and a wide range of other accounts, PenFed recognizes that mobile banking is the most rapidly growing channel in banking. According to Gartner, the global mobile payment transaction value in 2013 will see a 44 percent increase from 2012.

Along with the opportunity for mobile banking and payment innovation, PenFed is one of many financial service leaders concerned about this expanding attack surface. They recognize that new and unique strategies for proactive security are a crucial factor for any Mobile First technology plan.

At FS-ISAC, Arxan’s CTO Kevin Morgan is leading a case study discussion titled: “Mobile Security Advances in PenFed Mobile Footprint?” with Sean Carrick, Information Security Architect at PenFed. Carrick will share thought leadership on current mobile application security initiatives and the unique challenges they pose to the Financial Enterprise, and Morgan will provide an overview of advances in the mobile app security landscape.

The app layer is now a highly sought-after target of hackers and requires defense against hacking and cracking attacks to maintain its integrity, including its security logic and intellectual property. According to Gartner, hardening should be used for critical applications, such as transactional ones and sensitive enterprise applications.

Please feel free to visit the FS-ISAC Summit’s website for more information. Or, to set up a meeting with Arxan at the event, email: info@arxan.com

Convenience is Key: Mobile Banking on the Rise

Bank of America, the United States’ second largest bank, reported last week that more users log on to their mobile platform than their online banking service. Not only is virtual banking eclipsing traditional banking in brick and mortar branches, but banking on mobile devices is now a contender for the most popular way to bank.

As a result of this upswing in mobile and online banking, banks are closing branches at a higher rate each year. Some analysts predict that in the next four years, use of mobile payments and banking will grow even more. According to Forrester Research, there will be 108 million mobile banking users in the U.S. by 2017. In 2012, 13% of American and 9% of European mobile phone users were consistent mobile bankers, but these numbers have rapidly risen.

Why have so many Americans willingly abandoned their local bank branch? According to some experts convenience, and thus mobile banking, is the key to customer loyalty. It seems that the ease of mobile banking has become an expectation for consumers, and that banks who offer effortlessly navigated mobile banking apps retain more customers than those who do not.

Convenience has also proven to be an indicator of who is using mobile banking. Consumers in walkable areas, especially the Northeast U.S., are the least likely to use mobile banking. While the inhabitants of that part of the country are just as tech-savvy as their counterparts on the South and West Coasts, and just as likely to own smartphones or tablets, they are still not nearly as likely to use this service. Convenient access to banks seems to explain why consumers in New York, Philadelphia, Boston and Washington D.C. haven’t cottoned on to mobile banking at the same rate, since in most cases they have easier access to physical bank branches in their walkable metropolises.

It is clear that mobile banking is here to stay, and that it will continue to grow in popularity among consumers. With hackers eager to find new ways to access bank account information, maintaining the integrity of financial apps is more important than ever for banking institutions. To keep up with the massive innovation in mobile banking technologies, apps must be hardened with built-in “guards” that provide self-defense and tamper-resistance technology while also deploying quickly with little overhead.

Arxan helps to keep mobile banking applications safe for financial institutions to deploy, and ultimately, convenient for consumers.

Maintaining Consumer Trust through Financial App Security

Online and Mobile banking are growing more prevalent among Americans, according to a survey conducted by the American Bankers Association (ABA) and a study released by Javelin this week. The ABA report revealed that 39 percent of Americans’ preferred method of banking is online, with its tech-savvy sibling mobile banking also on the rise. By 2018, 89 percent of American households will use online banking, up from 84 percent today. These growing rates of adoption for mobile financial transactions make digital banking and payment protection compulsory.

Arxan and its leading mobile app integrity technology stand right at the center of innovation in this field. Gartner® forecasts the volume of mobile payment transactions worldwide to be at $235 billion this year with growth projecting to $721 billion by 2017; a strong indication that consumers’ phones will continue to play an increasingly large role in not only how they manage money, but how they spend it on a regular basis.

While this growing market space brings opportunity, the unfortunate reality is that the relative immaturity of the industry leaves it vulnerable to a number of exploitations, as the apps that make mobile banking and payments easy can also leave individuals’ information exposed. In this mobile device-reliant environment, mobile app developers must deploy critical code – such as jailbreak/root detection, security certificates, sensitive intellectual property, etc. – onto the device itself, where the software resides in distributed and untrustworthy environments, without application protection for digital banking or payment apps.

With vital information stored locally on a phone or mobile device itself, it lacks the protections afforded by traditional database firewalls, allowing hackers to easily leverage available third party tools to completely disable and compromise mobile app integrity, gaining unauthorized access to source code and opening a Pandora’s box of attacks.

Arxan brings a unique solution set forward to mitigate these fears, offering app integrity protection that secures enterprises in the App Economy against next-generation application threats, where competitors, counterfeiters, or private hackers might compromise a financial application by tampering with deployed software to conduct mobile fraud, discover consumer data, distribute malware, steal IP or corrupt devices. Specifically, Arxan’s technology protects financial applications against attack with built-in “guards” that provide self-defense and tamper-resistance technology that deploys quickly with little overhead—all operating on the binary code of an application.

With banking trending toward online and mobile technology, security will continue to be a concern with more valuable information being stored on individuals’ devices. Security must continue to be a priority for those who use online and mobile banking, as the success of these technologies will depend on how well consumer information and assets are protected.