Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending October 24, 2014. Covers enterprise, controversies, reports and more.
This week, Google released invites to its latest attempt to reshape the inbox; Twitter ruffled feathers with its new password replacement Digits; a Windows update is bricking cloned FTDI chips; Samsung Knox got NSA approval then took a hit for shoddy crypto; iCloud had another bad week, and much more.
Google launched an invite-only app called Inbox that aims to make email more useful and preview next-gen capabilities. Inbox isn't the new version of Gmail as has been speculated, but Google used the same team to create the app. This week Google also announced that it now supports what the company claims is a more secure form of two-factor authentication (2FA), dubbed Security Key, by adding support for FIDO Universal 2nd Factor (U2F) devices to Google Chrome.
At the first Twitter Flight mobile developer conference in San Francisco on Wednesday, Twitter announced Digits, the company’s password replacement effort that employs a user's phone number and SMS two-factor authorization. The process has three steps: a login screen with an option to sign up via mobile device; a screen to enter your phone number, and a screen to enter the confirmation code Twitter sends you via SMS. Like Vine, Digits will operate as a brand unto itself. However, Twitter's former security lead doesn't think it's a safe solution.
@pof @marcograss All the work on access control and separation undone with bad crypto practice... typical :(— Joshua Brindle (@Joshua_Brindle) October 23, 2014
If you're going to start Knox you have to provide your password to get access to the data and the Knox home screen. But there is a small button under the textfield called "Password forgotten?" By tapping it, you have to provide your PIN. If the PIN is correct, the Knox app will show you a little password hint (the first and the last character of your password!! + the original length of your password!)
Samsung really tried to hide the functionality to generate the key, following the security by obscurity rule. In the end it just uses the Android ID together with a hardcoded string and mixes them for the encryption key. (...)
The fact that they are persisting the key just for the password hint functionality is compromising the security of that product completely.
For such a product the password should never be stored on the device. Instead of Samsung Knox, use the built-in Android encryption function and encrypt the whole device.
Update October 26, 2:06 am PST: Samsung responded to the security reasearcher's post about KNOX saying, "We analyzed these claims in detail and found the conclusions to be incorrect for KNOX enterprise solutions." Samsung said in regard to the accusation that KNOX stores an alternative PIN in plaintext for password recovery, "we would like to reassure our customers that KNOX enterprise containers do not store any alternative PIN for password recovery purposes, relying instead on IT admins to change and reset passwords through their MDM agent."
Apple Inc's iCloud storage service in China was attacked by hackers trying to steal user credentials, Chinese web monitoring group Greatfire.org reported, adding that it believes the Beijing government is behind the campaign. Using a MITM attack, the hackers intercepted data and potentially gained access to passwords, iMessages, photos and contacts.