‘Secret Chat’ Messages Aren’t So Secret After All

The universal truth about secrets? They almost always tend to get leaked. This was the case for a cross-platform messaging app, which flaunted the privacy offered by a “Secret Chats” messaging feature.

This messaging app describes itself as a privacy-oriented app, intended for sending encrypted personal or business secrets without storing them to memory. However, as one security researcher discovered, this could not be further from the truth.

The secret chat feature was designed to be a one-on-one chat where all messages sent back and forth were encrypted with a key known only to the chat’s participants. In theory, no third party could access or decrypt the content without first obtaining one of the participants’ devices.

Upon closer inspection, it turns out that these supposedly “secret” messages are copied and stored in plain text in a cache database on the device. So, anyone with access to the device could easily read them from the phone’s storage.

Even scarier, messages deleted from the chat were found not to be deleted from the app’s cache at all. Although a message may appear to be gone from the conversation, it still lives on in the cached files.

The lesson to learn here? While encryption is a wonderful thing, there is a right and wrong way to approach it. Only encrypting one element of an app does little for security’s sake. Complete end-to-end encryption is needed to ensure that your messages are safe from prying eyes.

While mobile messaging apps work to implement stronger security practices, there are a few steps you can take to ensure the protection of sensitive, personal information:

  • Be wary of the secrets you share with mobile messaging apps. Thanks to their various security flaws, mobile messaging apps all too often spill the beans when it comes to sensitive information. For this reason, it’s a good idea not to even put that information in their hands in the first place.
  • Install comprehensive security software on your mobile device. Every device you own should have safety precautions installed on it. McAfee® Mobile Security is available for both Android and iOS, and offers a variety of protections to help keep unwanted people out of your devices.
  • Keep your passwords secure and change them often. Hackers love when you use the same password for each account, as it makes them that much easier to guess. So, assign a different password to each account or device and keep each one personal and private. To help you deal with the hassle of creating multiple complex passwords and managing them all, leverage a password management app, such as True Key™ by Intel Security.
  • Upgrading to a new device? Wipe the old one. Make sure your old phone is restored to factory defaults and all personal information has been completely wiped – before you sell back the device. This way when someone buys your mobile phone, they won’t also be getting all of your personal information for free.

As always, to keep up with the latest security threats, make sure to follow @IntelSec_Home on Twitter and like us on Facebook.


Example of Chinese Military Converging on US Military

We often hear of vulnerabilities in the US military introduced by net-centric warfare and a reliance on communications network. As the Chinese military modernizes, it will introduce similar vulnerabilities.

I found another example of this phenomenon courtesy of Chinascope:

PLA Used its Online Purchasing Website for its First Online Purchase

Written by LKY and AEF   

Xinhua reported that on April 7, the PLA announced that five manufacturers won the bidding, totaling 90 million yuan (US$14.48 million), to supply general and maintenance equipment to the PLA. The article said that these were the first purchase orders that the PLA received since it launched its military equipment purchasing website in January. The site is at http://www.weain.mil.cn/.

The PLA claimed that it saved close to 12 million yuan (US$1.93 million) compared to the list price. The purchase order consisted of items such as containers for maintenance equipment and tools, gas masks, carrier cases, and army field lighting. The article said that the PLA equipment purchasing website was launched on January 4. On February 25, the PLA General and Maintenance department made a public announcement on the website calling for bids. On March 19, the public bidding was held at Ordnance Engineering College in Shijiazhuang City of Hebei Province. 

Over 20 manufacturers submitted bids and 5 of them, including some privately owned companies, won the bidding.

Source: Xinhua, April 12, 2015

(emphasis added)

You can imagine the sorts of opportunities this story presents to adversaries, including impersonating the Chinese Web site, phishing either party (supplier or purchaser), and so on.

I expect other militaries to introduce similar vulnerabilities as they modernize, presenting more opportunities for their adversaries.

Network Security Monitoring Remains Relevant

Cylance blogged today about a Redirect to SMB problem found in many Windows applications. Unfortunately, it facilitates credential theft. Steve Ragan wrote a good story discussing the problem. Note this issue does not rely on malware, at least not directly. It’s a problem with Microsoft’s Server Message Block protocol, with deep historical roots.

(Mitigating Service Account Credential Theft on Windows [pdf] is a good paper on mitigation techniques for a variety of SMB problems.)

Rather than discussing the technical problem, I wanted to make a different point. After reading about this technique, you probably want to know when an intruder uses it against you, so you can see it and preferably stop it.

However, you should be wondering if an intruder has already used it against you.

If you are practicing network security monitoring (described most recently in my newest book), then you should already be collecting network-based evidence of this attack.

  • You could check session data and infer that outbound traffic using traditional SMB ports such as 139 or 445 TCP is likely evidence of attack.
  • You could review transaction data for artifacts of SMB traffic, looking for requests and replies. 
  • Best of all, you could review full content data directly for SMB traffic, and see exactly what happened. 
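As an added illustration of the first of those three checks (example code written for this page, not the author’s own tooling): the script below scans session records for internal hosts that initiated TCP connections to external addresses on 139 or 445. The Zeek-style conn.log layout, the internal address ranges and every sample record are constructed assumptions for the example, not data from any real sensor.

```python
"""Added example: flag outbound SMB sessions in session data.

Session records are in a constructed, Zeek-style tab-separated layout
(ts, uid, orig_h, orig_p, resp_h, resp_p, proto, conn_state). Field
names, address ranges and sample values are assumptions for this example.
"""
import ipaddress
from typing import Dict, List

SMB_PORTS = {139, 445}

# Internal address space is an assumption; adjust to the site being monitored.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "conn_state"]

# Constructed session records. Only internal -> external TCP on 139/445 should
# be flagged; internal file sharing (C1a), HTTPS (C4d) and UDP (C5e) are noise.
SAMPLE_CONN_LOG = """\
1428940800.10\tC1a\t10.1.2.3\t51000\t10.1.2.10\t445\ttcp\tSF
1428940801.20\tC2b\t10.1.2.3\t51001\t203.0.113.45\t445\ttcp\tSF
1428940802.30\tC3c\t10.1.2.7\t51002\t203.0.113.45\t139\ttcp\tS0
1428940803.40\tC4d\t10.1.2.9\t51003\t198.51.100.8\t443\ttcp\tSF
1428940804.50\tC5e\t10.1.2.3\t51004\t203.0.113.45\t445\tudp\tSF
"""


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of the configured internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse tab-separated session records into dicts keyed by FIELDS.
    Malformed lines are skipped so one bad record does not abort the pass."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records


def find_outbound_smb(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return records where an internal host initiated TCP to an external host
    on 139 or 445. Unanswered attempts (conn_state S0) are kept on purpose: a
    blocked egress connection still shows that the client tried to reach out."""
    hits = []
    for r in records:
        if r["proto"] != "tcp":
            continue
        if int(r["resp_p"]) not in SMB_PORTS:
            continue
        if is_internal(r["orig_h"]) and not is_internal(r["resp_h"]):
            hits.append(r)
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group hits by external responder so an analyst sees which outside hosts
    received SMB connections and which internal clients made them."""
    by_resp: Dict[str, set] = {}
    for r in hits:
        by_resp.setdefault(r["resp_h"], set()).add(r["orig_h"])
    return {resp: sorted(origs) for resp, origs in by_resp.items()}


if __name__ == "__main__":
    hits = find_outbound_smb(parse_conn_log(SAMPLE_CONN_LOG))
    for r in hits:
        print(f'{r["ts"]} {r["orig_h"]} -> {r["resp_h"]}:{r["resp_p"]} state={r["conn_state"]}')
    print(summarize(hits))
```

Run against the constructed records, the script flags the two sessions to 203.0.113.45 and leaves the internal file-sharing session, the HTTPS session and the UDP record alone. The same pass over real session data answers the question the post raises: not whether you could see the attack, but whether it has already happened.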

Whenever you see a discussion of a new attack vector, you will likely think “how do I stop it, or at least see it?”

Don’t forget to think about ways to determine if an attacker has already used it against you. Chances are that certain classes of intruders have been exercising it for days, weeks, months, or perhaps years before it surfaced in the media.

PS: This post may remind you of my late 2013 post Linux Covert Channel Explains Why NSM Matters.

Please Support OpenNSM Group

Do you believe in finding and removing intruders on the network before they cause damage? Do you want to support like-minded people? If you answered “yes,” I’d like to tell you about a group that shares your views and needs your help.

In August 2014, Jon Schipp started the Open (-Source) Network Security Monitoring Group (OpenNSM). Jon is a security engineer at the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign. In his announcement on the project’s mailing list, Jon wrote:

The idea for this group came from a suggestion in Richard Bejtlich’s most recent book, where he mentions it would be nice to see NSM groups spawn up all over much like other software user groups and for the same reasons.

Network security monitoring is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. It is an operational campaign supporting a strategy of identifying and removing intruders before they accomplish their mission, thereby implementing a policy of minimizing loss due to intrusions. At the tactical and tool level, NSM relies on instrumenting the network and applying hunting and matching to find intruders.

Long-time blog readers know that I have developed and advocated NSM since the late 1990s, when I learned the practice at the Air Force Computer Emergency Response Team (AFCERT).

I am really pleased to see this group holding weekly meetings, which are available live or as recordings at YouTube.

The group is seeking funding and sponsorship to build an NSM laboratory and conduct research projects. They want to give students and active members hands-on experience with NSM tools and tactics to conduct defensive operations. They outline their plans for funding in this Google document.

I decided to support this group first as an individual, so I just donated $100 to the cause. If you are a like-minded individual, or perhaps represent an organization or company, please consider donating via GoFundMe to support this OpenNSM group and their project. You can also follow them @opennsm and on Facebook, and check out their notes and code at GitHub. Thank you!

One bad app spoils the barrel (and your privacy too)

Today there is an app for just about anything. From dating apps to apps that navigate you around cities, nowadays there is something for everyone. In fact, Apple’s App Store reportedly now has over 1.3 million apps available to download to make consumers’ lives that much easier whilst on the go.

In short, apps allow us to get the information we want, when we want it, and the ease that comes with this capability is what makes us not think twice about pressing the download button. But by doing so, do we actually take the time to think about the information-hungry cyber criminals out there? The only difference is that the information they want isn’t a review of that new restaurant in town but rather the information you use to pay for that meal.

With mobile malware on the rise, it’s time we became more aware of our app safety. It just takes one bad app to open the door for cyber criminals to steal your precious data. Worryingly, a recent McAfee Labs™ Threats Report found that, when 25 of the most downloaded apps were tested, 18 failed the security test, and they still failed it four months after their developers had been notified of the vulnerabilities. In addition, another report revealed that 82% of mobile apps are able to track you, and malicious software was found in 35% of these privacy-intrusive apps. In most cases, consumers are unknowingly downloading this malware onto their devices.

When Intel Security surveyed UK and German mobile users on their security habits, we found that over two-thirds of respondents do not read the terms and conditions when downloading an app onto their phone. Their reasons for not doing so were that they did not care about the terms and conditions or permissions: they want the app regardless, and people seem to always trust official app stores.

But whilst these trusted app stores do make efforts to keep malware-laden apps off their shelves, malware still slips through. There are also many untrusted app stores whose apps frequently contain malware.

So what can you do to keep the bad apps off of your phone or tablet? Here are my top three tips:

  1. Review what your apps are up to. Read reviews and check app permissions before downloading. Use security software to run a scan of app permissions to help identify suspicious requests. Does that cooking app really need your location details? Think twice before clicking ‘yes’.
  2. Regularly update your apps. It might be tedious but updates often have security patches that protect your information and your device from the latest malware.
  3. Protect your devices. McAfee LiveSafe™ service keeps hackers and identity thieves at bay and allows you to safely surf, shop, search, and bank online so you’re not at risk of having your data stolen. The more precautions you take to ensure your device is protected, the better.