Mobile Security archives
BlackBerrySync.com Compares SMobile and Lookout Security
Filed Under: Mobile Security
Monday, April 19th, 2010
On Thursday morning, the good people over at BlackBerrySync.com released the results of a study that attempted to compare two mobile security products to determine which is the best. BlackBerrySync.com is widely considered to be one of the leading sites on the Internet for all things BlackBerry and they have also been followers of SMobile’s products for quite a while. In fact, the author of the study has been using SMobile’s security software on her personal device for quite some time now.
The author does a great job of explaining the reason behind her desire to perform this side-by-side test of five of the leading spyware applications that are available to attackers who are interested in spying on users of BlackBerry devices. The spyware products she tested against were Flexispy, MobileSpy, PhoneSnoop, Flexispy Pro, and SpyBubble.
Instead of simply restating her results of the tests, I believe you should probably just read her report in order to get the full picture. There were some pretty startling results…
iPhone Compromised, I Mean “Hacked”
Filed Under: Mobile Security, Security
Friday, March 26th, 2010
The world awoke this morning to the news that the iPhone had been hacked. Besides the fact that I hate the term “hacked”…it is used, incorrectly, ad nauseam. But, I digress. The annual Pwn2Own contest is one of the central focuses of the CanSecWest conference that is currently underway. Up for grabs is a prize purse of $100,000, tempting hackers to pull out their tools and tricks to come up with the latest and greatest attacks against the world’s most popular electronic devices.
This conference is just one of a few places during the year where you’ll find some of the best and brightest minds, where it pertains to technology, all in the same room. Many of these individuals should be considered reputable security researchers that, while working tirelessly to undermine security mechanisms, do so in responsible ways that disclose their findings to the vendors before releasing them to the public. Some of the participants are not quite as responsible. Nevertheless, each and every participant of the Pwn2Own competition has worked, likely, months and months to uncover tiny little vulnerabilities that they may be able to leverage in front of the CanSecWest crowds in their bids to win the cash and notoriety.
The same story holds true for these two young fellows that “hacked” the iPhone in under 20 seconds. What I would assume to be months and months of fuzzing, testing, sniffing, scripting, exploiting, then likely scrapping it all and starting over, led to the finding of a browser vulnerability in the iPhone that allowed them to jump outside of the browser’s application “sandbox” and access data that they shouldn’t otherwise be able to access.
I can already hear the moaning and sniffling from my iPhone-using friends. I’ve also already heard too many say that it is more theoretical that this attack could ever work than not, because it still involves user intervention for it to be successful (check out some of the comments from the first link I provided). That’s fine. I understand where it comes from. However, if someone were to ask me if I was surprised by this finding, I would say, definitively: “NO!”
Of course I’m not surprised that a browser exploit was successful and that it allowed the attacker to gain access to sensitive information. This happens each and every single day in the PC world. It has also already happened to BlackBerry, Android, Symbian and every other browser that has ever been used to access the Internet. Browser exploits will always be a viable attack vector, as long as users continue to accept and follow unsolicited links.
In my opinion, the real problem for Apple and the iPhone is the fact that this particular browser exploit allowed the attackers to break out of the “application sandbox”, where they were able to then access and upload data from other areas of the device. In this particular instance, once the attackers pointed the iPhone browser to their specially crafted web site, the attack forwards the contents of “the local SMS database of the phone to the server we control”. The purpose of the “application sandbox” is to explicitly restrict one application from accessing data and resources that belong to another application without first requesting permission to do so, in the form of an API (application programming interface).
The other interesting piece of information that came out of this finding was that when the local SMS database had been obtained, SMS messages that a user would assume to have been deleted were still present in the database file. If you’ll think back to last summer, the SMobile Global Threat Center published a lengthy whitepaper discussing the possibility of bypassing the backup encryption functionality built into iTunes. One interesting piece of information that we found, through a series of tests to document and illustrate our process, was that deleted contacts still existed in raw format in the SQLite database file that functioned as the device’s address book.
What we were able to determine is that for some reason, the SQLite database that the iPhone uses has the ability to track changes to the database file. In tracking those changes, the raw file “remembers” the data that was deleted. Even though the deleted data is no longer visible in the database tables, as they are viewed with a SQLite database viewer, the data is still visible when viewing the raw file with a ‘cat’ or ‘grep’ command. Check out the whitepaper for more information about this.
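The behaviour described above can be reproduced on any SQLite file. The Python sketch below is an added example, not code from the whitepaper or the original post; the table layout and message contents are constructed. It deletes a row, searches the raw file the way `grep` would, and repeats the test with `PRAGMA secure_delete` and `VACUUM`, the two SQLite features that remove the leftover bytes.

```python
import os
import sqlite3
import tempfile

# Constructed sample data; the table layout is an assumption, not the iPhone schema.
MARKER = "CONSTRUCTED-DELETED-SMS-7731"
ROWS = [
    ("+15550100", "see you at noon"),
    ("+15550101", MARKER),
    ("+15550102", "running late"),
]


def raw_contains(path, text):
    """Equivalent of grepping the raw database file for a string."""
    with open(path, "rb") as fh:
        return text.encode("utf-8") in fh.read()


def delete_and_inspect(secure_delete=False, vacuum=False):
    """Insert ROWS, delete the marker row, report where it is still visible.

    Returns (visible_via_sql, visible_in_raw_file).
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sms.db")
        # isolation_level=None gives autocommit, so VACUUM never runs
        # inside an open transaction.
        con = sqlite3.connect(path, isolation_level=None)
        try:
            # Set explicitly: some SQLite builds enable secure_delete by default.
            mode = "ON" if secure_delete else "OFF"
            con.execute("PRAGMA secure_delete = " + mode).fetchall()
            con.execute(
                "CREATE TABLE message "
                "(id INTEGER PRIMARY KEY, address TEXT, body TEXT)"
            )
            con.executemany(
                "INSERT INTO message (address, body) VALUES (?, ?)", ROWS
            )
            con.execute("DELETE FROM message WHERE body = ?", (MARKER,))
            if vacuum:
                # Rebuilds the file, dropping freed space and its old contents.
                con.execute("VACUUM")
            count = con.execute(
                "SELECT COUNT(*) FROM message WHERE body = ?", (MARKER,)
            ).fetchone()[0]
        finally:
            con.close()
        return count > 0, raw_contains(path, MARKER)


if __name__ == "__main__":
    print("plain delete  :", delete_and_inspect())
    print("secure_delete :", delete_and_inspect(secure_delete=True))
    print("delete+VACUUM :", delete_and_inspect(vacuum=True))
```
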
The two gentlemen that developed this attack went on to state that if the exploit were written to do so, it could also capture the full address book, any photos that exist on the device, music, and email. Since I have not tested this functionality, I would venture a guess that, since we know deleted SMS and deleted contacts could be obtained, deleted emails can be obtained as well. At least, I would think your deleted sexting pics and Rick Astley songs are safe for now.
Mariposa Botnet Hits Android via HTC Magic and Vodafone…or Does It?
Filed Under: Mobile Security, Security
Tuesday, March 23rd, 2010
About two weeks ago, I was sitting in our new Threat Center and we were tinkering around with a website that is part of our tool set to identify indications of malware or infections affecting smartphones across the world. The website that we were looking at is called Twitterfall.com and it allows a user to perform keyword searches to match against tweets that are being published. It’s amazing how quickly information hits Twitter and even more amazing how quickly that information is re-tweeted, copied and pasted, and parroted as the truth.
Among others, one of the keywords I chose was “android malware”. I was immediately presented with dozens upon dozens of nearly identical tweets parroting the sentiment that Vodafone had sold at least one Android handset to a Panda Security employee that was infected with malware. Obviously, this immediately sparked raging discussions in Android and Apple forums declaring Android a failed iPhone killer. iPhone fans were ready to begin singing “another one bites the dust” as they saw Android’s attacks being repelled.
But, what was lost in the immediate attempts to castigate Android as an inherent security flaw because of its open source philosophy, was the fact that the Android device in question was not infected with malware. What’s that you say? Not infected? That’s right…not infected. What actually happened was that a Panda Security employee received an HTC Magic device running the Android operating system, from the carrier Vodafone, that had three instances of malware pre-loaded onto the device’s SD card. The device SD card is wholly separate from the Android operating system.
When the Panda employee connected the device to her PC via the USB cable, she was automatically alerted to the fact that her anti-virus software on the PC had detected the existence of an autorun.inf and autorun.exe that were both being flagged as malicious. Further analysis indicated that the device was infected with the Mariposa botnet, the Conficker worm and a Lineage (the game) password stealing tool. This is terrible news, right? Of course it is…for Vodafone and for HTC. But is it necessarily bad news for Android? Not really.
Let’s take a closer look at what actually happened. HTC manufactures the Magic device and chose Android to drive the proverbial bus. HTC likely purchases SD cards from some other manufacturer and may do some level of formatting or configuring of the SD card before or after it has been installed in the Magic device. HTC then ships the handsets with some Vodafone specific ROM installed on the device, and the pre-installed SD card to Vodafone. Vodafone then sells the device to a customer. As an interested observer, I don’t really see where Android plays any factor in this equation at all.
This is certainly not the first time we have seen malware being distributed directly from some vendor or retail center. Just to level the playing field, let’s focus on the case of iPods being distributed with a free SIWEOL.A worm that affected Windows PCs. Ok, that was a cheap shot. But the point is that we have seen plenty of cases that indicate that attackers are doing whatever they have to do in order to get their malware in your lives. We know that USB media drives come from retail stores with malware. Digital picture frames have been the attacker and McDonald’s in Japan had to recall 10,000 MP3 players back in 2006. There are still more examples of these types of successful attacks that I’ll continue to ignore.
With the exception of a very few security-centric blogs or analysis pieces that responsibly laid the blame of this attack on a faulty QA process between HTC and Vodafone, too many outlets were ready to call Android the problem. But, what was lost in the finger pointing was the fact that a proven defense-in-depth strategy is what identified the problem and protected this user (and many others) from becoming a victim of and possibly propagating the effects of the attack. It also didn’t hurt that the victim of the attack was a security-minded employee of a reputable PC security company. This particular user was employing best practices and relied upon an anti-virus solution to assist in identifying malicious content. Bravo!
The only part that Android could have played in this whole story would have been if Vodafone had bundled an anti-virus application with the device’s ROM that was configured to detect Windows-based malware that resided on the device’s SD card. At the point that this story broke, there would have been exactly zero smartphone AV applications in the world that were capable of detecting this threat. But, proven PC security mechanisms worked…as they should have.
What should be taken away from this whole debacle (since it wasn’t learned from the previous ones) is that when using technology, both in conjunction or on its own, there are limitations to what can be done to protect yourselves. As a user that may be interested in protecting your personal information or financial assets, it is increasingly important to properly leverage technology to provide coverage where it applies. In this scenario, the malware that existed did not affect the Android device, so there was no capability to detect it on the SD card. But, when it did become an issue and could affect the Windows system, there was a capability to detect and defend.
Some might expect an Android anti-virus application to be able to detect this type of malware if it resides on the device. This is where those limitations I spoke of come into question. At this point in the game, it’s simply not possible for a Smartphone to effectively handle detection of every PC malware that we know about. There simply are not enough resources available on the device. But, the PC can handle it…and in this case, it did.
Cybercrime Complaints, Reported Losses Increase
Filed Under: Mobile Security
Monday, March 15th, 2010
By M.P. MCQUEEN
Complaints about Internet crime in the U.S. soared last year in a phenomenon tied to the poor economy, law-enforcement officials say.
The number of reports increased 22.3% in 2009 over 2008, and reported losses soared to $559.7 million, up from $265 million a year earlier.
Losses per incident also rose in transactions in which a loss occurred, to a median of $575, according to information provided Friday by the Internet Crime Complaint Center, a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center, a nonprofit federally funded group that aids local law enforcement. The center develops information and refers complaints involving cybercrimes to appropriate investigative agencies, including international police. Losses were $17.8 million in 2000, the center’s first year of operation.
SMobile GTC Sees Android Malware Coming
Filed Under: Blog, Mobile Security, Mobile Threats
Friday, March 12th, 2010
Open source versus closed source. It’s a discussion that often leads to heated arguments and one that will likely continue well beyond its usefulness. The discussion began before many of us realized there would need to be terms such as “malware” and the often incorrectly used “hacker”. Regardless of what side of the discussion you come down on, the term Android has not helped to lessen the veracity of the debate. Since Google released the first Smartphone operating system that was supposed to be completely open source, the debate between BlackBerry, Windows Mobile, iPhone and Symbian users continues to get louder.
Whether you’re new to the Smartphone revolution or are an Android convert from some other platform, there is a reason that you chose Android. Some wanted to break the stuffy business-like feel of the BlackBerry. Others were excited about the possibilities that an operating system built on a Linux kernel with incredible customization capabilities brings. Some wanted something that was friendly or easier to use than the Windows Mobile or their Symbian device. Then there are the ones that just want to be anti-Apple. There are just as many anti-everything-Apple as there are Apple “fanboys” in the world. There are also those that just got a deal from their provider that they couldn’t refuse. Regardless of the reason, Android’s market share is growing….
To continue reading, download the full Android Malware Whitepaper
Mobile Devices Facing Security Challenges
Filed Under: Mobile Security
Tuesday, March 9th, 2010
By DOUG TSURUOKA
Smart phones and other mobile devices remain vulnerable to hacker attacks, and Apple products in one way more than most, says Daniel Hoffman, an executive in the computer security business.
Apple hasn’t developed adequate software to protect and encrypt (scramble so that only authorized folks can read the data) core components of its new iPad tablet computer, Hoffman says. He’s chief technology officer for privately held SMobile Systems, a Columbus, Ohio-based company that provides security software applications for mobile devices.
Hoffman, of course, has a vested interest in noting such possible security weaknesses. Still, he says, it shouldn’t detract from his point that more users need to understand that all mobile devices — including Apple’s iPad and iPhone — must be protected in the same manner as PCs.
Read more on mobile devices facing security challenges
Five Simple Tips for Better Mobile Security
Filed Under: Mobile Security
Monday, March 1st, 2010
You talk all day on your phone. You peck out dozens or hundreds of messages. You access files remotely. You check your calendar hundreds of times per month. Clearly your mobile phone is VERY important to you.
If it’s important to you, it’s also important to hackers who know it contains valuable information to help them hack into your corporate network or find data to be used for financial gain (i.e. credit card numbers, passwords, personal information, etc.).
Read the entire article on Better Mobile Security
Effective mobile security is a reality says BlackBerry
Filed Under: Mobile Security
Thursday, February 25th, 2010
Introducing mobile technology into the NHS, especially smartphones, can generate good cost savings, as well as enhance the security of the staff and the patient, said Daniel Morrison-Gardiner, a senior government account manager with BlackBerry.
Speaking at the Mobile and Wireless Healthcare conference in Birmingham yesterday, Morrison-Gardiner explained to his audience of NHS professionals that community-based services can reap many benefits from the use of smartphones.
Services such as auditable mileage claims by staff – using data from on-phone global positioning system technology – and the ability to manage workflows on the move, without having to return to the office or power up a laptop, can all improve the level of patient service, he explained.
Read the entire article on BlackBerry Mobile Security
Sexting Spy – Tracking Teen Texts
Filed Under: Mobile Security, Mobile Security News
Wednesday, February 24th, 2010
Before teenagers even have time to think about consequences, risqué and revealing information is instantly sent out and once it’s done, there is no getting it back. Sexting has become almost as popular as sex itself.
A recent study found nearly 40% of teens have sent or received sexual text messages; 20% have sent naked pictures. Girls are more likely to sext than boys.
In some cases sexting has turned tragic, Hope Witsell, 13, and Jesse Logan, 18, committed suicide after nude pictures of them circulated. Here in West Virginia, promiscuous pictures courtesy of a cell phone were found on a Chapmanville High School computer. For parents, technology presents a whole new challenge.
Parents can pick and choose how much information they want to know from viewing every message to just keeping track with GPS. It’s simple to use, the program is installed on the phone and SMobile takes over tracking the information.
Read the entire article: “Sexting Spy, Tracking Teen Texts”
New security threat against ‘smart phone’ users
Filed Under: Mobile Security, Mobile Threats
Wednesday, February 24th, 2010
Nefarious: The software can even drain a smart phone’s battery.
Computer scientists at Rutgers University have shown how a familiar type of personal computer security threat can now attack new generations of smart mobile phones, with the potential to cause more serious consequences.
The researchers demonstrated how such a software attack could cause a smart phone to eavesdrop on a meeting, track its owner’s travels, or rapidly drain its battery to render the phone useless.
These actions could happen without the owner being aware of what happened or what caused them.
Read the entire article on New Security Threats against ‘smart phone’ users






