Security archives
Study of Android Malware in the Market
Filed Under: Mobile Threats, Security | Monday, March 29th, 2010
The SMobile Global Threat Center (GTC) has released a study of malicious applications that currently exist in the Android Market. This study attempts to identify applications that are available for download that either market themselves as spyware, or have the ability to be used as a spying application against an unaware user. SMobile identifies and categorizes malicious applications that could enable illegal spying based upon the fact that the application lends the ability to hide itself from detection from a user. According to information security managers around the world, spyware represents the greatest threat to intellectual property or proprietary information manipulated on mobile devices. Law enforcement officials have stated that spyware could lead to identity theft, loss of sensitive, personal or financial information, and is often used to illegally track the movements and communications of consumers.
To continue reading, download the full report:
iPhone Compromised, I Mean “Hacked”
Filed Under: Mobile Security, Security | Friday, March 26th, 2010
The world awoke this morning to the news that the iPhone had been hacked. Besides the fact that I hate the term “hacked”…it is used, incorrectly, ad nauseam. But, I digress. The annual Pwn2Own contest is one of the central focuses of the CanSecWest conference that is currently underway. Up for grabs is a prize purse of $100,000, tempting hackers to pull out their tools and tricks to come up with the latest and greatest attacks against the world’s most popular electronic devices.
This conference is just one of a few places during the year where you’ll find some of the best and brightest minds, where it pertains to technology, all in the same room. Many of these individuals should be considered reputable security researchers that, while working tirelessly to undermine security mechanisms, do so in responsible ways that disclose their findings to the vendors before releasing them to the public. Some of the participants are not quite as responsible. Nevertheless, each and every participant of the Pwn2Own competition has worked, likely, months and months to uncover tiny little vulnerabilities that they may be able to leverage in front of the CanSecWest crowds in their bids to win the cash and notoriety.
The same story holds true for these two young fellows that “hacked” the iPhone in under 20 seconds. What I would assume to be months and months of fuzzing, testing, sniffing, scripting, exploiting, then likely scrapping it all and starting over, led to the finding of a browser vulnerability in the iPhone that allowed them to jump outside of the browser’s application “sandbox” and access data that they shouldn’t otherwise be able to access.
I can already hear the moaning and sniffling from my iPhone-using friends. I’ve also already heard too many say that it is more theoretical that this attack could ever work than not, because it still involves user intervention for it to be successful (check out some of the comments from the first link I provided). That’s fine. I understand where it comes from. However, if someone were to ask me if I was surprised by this finding, I would say, definitively: “NO!”
Of course I’m not surprised that a browser exploit was successful and that it allowed the attacker to gain access to sensitive information. This happens each and every single day in the PC world. It has also already happened to BlackBerry, Android, Symbian and every other browser that has ever been used to access the Internet. Browser exploits will always be a viable attack vector, as long as users continue to accept and follow unsolicited links.
In my opinion, the real problem for Apple and the iPhone is the fact that this particular browser exploit allowed the attackers to break out of the “application sandbox”, where they were able to then access and upload data from other areas of the device. In this particular instance, once the attackers pointed the iPhone browser to their specially crafted web site, the attack forwards the contents of “the local SMS database of the phone to the server we control”. The purpose of the “application sandbox” is to explicitly restrict one application from accessing data and resources that belong to another application without first requesting permission to do so, in the form of an API (application programming interface).
The other interesting piece of information that came out of this finding was that when the local SMS database had been obtained, SMS messages that a user would assume to have been deleted were still present in the database file. If you’ll think back to last summer, the SMobile Global Threat Center published a lengthy whitepaper discussing the possibility of bypassing the backup encryption functionality built into iTunes. One interesting piece of information that we found, through a series of tests to document and illustrate our process, was that deleted contacts still existed in raw format in the SQLite database file that functioned as the device’s address book.
What we were able to determine is that for some reason, the SQLite database that the iPhone uses has the ability to track changes to the database file. In tracking those changes, the raw file “remembers” the data that was deleted. Even though the deleted data is no longer visible in the database tables, as they are viewed with a SQLite database viewer, the data is still visible when viewing the raw file with a ‘cat’ or ‘grep’ command. Check out the whitepaper for more information about this.
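The remanence described in the two paragraphs above can be reproduced on a desktop with any SQLite build. The script below is an added example, not SMobile’s code or material from the whitepaper: it creates a small contacts table with a constructed marker record, deletes the record, and then searches the raw database file for the marker bytes, once under SQLite’s default settings and once with `PRAGMA secure_delete` enabled. The underlying mechanism is that SQLite, by default, only marks a deleted record’s space as free and leaves its bytes in the page until that space is reused; `secure_delete` (like a `VACUUM`) overwrites the freed content, which is the mitigation a forensics-aware developer would reach for.

```python
import os
import sqlite3
import tempfile

# Constructed marker standing in for a contact the user believes is deleted.
MARKER = "REMANENCE-MARKER-Jane-Doe-555-0100"


def deleted_row_survives_in_raw_file(secure_delete):
    """Insert MARKER into a contacts table, delete it, and report whether the
    marker bytes are still present in the raw database file.

    secure_delete=False models SQLite's default behaviour: the deleted cell is
    added to the page's free space and its bytes stay until overwritten.
    secure_delete=True enables PRAGMA secure_delete, which zeroes freed content.
    """
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    try:
        conn = sqlite3.connect(path)
        # Set the pragma explicitly: some vendor builds (e.g. Apple's) compile
        # SQLite with secure_delete on by default.
        conn.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
        conn.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT)")
        conn.executemany("INSERT INTO contacts (name) VALUES (?)",
                         [("filler-%d" % i,) for i in range(10)])
        conn.execute("INSERT INTO contacts (name) VALUES (?)", (MARKER,))
        conn.commit()

        conn.execute("DELETE FROM contacts WHERE name = ?", (MARKER,))
        conn.commit()

        # Through SQL (what a database viewer shows) the row is gone.
        remaining = conn.execute(
            "SELECT COUNT(*) FROM contacts WHERE name = ?", (MARKER,)
        ).fetchone()[0]
        conn.close()
        if remaining != 0:
            raise RuntimeError("delete did not take effect")

        # Through the raw bytes (what `grep` over the file shows) it may not be.
        with open(path, "rb") as fh:
            return MARKER.encode("utf-8") in fh.read()
    finally:
        os.remove(path)


def remanence_report():
    """Run both variants; returns (default_keeps_bytes, secure_delete_keeps_bytes)."""
    return (deleted_row_survives_in_raw_file(False),
            deleted_row_survives_in_raw_file(True))


if __name__ == "__main__":
    default_keeps, secure_keeps = remanence_report()
    print("default settings: deleted bytes still in file ->", default_keeps)
    print("secure_delete=ON: deleted bytes still in file ->", secure_keeps)
```

Run it as-is and the default case reports the marker as still present while the `secure_delete` case does not; the same check works against any SQLite file pulled from a backup, by replacing the marker with a string you expect to have been deleted.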
The two gentlemen that developed this attack went on to state that if the exploit were written to do so, it could also capture the full address book, any photos that exist on the device, music, and email. Since I have not tested this functionality, I would venture a guess that, since we know deleted SMS messages and deleted contacts can be obtained, deleted emails can be obtained as well. At least, I would think your deleted sexting pics and Rick Astley songs are safe for now.
Mariposa Botnet Hits Android via HTC Magic and Vodafone…or Does It?
Filed Under: Mobile Security, Security | Tuesday, March 23rd, 2010
About two weeks ago, I was sitting in our new Threat Center and we were tinkering around with a website that is part of our tool set to identify indications of malware or infections affecting smartphones across the world. The website that we were looking at is called Twitterfall.com and it allows a user to perform keyword searches to match against tweets that are being published. It’s amazing how quickly information hits Twitter and even more amazing how quickly that information is re-tweeted, copied and pasted, and parroted as the truth.
Among others, one of the keywords I chose was “android malware”. I was immediately presented with dozens upon dozens of nearly identical tweets parroting the sentiment that Vodafone had sold at least one Android handset to a Panda Security employee that was infected with malware. Obviously, this immediately sparked raging discussions in Android and Apple forums declaring Android a failed iPhone killer. iPhone fans were ready to begin singing “another one bites the dust” as they saw Android’s attacks being repelled.
But, what was lost in the immediate attempts to castigate Android as an inherent security flaw because of its open source philosophy, was the fact that the Android device in question was not infected with malware. What’s that you say? Not infected? That’s right…not infected. What actually happened was that a Panda Security employee received an HTC Magic device running the Android operating system, from the carrier Vodafone, that had three instances of malware pre-loaded onto the device’s SD card. The device SD card is wholly separate from the Android operating system.
When the Panda employee connected the device to her PC via the USB cable, she was automatically alerted to the fact that her anti-virus software on the PC had detected the existence of an autorun.inf and autorun.exe that were both being flagged as malicious. Further analysis indicated that the device was infected with the Mariposa botnet, the Conficker worm and a Lineage (the game) password stealing tool. This is terrible news, right? Of course it is…for Vodafone and for HTC. But is it necessarily bad news for Android? Not really.
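The autorun.inf that the PC anti-virus flagged is the Windows AutoRun manifest for removable media: its `open` and `shellexecute` directives (and any `shell\<verb>\command` entry) name a program for Windows to launch when the volume is mounted or opened, which is how an executable sitting on an SD card reaches a PC while never touching Android. As an added illustration, not part of the original post or of the incident analysis, the following parser reads a constructed autorun.inf and reports every directive that would launch a program; the sample content is made up for the example and is not the file from the HTC Magic.

```python
import configparser

# Constructed sample resembling the autorun.inf that PC anti-virus products flag
# on removable media. Every value here is made up for this example.
SAMPLE_AUTORUN_INF = """; constructed sample, not a real incident artefact
[autorun]
open=autorun.exe
shellexecute=autorun.exe
shell\\open\\command=autorun.exe
shell\\open=Open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
label=Removable Disk
"""

# Directives that make Windows run a program from the volume.
LAUNCH_DIRECTIVES = ("open", "shellexecute")


def launch_directives(inf_text):
    """Return [(directive, target)] for each directive that launches a program.

    Section and key names are matched case-insensitively, as Windows does.
    shell\\<verb>\\command entries bind a program to a context-menu verb and
    are reported too, because a spoofed verb is a common way to hide the launch.
    """
    parser = configparser.ConfigParser(strict=False, interpolation=None,
                                       delimiters=("=",))
    parser.read_string(inf_text)
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    findings = []
    for key, value in parser.items(section):
        k = key.lower()
        if k in LAUNCH_DIRECTIVES or (k.startswith("shell\\") and k.endswith("\\command")):
            findings.append((k, value.strip()))
    return findings


def is_suspicious(inf_text):
    """Any autorun.inf that launches a program from the volume deserves a look;
    a legitimate one for a storage card normally sets only label and icon."""
    return bool(launch_directives(inf_text))


if __name__ == "__main__":
    for directive, target in launch_directives(SAMPLE_AUTORUN_INF):
        print("%-20s -> %s" % (directive, target))
    print("suspicious:", is_suspicious(SAMPLE_AUTORUN_INF))
```

Feed it the contents of an autorun.inf found on a card or USB stick and it lists what Windows would have executed; the point of the exercise is the one the post makes, namely that this file is a Windows mechanism and a Windows-side control (anti-virus, or disabling AutoRun) is what catches it.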
Let’s take a closer look at what actually happened. HTC manufactures the Magic device and chose Android to drive the proverbial bus. HTC likely purchases SD cards from some other manufacturer and may do some level of formatting or configuring of the SD card before or after it has been installed in the Magic device. HTC then ships the handsets with some Vodafone specific ROM installed on the device, and the pre-installed SD card, to Vodafone. Vodafone then sells the device to a customer. As an interested observer, I don’t really see where Android plays any factor in this equation at all.
This is certainly not the first time we have seen malware being distributed directly from some vendor or retail center. Just to level the playing field, let’s focus on the case of iPods being distributed with a free SIWEOL.A worm that affected Windows PCs. Ok, that was a cheap shot. But the point is that we have seen plenty of cases that indicate that attackers are doing whatever they have to do in order to get their malware in your lives. We know that USB media drives come from retail stores with malware. Digital picture frames have been the attack vector, and McDonald’s in Japan had to recall 10,000 MP3 players back in 2006. There are still more examples of these types of successful attacks that I’ll continue to ignore.
With the exception of a very few security centric blogs or analysis pieces that responsibly laid the blame of this attack on a faulty QA process between HTC and Vodafone, too many outlets were ready to call Android the problem. But, what was lost in the finger pointing was the fact that a proven defense-in-depth strategy is what identified the problem and protected this user (and many others) from becoming a victim of and possibly propagating the effects of the attack. It also didn’t hurt that the victim of the attack was a security-minded employee of a reputable PC security company. This particular user was employing best practices and relied upon an anti-virus solution to assist in identifying malicious content. Bravo!
The only part that Android could have played in this whole story would have been if Vodafone had bundled an anti-virus application with the device’s ROM that was configured to detect Windows-based malware that resided on the device’s SD card. At the point that this story broke, there would have been exactly zero smartphone AV applications in the world that were capable of detecting this threat. But, proven PC security mechanisms worked…as they should have.
What should be taken away from this whole debacle (since it wasn’t learned from the previous ones) is that when using technology, whether in conjunction with other technology or on its own, there are limitations to what can be done to protect yourselves. As a user that may be interested in protecting your personal information or financial assets, it is increasingly important to properly leverage technology to provide coverage where it applies. In this scenario, the malware that existed did not affect the Android device, so there was no capability to detect it on the SD card. But, when it did become an issue and could affect the Windows system, there was a capability to detect and defend.
Some might expect an Android anti-virus application to be able to detect this type of malware if it resides on the device. This is where those limitations I spoke of come into question. At this point in the game, it’s simply not possible for a Smartphone to effectively handle detection of every PC malware that we know about. There simply are not enough resources available on the device. But, the PC can handle it…and in this case, it did.
SMobile Systems Inc Receives 2009 Best of Business Award
Filed Under: Security | Monday, March 22nd, 2010
Small Business Commerce Association’s Award Honors the Achievement
SAN FRANCISCO, March 13, 2010. SMobile Systems Inc has been selected for the 2009 Best of Business Award in the Computer software category by the Small Business Commerce Association (SBCA).
The Small Business Commerce Association (SBCA) is pleased to announce that SMobile Systems Inc has been selected for the 2009 Best of Business Award in the Computer software category.
The SBCA 2009 Award Program recognizes the top 5% of small businesses throughout the country. Using statistical research and consumer feedback, the SBCA identifies companies that we believe have demonstrated what makes small businesses a vital part of the American economy. The selection committee chooses the award winners from nominees based on statistical research and also information taken from monthly surveys administered by the SBCA, a review of consumer rankings, and other consumer reports. Award winners are a valuable asset to their community and exemplify what makes small businesses great.
About Small Business Commerce Association (SBCA)
Small Business Commerce Association (SBCA) is a San Francisco based organization. The SBCA is a private sector entity that aims to provide tactical guidance with many day-to-day issues that small business owners face. In addition to our main goal of providing a central repository of small business operational advice, we use consumer feedback to identify companies that exemplify what makes small business a vital part of the American economy.
SOURCE: Small Business Commerce Association
CONTACT:
Small Business Commerce Association
Email: Press@SBCAAwards.org
URL: http://www.SBCAAwards.org
###
Computer Security 102 – Escape from the Botnet
Filed Under: Security | Thursday, February 18th, 2010
It used to be that malware writers’ favorite trick was to delete your C: drive. You used to know right away when your computer was infected: it didn’t work right. Those Good Old Days are gone. The modern perp never wants you to notice that he is using your computer. If you do notice and stop his activities, he can no longer make money by using your computer. He wants to use your computer for many different things, mostly tied to getting money, some of it yours.
He wants to use it to send spam to thousands of mailboxes. He is paid to send spam for many reasons. Some perps use spam to try to trick targets into revealing personal information, or to install malware, or to sell fake pills and watches.
He wants to collect your login credentials. Since many people reuse their bank login credentials on other sites, he is interested in all your login credentials.
He wants to use it to attack hundreds of websites with traffic they can’t handle. He has “customers” who pay him to attack web sites. These “customers” have many reasons to pay for this “service.” Some are competitors of the targets, some are people with political agendas, some could be governments trying to disrupt entire countries. Some even run “protection” rackets, collecting “payments” from web sites so that they won’t be attacked by these racketeers.
He can use your computer to spy on you and collect sensitive documents and information from your computer. This information can be used by terrorists, and badly acting governments and corporations.
He can use your mobile computer (your cellphone) to send expensive SMS messages or make expensive phone calls. You pay for these in your phone bill and the perp gets your money.
1 in 3 Data Breaches Involve Mobile Devices
Filed Under: Blog, Security | Thursday, February 4th, 2010
Early last week, PGP Corporation and the Ponemon Institute released the results of their joint venture, the 5th annual report in the series, the 2009 Annual Study: Cost of a Data Breach. In an effort to save our readers from the imminent snore fest that will follow downloading this report, here are some of the highlights of the study:
Key Findings:
- 36% of the cases studied involved lost or stolen mobile devices
- 42% of the cases studied involved 3rd party mistakes or flubs
- 24% of the cases involved a malicious or criminal attack that resulted in the loss or theft of personal information
- Data breaches from malicious attacks and botnets doubled from 12% to 24% in 2009
- The total cost to the enterprise rose from $202 to $204 per compromised record
- The average organizational cost of a data breach increased from $6.65 million to $6.75 million in 2009 with the magnitude of the event ranging from 5,000 to more than 101,000 lost or stolen records.
Sexting Survey Provides Startling Results
Filed Under: Blog, Security | Monday, February 1st, 2010
In the waning days of 2008, a survey was commissioned by The National Campaign to Prevent Teen and Unplanned Pregnancy and Cosmogirl.com to explore electronic activity of teens and young adults. I’m not entirely certain, but this may have been one of the first comprehensive looks at the tendencies of teens towards sharing themselves (photographically) with their companions and complete strangers. A simple Google search indicates that since this study was commissioned, interested parties are taking notice of the wave that is sweeping across the world. More recently, MTV and the Associated Press teamed up to revisit the realities of sexting amongst teens. These results may be surprising to some, but they certainly are not to me.
Mobile Security Threats and Prevention
Filed Under: Blog, Mobile Security News, Security | Wednesday, January 27th, 2010
The cell phone and smart phone industry has rapidly developed in the United States and across the world. The days of the phone being used as simply a voice device have come and gone. Today each cell phone has become a small PC in the pocket of each person.
Though the public may remember the basic rules of security when using their home PCs, they quickly forget that the same risks apply to their cell phones as well. The Apple iPhone has set a new standard as to who is using the new generation of smart phones, as well as redefining the applications that will be run on the device.
Read more on Mobile Security Threats and Prevention
Securing Your Mobile Device…Part 2
Filed Under: Blog, Security | Wednesday, January 20th, 2010
In my first segment of the “Securing Your Mobile Device” series, I talked about some very simple configuration changes that should be immediate, but standard across every Smartphone platform. Now that we’ve set a passcode on our handset and disabled some services that might lend our new mobile device to the curiosity of the run-of-the-mill snooping miscreant, let’s take a look at what might be the next thing we need to consider with our new handset. (For my BlackBerry, Windows Mobile and Symbian readers, hang with me for a few seconds as I set this all up. The information will still apply to you.)
One of the first things I did when I got my Android (besides rooting it) was to check out the apps that I could tinker with from the Android Market. I’m sure the same could be said for my iPhone friends and the iTunes App Store. I found all kinds of goodies that I thought would be fun to play with. There was an app to manage my backgrounds, several useful ones to better my keyboard (hint!) and typing experience, apps for managing RSS feeds, some mobile news roundups, tools and utilities for me to manage the innards of my device, some connectivity tools and I even came across one that would teach me the secrets of the Kama Sutra. The point is that there are now over 20,000 apps in the Android Market that users can either pay for (often at a reasonable price) or simply download free of charge. Android and iPhone users will undoubtedly spend hours upon hours in the first few months of owning their device looking for apps to streamline their daily routine and interactions.
Haitian Tragedy Could Lead to Fraud
Filed Under: Blog, Security | Wednesday, January 13th, 2010
On Tuesday, the people and country of Haiti found themselves to be the victims of a great tragedy, in the form of a 7.0 magnitude earthquake that rocked the country. Waking up this morning we’re seeing, as it should be, humanitarian efforts popping up all around us. While those efforts are almost always of the best intentions, it is worth mentioning that tragedies such as this always seem to bring the worst creatures of our species out of the woodwork.
With nearly every major tragedy we have seen over the last decade, we’ve seen good hearted people that have donated time and (possibly more importantly) money to the efforts to re-stabilize the affected. Unfortunately, we also see fraudsters and criminals use these tragedies as a means to make a quick buck off of the backs of those individuals that would like to help.
I will not attempt to take a look at all of the charity efforts underway and attempt to determine what is real and what is fake, but I would like to take this time to caution everyone that would like to donate to be somewhat cautious when and how they choose to donate. You will likely be approached in person, over email, on television, the radio and now I would highly expect to see these same types of offers finding their way into your mobile devices.
I would expect to see “TXT to Donate” offers where, I would assume, you will be asked to send an SMS message to some premium-rate SMS short code that will automatically charge your mobile account and will deposit the funds into some sort of relief fund. While I’m certain there will be legitimate “TXT to Donate” type funds set up that will undoubtedly pass the funds on to those in need, I can guarantee that there will be just as many, if not more, that are completely fraudulent. I’m equally certain that smartphone applications will also begin popping up that purport to provide some sort of support to the relief efforts as well. I would just like to caution everyone to be vigilant, and to perform your due diligence when choosing how and where to donate your money to the relief efforts that will ensue.
When in doubt, please look to the time-tested, standard organizations for providing your support. I hear the Red Cross is always a good place to direct your assistance efforts…