Security archives
Computer Security 102 – Escape from the Botnet
Filed Under: SecurityThursday, February 18th, 2010
It used to be that malware writers’ favorite trick was to delete your C: drive. You used to know right away when your computer was infected: it didn’t work right. Those Good Old Days are gone. The modern perp never wants you to notice that he is using your computer. If you do notice and stop his activities, he can no longer make money by using your computer. He wants to use your computer for many different things, mostly tied to getting money, some of it yours.
He wants to use it to send spam to thousands of mailboxes. He is paid to send spam for many reasons. Some perps use spam to try to trick targets into revealing personal information, or to install malware, or to sell fake pills and watches.
He wants to collect your login credentials. Since many people reuse their bank login credentials on other sites, he is interested in all your login credentials.
He wants to use it to attack hundreds of websites with traffic they can’t handle. He has “customers” who pay him to attack web sites. These “customers” have many reasons to pay for this “service.” Some are competitors of the targets, some are people with political agendas, some could be governments trying to disrupt entire countries. Some even run “protection” rackets, collecting “payments” from web sites so that they won’t be attacted by these racketeers.
He can use your computer to spy on you and collect sensitive documents and information from your computer. This information can be used by terrorists, and badly acting governments and corporations.
He can use your mobile computer (your cellphone) to send expensive SMS messages or make expensive phone calls. You pay for these in your phone bill and the perp gets your money.
1 in 3 Data Breaches Involve Mobile Devices
Filed Under: Blog, SecurityThursday, February 4th, 2010
Early last week, PGP Corporation and the Ponemon Institute released the results of their joint venture, 5th annual, 2009 Annual Study: Cost of a Data Breach. In an effort to save our readers from the imminent snore fest that will follow downloading this report, here are some of the highlights of the study:
Key Findings:
- 36% of the cases studied involved lost or stolen mobile devices
- 42% of the cases studied involved 3rd part mistakes or flubs
- 24% of the cases involved a malicious or criminal attack that resulted in the loss or theft of personal information
- Data breaches from malicious attacks and botnets doubled from 12% to 24% in 2009
- The total cost to the enterprise rose from $202 to $204 per compromised record
- The average organizational cost of a data breach increased from $6.65 million to $6.75 million in 2009 with the magnitude of the event ranging from 5,000 to more than 101,000 lost or stolen records.
Sexting Survey Provides Startling Results
Filed Under: Blog, SecurityMonday, February 1st, 2010
In the waning days of 2008, a survey was commissioned by The National Campaign to Prevent Teen and Unplanned Pregnancy and Cosmogirl.com to explore electronic activity of teens and young adults. I’m not entirely certain, but this may have been one of the first comprehensive looks at the tendencies of teens towards sharing themselves (photographically) with their companions and complete strangers. A simple Google search indicates that since this study was commissioned, interested parties are taking notice of the wave that is sweeping across the world. More recently, MTV and the Associated Press teamed up to revisit the realities of sexting amongst teens. These results may be surprising to some, but they certainly are not to me.
Mobile Security Threats and Prevention
Filed Under: Blog, Mobile Security News, SecurityWednesday, January 27th, 2010
The cell phone and smart phone industry have rapidly developed in the United States and across the world. The days of the phone being used as simply a voice device has come and gone. Today each cell phone has become a small PC in the pocket of each person.
Though the public may remember the basic rules of security when using their home PC’s, they quickly forget that the same risks apply to there cell phones as well. The apple IPhone has set a new standard as to who is using the new generation of smart phones as well as redefining the applications that will be run on the device.
Read more on Mobile Security Threats and Prevention
Securing Your Mobile Device…Part 2
Filed Under: Blog, SecurityWednesday, January 20th, 2010
In my first segment of the “Securing Your Mobile Device” series, I talked about some very simple configuration changes that should be immediate, but standard across every Smartphone platform. Now that we’ve set a passcode on our handset and disabled some services that might lend our new mobile device to the curiosity of the run-of-the-mill snooping miscreant, let’s take a look at what might be the next thing we need to consider with our new handset. (For my BlackBerry, Windows Mobile and Symbian readers, hang with me for a few seconds as I set this all up. The information will still apply to you.)
One of the first things I did when I got my Android (besides rooting it) was to check out the apps that I could tinker with from the Android Market. I’m sure the same could be said for my iPhone friends and the iTunes App Store. I found all kinds of goodies that I thought would be fun to play with. There was an app to manage my backgrounds, several useful ones to better my keyboard (hint!) and typing experience, apps for managing RSS feeds, some mobile news roundups, tools and utilities for me to manage the innards of my device, some connectivity tools and I even came across one that would teach me the secrets of the Kama Sutra. The point is that there are now over 20,000 apps in the Android Market that users can either pay for (often at a reasonable price) or simply download free of charge. Android and iPhone users will undoubtedly spend hours upon hours in the first few months of owning their device looking for apps to streamline their daily routine and interactions.
Haitian Tragedy Could Lead to Fraud
Filed Under: Blog, SecurityWednesday, January 13th, 2010
On Tuesday, the people and country of Haiti found themselves to be the victims of a great tragedy, in the form of a 7.0 magnitude earthquake that rocked the country. Waking up this morning we’re seeing, as it should be, humanitarian efforts popping up all around us. While those efforts are almost always of the best intentions, it is worth mentioning that tragedies such as this always seems to bring the worst creatures of our species from the woodworks.
With nearly every major tragedy we have seen over the last decade, we’ve seen good hearted people that have donated time and (possibly more importantly) money to the efforts to re-stabilize the affected. Unfortunately, we also see fraudsters and criminals use these tragedies as a means to make a quick buck off of the backs of those individuals that would like to help.
I will not attempt to take a look at all of the charity efforts underway and attempt to determine what is real and what is fake, but I would like to take this time to caution everyone that would like to donate to be somewhat cautious when and how they choose to donate. You will likely be approached in person, over email, on television, the radio and now I would highly expect to see these same types of offers finding their way into your mobile devices.
I would expect to see “TXT to Donate” offers where, I would assume, you will be asked to send an SMS message to some short code SMS premium number that will automatically charge your mobile account and will deposit the funds into some sort of relief fund. While I’m certain there will be legitimate “TXT to Donate” type funds setup that will undoubtedly pass the funds on to those in need, I can guarantee that there will be just as many, if not more that are completely fraudulent. I’m equally as certain that smartphone applications will also begin popping up that purport to provide some sort of support to the relief efforts as well. I would just like to caution everyone to be vigilent, perform your due diligence when choosing how and where to donate your money to the relief efforts that will ensue.
When in doubt, please look to the time-tested, standard organizations for providing your support. I hear the Red Cross is always a good place to direct your assistance efforts….
Securing Your Mobile Device…Part 1:
Filed Under: SecurityMonday, January 4th, 2010
Now that the holidays have come and gone, it’s time to settle in to our normal work routines for the long haul to spring. Most of us have had ample time to tinker around with the new gadgets and gizmo’s we got for Christmas and have likely become at least comfortable navigating our way through the menus and settings on our shiny new Smartphones. Now is probably the right time to start thinking about securing those devices.
As SMobile has shown in the various whitepapers and research projects published at our Global Threat Center, different Smartphone platforms offer different levels and types of possibilities for securing access to the systems and the data they hold. For instance, Android, BlackBerry, iPhone, Windows Mobile and Symbian all offer the ability to set a passcode on the handset to gain access to the device. Some platforms offer stronger protections than others, but they all attempt to limit prying eyes from gaining easy access to your device. It is also extremely effective in preventing an attacker from installing software that we affectionately refer to as “Spyware”. Nearly every variant of spyware that we have analyzed here at SMobile requires that the attacker physically install and perform at least some very basic initial configurations in order for the software to function properly. The bottom line is that configuring your device to require a passcode be entered for access to be granted may be the single most effective way of keeping your information secure.
Read more about securing your Smartphone…
Mobile Security Blog
Filed Under: SecurityMonday, December 21st, 2009
Over the past few weeks I’ve been struggling with ideas for New Year’s resolutions for 2010. I can honestly say that I have never made a New Year’s resolution in all of my 32 years, but life has dictated that it may be time to make a few. My short list of ideas includes a number of things to enrich my personal life beyond material things that have come and gone and a few to advance my education and technical expertise. That’s where this blog comes in…well, that and the boss said I had to. Around my numerous pool leagues, I’m constantly bombarded with questions about the newest Smartphone to hit the market or which operating system is the best, and when someone should expect a new update to some random application they tinker with or the OS as a whole. It’s difficult to keep up with all of the devices that are rapidly deploying to the market and the numerous carriers that will support what devices. I would have to take my shoes off to be able to count the names of blogs and websites off of the top of my head that devote countless hours and articles to these very issues. Heck, Android has an app for that (pardon the pun).
So, in the coming months I will be focusing most of my attention on security related issues that might affect Smartphone users, as well as some that are not necessarily related to mobile devices. Since I began, and much of my career, in the InfoSec world as a CERT analyst and penetration tester, the state of security issues related to wired networks is still a major concern of mine. In fact, up until about 6 months ago, I was happily cracking wired networks and only carried a BlackBerry Pearl in my pocket. I understood the threat that existed in my pocket, but it was not a concern that was on the forefront of my mind. Most of the places I went into for work wouldn’t even let me carry my phone into the room. I’ve recently made the transition (rather seamlessly, I might add) to Android and I’m loving every day that my pretty little myTouch and I get to spend together.
Read more about mobile device security…
