Tag Archives: security

Android is Still King of Mobile Malware

Probably not part of Samsungs advertising budget of several billion dollars last year, is the fact that their devices are the greet purveyors of mobile malware. According to a report by security company, NQ Mobile, as reported by FiercemobileContent, 95% of all mobile attacks are aimed at Android OS devices, of which Samsung is the largest licensee.

Two thirds of all malware is classified as potentially unwanted programs such as spyware, pervasive adware, Trojans as surveillance hacks and root exploits. Another quarter of malware is designed to profit from personal details stored or entered into the device and only 7% renders the users device useless. 

Attack vectors are App Repackaging where the hacker inserts malicious code into legitimate apps for sale or distributed in various app markets. Smishing has a user click on a link which triggers the download of the malicious code or sends them to a rogue website. A third vector is the spoofing of a site to look like a bank or credit card site that extracts usercon personal details for later abuse.

By comparison, Apple devices such as iPad and iPhones are not vulnerable to these attacks or vectors. That’s because of the ‘sandbox’ approach to app operations, the non-anonymous development or modification of apps and the screening of apps which Apple uses to assure quality products are available in the store. Sandbox means that any developer can write code to affect their data, but not by any other app, or sensitive system function outside the sandbox. To present your app to the App Store, or to edit your app in the App Store, you have to have the app product digitally signed. That assures that there is a virtually zero probability that anyone else could have tampered with your app (there’s a HASH function that snaps a view of the app and can be used to determine if anything changes), and that anyone else besides you could have submitted that app. And, the review process for apps makes sure nobody is successful at introducing nasty software disguised as something else.

Thee three features of iOS takes all the fun out of writing malware: bad guys need to pretend to be someone else or something else and need to operate anonymously. Take those issues away, and they’ll Have to give up the bad guy business or play with the other OS, which they obviously have done.

Identity Thieves Masquerade as Job Sites

The creation of job posting websites like monster.com, hotjobs.com, careerbuilder.com or even dice.com has really made the marketplace of employers finding employees and employees finding employers an automated, fast and high quality process. Of course, finding 300 resumes in a week is easy. Finding the 5 resumes of the people that you really intend to interview is another story.

The visitor’s familiarity with job sites and knowing that they can lead to interviews and hopefully a job or a better job makes them vulnerable, and makes the thief’s job easier.

A story in BusinessWeek highlights the risk of ‘how much information’ you should give to a jobs website. In the story, identity thieves are asking for your social security number, drivers licence number, mailing address and birthdate details – even before you start the search let alone start the job.

My recommendation? Never divulge birthdate information except to family, and never, ever, ever give your SSN to a website.

Identity Theft Getting Easier

ID_Theft_Cartoon

ID_Theft_Cartoon

Identity theft is a $50 billion problem, and the habits of citizens can sometimes make them targets for identity theft. A recent article highlighting that the very sensitive Social Security Number is crackable, that is predictable at an increasing rate made me reflect on my own habits and practices and put me in a sharing mood.

The algorithm developed by computer scientists at Carnegie-Mellon University was able to correctly predict the SSN for Americans born after 1988 for 8.5% of targets in less than 1,000 attempts. That’s an alarming prospect involving trivial computational resources.

ceball_imgOf course victims don’t deserve to have their identities stolen. But their online activities does impact their ability to be safe.

For example, the other day a social networking site that I was contemplating joining asked me to provide my birthdate information. I ignored the request and was told it was mandatory. Too bad and I left.

FaceBook allows users to post their birthdates for friends to see. Of course, we all love getting attention on our birthdays, but since it is a big site and acts as a big target for hackers, getting that database of birthday information is worth a great deal of effort.

A friend in New Jersey signed up to a birthday registration site and asked me to do the same so both he and I could exchange automated email birthday wishes in some kind of grand calendar. I refused. Even though I like to birthday greetings (my half-life is coming due soon) like anybody else, I don’t like to share it online because I am concerned about the risk of theft and abuse. Surely if the nations largest retailers are routinely hacked for credit card information, a crummy birthdate calendaring site is not only a softer target but they’re not likely to do anything about it when they discover the hack… and neither are the victims.

So what can you do if you know where someone lives and their birthdate?

With the rise in phishing attacks masquerading as banking sites, ebay or paypal sites, users can be duped into providing other sensitive personal information like mother’s maiden names that further takes down one more layer in the wall of security around any one person, like the brick game, shown here for Pocket PC.

So, if someone can predict your SSN, and someone else can find your birthday, and someone else can find out your address…. Isn’t that a recipe for disaster?

Solution:

Stop the gathering, publishing and promoting of birthdates on line. Keep this a personal, human-to-human thing.

Create a service that discovers and reports what the web knows about you. I like the idea of reports that are more personal than the web reputation services I’ve seen for brand reputation management services. Downside of course, is that you can find out information about people who aren’t you. Could be useful in tracking down deadbeat dads that owe child support payments.

NCP Introduces Server to USA

ncp

ncpSome folks think that recessions are exactly the wrong time to introduce new products. Sadly, these industry laggards miss out on the great advantage that recessionary times bring to vendors. Fortunately, NCP and Brockmann & Company (and many others I’m sure) believe that recessionary times are EXACTLY the right time to introduce new products.

That’s because:

  • Prices for marketing services such as advertising, PR agency fees, consulting and contracting are lower. These service providers’ sales teams are working to keep production to capacity and will do deals to at least cover costs, if that means a new client or saved client.
  • Editors of websites and trade magazines are tired of the bad news because the readers are tired of bad news. They are looking to write/talk about people and organizations that are in it for the long haul and have something positive to say.
  • Analysts and opinion leaders are keen to explore potentially hot new areas, and so have the time open on their calendars to listen and write about new product introductions.
  • Customers have time to discover and learn about new and interesting products and services that solve real business problems.

NCP, the German VPN security company plans to introduce the NCP Secure Enterprise Server and the NCP Secure Enterprise Management System to the US market. Until now, only the client has been available for download, sale and support from NCP. For the first time users can purchase licenses to the server that terminates the IPSec and SSL clients through a newly forming network of NCP authorized security resellers.

Secure Enterprise Server

Software is designed to enable large scale terminations of both IPSec and SSL sessions, providing a monitoring window and control point for any VPN connection to the enterprise network. This way, the same security policies can be applied regardless of access methodology. The recommended configuration of hardware and software (NCP software is integrated onto a hardware platform by the reseller) platforms can support a high availability load balancing service for SSL session integrity and quality. The architecture is scalable to as many as 10,000 concurrent SSL sessions.

The server supports termination of iPhone VPN clients including PPTP, L2TP and Cisco IPSec. And for Windows shops, the software can be loaded onto Windows Server 2008 (32 or 64-bit servers) or Linux. (The client already supports Symbian OS).

The server can also provide a VPN-oriented Network Access Control to confirm policy settings (presence of updates and patches) and initiate remediation services to ‘clean up’ poorly managed devices BEFORE they attach to the enterprise network.

Secure Enterprise Management System

Once an enterprise gets to about 100 or so clients, the time and cost of effective management of the VPN communications system overwhelms the general deployments. At that level, enterprises need professional tools to managed the automated deployment of software, the management of updates and surveillance of the sessions.

The management system acts as the central point of control for administration, configuration and operation and can be integrated with LDAP or Active Directory services for Identity and Access Management controls such as password authentication, or other methods or policy services. Activity logs record what VPN-attached users did while connected, providing an effective central audit trail in the event of suspicious activities, and software version control features assure that plugin updates and configuration settings can be delivered over the LAN without necessarily engaging in a VPN connection.

The SEMS can also pass information up into higher level enterprise management applications.

I’m confident that NCP will discover that a recession is precisely the right time to expand their footprint in the US and introduce the server and management software products. The power of their careful approach to the market – downloadable clients first and then servers with plenty of reseller value-add to be enabled – will certainly attract clever security resellers who appreciate quality product and focused market entry. Besides, NCP knows many client users that are looking for more sophisticated and complementary server solutions that can support their environments and security requirements for an array of remote and mobile device implementations.

 

Lawful Intercept Focuses on Skype

skype

skypeIn a nod towards lawful EU intercept of Skype calls, Skype earns endorsement from an Italian drug dealer. The Luxemburg division of eBay has until now refused to unlock the encryption of Skype calls, prompting a more concentrated effort by EU law enforcement and regulatory bodies.

I tried to find out if Skype conforms to [[CALEA]] the US requirements for lawful intercept, but good ol' Google let me down.