The history of mobile malware started out on Palm OS. Attackers then moved on to Symbian, and now play around on Android and iOS.
At the Viennese DeepSec conference, the following slide was presented by McAfee:

Not much to add here…
Mobile security has been a topic ever since this network was opened – so far, no really large breakout has taken place.
Canalys has now released the following press release – as always, highlighting was added by yours truly:
Canalys today announced its updated worldwide mobile security forecast, estimating an average investment growth of 44.2% per year, reaching $759.8 million by the end of 2011 and turning into a $3 billion market opportunity in 2015.[1]
According to Canalys figures, only 4% of smart phones and pads shipped in 2010 had some form of mobile security downloaded and installed, highlighting a low end-user awareness level and the relative infancy of the market. Mobile security uptake is anticipated to rise rapidly over the next four years, as enterprises conform more strictly to data protection and compliance practices, and consumers begin to understand the impending security threat to their personal data. Canalys forecasts that by 2015 over 20% of smart phones and pads will have mobile security software installed.
…
Not much to add here…
Two years ago, nobody cared about mobile malware. OK, there were a few small outbreaks – but nothing which made its owners money.
InformationWeek now reports the following:
More than 1 million cell phone users in China have been infected with a virus that automatically sends text messages, and the attack is costing users a combined 2 million yuan ($300,000 U.S.) per day.
According to Shanghai Daily, “the ‘zombie’ virus, hidden in a bogus antivirus application, can send the phone user’s SIM card information to hackers, who then remotely control the phone to send URL links.”
…
As this product relies purely on social engineering or idiocy, I would not consider it a virus – let’s see when this is combined with an exploit for maximum damage and automatic spreading…
Traditionally, mobile networks were relatively safe places. The low CPU power of mobile devices made using them for botnet attacks impractical – that is, until tethering and 3G dongles came along.
Mobile Business Briefing now reports the following:
Content delivery platform company Akamai said that “more than half of the observed mobile attack traffic” recorded by its servers originated from three countries: Italy (25 percent), Brazil (18 percent) and Chile (7.5 percent).
…
Given that mobile phones have not been used for botnets so far, the conclusion we can draw here is that many Italians use wireless broadband…
A lot has been spoken and written about cyber warfare in the past – so far, we have not seen any actual cases.
This has now changed. TechPinger.com reports the following:
Security experts first learned of the new strain of software in June, but only disclosed its ability to infect major industrial systems in recent weeks. “This is cyber sabotage,” said Roel Schouwenberg, a senior researcher for the security firm Kaspersky Labs. “Stuxnet is designed to basically bring down a plant or take down operations.”
Given the bold passage above, it should be clear that there is some sort of governmental force behind it – let’s see when the Iranians retaliate.
Image: Wikimedia Commons / Sepehrnoush; scitexing by Tam Hanna
Apple has frequently removed applications from the store in the past. Amazon did so with an ebook and got an outcry…which is why Google originally planned to retain the kill switch in the Android OS for the absolute emergency.
Given that mobile phone security is becoming more and more of a topic, the situation has now arisen. A blog post by a Google engineer reads as follows:
…
Recently, we became aware of two free applications built by a security researcher for research purposes. These applications intentionally misrepresented their purpose in order to encourage user downloads, but they were not designed to be used maliciously, and did not have permission to access private data — or system resources beyond permission.INTERNET. As the applications were practically useless, most users uninstalled the applications shortly after downloading them.
After the researcher voluntarily removed these applications from Android Market, we decided, per the Android Market Terms of Service, to exercise our remote application removal feature on the remaining installed copies to complete the cleanup.
…
As of now, nothing is known about these applications. Let’s see whether they will show up at one of the security conferences – if not, we could have our first black-hat targeting Android…
Spam is an age-old topic. While most of us probably delete most spam messages on sight, there must be enough morons who actually read them, or the whole game wouldn’t pay off for the spammers.
FlowTown.com have now created the image below:

Unfortunately, their method of gathering the data was not disclosed…but it nevertheless makes for interesting reading!
Owners of Linux-based routers are in for a “reverse treat” – a botnet called Chuck Norris attacks these devices.
PCWorld reports the following:
…
Once installed in the router’s memory, the bot blocks remote communication ports and begins to scan the network for other vulnerable machines. It is controlled via IRC.
Because the Chuck Norris botnet lives in the router’s RAM, it can be removed with a restart.
…
So: change that default password, folks!
I guess that everybody who frequents the Tamoggemon Content Network is well aware that cell phone providers always know where your cell phone is. You lot probably also know that this data is often logged, and can theoretically be used for all kinds of data-mining processes.
So far, the common assumption was that cell phones will not be tracked without a court order. Unfortunately, this is untrue. CNet News reports the following:
In that case, the Obama administration has argued that warrantless tracking is permitted because Americans enjoy no “reasonable expectation of privacy” in their–or at least their cell phones’–whereabouts. U.S. Department of Justice lawyers say that “a customer’s Fourth Amendment rights are not violated when the phone company reveals to the government its own records” that show where a mobile device placed and received calls.
The message is short and sweet here: if your phone is on in the USA, the US government knows where you are. Do with that what you want to, and don’t hold us liable…
Austria has suffered from waves of unwanted premium SMS over the last two years or so – a recent Cisco report claims that the boys now have a new method:
Text message scams targeting users of handheld mobile devices, such as cell phones and smart phones, are becoming a common fraud tactic. At least two or three new campaigns have surfaced every week since the start of 2009. The spike in frequency can be attributed partly to the economic downturn, but it’s also the massive—and still growing—size of the mobile device audience that is making this new frontier for fraud irresistible to criminals.…
The report goes on to claim that various kinds of social-engineering-based methods are used – a particularly devious one is outlined below:
Customers were contacted by either SMS or phone and asked to provide “verification details,” such as bank account numbers, to collect a grand prize. Victims were also asked to purchase scratch cards worth QR500 (approximately US$135) and provide those numbers as “security” when they collected their fictitious prize.
Further information can be had in the PDF below – page thirteen, onwards:
http://cisco.com/web/about/security/intelligence/Cisco_2009_Midyear_Security_Report.PDF
CNET’s News team got their hands on a recent Symantec report on the state of cyber-crime. The boys listened in on “underground IRC channels”, and then analyzed the data.
Computer criminals have become more professional in the last year, creating underground economies where malware, bank accounts and services are bought and sold “freely”. If everything offered were sold (a highly unlikely scenario), sellers would net 270 million dollars in a single year.
The most scary part of the report is the following quote:
“The big picture is this system is highly self-sustaining. You can buy the attack tool kit, use it to steal information and sell that information to others in the economy,” Zulfikar Ramzan, technical director of Symantec Test and Response, said in an interview. “You don’t need to have expertise in every area of cybercrime. You can have expertise in just one area and with others, form a supply chain to make money.”
Of course, it’s always possible that Symantec is peddling fear here in a fashion similar to what F-Secure did with S60 virii – so take these results with a grain of salt.
The folks at Asus once were a very good hardware manufacturer. Their motherboards enjoyed fame among overclockers, power users and OEMs alike due to their excellent stability, durability and longevity. Unfortunately, this eventually changed with the delivery and success of the eeePC…one could say that the success went to the head of each and every Asus employee/contractor except for Lars Schweden (who recently left for LG).
The company no longer provides press samples in a manageable fashion, and silently reduced the battery capacity of its eeePC devices without informing customers about it. Now, however, negligence/hubris have reached a completely new level!
Purchasers of ASUS laptops have found various “goodies” on the recovery CDs that shipped with their laptops. We aren’t talking about gimmicks here, but rather about:
* A directory called “Crack” that appears to contain serial numbers for other software packages
* A directory containing a large number of confidential Microsoft documents for PC manufacturers, including associated keys and program files
* Various internal Asus documents and source code for Asus software
…
One of the confidential Asus documents includes a PowerPoint presentation that details “major problems” identified by the company, including application compatibility issues.
IMHO, it is very difficult to explain how something as stupid as this can happen. Not only does a huge company use cracks (I hope that somebody publishes a list of the affected applications so that their owners can sue), but they are actually too lazy to check the recovery CDs before shipping them out to customers.
For me, all of this speaks a clear language: keep your fingers off whatever box the folks at ASUS may spit out. Even though their stuff may be dirt cheap, it is likely to bite you in the long run…
via PCpro
Recently, I was the beneficiary of a “sweet” deal from Resco. Resco Suite is comprised of many of the company’s apps for PalmOS (See Tam’s review). Since I already owned Resco Explorer 2007, Resco Viewer, and Resco Backup Pro, the suite didn’t really interest me until they decided that users who owned 3 or more Resco products could get a 70% discount on Resco Suite! I was sold so I now own the lot. My first idea was to use IDGuard instead of SplashID to keep all that information protected on my palm.
What about a desktop conduit? I should get this out of the way right at the beginning. SplashID has a desktop conduit and IDGuard doesn’t. I spoke to Jan Slodicka at Resco about what he thought the timetable for getting a desktop component for IDGuard would be. He thought that there could be a conduit in about 6 weeks. In my opinion, this is the major benefit of SplashID over IDGuard. Once IDGuard has a conduit, it will be hands down the best PalmOS Identity protection app out there. IDGuard NOW has a backup conduit!
Importing records: The first hurdle was getting the data from SplashID into IDGuard. At first I had problems: the import feature in IDGuard choked when importing a vID export file from SplashID – it imported just 29 of the over 300 records I had. On the other hand, the import of the SplashID pdb went fine (once I took the password off the SplashID database). Resco was great when it came to troubleshooting this, and now the import works perfectly, vID or pdb file. For your own protection IDGuard can’t decrypt the SplashID database; you must know the password and remove it first.
Some benefits of IDGuard over SplashID:
You can attach documents to a record. These documents can be in most formats you find on your device – doc/xls/ppt/pdf/images/html/zip/txt/audio/etc. When you attach a file IDGuard asks if you wish to delete the original. In this way you encrypt a file and delete the unencrypted version. You can open the document directly from IDGuard, with 2 caveats – 1) you need a reader for the type of document you are opening (e.g., Documents 2 Go for .doc files) and 2) the reader needs to be in RAM. By default I keep all my D2G applications on my card (you can move applications to the card from within D2G). When I tried to open a .doc file the screen blanked for a second then returned to the login screen of IDGuard. After I moved the application into RAM it opened beautifully. Depending on the application, IDGuard will either make a temporary file that is opened, then deleted when it is finished (as with images viewed with Resco Viewer), or the app will warn you that a file will be made in a certain directory on your card and you will be responsible for deleting it (if you view an image with Media).
I played an audio file (mp3) directly from IDGuard without any problems whatsoever. If you have a mic on your device you can also record your own audio attachments.
Another great feature is the reminders. You can set a reminder on records.
I found when I was recategorizing my records in IDGuard that it had so many fewer choices of icons than SplashID had. This can be somewhat frustrating in that I like to be able to quickly look at records and know what they are from their icon (especially if I’m in the icon view). When I imported my database over to IDGuard all my SplashID entries that had been marked with an icon of a PDA were now marked with a CD icon or a question mark. I prefer distinguishing my software serial number entries between PC software and PDA software. It is categorized that way and should be “iconized” that way. There is a smartphone icon, so I decided that was how I would differentiate. There should be a book icon, in my opinion. I guess I’d just like to see more of a selection.
Overall IDGuard is a superior piece of software. The ability to encrypt so many different kinds of documents/files and view them straight from within IDGuard is a tremendous advantage. Once the desktop component for IDGuard is out I’ll be taking SplashID off my device. Jan at Resco said they will be incorporating the encryption technology used in IDGuard into Explorer 2008 – I can’t wait! I also spoke to Nikolai Filipov at SplashData. Nikolai hadn’t even realized that Resco had released their IDGuard product until I contacted him. Nikolai said in his email, “… it appears that their application is based on SplashID. SplashID has been the best-selling password manager for Palm OS for over 6 years.” SplashData even provided me with a reviewer’s guide and a serial number to help with my review. In going through both apps, I became more and more impressed with IDGuard’s abilities. At the same time, it is evident that the SplashID interface/GUI has had more time to mature and has slightly more flexibility. Some graphical components are the same on both apps, lending some credence to the assertion by SplashData (for instance, the font selection dialogues are very similar in both apps – note that all skinning in these screen shots was done by SkinUI).


A nice ability that SplashID has is to be able to change the background colors in the list view. Although this seems minor, it is extremely useful when you change to hires mode. In IDGuard, I can barely discern the background colors, which makes it easier for my eye to accidentally slip from one row to the next. In SplashID I changed the color of the colorized rows in hires to a darker color, and that made all the difference in the world.


The screenshot below shows the SplashID choose color dialog:

To wrap it up I’ve made a chart showing the differences and similarities (I’ve highlighted in red the items I believe are the most important differences):
| Feature | SplashID | IDGuard |
|---|---|---|
| GUI | Customizable in different views – generally more flexible | Customizable in different views |
| Encryption | 256-bit Blowfish | Industry-standard AES |
| Desktop Component | Yes – Vista compatible | Yes (edited) |
| Document processing | No | Yes – encryption of all types of documents |
| Attachments | No (except notes) | Yes – attachments can also be created with the built-in camera or audio recorder |
| Reminders | No | Yes |
| Customizable record templates and categories | Yes | Yes |
| Secure memos | No | Yes |
| Special data editors for address/phone number/e-mail | No | Yes |
| Data sources (databases) | Yes – synchronize multiple SplashID databases to a single data source on Palm | Yes – multiple data sources on Palm |
| Backup/Restore | Yes | Yes |
| Export/Import/Send | Yes | Yes |
| Password generator | Yes | Yes |
| Password strength meter | Yes | Yes |
| Auto-locking | Yes – auto lockout after 10 failed attempts; time to auto lock after exit is configurable at immediately, 1, 2, 3, 4, 5, 10, 15, 20, 25, 30 minutes | Yes – wait time gets longer after each failed attempt; time to auto lock after exit is configurable at immediately, 1, 2, 5 minutes |
| Hint for password | Yes | Yes |
| Web auto fill – one click to open a website on the desktop and login automatically | Yes | Yes |
| Custom icon support | Yes | No |
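As an added illustration of the auto-locking row (this is not code from SplashID or IDGuard), the following Python models both policies: a fixed limit of 10 failed attempts, and an escalating wait after each failure. The doubling schedule and the one-guess-per-second scenario are assumptions; the page states neither.

```python
"""Models of the two auto-lock policies in the comparison table.
Added example, not SplashID or IDGuard code; the doubling delay schedule
is an assumption (the page only says the wait grows after each failure)."""
from dataclasses import dataclass


@dataclass
class FixedAttemptLockout:
    """SplashID-style: lock the database after N consecutive failures."""
    max_failures: int = 10          # value given on the page
    failures: int = 0
    locked: bool = False

    def attempt(self, correct: bool) -> bool:
        """Return True only when an unlocked database accepts the password."""
        if self.locked:
            return False            # even the right password is refused
        if correct:
            self.failures = 0
            return True
        self.failures += 1
        self.locked = self.failures >= self.max_failures
        return False


@dataclass
class EscalatingDelay:
    """IDGuard-style: each failure lengthens the wait before the next try.
    Assumed schedule: base_delay * 2**(failures - 1) seconds."""
    base_delay: float = 1.0
    failures: int = 0
    next_allowed: float = 0.0       # earliest time an attempt is evaluated

    def attempt(self, correct: bool, now: float) -> bool:
        if now < self.next_allowed:
            return False            # inside the wait: attempt is ignored
        if correct:
            self.failures = 0
            return True
        self.failures += 1
        self.next_allowed = now + self.base_delay * 2 ** (self.failures - 1)
        return False


def auto_lock_after_exit(exit_time: float, now: float, minutes: int) -> bool:
    """Auto-lock timer from the table; minutes=0 means 'immediately'."""
    return now - exit_time >= minutes * 60


def guesses_evaluated(window_seconds: int, base_delay: float = 1.0) -> dict:
    """Constructed scenario: one wrong guess submitted every second.
    Count how many guesses each policy actually evaluates in the window."""
    fixed, esc = FixedAttemptLockout(), EscalatingDelay(base_delay=base_delay)
    counts = {"fixed": 0, "escalating": 0}
    for t in range(window_seconds):
        before = fixed.failures
        fixed.attempt(False)
        counts["fixed"] += fixed.failures > before
        before = esc.failures
        esc.attempt(False, float(t))
        counts["escalating"] += esc.failures > before
    return counts
```

Over a one-hour window the fixed policy evaluates exactly 10 guesses and then refuses everything, while a doubling wait starting at one second still lets 12 through, so the escalating scheme is only stricter if its base delay is generous.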
For several years, now, security experts have been talking about the threat posed by Palm OS malware and malicious hackers. And, really, it’s all been talk. There have been a few, not-very-successful trojans, and an exploit for Treos that would let someone retrieve a few bits of info even if the Treo was locked. But that’s pretty much it.
Still, the security people have a point. The average Treo-toting businessperson uses their device as a way to carry around the documents, programs, and media that they need to have handy. In other words, the really important stuff that they use a lot resides on their Treo. Of course, that would be a luscious target for crackers if they could get in. But, with no multitasking or services, the Palm OS is probably one of the most secure operating systems developed.
Of course, that’s all going to change when Palm OS 2 comes out.
Okay, before everyone jumps on me yelling “But Linux IS secure!”, let me say: I like Linux. It’s definitely secure. But a basic truth is that the more complex you make a computer system, the more bugs you get. And the more bugs you get, the easier it is to break into a system. And let’s not forget multitasking, the lack of which has been the primary factor protecting the Palm OS from a storm of viruses and other malware.
So, how do you fix that? You focus on making a PDA, not a tiny computer that has 3000 ports wide open. At the same time, though, you leave the door open for third-party developers to design this sort of thing. In other words, you give your users a choice: the not-that-security-conscious business people can have a PDA, and PDA enthusiasts (who are probably more security conscious) can mod the thing to their heart’s content.