When Butterflies and Worms come to Smartphones
The story that an HTC Android phone has been found to be hosting malware has caught the attention of many people in the past day or so. The story is big in its own right. However, when the malware found was then identified as being related to the Mariposa botnet, it took on an even bigger dimension. The bust of the guys behind Mariposa was the big security news of last week.
That this was found on a new Android-based smartphone is being offered up as a proof point that these new devices could be the next battlefield against the cybercriminals. This time last year Conficker was the big security topic. I noticed with interest that, one year on, it even managed to get in on the act: the smartphone was found to also be hosting malware related to Conficker.
The malware was identified when the user connected the smartphone, via USB, to the PC. The PC had a security package installed and it detected the malware as it tried to infect the PC. This is proof positive of the need for, and effectiveness of, having an up-to-date security product installed on the PC, as it helped protect it in the first instance. Secondly, in doing so, it also stopped the further transmission and spread of the Mariposa and Conficker malware to other users. The vendor of the smartphone is looking into how the malware found its way onto the device. As with the PC some years back, infections could happen in the factory, wherein the software loaded onto the PC was found to have been compromised. PC manufacturers were quick to learn from this, and security procedures and processes were put in place to mitigate against this. By and large it was successful, albeit there were, and still are, rare instances when it is found that the point of distribution for a piece of malware was the factory pre-loaded software.
What this incident also suggests is that the smartphone itself needs to take some responsibility for its own security. It needs to play its part in the chain of security, or confidence. Yes, procedures and processes need to be re-evaluated to ensure that malware is not inadvertently loaded onto the device at the point of manufacture. Yes – we need to ensure that any PC that these devices are connected to has security software running on it, as an additional layer of security. However, the device itself needs to be secured, and be seen to be secured.
Now ‘Music’ wades into the fight against cybercrime
I came across this interesting posting from the Microsoft Digital Crimes Unit. They reported on an interesting initiative in Nigeria. A programme has been established to help young Nigerians, involved in cybercrime, to shift their focus by helping their local communities to find online alternatives to Internet fraud, and to educate their peers.
One of the ways the group has engaged with Nigerian youngsters is through music, with the release of a song called ‘Maga Need No Pay’ which challenges young Nigerians to avoid creating new cybercrime victims. You can watch the video for the song here.
Nigeria has for a long time been associated with a particular online fraud, the so-called ‘Nigeria’ or ‘419’ scam. These scams are advance-fee frauds, wherein the scammers promise a fortune in exchange for advance payments. I see it as a welcome development if this initiative can divert young Nigerians from pursuing cybercrime. The intent is to get them to focus on something more positive and altruistic, helping their communities embrace and unlock the ‘net for benevolent purposes. Let’s see if music can help stem the tide of cybercrime.
Public BETA: Norton SafeWeb Lite
Search engine poisoning has become a very popular tactic to direct people to compromised web sites that, in turn, will attempt to scam you or install malware. This approach recognises that most of us now rely on a search engine on a daily basis. It is our first port of call to find out about something, someone or somewhere. The hackers and cybercriminals have latched onto this and are now inserting malicious URLs, or compromising legitimate ones, in an attempt to divert us into their hands.
This is something that the search engine operators, and we in the security community, are developing and deploying solutions for. Norton customers, for the past year or so, have been able to have their search engine results ‘marked up’, to allow them to see which URLs we understand to be good, as opposed to those which we know, or suspect, to be compromised or bad. This uses a technology we developed called Norton SafeWeb. We involve those Norton customers who are part of our Norton Community Watch initiative (35 million or so of them at the latest count) to help feed us suspicious URLs that we can then analyse. It is a layer of security that we know is very effective and from which many of our customers benefit.
The good news is that we are now looking at deploying a version of the Norton SafeWeb technology to non-Norton customers. To that end we have just put a tool called Norton SafeWeb Lite into public BETA. You can download it here from the Norton BETA site.
Did the job of security software just get bigger?
Well, it sure looks that way. We are only just into the second month of 2010, and yet, we can now see in prospect a whole raft of innovation coming our way. At CES in Las Vegas last month, a lot of the attention was given to eBook readers and new slate/tablet based PCs. These new devices are squarely focused on the opportunity with digital content. The success of Amazon and Apple with iTunes, clearly shows that there is a big market for digital content and that money can be made as a result. We have seen a lot of activity in the eBook reader market, with many companies starting to launch products. Amazon, with the Kindle, have very much been in the vanguard of showing how this can all come together.
CES also witnessed a range of announcements with respect to tablet computers. We saw products from HP, Lenovo (an interesting cross-over laptop/tablet device), Sony, Archos, etc. These products will start to come to market from the mid-point of this year. Many people commented that these CES announcements were a pre-emptive strike to gain interest and profile ahead of the long and much anticipated Apple tablet device. And so, last week, Apple finally took the wraps off the ‘iPad’. The headlong rush into the brave new world of digital content devices is now on. What are the security implications of all this? That is a very good question.
In all of the product announcements, a picture was painted of us having almost constant and ubiquitous access to digital content, be that web sites, books, news, music, videos, pictures, etc. That content will be accessed, managed and, importantly, paid for from these new devices. They themselves, when you strip them back, all have an operating system, a browser, storage and some means to connect to the internet. At the end of the day they are PCs of some sort, hence, from a security perspective, they face all the same challenges. We all (regrettably) know that hardware and software have flaws and vulnerabilities and that the hackers and cybercriminals live off the back of this. I predict that in the coming months we will see proof-of-concept announcements, along the lines that a particular device or OS, used in any one of these devices, can be compromised and that, on the back of this, a particular exploit can be enacted. The iPad has just been announced and it uses the iPhone OS. Just today, Apple has released a patch to block remote code execution on the iPhone, and therefore, by extension, on the iPad.
This will spook many people and will no doubt garner many headlines. However, that does not mean that users will be immediately impacted; not in the short term. How come? Well, as ever, it comes down to money. The hackers and cybercriminals, in theory, now have a fertile new segment to exploit and pillage. These new devices hold digital content that has a real value attached to it. To transact and procure this content, on these devices, we are going to use our online ‘identities’. Again, these have real value and quickly attract the attention and focus of the cybercriminals.
However, their desire to do so will be checked not initially by technical considerations, but rather economic ones. The cybercriminals need to have a large ‘addressable market’, to adopt the parlance of the marketeers, before they will really focus on it. For the moment, the hottest product in town is the Apple iPad. I have read that some of the analysts are predicting that up to 6M of these devices could be sold this year. That seems a big number, but if you think that the installed base of Windows PCs stretches into the billions of units, and that the Mac installed base stretches into the hundreds of millions, then it still is relatively small. The numbers and economics suggest that the cybercriminal would be better to focus on the existing, large and established Windows and Mac markets. These new digital content devices will be afforded some protection in that they are operating in a nascent market segment.
At the moment, there is not much, if any, commonality between the products that have been announced – everyone is off and doing it their own particular way. Heterogeneity is not the ideal bed-fellow for the hackers and cybercriminals. It can and will force them to create different versions of malware, and that all takes time and effort, read: cost. So, again, it is economic considerations that dictate where the cybercriminals put their focus.
Past experience is always instructional in shaping the reality of today. This new category of digital devices is going to be huge. It will grow quickly, but it will not necessarily happen overnight. The heterogeneity of the nascent market will afford some initial protection. But, as the number of people buying and using these new devices grows, and as people start to converge upon the few winning products, then we will start to see real attacks come to pass. They will impact many people and will yield real revenue and reward for the cybercriminals. Hence, the perimeter, that we as a security community have to patrol, will get bigger and that bit more complex.
The Google ‘hack’
This past week has seen a whole slew of stories and coverage on the Google-China incident. We have labelled the malware at the heart of this ‘Trojan.Hydraq’. Symantec Security Response has written a blog on this that provides a very interesting insight into the whole incident and how it came to pass. You can find the link to it here.
Is connecting to the ‘net becoming faster?
Well, according to the latest report from Akamai, yes it is. In their latest State of the Internet report, they make the claim that the ‘net is getting faster. Looking at the third quarter of 2009, the report found that most countries in the top-10 list for Internet performance saw an average 18 percent increase in speed from the second quarter. South Korea topped the list, with a 29 percent jump in speed to 14.6 megabits per second, while Ireland came in second for most improved, with a 26 percent rise to 5.3 Mbps.
This is all very encouraging, if you are in the top tier of countries. However, during the third quarter, 103 of the 226 countries measured had average connection speeds below 1 Mbps. The slowest connection speed? Well, the ignominy of that particular title goes to the island of Mayotte, located in the Indian Ocean, with an average connection speed of 43 Kbps. However, I am sure that, given its wonderful location, there are other merits.
Interestingly, the report is now going to turn its attention to mobile internet connection speeds. Akamai analysed the average connection speeds from three of the leading mobile providers within the United States. They observed speeds of circa 700 Kbps. However, there seems to have been a lot of variability between the carriers and also depending on which city you are in. I am sure that this rings true with many of us.
A faster internet brings with it more users and also the ability to do more things online. It also provides more opportunity for the hackers and cyber-criminals. In a shift from prior quarters, Russia and Brazil unseated the United States and China as the two largest attack traffic sources. Cyber attacks are now a global phenomenon, with Akamai observing attack traffic originating from 207 unique countries. They also noted that they believe the Conficker worm is still very active. During the third quarter, 78 percent of internet attacks observed by Akamai targeted port 445, up from 68 percent during the previous quarter. Port 445, which is used by Microsoft Directory Services, is the same port that Conficker targets, aiming to exploit a buffer overflow vulnerability in Windows and infect the targeted computer.
What is ‘private’ any longer?
The word is getting out there, not as quickly as we would want, that people need to be careful about just how much information they provide about themselves, and to whom, via social networking sites. In all the excitement of discovering the utility of a social network site, people can unwittingly compromise themselves. This is an issue for everyone, however, a lot of the focus, quite rightly, has been on kids and youngsters to keep them out of the prying eyes of on-line predators.
Zoe Kleinman has brought an interesting perspective to all of this with an article she has written on the BBC News site. In her piece she refers to research to be presented by Dr Kieron O’Hara of Southampton University, wherein he calls for people to be more aware of the impact on society of what they publish online. Privacy law is driven by a concept of a reasonable expectation of privacy. As more of our private lives have moved online, either intentionally or not, the expectation of privacy has changed. What is normal now? The bottom line is that, with more people putting ever more private information out there, we do not have the level of legal recourse that we think we have. However, we are part of the community and our actions do ultimately drive the social norm. Hence, the solution is down to us and what we ourselves do on-line.
Is there a funny side to cross site scripting?
Cross Site Scripting (or XSS) is one of the most common web-application attacks that we see today. In general, cross-site scripting refers to the hacking technique that leverages vulnerabilities in the code of a web application to allow an attacker to send malicious content to an end-user, with the possibility of collecting some type of data from the victim.
Today, websites rely heavily on complex web applications to deliver different output or content to a wide variety of users according to set preferences and specific needs. The heart of the issue is that if untrusted content can be introduced into a dynamic page, neither the web site nor the client has enough information to recognise that this has happened and take protective action.
The BBC have reported on an XSS attack wherein visitors to Spain’s EU presidency website have been greeted by an image of hapless fictional character Mr Bean instead of Spain’s Socialist leader. It would appear that many people in Spain feel there is a strong physical resemblance between Mr Zapatero and Mr Bean. Now, it would appear that this XSS attack was not malicious, just a prank to poke fun.
However, XSS can be, and is, widely used for more malicious purposes. The use of XSS might compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code. Any web page which passes parameters to a database can be vulnerable to this hacking technique. So, whilst this incident with Mr Zapatero is amusing, the fact remains that XSS is a pernicious and dangerous technique and really is no laughing matter.
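To make the "untrusted content introduced into a dynamic page" point concrete, here is an added example (not code from the BBC story or from the affected site): one request handler written the vulnerable way and then hardened with output encoding plus a Content-Security-Policy header. The URL, parameter name and image path are constructed for the example.

```javascript
// Added example: reflected XSS in a page that echoes a query parameter, and the
// hardened version of the same handler. Everything here is constructed.

// Encode a value for an HTML text context: the five characters that can start
// or end markup become entities, so the browser shows them as text rather than
// parsing them as tags or attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the "leader" query parameter is copied into the page verbatim, so
// whatever a crafted link puts there becomes part of the page the visitor sees.
function renderVulnerable(requestUrl) {
  const leader = new URL(requestUrl).searchParams.get('leader') || 'Unknown';
  return `<h1>Current presidency: ${leader}</h1>`;
}

// Hardened: the untrusted value is encoded for the context it lands in, and a
// CSP header limits what any markup that did slip through could load or run.
function renderHardened(requestUrl) {
  const leader = new URL(requestUrl).searchParams.get('leader') || 'Unknown';
  return {
    headers: { 'Content-Security-Policy': "default-src 'self'; img-src 'self'" },
    body: `<h1>Current presidency: ${escapeHtml(leader)}</h1>`,
  };
}

// Defender's check: list any tag names in the rendered page that the template
// itself did not emit. Used here to contrast the two handlers.
function foreignTags(html, templateTags) {
  const found = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return found
    .map((t) => t.replace(/^<\/?/, '').toLowerCase())
    .filter((name) => !templateTags.includes(name));
}

// Constructed input: a visitor-supplied value carrying an image tag, in the
// spirit of the prank described above.
const INJECTED =
  'http://example.test/page?leader=' +
  encodeURIComponent('<img src="http://example.test/mr-bean.jpg">');
```

With `INJECTED`, `renderVulnerable` returns a page containing a live `<img>` tag while `renderHardened(...).body` carries only `&lt;img ...&gt;` text, which `foreignTags` reports as no foreign tags at all.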
File scanning – a game of hide and seek?
QA (quality assurance) is a critical step in the creation of new software. It tests the code to ensure that it does what it is supposed to do. Now, for the creators of malware, one of their critical QA steps is to test their code against the leading security products, to see if it can go ‘undetected’ and therefore be successful in being executed on the target system. Brian Krebs, in his blog, has brought to our attention a new underground service that lets the malware writers check their work. There are already a few legitimate file-scanning services that have been in operation for some time. They allow users to upload a suspicious file and scan it against dozens of commercial anti-virus tools. If a scan generates any virus alerts or red flags, the report produced by the scan is shared with all of the participating anti-virus makers, so that those vendors can incorporate detection for the newly discovered malware into their products.
Now, what Brian Krebs has reported on is a new generation of file-scanning services that do not share their results, or the malware, with the anti-virus community. The malware authors have to pay for this service, but what it allows them to do is to quickly test and check their software against the leading security products. However, the results of these tests, and the files themselves, remain hidden. It would appear that offering a service such as this hands the advantage to the malware creators. Or does it?
The ability for the malware authors to test their files against security products has always been a dynamic in our industry. Every time we bring out a new release of our products, they move quickly to test and assess what this means for their software. They would always appear to have an advantage in this regard. However, we have always been aware that what the malware guys want to do is, in effect, to ‘fly below the radar’ of detection. What I mean by this is that they want to go unnoticed and undetected. The best way to do this is to control and limit the number and distribution of their files or binaries, so as not to attract the attention of the security community. Hence, when a file is submitted to one of the legitimate file-scanning services, it becomes known to the whole security community. This is where reputation-based security technology really comes into its own.
With this approach, we look at all new files and binaries and, when we find a new file, we assess its reputation to understand whether it is to be trusted or not. In doing so, reputation-based security turns the advantage of anonymity and relatively low distribution of a file against the malware authors. It is a very powerful approach and an effective defence. We implemented reputation-based security in the Norton 2010 products. We also created a video that explains how all this works. Hence, whilst the arrival of this new generation of malicious file-scanning services is bothersome, it is not necessarily ceding the advantage to the malware authors.
Don’t do the crime if you are not prepared to do the time!
Have you ever heard of Albert Gonzalez? The chances are probably that you have not. However, he has now entered into infamy, having been convicted of the largest identity fraud scam in US history. You can get more details on him and the case using this link. In addition to having paid back $2.7M and offered up a condo, jewellery and cars as further restitution, he is now facing a jail sentence that could stretch to 25 years. They certainly wave a big stick in the US when it comes to internet fraud.
The interesting thing in this case was that he was able to get his hands on the 130 million credit and debit cards relatively easily. It appears he used ‘wardriving’ as his preferred modus operandi to hack into the companies he targeted. Thereafter, he used a sniffing program to grab the payment card details that were being used by the companies to transact with their customers.
What Albert Gonzalez brings into sharp focus is just how much money can be made from internet crime and the sort of lifestyle it can afford to those who participate in it. It also brings into sharp relief the downside of this activity: when you are caught, you go to jail, and for a long time.

