With the increasing popularity of mobile devices like iPhones and Android-based phones, we are beginning to see targeted malware, raising the question, do we need anti-malware for our mobile devices? ReadWriteWeb Enterprise was prompted to write an article on this topic as a result of the Android game Tap Snake which was reported to be spyware.
It appears the mobile anti-malware market is fairly immature:
I took to the opportunity to test a few of the anti-malware apps available on the market: antivirus free from droidSecurity, Lookout, Symantec‘s Norton Mobile Security for Android beta, and Smobile. I was also going to try SmrtGuard, but I couldn’t get the app to activate before Tap Snake was removed from Android Market. Of those four apps, only one detected Tap Snake as a potential threat.
The article goes on to say that tightly controlling what apps can be loaded onto mobile devices may all enterprises need at this time.
Slate recently published an article entitled, "The End of
Malware?" The sub-title is, "How Android, Chrome, and the iPad are
shielding us from dastardly programs." The premise trotted out the
usual, Windows is insecure; Android, Chrome, and the iPad are more
secure because they deploy sandboxing technology, i.e. restricting an
application's access to operating system resources.
While this may be a good thing, it is hardly the "end of malware."
Not even close.What the author is missing is the intent and motiviation
of the bad guys. They go where the money is, i.e. where there is the
opportunity to steal cash from people's bank accounts, steal credit card
information, steal intellectual property they can sell. At present,
these opportunities are minimal on Android, Chrome, and iPads. Once
there is critical mass for profitable hacking, you will definitely see
an increase in exploits on these devices.
Now even with limited opportunities for profitable hacking we are
starting to hear about vulnerabilities on these devices. Just yesterday I
wrote about a Massive iPhone
Security Issue where passcode protected content on the iPhone can be
accessed by simply attaching the device to a computer running Ubuntu or
OSX. Therefore, if you lose your iPhone, your passcode protection is
useless.
If you need to hear more, check out the June 3 article in the Wall
St. Journal, Dark Side Arises for Phone Apps. Here are some key
quotes, first on Google:
In one incident, Google pulled dozens of unauthorized
mobile-banking apps from its Android Market in December. The apps,
priced at $1.50, were made by a developer named "09Droid" and claimed
to offer access to accounts at many of the world's banks. Google said
it pulled the apps because they violated its trademark policy.
The apps were more useless than malicious, but could have been
updated to capture customers' banking credentials, said John Hering,
chief executive of Lookout, a mobile security provider. "It is becoming
easier for the bad guys to use the app stores," Mr. Hering said.
And on Apple:
Apple vets applications before they appear in its App
Store, but risks still exist. In July 2008, Apple pulled a popular game
called Aurora Feint from its store after it was discovered to be
uploading users' contact lists to the game maker's servers. More
recently, it yanked hundreds of apps it said violated its policies,
some out of security concerns.
In conclusion, while sandboxing is a good idea, there is no silver
bullet when it comes to security.
The Register is reporting on an "unusually sophisticated attack" on the well known Adobe PDF vulnerability that is caught by only four of 41 anti-virus vendors tested by Virus Total.
As Computerworld and others reported in mid-December, Adobe chose to release the patch to this vulnerability in its normal cycle on January 12, 2010 instead of rushing it out as soon as it was ready.
RAM Scraping is a new type of malware being tracked by the security forensics team at Verizon Business. Good article describing it here.
RAM Scraping attacks were first seen targeting Point-of-Sales terminals as a way to get credit card information. However, as users increase the use of password managers to mitigate the risks of phishing and keyloggers, I can see RAM Scraping attacks increasing in popularity.
The London-based Times OnLine had a story today entitled, "New Trojan virus poses online banking threat." With all due respect, Mike Harvey, their Technology Correspondent, appears to have gotten a few things wrong as follows:
The headline is referring to the Clampi Trojan, which is not new. It was first discovered in 2006 according to McAfee and 2008 according to Symantec. In fact as late as July 23rd, Symantec classified Clampi as "Very Low" risk. Since then, Symantec has raised the risk level to "High."
The Clampi Trojan is just one of many trojans that cyber criminals are using to steal people's online banking credentials. What these trojans have in common is the keylogging capability, i.e. the ability to capture all of your keyboard clicks.
The real story is that sophisticated cyber criminals are focusing on stealing money directly out of small and medium business accounts.
For more details on Clampi and funds transfer fraud, see my earlier blog posts here and here respectively.
Two more high profile organizations have succumbed to Web 2.0 based exploits, New York Times and RBS Worldpay. These highlight the shortcomings of traditional IT security. I have no doubt that both of these organizations had deployed traditional firewalls and other IT Security tools, yet they were still breached by well understood exploit methods for which there are are proven mitigation tools.
The current RBS Worldpay problem was merely a hacker showing off a SQL Injection vulnerability of RBS Worldpay's payment processing system. Late last year RBS Worldpay suffered a more damaging breach involving the "personal and financial account information of about 1.5 million
cardholders and other individuals, and the social security numbers
(SSNs) of 1.1 million people."
The New York Times website itself was not breached. A third party ad network vendor they use was serving "scareware" ads on New York Times site. Martin McKeay points out on his blog:
"it appears that the code wasn’t directly on a NYT server, rather it was
served up by one of the third-party services that provide ads for the
NYT. Once again, it shows that even if you trust a particular site
you’re visiting, the interaction between that site and the secondary
systems supporting it offer a great attack vector for the bad guys to
gain access through."
On the other hand, the average user coming to the New York Times site is not aware of this detail and will most deservedly hold the New York Times responsible. Web sites that use third party ad networks to make money, must take responsibility for exploits on these ad networks. For now, as usual, end users have to protect themselves.
I recommend that Firefox 3.5 users avail themselves of Adblock Plus and NoScript. Adblock Plus obviously blocks ads and NoScript by default prevents JavaScript from running.
What's particularly interesting about NoScript is that you can allow JavaScript associated with the site to run but not the JaveScript associated with third party sites like advertising networks. Based on my reading of Troy Davis's analysis of the exploit, if you were using Firefox 3.5 and running NoScript with only New York Times JavaScript allowed, you would not have seen the scareware ad.