
mobile security

news, reviews and goings-on in the world of mobile security

Goodbye 2006, Hello 2007. What’s in store for us in the coming year?

Filed under: Identity Security,lost+found — webmaster at 11:22 am on Thursday, December 14, 2006

I took the time to read McAfee Avert Labs’ top ten security threats for 2007. The section on mobile security caught my eye:

More mobile attacks

Mobile threats will continue to grow as platform convergence continues. The use of smartphone technology has played a pivotal role in the threat’s transition from multifunction, semi-stationary PCs to palm-sized “wearable” devices. With increased connectivity through BlueTooth, SMS, instant messaging, email, WiFi, USB, audio, video and Web, there are more possibilities for cross device contamination.

2006 saw efforts by mobile malware authors to achieve PC-to-phone and phone-to-PC infection vectors. The PC-to-phone vector was achieved with the creation of MSIL/Xrove.A, a .NET malware that can infect a smartphone via ActiveSync. Existing phone-to-PC vectors remain primitive in nature at this time, such as infecting via removable memory cards. However, McAfee expects that this next stage will be achieved in 2007.

SMiShing, which involves taking the techniques of phishing by email and porting them to SMS (SMiShing instead of phishing), is also expected to increase in prevalence. In August 2006, McAfee Avert Labs received its first sample of a SMiShing attack with VBS/Eliles, a mass mailing worm that also sends short message service (SMS) messages to mobile phones. By the end of September 2006, four variants of the worm had been discovered.

In addition, for-profit mobile malware is expected to increase in 2007. While most of the malware Avert Labs has run across includes relatively simple Trojan horses, the outlook has changed with the J2ME/Redbrowser Trojan. J2ME/Redbrowser is a Trojan horse program that pretends to access Wireless Access Protocol (WAP) web pages via SMS messages. In reality, instead of retrieving WAP pages, it sends SMS messages to Premium Rate numbers, thus costing the user more than intended. A second J2ME, Wesber, appearing in late 2006, also sends out messages to a premium SMS number.

Late 2006 saw a flurry of spyware offerings in the mobile world. Most are designed to monitor phone numbers and SMS call-logs, or to steal SMS messages by forwarding copies to another phone. One spyware in particular, SymbOS/Flexispy.B, is able to remotely activate the microphone of the victim’s device, allowing someone to eavesdrop upon that person. Other spyware can activate the camera. McAfee expects the offerings of commercial spyware targeting mobile devices to grow in 2007.

It is easy for such reports to over-simplify and tar all mobile devices with the same brush. The same statement written for the PC world wouldn’t fly.

In the PC world we have Linux, Windows, BSD or OS X * just as in the mobile world we have various S60 incarnations, Windows Mobile/Pocket PC and a whole host of other proprietary mobile OS’s – all of which are very different beasts.

Analysts in other leading companies said this exact same thing last year, perhaps with the exception of IBM who pointed out:

However, other much-hyped security trends are unlikely to break out in 2006, including attacks on VOIP (voice-over-IP) systems and on mobile devices

Whilst I agree with some of what is written, I would like to emphasise that some mobile OS’s are more vulnerable than others. And layer 8 will probably continue to be the most effective attack vector – as is the case on the PC side.

* Well, sort of


Like Father Like Son? Windows 2000/XP and Windows Mobile/CE

Filed under: Vendor Specific — webmaster at 10:18 am on Thursday, December 14, 2006

Whilst analysts in Gartner and McAfee are busy looking into their crystal balls to find where attacks will focus in the following year, I noticed two very interesting articles (here and here) on the Symi Weblog. In my opinion they raise some very interesting questions that have not been commented on, and are ones which I think are highly valid.

Ollie Whitehouse has pointed out on a number of occasions that Microsoft’s sharing of code between traditional desktop Windows and its mobile counterparts is a risky business, and one that could set the software giant up for a continuation of its Patch Tuesdays and Zero Day Wednesdays.

His argument is based around the fact that whilst Microsoft are continuously patching the desktop incarnations of Windows, the mobile side, which is using a lot of the same code, is going un-patched.

This leaves open a lot of unanswered questions.

Whilst Windows Mobile is not the most popular smartphone OS, it is increasing in popularity. And as smartphones proliferate, so will the attention that hackers and malicious code writers pay to a given OS.

So is Windows Mobile/CE/Pocket PC edition following in the footsteps of its predecessors? With regard to mobile threats, are we at the stage today with mobile devices that we were at in the early nineties with Windows 3.0/3.1? Is this code reuse and lack of patching going to cause problems further down the line?

Could this be a case of “those who do not learn from history are doomed to repeat it”?

And whilst in recent years Microsoft has started to take security a lot more seriously, is there enough focus on the mobile side?


Mobispy/A Multidropper – would that be Flexispy?

Filed under: Mobile Device Security — webmaster at 8:28 am on Monday, December 11, 2006

I read on McAfee’s Mobile Security Blog about a new so-called ‘multidropper’ spyware package which appears to be the first of its kind. A multidropper is essentially a wrapper in which other packages are placed. It uses the embedded SIS command from the Symbian Packaging Standard which, when executed, tells the wrapper to install embedded package a, b, c and so on.

From reading between the lines (for legal reasons I believe), the creator of this malicious package has signed up for an account with Flexispy and embedded their package within a .SIS file.

However, as our friends at McAfee rightly point out, Flexispy accounts are by default tied to one IMEI unless the account holder purchases a multi user license:

Can I install on several phones simultaneously?
Yes. If you have a multi user licence, you can install FlexiSPY on multiple devices, and have all the call activity recorded into your account. Please contact support for details. As a convenience for our Customers, we allow two separate devices to report to one account for the first 30 days following purchase. After this period, accounts using multiple phones to one account must purchase a multi user licence, or their service is temporarily suspended.

So when McAfee state that it is unlikely that the author of the spyware is the original account holder, I assume this implies that s/he also has access to a multi user account? Judging by the above FAQ statement I would say multi user accounts have a higher cost associated with them, that they are not high in number and are approved on a case-by-case basis. This means the attack vector has one huge flaw and can be cut dead at any time. Together with McAfee, I am also of the opinion that the current incarnation of Mobispy/A will not be going very far anytime soon.


Mobile data and importance of disk encryption

Filed under: Identity Security — webmaster at 9:10 am on Friday, November 24, 2006

It seems almost every day new articles appear on news websites relating to the theft or loss of laptops. This week, the UK based Nationwide building society will mail all of their 11m (yes, ELEVEN MILLION) customers to inform them of a laptop which was stolen in August. That it has taken Nationwide 3 months to mention this hiccup will only serve to further exacerbate customer anger. Trying to cover things up in this way will cost them more dearly than if they were just open and honest in the first place.

Other details Nationwide refuse to disclose include:

  • what customer information was on the laptop
  • where the laptop was stolen from
  • how many customer details were on the laptop
  • why so much sensitive data was there in the 1st place
  • whether the laptop was using any encryption

All in all, this amounts to a hugely embarrassing situation for Nationwide. Looking at the big picture, it seems they first tried to sweep the incident under the carpet and that has just made matters worse. Furthermore, failing to answer basic questions about the event and how secure the laptop was will surely make matters worse.

Who does incident handling and damage control at Nationwide?

If they have anyone, they don’t appear to be doing a very good job of it. The only useful piece of information that they have disclosed is:

the information did not include any PINs, passwords, account balance information or memorable data.

They go on to say:

since the loss of the laptop we have taken steps to improve our security measures further and provide additional protection to our customers

Could this be a case of shutting the stable door after the horse has bolted? I certainly think so.

The main customer concern here seems to be one of identity theft. In the UK, a criminal needs very little information in order to impersonate you. Your name, age, sex and address are all they need in order to start impersonating you. For more information about protecting your identity, see the UK Home Office’s Identity Theft website.

If you wish to read on about other laptops that have been stolen this week, the BBC is reporting another interesting theft of some laptops from some offices used by LogicaCMG that contain payroll information for 50% of the workforce of London’s Metropolitan Police.


Analysis: Symantec – operating systems on phones lag those on PCs by six years

Filed under: Mobile Device Security,Vendor Specific — webmaster at 4:44 pm on Wednesday, November 22, 2006

An article posted in The Register last week just caught my attention. It was quoting Paul Miller, head of Symantec’s Mobile and Wireless Security Group. In this article were a lot of statements which I disagree with. On this blog I try as best as I can to remain impartial and not promote or bash any one vendor more or less than any other, but in this case I can’t help but feel that what I read amounts to little more than a modified version of what I read one year ago in a Gartner Report.

This same Gartner report says that the same threats will increase, which is exactly the same thing that it said last year. Whilst I don’t want to quote Paul Miller out of context, I find statements such as this highly controversial:

“Plus, operating systems on mobile phones lag those on PCs by six years – and hackers attack the weakest link.”

Six years? Weakest link? What mobile device does he use? And from which vendor? I don’t think he could be further from the truth. For example, I would say that Microsoft could learn a lot from Nokia with regard to the security features in the new S60 3rd Edition operating system. Where are the Patch Tuesdays and Zero Day Wednesdays for Symbian? After all, the article went on to say:

Mobile phones will out-ship PCs by five to one this year, and are far more likely to be lost or stolen, according to statistics quoted by Symantec.

Miller continues:

But any computer attached to a network needs AV, and a smartphone is a computer and that IT staff need to target perhaps the top 5% of their users for additional defensive software such as firewalls and encryption, because they will be the senior execs and salespeople who keep critical business data on their phones.

This statement on the other hand is absolutely justified, and 5% might even be a little conservative. The threat of Flexispy as a tool for industrial espionage is very real, but statistically, you have a higher chance of misplacing or even losing your phone so I would put mobile encryption higher in the ‘must have’ list.

So is the picture as bad as mobile AV and PF vendors would have you believe? I don’t think so. They love to focus on Flexispy as it is perhaps the best example of any application that has emerged this year that can justify why a mobile AV&PF should be installed onto your smartphone. However, one critical factor has been overlooked in all of this: user education. With smartphones the only way to get infected is if the user clicks ‘yes’ to install something, e.g. over Bluetooth (yes, there are other ways to install software), but in general it’s down to the user. And we are starting to see implementation of content signed software. When this becomes more mainstream, how far will Bluetooth-propagating crimeware really get people if the application is unable to talk to the network?

So let’s see where we are at the end of 2007 with regard to mobile security trends. More of the same? I know where I’ll put my money…
