Tag Archive: Security



Mobile security company Lookout has continued to expand its list of Android Market applications that have been found to contain malicious code known as ‘RuFraud’. Researchers spotted 22 malicious apps by the start of the week, prompting Microsoft to offer victims free Windows Phone handsets, while five more have been discovered since then.

The titles include several horoscope apps, wallpaper utilities that offer pictures from movies such as Twilight and Moneyball, fake downloaders for popular Android games such as Angry Birds, and fake free versions of other games.

Once downloaded, the apps trick users into agreeing to charges that will be applied to the bill due to SMS messages sent to premium numbers. The code appears to affect users in Europe and Asia, rather than North America.

Google has quickly pulled the offending titles from the app portal; however, the situation has given credence to criticism of the mobile platform’s security features. The company’s open approach is said to make it easier for attackers to post malicious apps without encountering problems in the approval process. Fragmentation is also seen as a potential problem, as most Android handsets are running older OS versions that lack the latest security protection.

Thanks: Electronista


The image of Android users as people who seek out danger and live on the edge may not be far from the truth. That’s the image that Verizon has been trying to project in some of its ads for the Droid Razr, and a new study from Websense suggests that it’s an accurate portrait – but in ways that Verizon would rather not project.

The study suggests that while iPhone users are happy to stay within the bounds of Apple’s walled garden, enjoying music and video from legitimate sources, Android users spend more time exploring the web’s less reputable districts.

Unlike iPhone users, Android owners spend more time reading about guns and ‘exploding shuriken’ than they do playing Angry Birds, and many of them venture out in search of information on hacking and other ‘illegal or questionable’ activities, as shown in the chart below. Almost all iPhone users get their apps exclusively from Apple’s carefully curated App Store, but Android users have no problem getting their apps from a wide variety of unsanctioned (and sometimes illegal) marketplaces.

While a lot of fuss has been made about Google’s lack of tight control over what apps get into their marketplace, users are really sticking their neck out by getting their apps elsewhere. It’s remarkably easy for a legitimate looking Android app to be repackaged with malware and most users won’t know the difference until they are already infected.

A lot of questions have been raised about the security of Google’s mobile OS. McAfee recently reported that Android was shattering records for mobile malware, with almost all new viruses being targeted at it. While Microsoft’s Windows Phone and Apple’s iOS remain relatively safe, some security experts are suggesting that it might be wise to keep your Droid protected with security software, as reported over at Monsters & Critics. Some have gone so far as to call Android the ‘smartphone Windows of the future,’ referring to the high number of security threats targeting Microsoft’s venerable OS.

Thanks: Neowin


Internet safety is a topic that we are all commonly reminded of as we move to an increasingly digital age. Now, another reminder of how much we willingly share with those we don’t know has been shown, as reported by the BBC.

Using what is known as a ‘socialbot’, researchers were able to acquire information in a study that a Facebook spokesperson rebuked as being “overstated and unethical”. A socialbot is a botnet adapted for usage on social networks. The worst part of the socialbot’s power is how affordable it is. Dubious websites offer the bots for sale over the internet for as little as 29 USD, or 18 GBP.

A socialbot differs from a normal botnet in the sense that it can pass itself off as a normal Facebook user. A regular botnet is a type of virus that can infect a user’s computer, and can make use of this to send out spam or partake in digital attacks against other websites. The socialbot takes control of an existing Facebook account, and is able to perform normal activities, such as posting statuses and sending friend requests.

The research was performed by four members of the University of British Columbia, with 102 socialbots being commanded by one ‘master’. The master sends commands to the other bots, which they then act upon. These commands would likely consist of seeking profiles and adding them. In the space of eight weeks, the bots sent out 8,570 friend requests and had 3,055 acceptances. The research showed a relation between the number of Facebook friends a user had and the likelihood of the socialbot being accepted as a friend.

Remaining within Facebook’s limitations for sending friend requests, the bots sent only 25 requests per day. Any more and the bots risked triggering the fraud detection and prevention system existing on Facebook. According to Facebook, the research is not reflective of how they prevent socialbots operating, as the accounts operated from ‘trusted’ university IP addresses. An IP address used by a real-life criminal operating socialbots would apparently raise alarm bells within the company.

Many people are now growing more aware of friend requests coming ‘out of the blue’, so to speak, and it reflects how people could be growing more aware of the people seeking to acquire more information, whether you intended to give them the information or not.

Thanks: Neowin


Facebook has announced two new features to try and improve the security of your account. The first, entitled Trusted Friends, allows you to designate three to five friends that can unlock your account for you if you forget the password. The other less interesting feature, called App Passwords, lets you assign a unique password to Facebook apps.

With Trusted Friends, if you lose your Facebook password you can have codes sent to your friends that let you access your account. What isn’t spelled out is whether you need all of the codes from your friends to unlock the account or if a single code will work. While this is being touted as a way to access your account if you lose both your Facebook and email account, this seems more like a backdoor to let intruders into your account. Even if all of your friends need to send you their codes to access the account, you’re still trusting that they are going to be secure themselves. Anytime you have a backdoor into an account, you end up weakening security, not strengthening it.

There are even fewer details about App Passwords. The concept is sound: Don’t share your Facebook password with 3rd-party applications. The actual implementation is still vague and, given the company’s security track record, who knows if it will work as intended.

Interestingly enough, the security infographic that Facebook released seems to be using the term Guardian Angels instead of Trusted Friends.

Thanks: Neowin


HTC has confirmed that it has commenced work on a patch for the gaping security hole that was discovered in its Android phones over the weekend. HTC has also acknowledged that the vulnerability could allow a maliciously crafted third-party application to access a customer’s data without permission. The company claims that it is working quickly to issue a security update for its Android devices.

However, as with all patches and updates for mobile devices, HTC cautions that the update process will require testing by its carrier partners. This is likely to hinder any speedy release of a fix, though, when it does arrive, it will be sent over-the-air.

HTC has urged its customers to install the update as soon as they get it, and to use caution when downloading and installing apps from untrusted sources in the meantime. The company also adds that it is unaware of any users who may have been affected by the security threat to date.

Thanks: Electronista


If you own an iPhone or iPad you might think that your chances are slim that you might pick up a virus, at least compared to using an Android device. However, there’s still a danger that you could lose your data or even lose your entire iOS device with the fear that someone else might access your private contacts and other information. Now, the well known security software maker McAfee (purchased by Intel earlier this year), has announced it will release a new iOS app called WaveSecure that’s designed for the individual user for data and theft protection.

The $20 app will allow users to wirelessly back up an iOS device’s contacts as well as photos and videos. If you need to, you can also wirelessly restore your contacts, even if those contacts are sent to an Android phone. If you happen to lose your iPhone or iPad, the WaveSecure app allows users to use a web-based solution to help track and locate a missing device. If you also feel that someone is going to use the info on your missing iPhone or iPad for nefarious purposes, you can also wipe out your contacts and restore them at a later date.

McAfee has previously released iOS security software for businesses (the Enterprise Mobility Manager) but this is the first time the company has released security software for general users of the iPhone and iPad. The WaveSecure app is available in a variety of languages from the iOS app store.

Thanks: Neowin


Microsoft today issued 13 security updates that patched 22 vulnerabilities in Internet Explorer, Windows, Office and other software, including one that harked back two decades to something dubbed “Ping of Death.”

Of Tuesday’s 13 updates, called “bulletins” by Microsoft, two were labeled “critical” (the most-serious rating in the company’s four-step score), nine were marked “important,” the next-most-dangerous category, and two were pegged as “moderate.”

Three of the 22 individual vulnerabilities patched today in the baker’s dozen of bulletins were rated critical. The remainder were split, 15 and four respectively, between important and moderate.

Researchers today called out MS11-057, which patches seven flaws in Internet Explorer (IE), as the most important to patch pronto.

“This is the anticipated IE update, about what we expected,” said Andrew Storms, director of security operations at nCircle Security, referring to Microsoft’s habit of updating its browser every two months. “The most important thing here is that it affects IE9.”

Today’s IE update was the second to patch critical vulnerabilities in IE9 on Vista and Windows 7. Microsoft first fixed a critical IE9 bug in June.

“MS11-057 affects all Windows versions, and all it takes is a malicious [Web] page to take control of a PC,” echoed Wolfgang Kandek, chief technology officer for Qualys. “It’s a no-brainer to put this at the top of the list.”

Other security experts from Symantec and Kaspersky Lab also highlighted the IE update as the one users should deploy first.

“Both of [the critical vulnerabilities] can be exploited by a drive-by download,” said Joshua Talbot, security intelligence manager with Symantec’s security response team, in an email. “The fact that vulnerabilities such as these continue to be so common is one reason why web-based attacks are so prevalent.”

Drive-by download attacks are those that can be triggered simply by steering a vulnerable browser to a malicious website. Users are typically duped into visiting such sites by search poisoning efforts or links embedded in spammed email messages.

Most experts, including those on Microsoft’s payroll, called out MS11-058 as the second update to apply as soon as possible.

That update patches a pair of vulnerabilities in Microsoft’s DNS (domain name system) service, which is used by many organizations to translate Internet addresses into the domains recognizable to humans.

Microsoft ranked one of the MS11-058 bugs as critical on Windows Server 2008 and Server 2008 R2 when running the DNS service, and warned that attackers could remotely exploit such servers simply by sending them a malformed query.

“[That] could potentially allow an attacker who successfully exploited the vulnerability to run arbitrary code on Windows Server 2008 and Windows Server 2008 R2 DNS servers having a particular DNS configuration,” said Microsoft in a follow-up post to its Security Research & Defense blog today.

“This is significant, as the majority of organizations running Microsoft-based networks do have DNS activated on their servers,” said Marcus Carey, a security researcher with Rapid7, in an email today.

Kandek seconded that as he pushed for MS11-058 to make second on the patch-ASAP list. “Microsoft’s DNS service is pretty widely deployed, many IT shops have it in place,” he noted.

Kandek and his colleague, Amol Sarwate, the manager of Qualys’ vulnerability research lab, expect attackers to closely examine the DNS patch in the hope of crafting a working exploit. “It’s going to be interesting to malware authors, who, if they successfully exploited it, could modify search results users see,” said Sarwate.

“I think this will be a good challenge for researchers because [DNS servers are] a good target,” added Kandek.

Microsoft pegged that vulnerability as a “3” on its exploitability index, indicating it doesn’t believe a reliable exploit will appear in the next 30 days.

Kandek wasn’t so sure, and said he wouldn’t be surprised if hackers figured out how to hit vulnerable DNS servers.

Unlike other researchers, nCircle’s Storms had a different pick for second place: MS11-064, an update that patched two bugs in the Windows TCP/IP stack.

The vulnerability marked “CVE-2011-1871” brought back memories for Storms.

“This looks like the ‘Ping of Death’ from the early-to-mid 1990s,” said Storms. “Then, when a specially-crafted ping request was sent to a host, it caused the Windows PC to blue screen, and then reboot.”

Two decades ago, the Ping of Death was used to bring down Windows PCs remotely, often as a way to show the instability of the operating system. “People would say, ‘You’re stupid to put your machines on the Internet,’” said Storms.

“My suspicion is that if this catches fire and someone writes a small attack tool and releases it, you could see [Windows PCs] blue screened at your local coffee shop,” Storms said, talking about the possibility of crashing machines on a free Wi-Fi network.

Storms said it appeared that today’s “Ping of Death” bug was a different vulnerability than Microsoft patched in its now-ancient OSes of the 1990s.

The bug exists in Windows Vista, Server 2008, Windows 7 and Server 2008 R2, Microsoft said, but not in Windows XP or Server 2003.

Others were less concerned with the new Ping of Death problem. “It’s definitely an old-school kind of attack,” said Sarwate of Qualys. “But if it is exploited, I think it would be more on the prank side.”

“There are easier ways to bring down a [Web] server than this,” said Kandek, when asked whether the vulnerability might be exploited by hacking groups such as Anonymous that have knocked major sites offline this year using traditional denial-of-service attacks.

Microsoft also patched other vulnerabilities in Windows, including two in remote access components of the OS and one in the kernel, as well as bugs in Visio, Visual Studio and the .Net Framework.

August’s security patches can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

Thanks: ComputerWorld / Fayerwayer