Posts Tagged ‘mobile-security’

The Evolution of Mobile Threats

Wednesday, June 30th, 2010

As mobile phones continue to evolve, they’ve become nearly as fast, powerful, and connected as personal computers. With this transformation has come drastically increased susceptibility to malware and viruses, as consumers use their internet-connected phones to download apps and access banking information.

Originating in the days of simplistic cell phones, these threats have evolved along with the devices themselves, and an independent security researcher recently traced their development in a post on the meedabyte blog.

In the article, security expert Cristofaro Mune cites online app stores–carrying thousands of smartphone applications from thousands of third-party developers–and the high-speed data capabilities of today’s 3G and Wi-Fi devices as two of the recent advancements that make today’s mobile phones increasingly vulnerable to viruses and malware.

Juniper Exec: 4G Devices Bringing Malware with Speed

Monday, June 21st, 2010

A recent Network World article describes the new security vulnerabilities posed by the latest smartphone technologies — specifically the new, high-speed 4G mobile networks. Because today’s smartphones have processors, storage capacities and network connection speeds that nearly rival those of PCs, they are becoming increasingly subject to the same malware and security threats that have long afflicted the PC market.

4G makes the situation more accelerated…. And what will really accelerate the growth of mobile malware and spyware will be the volume of traffic that people will be able to use. Data usage will increase and there are going to be more places that will get infected.

This is expected to become a serious concern for enterprise IT, as more executives use smartphones — and the various apps downloaded to these phones — to access corporate data in and out of the workplace. The Network World article describes a number of tactics integral to protecting enterprise security in the presence of mobile devices, including:

  • remote wipe functionality on all mobile devices (in the event that a device is lost or stolen)
  • native application control capabilities allowing IT to specify which apps are and aren’t permitted on a company network-connected device

Network World also notes that anti-malware technology specifically designed for these high-powered mobile devices is still in its infancy.

Windows Mobile Malware Targets Gamers

Wednesday, June 16th, 2010

We’ve already posted about the growing threat of mobile malware as the mobile/smartphone market expands faster than security can keep up with it.

A recent article on The Register reports that a downloadable game for the Windows Mobile platform — 3D Anti-Terrorist Action — has been discovered to contain a Trojan that could potentially cost its victims a considerable amount of money. The infected version of the game, available from a number of Windows Mobile download sites, contains the “Terdial-A” Windows-CE Trojan, which makes expensive, international calls with the user’s phone. Victims are typically unaware of the malware until they receive the shocking mobile phone bill.

Internet security firm Sophos believes the infected game is the work of a Russian-speaking hacker who is likely attempting to access some of the money from the pricey calls.

iPad Security Breach Embarrasses Apple, AT&T

Wednesday, June 9th, 2010

A recent report on Gawker details the discovery of a security breach that has exposed the email addresses of over 100,000 iPad owners–among them high-ranking government and military officials and media moguls–along with corresponding iPad ICC-ID data that could potentially leave the devices open to spam and malware. The ICC-ID is a device-specific identifier used to authenticate each iPad’s SIM card on the AT&T network.

The breach was discovered by security research group Goatse Security, who successfully captured approximately 114,000 iPad owner email addresses and their corresponding ICC-IDs.

According to Gawker,

Goatse Security obtained its data through a script on AT&T’s website, accessible to anyone on the internet. When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad “Settings” application.

To make AT&T’s servers respond, the security group merely had to send an iPad-style “User agent” header in their Web request. Such headers identify users’ browser types to websites.

The group wrote a PHP script to automate the harvesting of data.

Even more shocking is the list of compromised iPad owners. Gawker reports that among the victims of the breach are:

  • multiple devices registered to DARPA (US Dept. of Defense)
  • House of Representatives, US Senate, Dept. of Homeland Security, FCC and NASA staff members
  • a US Air Force Commander
  • Diane Sawyer of ABC News
  • New York City Mayor Michael Bloomberg
  • New York Times CEO Janet Robinson
  • high-level executives at Dow Jones, HBO, Viacom, and Time Warner
  • White House Chief of Staff Rahm Emanuel

The security researchers who discovered the breach notified AT&T (who has since publicly confirmed the vulnerability) and the issue has been corrected.
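
The pattern Gawker describes, one client asking a lookup script about many different ICC-IDs, is visible in web access logs. The following is an added example, not code from the original post, Gawker, or AT&T; the log format, the `/lookup` path, the `iccid` parameter name, the threshold, and all sample values are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed log format: client IP, request line, status, User-Agent.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) "GET /lookup\?iccid=(?P<iccid>\d{19,20}) HTTP/1\.[01]" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

def build_sample_log():
    """Constructed sample: two ordinary clients, one walking a range of IDs."""
    # Every client sends the same iPad-style User-Agent, so that header
    # cannot separate the ordinary clients from the enumerating one.
    ua = "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X)"
    req = '{ip} "GET /lookup?iccid={iccid} HTTP/1.1" {status} "{ua}"'
    lines = [
        req.format(ip="203.0.113.10", iccid="8901410000000000111", status=200, ua=ua),
        req.format(ip="203.0.113.10", iccid="8901410000000000111", status=200, ua=ua),
        req.format(ip="203.0.113.22", iccid="8901410000000000555", status=200, ua=ua),
    ]
    base = 8901410000000002000  # constructed value, not a real ICC-ID
    for i in range(40):
        status = 200 if i % 3 == 0 else 404
        lines.append(req.format(ip="198.51.100.7", iccid=base + i, status=status, ua=ua))
    return lines

def find_enumerators(lines, max_distinct_ids=5):
    """Flag clients that queried more distinct ICC-IDs than one owner plausibly has."""
    ids = defaultdict(set)
    misses = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a lookup request in the assumed format
        ids[m["ip"]].add(m["iccid"])
        if m["status"] == "404":
            misses[m["ip"]] += 1
    flagged = {}
    for ip, seen in ids.items():
        if len(seen) > max_distinct_ids:
            ordered = sorted(int(x) for x in seen)
            # Adjacent values suggest a guessed range rather than real devices.
            adjacent = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
            flagged[ip] = {"distinct_ids": len(seen),
                           "adjacent_pairs": adjacent,
                           "not_found": misses[ip]}
    return flagged

if __name__ == "__main__":
    print(find_enumerators(build_sample_log()))
```

Detection of this kind only reports the harvesting after the fact; the underlying weakness is that the lookup returned an email address to any caller that knew or guessed an identifier.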

FBI Warns of Growing Mobile Malware Threat

Tuesday, June 8th, 2010

A recent Wall Street Journal article discusses the growing concern among experts that mobile app security is not keeping up with the rapidly expanding smartphone/mobile market.

“Mobile phones are a huge source of vulnerability,” said Gordon Snow, assistant director of the Federal Bureau of Investigation’s Cyber Division. “We are definitely seeing an increase in criminal activity.”

The FBI’s Cyber Division recently began working on a number of cases based on tips about malicious programs in app stores, Mr. Snow said. The cases involve apps designed to compromise banking on cellphones, as well as mobile “malware” used for espionage by foreign nations, said a person familiar with the matter. To protect its own operations, the FBI bars its employees from downloading apps on FBI-issued smartphones.

The article points out that while some believe Google’s Android Market to be less secure than other mobile app stores (due to its apparently less strenuous vetting process for new apps), even apps from Apple’s iPhone App Store could pose potentially harmful security threats to users.

New Android Apps for Wiretap-proof Communications

Sunday, June 6th, 2010

Just released for public beta, two new apps promise wiretap-proof communications for wary users of Android-based smartphones. Developed for Google’s Android mobile platform by hacker Moxie Marlinspike and his startup Whisper Systems, the “RedPhone” app encrypts calls made over VoIP using ZRTP, an open source cryptography scheme. Their “TextSecure” app employs a similar open source cryptography method known as “Off The Record” to send and receive scrambled text messages. As he described in a recent Forbes.com blog posting, Marlinspike intends for the apps to be used in place of Android phones’ built-in calling and texting systems, thereby subverting insecure communication systems.

We’ve entered this really problematic situation where we have insecure infrastructure everywhere, communications being broadcast in the air around us, and anyone with a bit of radio equipment can reach out and intercept communications…. Individuals need to start taking steps to protect their privacy and the confidence of their communications.

According to the article, the number of wiretaps made legally has “exploded” since the passage of the Communications Assistance for Law Enforcement Act of 1994, which required developers to include backdoors for law enforcement in their products.

Marlinspike plans to submit his apps to Apple for use on the tightly-controlled iPhone as well, though the company’s strict review process may present a challenge.

Symantec Makes Strategic Investment in Mocana

Wednesday, May 26th, 2010

Following closely on the heels of their purchases of PGP and VeriSign, Symantec has made a major investment in smart-device security specialist Mocana, actually leading the company’s C-round of venture financing. As part of Symantec’s new “Norton Everywhere” initiative–aimed at securing the growing world of internet-connected, non-PC devices–the resulting technology partnership will expand Symantec’s offerings into the “Internet of Things.”

More on today’s announcement:

Create Your Own Cellphone Network

Sunday, May 2nd, 2010

While most of us depend on major carriers for cell phone service, it is now possible to create small GSM networks for relatively little expense using parts that can be found at many hardware stores. Within these networks callers can communicate between handsets on a local level, and on an internet-enabled system calls can be made over VoIP.

Users savvy enough to attempt this feat can do so with the help of OpenBTS systems, who created the project as a means to provide cellphone service in areas without the proper infrastructure. So far it has been implemented on the South Pacific island of Niue and at the Burning Man Festival in Black Rock Desert, Nevada.

The system can operate on a basic PC setup running the open-source software Asterisk, can be powered by batteries normally used in boating, and requires a simple universal software radio peripheral for connection. And by recreating the technology used in the global GSM network, OpenBTS is compatible with most consumer handsets. However, how this kind of “DIY” network solution affects the security of the data being transmitted remains to be seen.

Researchers Find Ways to Track and Spy on Mobile Phones, Legally

Wednesday, April 28th, 2010

A recent article on CNET reports that researchers have found a way to target a person’s mobile phone, obtain its number, locate the phone geographically, track the movements of the phone and its owner, and ultimately listen to the phone’s voicemail messages. But the most shocking aspect of this cyber-spy scenario is that it is completely legal, using databases and protocols that are part of the mobile telecommunications system.

As one researcher described it:

If I want to find Brad Pitt, I find his number using the caller ID database, use Home Location Register access to figure out what provider he has. T-Mobile is vulnerable to voice mail spoofing so I get into his voice mail and listen to his messages…. But I can also have the system tell me the numbers of the callers and I can take those numbers and look them up in the caller ID database and use the Home Location Register system to find their providers and break into their voice mail, and so on.

Will Update Make iPhone Enterprise-ready?

Tuesday, April 13th, 2010

Since its release less than three years ago, the Apple iPhone has become a massively successful network device. With its always-on connectivity and access to an enormous range of third-party apps, consumers have flocked to the iPhone around the world. But as they bring these devices into the corporate environment, these same features become serious concerns for enterprise IT experts attempting to ensure the security and integrity of a company’s data.

But, as recently reported on Australia’s IT News, the iPhone could soon be enterprise-ready, thanks to the coming iPhone OS 4.0 update from Apple.

A prominent feature of the new OS is a “Mobile Device Management Service” which allows IT managers to remotely configure and monitor a corporate fleet of iPhones — similar to what many enterprise networks already use for Blackberry and Windows Mobile smartphones. This would also allow for the remote locking or wiping of iPhones in the event of loss, theft, or security breach. The update also offers more advanced data encryption and password management features, as well as enterprise-wide app distribution.

Additionally, the new iPhone OS will have support for SSL VPN applications, as well as Microsoft Exchange Server 2010 — important features if the iPhone is to become widely accepted for enterprise email use.