Few days ago Juniper Networks has released a report on the status of Android Malware. The results are not encouraging for the Android Addicted since they show a 472% increase in malware samples since July 2011 (see the infographic for details).
This does not surprising: already in May in its annual Malicious Mobile Threats Report, report, Juniper had found a 400% increase in Android malware from 2009 to the summer of 2010. This trend is destined to further grow since the Juniper Global Threat Center found that October and November registered the fastest growth in Android malware discovery in the history of the platform. The number of malware samples identified in September increased by 28%. whilst October showed a 110% increase in malware sample collection over the previous month and a noticeable 171% increase from July 2011.
As far as the nature of malware is concerned, Juniper data show that the malware is getting more and more sophisticated, with the majority of malicious applications targeting communications, location, or other personal information. Of the known Android malware samples, 55%, acts as spyware, 44%, are SMS Trojans, which send SMS messages to premium rate numbers without the user’s consent.
The reason for this malware proliferation? A weak policy control on the Android market which makes easier for malicious developers to publish malware applications in disguise. From this point of view, at least according to Juniper, the model of Cupertino is much more efficient and secure.
Easily predictable Google’s answer came from the mouth of Chris DiBona, open source and public sector engineering manager at Google. According to DiBona, Open Source, which is widely present in all the major mobile phone operating systems, is software, and software can be insecure. But Open Source becomes stronger if it pays attention to security, otherwise it is destined to disappear. In support of this statement he quotes the cases of Sendmail and Apache, whose modules which were not considered enough secure disappeared or came back stronger (and more secure) than ever.
But DiBona’s does not stop here (probably he had read this AV-test report which demonstrates that free Android Antimalware applications are useless): “Yes, virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and IOS. They are charlatans and scammers. IF you work for a company selling virus protection for android, rim or IOS you should be ashamed of yourself.”
From this point of view Google hopes that Ice Cream Sandwich will lead Android Security at the next level even if some features are raising security concerns among Infosec professionals.
In a certain sense one might say that it could be quite easy for Checkpoint to make predictions at this point of the year considered that we are in the middle of 2011 (and truthful predictions should already come true), but this is not my point of interest. My point of interest is the fact that, in my prevision evaluation of security predictions for 2011 (we were in December 2010), I was a little bit disappointed for the fact that it had not been possible to compare Check Point, a landmark in Network Security, with the other vendors since at that time it did not release any prediction for the current year. The perspective of this vendor, focused on network security, is a really interesting complement to the landscape (that is unifying endpoint, network and cloud security), since Check Point is considered the pioneer of modern firewall, as well as inventor of the stateful inspection technology, the foundation of network protection.
According to John Vecchi, head of product marketing for Check Point, the following areas will be on the radars and agendas of CISOs worldwide
- Virtualization and the cloud: according to him, the challenges associated with this trend include lack of skills in the security team, cost of new solutions and regulatory issues. To these challenges I would also add fragmentation of Cloud Environments which need powerful tools to normalize, securize and manage such environments. As a matter of fact we are experiencing the proliferation of Hypervisors, operating systems, services and application that must forcefully coexist each other on the same environment;
- IT consumerization: Tablets and Smartphones are becoming inseparable companions of Organizations and Enterprises, but, although they are breaking the line between personal and professional life, they have not been natively conceived for a professional usage, and this paves the way to new threats that need to be faced. According to the Israeli company 30% of enterprises are implementing tablet computers and by 2013, we will see a 100% increase in smartphone usage. Meanwhile, according to Juniper Networks, Android Malware increases 4 times faster…
- Consolidation and complexity in security. According to Check Point there is a huge trend to converge and unify information security technologies. This challenge is not a surprise: the company is well known among security professionals for the completeness of its management framework and the consolidation (of vendors and technologies) is a well consolidated trend in market, vendors and technologies;
- Web 2.0 and social media: this is another consolidated trend whose last (and more relevant) example is the affair of Primoris Era and the consequent risks of social espionage or social (media) engineering which can have a devastating impact for the Enterprises. But this is not the only risks: due to their six degrees of separations: social networks are a powerful (and reliable) mean to spread infections. In my opinion, this challenge is strictly related to IT consumerisation (as mobile technologies, social media is an example of consumer technologies which rapidly spread into Enterprise), and Enterprises are generally not prepared to face similar threats, which are increasingly pushing the users to cross the boundaries which separate personal and professional usage of their working tools. In both cases, in my opinion, the possible countermeasures are similar: not only technology but (most of all) education for users who should be made aware of risks deriving from crossing that line: would you ever store the last financial plan in the same computer when your son chats, surfs the web or share his life on Facebook? Why should you do on the same phone or tablet where you share your life (without considering the fact that data are continuously sent to Apple, Google and so on…).
- Data security and data loss: according to Check Point, $7.2m is the average cost of a data breach in 2011. USBs and laptops, corporate email and web mail are the largest sources of data ,loss. Agreeable security challenge, but too easy after the affair of Wikileaks.
- Threat landscape: according to Check Point, this can be broken down into two motives: Crime and profit, and Cyber-warfare and hacktivists. The biggest recent threats include stuxnet, operation aurora (belonging to the second category), and zeus zbot (belonging to the first). These are the so called Advanced Persistent Threats that are increasingly used not as “exercises of style” but as real weapons for fighting wars on the virtual battlefields or stealing money.
The last predictions have little to deal with security (in the sense that they are general concepts) but are worthwhile to be mentioned as well:
- Governance, risk and compliance: according to Check Point Governance and compliance has the greatest influence on the information security programme for 60% of companies. In my opinion this challenge goes in the same direction of consolidation and complexity in security which need unified management whose role, definitively is just to enforce the policy (at least this is my model);
- Cost-saving IT and Green IT: the latter two are strictly joined (and in a certain sense also joined with Cloud and virtualization). IT has always been considered an enabler: but probably in the current complicated situation it is not enough and IT must also support the enterprise to control costs (and moreover in this scenario information security must be a business process).
After analyzing Check Point’s Top Threats I enjoyed in comparing them with the available predictions of other vendors. Of course I had to do some assumptions, that is: I mapped the “Threat Landscape” to Advanced Persistent Threat, “IT Consumerization to Mobile”, and “Data Security and Data Loss” to Removable Media.
The results are represented in the following table:
Checkpoint confirms the mobile as the Top Threat for 2011 (as done, in total, by 6 of the 7 examined vendors, the only excluded, Kaspersky, simply put the mobile as a top threat for 2010). Similarly, Advanced Persistent Threats gained the preference of 5 vendors of the 7 examined, including Check Point, as Social Media did. Curiously, as far as Cloud and Virtualization are concerned, Checkpoint’s Top Challenge is similar to the one provided by Symantec (and Trend Micro): I would have expected more vendors addressing the Cloud and Virtualization as a key concern for the 2011 (and the examples of Epsilon, Amazon and Sony are particularly meaningful of the level of attention deserved by this technology).
On Facing the 2011 Top Security Challenges, particolarly meaningful for Check Point is the role played by the unified management technologies. This is not surprising since, on one hand, vendors and technologies are converging and consolidating themselves in few vendors with a multi-domain porfolio (the ast firm in order of example is Sophos with the acquistion of Astaro); on the other hand Check Point management technologies are considered the state-of-the-art for a unified management framework.
- Some Random Thoughts On The Security Market (paulsparrows.wordpress.com)
- What do RSA, Epsilon and Sony breaches have in common? (paulsparrows.wordpress.com)
The thought of this night is dedicated to yet another couple of android malwares detected (as usual) in China.
It was a bit of time that the droid was not sick, however, as the change of season is often fatal to humans, so it is for the Androids which caught two new infections in few days.
On May, the 11th, it was the turn of a new Trojan embedded, once again as in the case of the notorious DroidDream (but I’d rather say that malware is becoming a nightmare for the Google Creature) in official applications inside the Android Market. All the applications were published by the same developer, Zsone, and were suddenly removed by Google.
The Trojan, which affects Chinese users, is characterized by the ability to subscribe users in China to premium rate QQ codes via SMS without their knowledge. QQ codes, used primarily in China, are a form of short code that can subscribe users to SMS update or instant message services. The malware was embedded in 10 apps by the developer named Zsone available on the Android Market and alternative markets.
Once the user starts the app on their phone, the app will silently send an SMS message to subscribe the user to a premium-rate SMS service without their authorization or knowledge. This may result in charges to the affected phone owner’s mobile accounts. Even if the threat affects Chinese Android phone owners who downloaded the app from the Android Market, the total number of downloads attributed to this app in the Android Market has appeared to be under 10,000. All instances of the threat have been removed from the market.
On May, the 12th, it was the turn of ANDROIDOS_TCENT.A, discovered by Trend Micro. This malware, which only affects China Mobile subscribers (the state-owned service provider considered the world’s largest mobile phone operator), arrived to users through a link sent through SMS, whose message invited the China Mobile users to install a patch for their supposedly vulnerable devices by accessing the given link, which actually led to a malicious file (fake AV have landed on mobile devices as well).
The malware is capable to obtain certain information about the affected devices such as IMEI number, phone model, and SDK version and connects to a certain URL to request for an XML configuration file.
Two very different infections, having a common origin from China: the first example emphasizes once again the breaches into the security and reputation model of the Android Market. The second one features a well established infection model who is rapidly gaining credit (and victims) also in the mobile world: the SMS phishing. I think we will often hear speaking about in the next months.
The two malware infections came a couple of days after the Malicious Mobile Threats Report 2010/2011 issued by Juniper Networks which indicated a 400% increase in Android malware since summer 2010 and other key findings, several of which were clearly found in the above mentioned infections:
- App Store Threats: That is the single greatest distribution point for mobile malware is application download, yet the vast majority of smartphone users are not employing an endpoint security solution on their mobile device to scan for malware;
- Wi-Fi Threats: Mobile devices are increasingly susceptible to Wi-Fi attacks, including applications that enable an attacker to easily log into victim email and social networking applications
- 17 percent of all reported infections were due to SMS trojans that sent SMS messages to premium rate numbers, often at irretrievable cost to the user or enterprise
- Device Loss and Theft: according to the author of the report: 1 in 20 among the Juniper customer devices were lost or stolen, requiring locate, lock or wipe commands to be issued
Will it also be for these reasons that Smartphone security software market is expected to reach $2.99 billion by 2017? Maybe! Meanwhile I recommend to be very careful to install applications from parallel markets and in any case (since we have seen that this is not enough) to always check the application permissions during installation. Moreover, do not forget to install a security software if possible as the 23% of the droid users (among which there is me) does.
- Android market affected by SMS Trojans (nakedsecurity.sophos.com)
- Security Alert: Zsone Trojan found in Android Market (mylookout.com)
- Update: Android Malware DroidDream: How it Works (mylookout.com)
The intention by UK-headquartered company Sophos to acquire Astaro, the privately-held security company co-headquartered in Karlsruhe, Germany and Wilmington, Massachusetts (USA) is simply the last effect of the process of vendor consolidation acting in the information security market. It is also the trigger for some random thoughts…
In the last two years a profound transformation of the market is in place, which has seen the birth (and subsequent growth) of several giants security vendors, which has been capable of gathering under their protective wings the different areas of information security.
The security model is rapidly converging toward a framework which tends to collect under a unified management function, the different domains of information security, which according to my personal end-to-end model, mat be summarized as follows: Endpoint Security, Network Security, Application Security, Identity & Access Management.
- Endpoint Security including the functions of Antivirus, Personal Firewall/Network Access Control, Host IPS, DLP, Encryption. This component of the model is rapidly converging toward a single concept of endpoint including alle the types of devices: server, desktop, laptop & mobile;
- Network & Contente Security including the functions of Firewall, IPS, Web and Email Protection;
- Application Security including areas of WEB/XML/Database Firewall and (why not) proactive code analysis;
- Compliance: including the functions of assessment e verification of devce and applications security posture;
- Identity & Access Management including the functions of authentication and secure data access;
- Management including the capability to manage from a single location, with an RBAC model, all the above quoted domains.
All the major players are moving quickly toward such a unified model, starting from their traditional battlefield: some vendors, such as McAfee and Symantec, initiallty moved from the endpoint domain which is their traditional strong point. Other vendors, such as Checkpoint, Fortinet, Cisco and Juniper moved from the network filling directly with their technology, or also by mean of dedicated acquisitions or tailored strategic alliances, all the domains of the model. A further third category is composed by the “generalist” vendors which were not initially focused on Information Security, but became focused by mean of specific acquisition. This is the case of HP, IBM and Microsoft (in rigorous alphabetical order) which come from a different technological culture but are trying to become key players by mean of strategic acquisitions.
It is clear that in similar complicated market the position and the role of the smaller, vertical, players is becoming harder and harder. They may “hope” to become prey of “bigger fishes” or just to make themselves acquisitions in order to reach the “critical mass” necessary to survive.
In this scenario should be viewed the acquisition of Astaro by Sophos: from a strategical perspective Sophos resides permanently among the leaders inside the Gartner Magic quadrant but two of three companions (Symantec and Mcafee, the third is Trend Micro) are rapidly expanding toward the other domains (meanwhile McAfee has been acquired by Intel). In any case all the competitors have a significant major size if compared with Sophos, which reflects in revenues, which in FY 2010 were respectively 6.05, 2.06 and 1.04 B$, pretty much bigger than Sophos, whose revenues in FY 2010 were approximately 260 M$, about one fourth of the smaller between the three above (Trend Micro which is, like Sophos, a privately-owned company).
In perspective the acquisition may be also more appealing and interesting for Astaro, which is considered one of the most visionary players in the UTM arena with a primary role in the European market. Its position with respect to the competition is also more complicated since the main competitors are firms such as Fortinet, Check Point and Sonicwall which all have much greater size (as an example Checkpoint revenues were about 1.13 B $ in FY 2010 which sound impressive if compared with the 56 M $ made by Astaro in the Same Fiscal Year).
In this scenario, the combined company aims to head for $500 million in 2012.
Last but not least both companies are based in Europe (respectively in England and Germany) and could rely on an US Headquarter in Massachusetts.
From a technological perspective, the two vendors are complementary, and the strategy of the acquisition is well summarized by the following phrase contained in the Acquisition FAQ:
Our strategy is to provide complete data and threat protection for IT, regardless of device type, user location, or network boundaries. Today, we [Sophos] offer solutions for endpoint security, data protection, and email and web security gateways. The combination of Sophos and Astaro can deliver a next generation set of endpoint and network security solutions to better meet growing customer needs […]. With the addition of Astaro’s network security, we will be the first provider to deliver truly coordinated threat protection, data protection and policy from any endpoint to any network boundary.
Sophos lacks of a network security solution in its portfolio, and the technology from Astaro could easily fill the gap. On the other hand, Astaro does not own an home-built antivirus technology for its products (so far it uses ClamAV and Avira engines to offer a double layer of protection), and the adoption of Sophos technologies (considered one of the best OEM Antivirus engine) could be ideal for its portfolio of UTM solutsions.
Moreover the two technologies fit well among themselves to build an end-to-end security model: as a matter of fact Information security is breaking the boundary between endpoint and network (as the threats already did). Being obliged to adapt themselves to the new blended threats, which often uses old traditional methods to exploit 0-day vulnerabilities on the Endpoint, some technologies like Intrusion prevention, DLP and Network Access Control, are typically cross among different elements of the infrastructure, and this explains the rush of several players (as Sophos did in this circumstance) to enrich their security portfolio with solutions capable of covering all the information Security Domains.
Just to have an idea, try to have a look to some acquisitions made by the main security players in the last years (sorry for the Italian comments). Meanwghile the other lonely dancers (that is the companies currently facing the market on their own), are advised…
- Sophos to acquire Astaro – some reactions (nakedsecurity.sophos.com)
- Sophos Acquires Internet Security Appliance Maker Astaro (techcrunch.com)
- Application Security: What’s Next? (paulsparrows.wordpress.com)
During these days I enjoyed speaking with many colleagues about the results of the tests and definitively, I must confess that firewalls were not the only entities unaware the TCP Split Handshake, as a matter of fact, none of the professionals I discussed with (of course including me the first time I read about it) were familiar with this method of establishing TCP connections.
Nevertheless the show must go on: professionals must study to stay up-to-date (and learn what TCP Split Handshake is), firewalls (if susceptible to attack) must be fixed in order to learn how TCP Split handshake is correctly handled.
After the surprising findings of the test vendor are running for cover, so I spent half an hour to check the state-of-the-art after some communications from NSS Labs (unfortunately I was not able to attend the webinar of today) and some rumors on the Infosec arena.
Among the manufacturers found susceptible to TCP Split handshake attack during the first round, Palo Alto Networks has released an update (4.0.2) to fix the TCP Split Handshake Evasion, after the fix the manufacturer was able to pass the TCP handshake attack test.
As far as Juniper Networks is concerned, today a communication sent by E-mail by NSS Labs has indicated that this vendor is working on a fix as well: a configuration setting which will be enabled by default for new customers.
But probably the most interesting piece of news is the fact that today some Cisco representatives today went to NSS Labs to participate in the vulnerability-assessment on site and sort out any issues directly. Cisco refused to accept the results of the tests since was not able to reproduce the issue on any tested platform (ASA, IOS Firewall, IPS Appliances). An updated blog post about the findings is expected later today. NSS Labs also expects to publish updated findings related to what firewalls it tested have completed remediation to protect against the TCP Split Handshake attack.
Just for fun…
(But not only!), I gave a look individually to other vendors not involved in the tests to see if they had analyzed the behavior of their technologies on this issue.
Some McAfee representatives indicated me that their Enterprise Firewall platform is not prone to TCP Split Handshake attack. I looked for some information and I found this post from the vendor. Would be interesting if the security manufacturer from Santa Clara could release a more detailed documentation (maybe they already released but I did not find it J).
Stonesoft issued a blog post with the result of the test performed individually on its Stonegate Devices with the same BreakingPoint method pointed out in the original document describing the attack. The finding is that with the only firewall function the security device is not vulnerable if the “strict mode” is enabled in the advanced properties of the node. In normal or loose mode the traffic is permitted (even if Stonesoft indicates that the firewall does not get spoofed, that is correctly recognizes the origin of the session). With the antivirus function enabled the firewall is not vulnerable in any mode.
Astaro except some tweets indicating that the technology is not vulnerable. Would be interesting, also in this case, if the vendor could release some detailed document on the necessary configurations to be implemented to avoid the spoof (or if they are enabled by default).
At this point I look forward to read the result of Cisco/NSS joint tests…