Do you remember Mobile Phishing and the related risks? Well This morning I had a bad surprise and could see it anction with my hands (or better with my fingers on the display of my Android Device).
This morning I woke up early (6 AM) since I previously arranged a travel to my hometown which takes approximately 4 hours. As usual I have the bad habit to check email upon awakening, directly from my Android device. This morning found a strange DM strange DM on my Twitter Account:
This made me laugh so hard when i saw this about you lol hxxp://t.co/AusOXeQ
I already exchanged some DMs in English with this contact, so, the content was not so strange (probably a similar message from an Italian contact would have received a different impact and triggered an alarm bell). Moreover I suppose my neurons were not completely up and running (actually they are rerely in this state), so a little bit for curiosity, a little bit for fun I clicked the link directly from my mobile device.
In the following screenshots you may realize how easy and dangerous for the user, mobile phishing is: as a matter of facts the link points to a bogus Twitter-like site, but, believe me, from a 3.7″ screen is really difficult to discriminate it.
The page is really similar to the real one:
But yes, if you look carefully at the address bar (but at the 6 AM with the sleep fog surrounding you is not so easy) you will notice a misplaced detail and it is the link (currently up): hxxp://www.ltwittier.com/session-verify (but not all the address is visibile on the bar). If you click on the text box the situation is even worse since the address bar, a default beaviour for the Android Browser, disappears.
Needless to say, if you login, your account will be hacked and your contacts will suffer the same fate.
This event shows how easy is to fall victim of phishing in case of mobile devices and, even worse, in case the bait comes from Social Network (and a professional social network how Twitter is for me, in which I trust the reputation of my contacts).
Always remember to check the links and be careful to follow strange links from mobile devices!
If you point to the incomplete link: hxxp://www.ltwittier.com/ there is a clear evidence of the fact that the site is bogus:
http://paulsparrows.files.wordpress.com/2011/09/wronglink.png” alt=”" width=”300″ height=”494″ />
Just a couple of months ago, in writing the first post about Mobile Warfare (which should have later become Consumerization of Warfare) I expressed some considerations about the growing need for illiberal government to prevent the use of mobile devices as preferred media for the rioters to capture live images of the events, and to spread the information all around the Globe by mean of Social Networks.
Cutting off the Internet has been the first clumsy countermeasure applied by Egypt and Syria, but it is really unlikely that this kind of massive preventive block will be applied again by other countries because of the huge dependence of Internet, which characterizes our epoch, and consequently, as a collateral damage, would stop other vital activities.
As a consequence, I hypothesized that possible future countermeasures will aim to make unusable directly the source of information (read mobile devices), and the media for sharing them (read social networks), relying upon a new generation of Cyber-warfare among which:
A massive Denial of Service for mobile devices through massive exploit of vulnerabilities (more and more common and pervasive on this kind of devices), through massive mobile malware deployment or also by mean of massive execution of mobile malware (as, for instance, Google did in order to remotely swipe the DroidDream malware). Honestly speaking I consider the latter option the less likely since I can easily imagine that no manufacturer will provide cooperation on this (but this does not prevent the fact that a single country could consider to leverage this channel).
No manufacturer will provide cooperation on this? Maybe… Too many times reality surpasses imagination, and when it comes to reality that surpasses the imagination, then surely it comes from Apple. This time, unfortunately, not in the sense that we’re used to (admiring products years ahead of the competition, which previously did not exist not even in our imagination), but in the sense that a patent recently filled by Apple could implicitly provide cooperation for illiberal governments to prevent smartphones to take live images of protests.
It looks like that Apple is Apple is developing software that will sense when a smartphone user is trying to record a live event, and then switch off the device’s camera (only the camera, the other functions will not be affected) by mean of infrared sensors directly installed on the device. The real reason is probably the need to prevent concertgoers to post footage of events on YouTube or other similar sites (at the expense of the organizers which sometimes sell sell their own recordings of the events), which could potentially allow Apple to negotiate better conditions with labels when dealing for placing music on sale on iTunes (and could also potentially provide another source of revenue by charging people to film live events).
But besides commercial considerations, there is another important aspect (a collateral damage I would say). The events of recent months have shown us that the concerts were not the only places where the phones have been used to capture live images. In North Africa and Middle East they have been used to document repression and illiberality. But what would have happened if this technology had really been developed? Probably it would have limited the effect of the winds of change in Tunisia, Egypt, Syria and Libya, since Mobile Devices (and their cameras) played (and are playing) an important role to witness the real entity of the events.
Imagine if Apple’s device had been available to the Mubarak regime earlier this year, and Egyptian security forces had deployed it around Tahrir Square to disable cameras just before they sent in their thugs to disperse the crowd.
Would the global outcry that helped drive Mubarak from office have occurred if a blackout of protest videos had prevented us from viewing the crackdown?
This is more than speculation. since thousands of cellphone cameras in the Middle East and North Africa have been used to document human rights abuses and to share them with millions via social media. I went in Libya approximately a month before the beginning of the revolution and I was astonished by the number of iPhones noticed over there.
This is more than speculation also because the role of mobile technologies for the above mentioned events has been recognized also by Mr. Obama during his speech on Middle East.
As correctly stated, Smartphones like the iPhone and Droid are becoming extensions of ourselves. They are not simply tools to connect with friends and family, but a means to document the world around us, engage in political issues and organize with others. They literally put the power of the media in our own hands.
Apple’s proposed technology would take that power away, that is the reason why the community is moving in order to urge Steve Jobs to pull the plug on this technology.
- Consumerization of Warfare (paulsparrows.wordpress.com)
- Mobile Warfare (paulsparrows.wordpress.com)
- Now Apple wants to block iPhone users from filming live events with their smartphone (dailymail.co.uk)
- Is Apple Launching a Pre-emptive Strike Against Free Speech? (huffingtonpost.com)
- Apple’s bizarre patent (openmobile.posterous.com)
Today I took part as speaker to an event organized by my Company concerning Cloud and Mobile security. For this occasion I prepared some slides summarizing some concepts spread all over my blogs.
In my vision (you should know if you follow my blog) mobile vulnerabilties are mainly due to:
- False security perception by users: they consider their device as a “simple” phone, forgetting they bring a small dual-core in their pockets;
- “Light” behaviour from users: Sideloading, Jailbreak and Rooting are not good security practices;
- Consumerization of Devices: well known (partially abused) concept: some mobile devices come from the consumer world and hence do not natively offer enterprise class security or suffer from intrinsic vulnerabilities:
- Consumerization of Users: many users think they have consumer device so they think they do not deserve enterprise class security measures.
And the risks are:
- False Security Perception leads to high probabilities of theft or loss of the device, and most of all, of its data;
- “Light” behaviour from users dramatically increases the probability to directly install malware or surf towards insecure shores…
- Consumerization of Devices leads to vulnerabilities that may be exploited to access and steal sensitive data or authentication credentials;
- Consumerization of Users leads the users themselves to adopt imprper habits not appropriate for an enterprise use, which in turn make the device even more vulnerable to malware (i.e. installing non business application, lending it to others, etc.).
How to mitigate the risks?
- Educate users to avoid “promiscuous” behaviours (no root or sideloading or jaibreak, do not accept virtual candies from unkown virtual persons);
- At an organizational Level, define security policy for managing (un)predictable events such as device thieft or loss;
- Beware of risks hidden behind social Network;
- Use (strong) Data Encryption;
- Do not forget to use security software;
- Enforce Strong Authentication;
- Keep the device update.
This in turn corresponds to enforce a device management policy in which mobile devices are treated like “traditional” endpoints (but they will sone become tradional endpoints).
You may find the slides on SlideShare… They are mainly in Italian but if you want, ask me and I will provide an additional translated version.
- 464,856 hits since November 2010
08/13/2011 - My Post on Android Malware Mentioned on Engadget.
04/14/2011 - The Article Smart Grid: L'ultima Frontiera del Cybercrime published on ICT Security Magazine May 2011.
03/14/2011 - Security Summit 2011: Paolo Passeri guest at Round Table "Mobile Security: Rischi, Tecnologie, Mercato"
02/14/2011 - The Article Gears of Cyberwar published on ICT Security Magazine January 2011.
About This Blog
In this blog I express my personal opinion, which does not necessarily reflects the opinion of my organization, about events and news or interest, concerning information security, winking to mobile world and, why not, to some curious personal event.
Every information is reported with its source.
Anyone intending to use information contained in my post is free to do so, provided that mention my blog in your article.
Top Posts & Pages
- List Of Hacked Celebrities Who Had (Nude) Photos Leaked
- 2012 Cyber Attacks Statistics
- 1-15 May 2013 Cyber Attacks Timeline
- 2012 Cyber Attacks Timeline Master Index
- A (Graphical) World of Botnets and Cyber Attacks
- March 2013 Cyber Attacks Statistics
- April 2013 Cyber Attacks Statistics
- 2013 Cyber Attacks Timeline Master Index
- May I Be Arrested For Using LOIC?
- About Me
- 1-15 May 2013 Cyber Attacks Timeline hackmageddon.com/2013/05/23/1-1… #Infosec - 2 days ago
- Apparently someone flags the Cisco Website as malicious... virustotal.com/en/url/fb74e6d… - 2 days ago
- RT @marco_cova: IE8 0-day exploit (CVE-2013-1347) analyzed on Wepawet: bit.ly/13IZs2E - 3 days ago
- RT @jc_vazquez: Vista Equity Partners to Buy Websense #News #InfoSec on.wsj.com/13BfWaw via @WSJ - 5 days ago
- Pentagon OKs Androids, BlackBerrys for soldiers nakedsecurity.sophos.com/2013/05/07/pen… - 6 days ago
- April 2013 Cyber Attacks Statistics wp.me/p14J6X-2oX - 6 days ago
- RT @LastlineLabs: Marco Cova from Lastline talking about hacktivism on Italian TV ow.ly/l8Az6 - 1 week ago
- RT @lastlineinc: Malware can make itself invisible: in the case of RSA security's breach, malware went undetected for 1/2 year http://t.co/… - 1 week ago
- RT @gianlucaSB: SMS-based command and control protocols are here ow.ly/l47Ye - 1 week ago
- Skype with care Microsoft is reading everything you write h-online.com/security/news/… - 1 week ago