
Posts Tagged ‘Mobile Security’

Looking Inside a Year of Android Malware

August 14, 2011 2 comments

As you probably know, my birthday post for Android malware earned a mention from Engadget and Wired. Predictably (though not for me), the Engadget link was flooded by comments from Android supporters and adversaries, with possible troll infiltrations, to the point that the editorial staff decided to disable comments on the article. The effect was so surprising that someone even insinuated, among other things, that I had been paid to talk s**t about Android.

Now let me get some rest from this August Italian sun and try to explain why I decided to celebrate this strange malware birthday for Android.

First of all I want to make one thing clear: I currently own an Android device, and I have convinced, where possible, all my relatives and friends to switch to Android. Moreover, I consider the Google platform an inseparable companion for my professional and personal life.

So what’s wrong? If you scroll through the malware list you will easily notice that the malware always requires explicit consent from the user, so at first glance the real risk is the extreme trust that users place in their mobile devices, which they no longer consider “simple” phones (even if smart) but real extensions of their personal and professional lives.

You might say that this also happens with traditional devices (such as laptops), but with mobile devices there is a huge social and cultural difference: users are not aware that they carry dual-core (very soon quad-core) mini-PCs in their pockets, and they are not used to applying the same attention their old-world traditional devices deserve. The small display size also makes these devices particularly vulnerable to phishing (consider for instance the Android.GGTracker malware).

If we focus on technology instead of culture (without limiting the landscape to mobile), it is easy to verify that developing malware (which nowadays is essentially a cybercrime activity) is a trade-off between different factors affecting the potential target, which include at least its level of diffusion and its value for the attacker (in a mobile scenario the value corresponds to the value of the information stored on the device). The intrinsic security model of the target is, at least in my opinion, a secondary factor, since the effort needed to overcome it is simply commensurate with the value of the potential plunder.

What does this mean in simple words? It means that Android devices are growing exponentially in terms of market share and are increasingly being used for business too. As a consequence there is a greater audience for attackers and a greater value for the stored information (belonging to the owner’s personal and professional sphere), and the sum of these factors is inevitably attracting cybercrooks towards this platform.

Have a look at the chart plotting the Google OS market share in the U.S. (comScore data) against the number of malware samples over the last year (market share data for June and July are currently not available):

So far the impact of the threats is low, but what makes the Google platform so prone to malware? Certainly not vulnerabilities: everything with a line of code is vulnerable, and, at least for the moment, a recent study from Symantec has found only 18 vulnerabilities for the Google OS against 300 found for iOS (please do not question the different ages of the two OSes; I only want to show that vulnerabilities are common and that in this context Android is comparable with its main competitor).

Going back to the initial question there are at least three factors which make Android different:

  1. The application permission model relies too heavily on the user,
  2. The security policy for the market has proven to be weak,
  3. The platform too easily allows installing applications from untrusted sources via the sideloading feature.

As far as the first point is concerned: some commenters correctly noticed that apps do not install themselves on their own but need, at least for the first installation, the explicit consent of the user. Well, I wonder: how many “casual users”, in your opinion, regularly check permissions during application installation? And, even worse, what about business users, the likely targets of cybercrime, who consider the device a mere work tool: do you really think that business users check app permissions during installation? Of course a serious organization should avoid the associated risks with a firm device management policy before considering a wide deployment of such devices, most of all among CxOs; but unfortunately we live in an imperfect world, and too often fashion and trends are faster (and stronger) than security policies, and also lead the device to be used mainly for things other than its primary business role, hugely increasing the risks.

This point is a serious security concern; as a matter of fact many security vendors (in my opinion the security industry is lagging in this context) offer device management solutions aimed at complementing the native application access control model. Besides, it is not a coincidence that some rumors claim Google is going to modify (enhance) the app permission security process.
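The point about users tapping through permission screens is what device-management tooling tries to compensate for: somebody other than the installing user looks at what the app declares. The following is an added example, not code from the original post or from any vendor product. It parses the `<uses-permission>` entries of an AndroidManifest.xml and flags combinations that a phone-only mindset overlooks. The permission strings are real Android permission names; the rule set and the two sample manifests are constructed for the example.

```python
"""Added example: triage the permissions an Android app declares in its
AndroidManifest.xml and surface combinations a human reviewer should weigh.
Not code from the original post; rule set and sample manifests are constructed."""
import xml.etree.ElementTree as ET

# Namespace prefix ElementTree uses for the android:name attribute.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed rule set (assumption): a finding fires when every permission in
# the set is declared.  Each capability maps to an abuse pattern seen in
# mobile malware (premium SMS, OTP theft, device fingerprint exfiltration).
RISK_RULES = [
    ("can send SMS (premium-rate fraud)",
     {"android.permission.SEND_SMS"}),
    ("can read incoming SMS (one-time password theft)",
     {"android.permission.RECEIVE_SMS"}),
    ("can read device identifiers and reach the network (fingerprint exfiltration)",
     {"android.permission.READ_PHONE_STATE", "android.permission.INTERNET"}),
    ("can track location and reach the network",
     {"android.permission.ACCESS_FINE_LOCATION", "android.permission.INTERNET"}),
    ("can read contacts and reach the network",
     {"android.permission.READ_CONTACTS", "android.permission.INTERNET"}),
]

# Constructed sample: a flashlight that asks only for the camera (for the LED).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA" />
  <application android:label="Flashlight" />
</manifest>"""

# Constructed sample: a "wallpaper" app whose permission list reads like spyware.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.READ_PHONE_STATE" />
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
  <uses-permission android:name="android.permission.RECEIVE_SMS" />
  <uses-permission android:name="android.permission.SEND_SMS" />
  <application android:label="Free Wallpapers" />
</manifest>"""


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name="..."> values."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def risk_findings(manifest_xml: str) -> list:
    """Return the label of every rule whose permission set is fully declared."""
    perms = declared_permissions(manifest_xml)
    return [label for label, required in RISK_RULES if required <= perms]


def review(manifest_xml: str) -> str:
    """One-line verdict of the kind a management console would show an admin."""
    findings = risk_findings(manifest_xml)
    if not findings:
        return "OK: no risky permission combination declared"
    return "REVIEW: " + "; ".join(findings)


if __name__ == "__main__":
    for name, manifest in (("flashlight", BENIGN_MANIFEST), ("wallpapers", SUSPECT_MANIFEST)):
        print(f"{name}: {review(manifest)}")
```

The check is deliberately coarse: it reasons only about declared permissions, which is exactly the information the installation dialog shows the user, so it demonstrates how much signal is already there for anyone who actually reads it.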

As far as the second point is concerned (Android Market security policy), after the DroidDream affair (and the following fake security update), it is clear that the Android Market publishing (and security) model needs to be modified, making it more similar to the App Store. There are several proposals in this context; of course it is not my intention here to question them, but only to stress that the issue is real.

Last but not least, sideloading is something that makes Android very different from other platforms (read Apple): Apple devices do not allow installing untrusted apps unless you jailbreak the device. Android simply needs the user to flag an option (by the way, many vendors are opening their Android devices to rooting or alternate ROMs: consider for instance LG, which in Italy does not invalidate the warranty for rooted devices, or HTC, which on May 27 stated they will no longer lock the bootloaders on their devices).

So, definitively, the three factors above (together with the growing market share) make Android more appealing for malware developers, and this is not due to an intrinsic weakness of the platform but rather to a security model that is mainly driven by the user and not locked down by the manufacturer, as happens in the case of Cupertino.


Sometimes They Come Back

June 6, 2011 1 comment

Not even a week after the light version of DroidDream, a new nightmare rises from the Android Market to menace the dreams of glory of the Google mobile OS (which has just confirmed its #1 rank in the comScore April 2011 U.S. Mobile Subscriber Market Share Report).

Curiously, the new malware too, discovered by F-Secure and dubbed Android/DroidKungFu.A, “has its roots” in DroidDream, since it uses the same exploit, rageagainstthecage, to gain root privileges and install the main malware component.

Once installed, the malware has backdoor capabilities and is able to: execute a command to delete a supplied file, execute a command to open a supplied homepage, download and install a supplied APK, open a supplied URL, and run or start a supplied application package.

Of course, anyone familiar with Android malware can easily imagine the next step of the infection: the malware is in fact capable of obtaining some information about the device and sending it to a remote server. The collected information includes: IMEI number, build version release, SDK version, the user’s mobile number, phone model, network operator, type of network connectivity, SD card available memory, and phone available memory.

In a few words, the device is turned into a member of a botnet (without realizing it, we are closer and closer to Phase 4 of mobile malware; consult slide 9 of my presentation for the different phases of mobile malware).

Guess where the malware was detected first? Of course in some parallel markets in China, at least according to some researchers at North Carolina University who detected two infected applications in more than eight third-party Android app stores and forums based in China. Nothing new under this June sun. Luckily the researchers haven’t found infected apps in non-Chinese app stores… At least so far.

As previously stated, DroidKungFu takes advantage of the same vulnerabilities as DroidDream, but this time the situation seems to be much worse. As a matter of fact, it looks like DroidKungFu is capable of avoiding detection by security software.

The malware works best on Android 2.2 and earlier, but owners of later versions of Android are not entirely safe: the security patches severely limit DroidKungFu, but the malware is still able to collect some user data and send it to a remote site.

Again, follow basic, common-sense guidelines for smartphone security in order to mitigate the risks of infection (here you may find some useful suggestions), especially because Google Wallet is at the gates and I dare not even think of the aftermath of malware leveraging vulnerabilities in the Secure Element.

If Phishing Goes Mobile…

May 30, 2011 5 comments

One of the most surprising things I noticed concerning the Lockheed Martin affair was the statement in the Reuters article, made by Rick Moy, president of NSS Labs, indicating that the initial RSA attack was followed by malware and phishing campaigns seeking specific data to link tokens to end users (indirect evidence that the same authors were behind the infamous RSA breach and the Lockheed Martin attack).

My initial surprise only lasted a few seconds, since this year is showing us a brand new role for phishing attacks, which are more and more targeted at stealing sensitive corporate data and constitute the first stage of attack for Advanced Persistent Threats.

At first sight it could be quite difficult to believe that users are still tricked by old-school phishing techniques, but a deeper analysis could show, in my opinion, a possible (partly psychological) explanation: users themselves are still used to thinking of phishing as something aimed at stealing personal information (often with pages crafted with gross errors), and seem unprepared to face the new shape of phishing, which targets corporate information with cybercrime purposes and industrial methods. That definitively means perpetrating the attack with plausible and convincing methods and, most of all, leveraging arguments the user hardly doubts (I might doubt an e-mail from my bank asking me to provide my account and credit card number; maybe, most of all if I am not an infosec professional, I would feel more comfortable providing my username to a (fake) provisioning portal of my company).

But my information security beliefs are falling one after the other, and after reading this really interesting article by Adrienne Porter Felt and David Wagner of the University of California (the marvelous LaTeX layout!) I can only confirm that mobile devices will be the next frontier of phishing.

According to this paper, the risk of a successful phishing attack on mobile devices is dramatically greater than on traditional devices, due to some intrinsic factors such as the smaller size of the screen; the fact that many applications embed or redirect to web pages (and vice versa, some web pages redirect to applications); the fact that mobile browsers hide the address bar; and, most of all, the absence of application identity indicators (read the article and discover how easily a fake native application can completely resemble a browser page), which makes it very difficult to discover whether a certain operation is calling a fake application on the device or redirecting the user to a fake application resembling a legitimate login form.

Moreover, the intrinsic factors are worsened (as usual) by the user’s behavior: as a matter of fact (but this is not peculiar to mobile devices), users often ignore security indicators, do not check application permissions, and are more and more used to legitimate applications continuously asking for passwords through embedded login forms. Last but not least I would add that they are still not used to thinking of mobile applications as targets of phishing (Zitmo docet).

Guess which are the ideal candidates for mobile phishing attacks? Easy to say! Facebook and Twitter, since they are the most common linked applications used by developers to share their creations (the power of free viral marketing!).

Given the speed with which these devices are spreading in the enterprise (see for instance this GigaOM infographic), there is much to worry about in the near future. An interesting solution could be for the operating system to support a trusted password entry mechanism. Will SpoofKiller-like trusted login mechanisms be our salvation, as the authors of the paper hope?

Mobile Security: Vulnerabilities and Risks

May 24, 2011 5 comments

Today I took part as a speaker in an event organized by my company concerning cloud and mobile security. For this occasion I prepared some slides summarizing some concepts spread across my blogs.

In my vision (you should know it if you follow my blog), mobile vulnerabilities are mainly due to:

  • False security perception by users: they consider their device a “simple” phone, forgetting they carry a small dual-core computer in their pockets;
  • “Light” behaviour by users: sideloading, jailbreaking and rooting are not good security practices;
  • Consumerization of devices: a well-known (partially abused) concept: some mobile devices come from the consumer world and hence do not natively offer enterprise-class security, or suffer from intrinsic vulnerabilities;
  • Consumerization of users: many users think they have a consumer device, so they think they do not deserve enterprise-class security measures.

And the risks are:

  • False security perception leads to a high probability of theft or loss of the device and, most of all, of its data;
  • “Light” behaviour by users dramatically increases the probability of directly installing malware or surfing towards insecure shores…
  • Consumerization of devices leads to vulnerabilities that may be exploited to access and steal sensitive data or authentication credentials;
  • Consumerization of users leads the users themselves to adopt improper habits not appropriate for enterprise use, which in turn make the device even more vulnerable to malware (e.g. installing non-business applications, lending it to others, etc.).

How to mitigate the risks?

  • Educate users to avoid “promiscuous” behaviours (no rooting, sideloading or jailbreaking; do not accept virtual candies from unknown virtual persons);
  • At an organizational level, define a security policy for managing (un)predictable events such as device theft or loss;
  • Beware of the risks hidden behind social networks;
  • Use (strong) data encryption;
  • Do not forget to use security software;
  • Enforce strong authentication;
  • Keep the device updated.

This in turn corresponds to enforcing a device management policy in which mobile devices are treated like “traditional” endpoints (but they will soon become traditional endpoints).

You may find the slides on SlideShare… They are mainly in Italian, but if you want, ask me and I will provide an additional translated version.

Good Reading!

Grab Your Data? There’s An App For That!

April 20, 2011 1 comment

The news of the day is undoubtedly the discovery that Apple devices are a bit ‘too nosy’ and regularly record the position of the device in a hidden (!!), unencrypted and unprotected file.

The unwelcome and serendipitous discovery, announced today at Where 2.0, was made by two researchers, Alasdair Allan and Pete Warden, while they were working on a project concerning visualization of mobile data. It looks like this unrequested feature has been present since the arrival of iOS 4.0 and allows the locations and their relative timestamps to be written to an easily accessible file on the device and, even worse, backed up to every PC the device has been synchronized with.

Even if the purpose of the file is unknown (at least so far), and it would be appropriate to wait for a reply from Apple (if any) before coming to any conclusion, this event once again brings to the fore privacy issues for mobile devices, strictly related to the security model of these devices and, more generally, to the cultural approach and revolution users must face (and get used to) when dealing with mobile technologies.

For sure the main issue here is the lack of respect by Cupertino towards its users (customers?). We know this is not the first time that a mobile application attracts criticism for its use of private data (think for instance of the Google Latitude affair). In the case of Apple equipment (differently from Google’s creature), the user may not explicitly approve the sharing (it would be better to say the tracking, since there is no evidence of sharing so far) of his data. But even if we do not consider the ethical point of view, from a security perspective the event has a devastating impact: if the file containing the data may be easily accessed, then, in case of theft, it could be quite easy for a malicious user to grab the data and reconstruct the habits of the user. If we think, for instance, of industrial espionage, this occurrence has dramatic consequences, made worse by the evidence that this kind of device is often used by CxOs (who are the most exposed to the risks of consumerization of IT, of which this is yet another example).

Moreover, on several occasions I discussed the risks of geolocation (and its correlation with users’ habits) and the value this data could have if massively stolen (for instance by means of a mobile botnet) by cybercrooks and conveyed to a C&C server. In such a scenario, bad guys capable of stealing a similar amount of data would have no difficulty at all in organizing an auction “to the death” between hungry marketing agencies, which would pay gold to put their hands on it. I must admit that the thought that these “bad boys” could be the very manufacturers of my iPhone (luckily I own an Android) does not make me feel very comfortable. This situation is also paradoxical: many security vendors offer privacy advisors for (other) mobile platforms, but the evidence that a user should defend his privacy from the manufacturer itself sounds absurd and frustrating. Of course I keep repeating that it is better to wait for an official reply from Apple, but, honestly speaking, the fact that these data are only available on devices provided with a cellular plan sounds very strange.
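To make the “reconstruct the habits of the user” risk concrete, here is an added example, not the researchers’ tool and not code from the original post. It builds a constructed, timestamped location log in an unencrypted SQLite file (the table layout is an assumption for the example, not Apple’s actual file format; coordinates and timestamps are constructed) and then shows that anyone holding the file, or a PC backup containing it, needs only two aggregate queries to learn where the owner works and sleeps.

```python
"""Added example: why an unencrypted, timestamped location log is a privacy risk.
Not code from the original post or from the researchers' app; the schema, the
positions and the timestamps below are constructed for the example."""
import sqlite3
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample positions for one owner (lat, lon).
OFFICE = (41.9028, 12.4964)
HOME = (41.8719, 12.5674)
GRID_DECIMALS = 2  # two decimals of a degree is roughly a 1 km cell


def build_sample_log(conn: sqlite3.Connection, days: int = 5) -> int:
    """Fill a location(ts, lat, lon) table with one fix every two hours.

    Assumed layout: epoch seconds plus a lat/lon pair per row.  Working hours
    are spent at OFFICE, everything else at HOME.  Returns the row count."""
    conn.execute("CREATE TABLE location (ts INTEGER, lat REAL, lon REAL)")
    start = datetime(2011, 4, 1, tzinfo=timezone.utc)
    rows = []
    for day in range(days):
        for hour in range(0, 24, 2):
            t = start + timedelta(days=day, hours=hour)
            lat, lon = OFFICE if 9 <= hour < 18 else HOME
            rows.append((int(t.timestamp()), lat, lon))
    conn.executemany("INSERT INTO location VALUES (?, ?, ?)", rows)
    conn.commit()
    return len(rows)


def cell(lat: float, lon: float) -> tuple:
    """Snap a fix to a coarse grid so nearby fixes count as one place."""
    return (round(lat, GRID_DECIMALS), round(lon, GRID_DECIMALS))


def top_places(conn: sqlite3.Connection, n: int = 3) -> list:
    """Most-visited cells over the whole log: where the owner spends time."""
    rows = conn.execute("SELECT lat, lon FROM location")
    counts = Counter(cell(lat, lon) for lat, lon in rows)
    return counts.most_common(n)


def likely_home(conn: sqlite3.Connection) -> tuple:
    """Cell that dominates between 22:00 and 06:00 UTC: almost certainly home."""
    night = Counter()
    for ts, lat, lon in conn.execute("SELECT ts, lat, lon FROM location"):
        hour = datetime.fromtimestamp(ts, tz=timezone.utc).hour
        if hour >= 22 or hour < 6:
            night[cell(lat, lon)] += 1
    return night.most_common(1)[0][0]


def demo_profile() -> dict:
    """Create the constructed log in memory and profile it, as a thief holding
    the unencrypted file (or a synced backup of it) could."""
    conn = sqlite3.connect(":memory:")
    build_sample_log(conn)
    result = {"places": top_places(conn), "home": likely_home(conn)}
    conn.close()
    return result


if __name__ == "__main__":
    profile = demo_profile()
    print("most visited cells:", profile["places"])
    print("likely home cell:  ", profile["home"])
```

Nothing here is sophisticated, which is the point: the protection of such a file rests entirely on it being unreadable to whoever holds the device or the backup, so encrypting the device storage and the desktop backups is the practical mitigation for the owner.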

Meanwhile, if you want to know more and enjoy (I hope so) verifying where you have been since you bought your brand new iToy, you may have a really interesting look at this link, where the authors of the discovery posted an app to extract the file and graphically map the positions.

Last but not least, there is no evidence (so far) of a similar “feature” on the Droids.

On the other hand, these are tough times for the privacy of smartphone owners. As a matter of fact, quite curiously, today another, apparently unrelated, piece of news coming from the opposite side of the ocean caught my attention. It concerns the Michigan State Police, which has been using data extraction tools to collect information from the cell phones of motorists detained for minor traffic infractions. This has been possible by means of Cellebrite, a mobile forensics tool capable of performing:

“Complete extraction of existing, hidden, and deleted phone data, including call history, text messages, contacts, images, and geotags. The Physical Analyzer allows visualization of both existing and deleted locations on Google Earth. In addition, location information from GPS devices and image geotags can be mapped on Google Maps.”

Even if the latter issue raises the question of how far the law can go when facing the privacy of citizens, the two pieces of news have in common the (mis)use of mobile data, and I could not help thinking that mobile data are continuously under attack and users should consequently consider carefully the usage of their devices (this is the reason why I used the term cultural revolution).

Who knows, maybe the Michigan State Police hoped to issue further fines for speeding after detaining the motorists, by tracking GPS positions and timestamps. Probably, if they had known about the above-mentioned iOS feature, they would have avoided buying the software and grabbed the data directly… At least for iOS 4 users…

Tweets Of War

March 24, 2011 4 comments

In a recent post I discussed the influence and role of (consumer) mobile technologies and social networks (“Mobile Warfare”) in the events that are changing the political landscape of Mediterranean Africa, coming to the conclusion that they are setting new scenarios which will have to be taken seriously into consideration by all those governments that still impose severe limitations on human rights.

To me, “to be taken into consideration” means that all those governments will have to deploy “extreme measures” (hopefully less extreme than completely unplugging the Internet connection, as already done by Egypt and Libya) in order to prevent mobile technologies from acting as catalysts for the protests and from turning common citizens into real-time reporters for the most powerful magazine ever issued: the social network. More realistically, these measures might include threats specifically targeted at mobile equipment, involving hacking techniques commonly known in the infosec arena, such as Distributed Denial of Service, or malware aimed at altering the normal functioning of the devices.

On the opposite side, it is also clear that modern armies will deploy “unconventional weapons” aimed at maintaining Internet connectivity during military operations, mainly for PSYOPS purposes (or at least I was led to believe so). As a matter of fact, the tweets, pictures and videos shot from mobile devices during the dramatic days in Tunisia, Egypt and Libya had a dramatic impact on foreign public opinion. In Tunisia and Egypt the dramatic images shot from mobile devices contributed to creating the international pressure which led to the fall of their respective governments; in Libya, they acted as an accelerator for the definition of the “No Fly Zone” and the consequent “Odyssey Dawn” operation.

But there is another point which makes it more and more important to maintain Internet connectivity during military operations, and it is not simply related to PSYOPS but rather to real military operations. A simple screenshot of Twitter gives dramatic evidence of this: simply search for the #LibyanDictator term.

It looks like Twitter was used by rebels to provide NATO with the coordinates of enemy forces.

More generally, think of having a mobile device with GPS and an Internet connection, and you may “simply” pass the coordinates of enemy troops to allied forces…

On the opposite front: think of making mobile devices unusable or, in the worst case, altering their GPS with malware, and you may prevent precious information from being passed to the enemy or, worse, provide him with false coordinates (and watch him bombing his allies within a few minutes)…

Probably I am going too far with my imagination; anyway, it is clear that war strategists will have to become more and more familiar with virtual (that is, made of bits and bytes) mobile (and social network) battlefields.

Mobile Security Round Table Report

I have published on SlideShare the report I wrote of the round table “Mobile Security: Rischi, Tecnologie, Mercato”, held on March 14 in Milan as part of Security Summit 2011.

The report, which I posted in a thread of the LinkedIn group Italian Security Professional, is available at the link below. Thanks again to the group that hosted this very interesting event!

Mobile Warfare

March 23, 2011 13 comments

It has been recognized that mobile technologies have had a significant impact on the events that occurred in North Africa. In my opinion their impact was so impressive that I refer to them with the term “mobile warfare”, indicating by this term that they are going to play a crucial role in the (let us hope fewer and fewer) wars of the future.

Since the WikiLeaks affair, and the consequent possibility of converting an Android device into a WikiLeaks mirror during the attempt to take the main site offline by means of massive DDoS attacks, it was clear to me that mobile technologies would play a very important (never before seen) role in 2011, not only in hacktivism but, more generally, in human rights related issues.

I had a dramatic confirmation of this role during the Jasmine Revolution in Tunisia, where mobile technologies made every single citizen a reporter, capable of sharing with the rest of the world, in real time, information such as images, videos and tweets about the dramatic events happening inside the country.

But it was with the #Jan25 and #Egypt tweets that the world discovered for the first time the power of mobile warfare. In those dramatic days every single person on the planet only needed to access her Twitter account to become a virtual witness of the events; dramatic facts reported in great detail by hundreds of extemporaneous reporters “armed” only with a smartphone, and made available in real time to the rest of the world thanks to the “six degrees of separation” allowed by social networks. The strength and impact of this mobile warfare were so huge as to force the declining Egyptian government to shut the Internet off for several days starting from January 27th.

Can we really understand what it means for a country to shut the Internet off? As individuals we are so used to the Web that we could not last a single hour without checking the status of our mates. But for a country, an Internet disruption means a nearly complete stop of all economic and financial activities, including banking, trading, and so on. The mere fact of having enforced such a dramatic decision (and its upcoming consequences) is particularly meaningful of the threat posed by mobile warfare as perceived by the Egyptian government. But to have a clear understanding we must also consider that, at the same time, the Egyptian government itself tried to unleash the power of mobile warfare with its clumsy attempt to stop the revolution by broadcasting pro-government SMS, thanks to the country’s emergency laws, causing the subsequent protests of Vodafone.

And what about Libya? I have direct experience, since I was in Tripoli for work at the beginning of last February (so one and a half months ago, even if it feels like a century has passed since then). I was not even completely out of the jet bridge leading from the aircraft to the airport building when I was struck by the number of Libyan people playing with their iPhones. Since I just could not help thinking of the Egyptian situation, I asked some of them whether they had the feeling that something similar to Egypt could happen in Libya. Guess what they answered? They all simply agreed that, due to the different economic and political situation, it was impossible! Of course the point is not their answer but rather the fact that I was surprised to see so many smartphones (ok, we are speaking about the airport, which maybe is not so meaningful in terms of statistics) and, more generally, so many devices capable of providing a high-level Internet user experience (even with the bottleneck of the local mobile networks) and potentially usable as mobile warfare.

That event was just a kind of premonition since, a couple of weeks later, during the first days of the protests, and in particular during the regime’s reaction, smartphones and social networks once again played a leading role, allowing the world to witness those dramatic events in real time with a spreading rate unknown before. For the second time, approximately three weeks after Egypt, a country decided to disconnect the Internet in order to prevent the spread of information via social networks. This time it was Libya’s turn, which decided to unplug the Web on February 18th. Once again the power of mobile warfare was unleashed, disconnecting a country from the Internet in a few minutes (how long would a real army have taken to carry out a similar sabotage?).

Is mobile warfare the cause or effect?

We must not make the mistake of considering mobile warfare as an effect of the movements that rose first in Tunisia, then in Egypt, and finally in Libya. Mobile warfare is simply the cause, since it is precisely through the action of mobile warfare that events could spread rapidly inside a single country, and later among different countries (in both cases with an unprecedented speed), encouraging other people to follow the example and acting, in turn, as a powerful catalyst for the movements. As an example, consider the following article, which in my opinion is particularly meaningful: it shows the Middle East Internet Scorecard, that is, the dips in Internet connections registered in different Middle East countries in the week between February 11 and February 17 (that is, when the social temperature in Libya was getting extremely hot): one can clearly recognize a viral spread of the “unplugging infection”.

What should we expect for the future?

Mobile Warfare has played and is still playing a significant role in the wind of changes that are blowing in North Africa.  Thanks (also) to mobile technologies, people (most of all students) living in countries where human rights suffer some kind of limitations, have the possibility to keep continuously in touch with people living in different countries, learning their habits, and, in turn being encouraged to “fight” for achieving (or at least for attempting to achieve) a comparable condition. This revolution is not only technological but it is most of all cultural since it is destroying all the barriers that kept many countries separated each other and that allowed many population to live (apparently) in peace simply because they completely ignored the existence of a world outside: we could consider this as the equivalent of the old infosec paradigm (Homeland) Security Through Obscurity”.

At the opposite side, it is likely that all those Governments, having a peculiar idea about what human rights are, will deploy some kind of countermeasure to fight the mobile warfare and its inseparable companion: the social network. I do not think that completely preventing the use of mobile technologies is an applicable weapon, since they became too many important for a country (politics, economics, finance, etc.): nowadays each kind of information flows in real time, consequently no country may allow to go slower.

Moreover,  for the reasons I explained above, the Internet disconnection is not a sustainable countermeasure as well, since no government in the world may allow to be cut-out for too long, in order to simply prevent people from tweeting or sharing ideas or videos on social networks. Even because, for instance, U.S. has secret tools to force Internet in case of disruption, which include the Commando Solo, the Air Force’s airborne broadcasting center, capable to get back to full strength the Wi-Fi signal in a bandwidth-denied area; satellite- and nonsatellite-based assets that can provide access points to get people back online; and finally cell towers in the sky, hooking up cellular pods to the belly of a drone, granting 3G coverage for a radius of a few kilometers on the ground would have 3G coverage underneath the drone. Would be interesting to verify if any of these technologies are currently being used in the Odissey Dawn operation.

For all the reasons quoted above, in my personal opinion the countermeasures will aim to make unusable the resources for information collection (that is, mobile devices) and the resources for information sharing (that is, social networks).

So this new generation of Cyber-warfare will involve:

  • A preventive block of Social Networks in order to prevent any attempt to share information in advance. For the reason quoted above a total block will damage the whole economy (even if I must confess that a preventive block of this kind would be quite easily bypassable through external proxies);
  • A massive Denial of Service against mobile devices through massive exploitation of vulnerabilities (more and more common and pervasive on this kind of device), through massive mobile malware deployment or also by means of mass execution of mobile malware (as, for instance, Google did in order to remotely wipe the DroidDream malware). Honestly speaking I consider the latter option the least likely, since I can easily imagine that no manufacturer will cooperate on this (but this does not rule out that a single country could consider leveraging this channel).
  • Spoofing mobile devices in order to make them unreachable or also in order to discredit them as a source of reputable information.
  • A “more traditional” Denial Of Service in order to put Social Networks offline (even if this would need a very large DDoS, given the distribution of the Social Network providers’ resources).

In all the cases quoted above it would be legitimate to expect a reaction, as done, for instance, by the infamous Anonymous group.

Mobile Security: First Impressions

March 16, 2011 4 comments

Fortunately the virus that struck me is easing its effects, my mind is a little clearer and so allows me to gather my thoughts and draw conclusions on the round table of March 14.

It was indeed a propitious occasion to compare notes with the operators’ perspective and to assess how they intend to tackle the problem of mobile security, given that it is indeed a technological problem but one that primarily concerns the user: paraphrasing a felicitous expression that emerged during the round table, an expression so dear to operators, one can say that the problem of mobile security reaches the “last mile”, that is, right into the (in this case virtual) home of the user.

In any case, on one point everyone in the industry, operators included, agrees: although the mobile security problem has distant origins, namely the Consumerization of IT, which “lent” the Enterprise world work tools not natively conceived for professional use, the main role, in terms of security, remains that of the user. Users are overly familiar with their devices, forget that they are now to all intents and purposes real extensions of their office, and this leads them to careless behaviour, such as rooting or jailbreaking, using alternative Markets, and not being in the habit of checking application permissions during installation.

Naturally this has very harmful consequences, because the threats affecting the mobile world are numerous and made worse by the fact that, with the new devices bought in 2011, we will carry at least 2 cores in our pocket. Take the threats affecting fixed devices, add the fact that you always have the mobile device with you and use it for everything, and the picture fills up with fraud, information theft (of any kind, given current device usage), malware, spam, Denial of Service and, last but not least, the possibility of building remotely controlled botnets to carry out DDoS, SMS spam and large-scale data theft.

Although the end point is the same (namely the need for greater user awareness), opinions on the role of the Consumerization process are not uniform: some, like myself, believe that the technologies lack the security levels required for professional use (a factor made worse by the user’s attitude), while others maintain that the technologies are intrinsically secure and that the problem is in any case attributable to the user, who approaches the devices, even for professional use, with a consumer attitude.

Regarding technology and the market, my opinion is very clear: the two points are intrinsically connected, and this translates, in short, into the need to bring the same protection technologies used on traditional endpoints into the mobile world. In my personal experience the market has in fact started the process, which will become ever more predominant, of considering mobile endpoints as a natural extension of traditional endpoints (notebooks, desktops, etc.), to which the same policies and the same security levels of the wired world will therefore have to be applied (with the appropriate differentiation due to the different nature of the devices). Fundamental in this scenario is a unified management model for fixed and mobile endpoints, able to apply the same security policies to all devices in an abstract, device-independent way, regardless of their nature.

As for technology, I foresee two leading strands in the mobile world: DLP and Virtualization. DLP because I consider the mobile security model imperfect, and consequently fertile ground for security vendors able to extend the native security model with their own solutions (with some reservations about Apple, given Cupertino’s limited openness); Virtualization, which I have already had occasion to discuss, will make it possible to solve the technology and privacy problems connected with the professional use of one’s own device. Thanks to virtualization, of which we should see the first examples in the second half of this year, an Organization will be able to manage its own virtual phone inside the user’s physical device, controlling policies and applications and keeping the two worlds completely separate. This solution should be an excellent push towards solving the technological and privacy problems (let us not forget that the user often inevitably ends up entering personal information into the professional device too), delegating the security model, at least for the enterprise virtual machine, from the user to the Organization.

Finally we inevitably come to the fatal question: security has a cost; who pays? In my view the model is (relatively) simple and, in my very personal opinion, it is enough to look back to understand what the future security model might look like.

Naturally the distinction between consumer and enterprise is a must: as I stated earlier, organizations, especially those of a certain size, will be autonomous in building (and consequently in bearing the costs of) their own mobile security architecture, conceiving it as a transparent extension of the security model for traditional endpoints. This is the trend the market is moving towards and on which vendors are converging, offering complete security suites for fixed and mobile operating systems characterized by unified management models.

The consumer world is a different matter, but here too I foresee that, implicitly, mobile terminals will be treated like fixed terminals and therefore security functions could be offered, for instance, as an add-on to the data plan, much as happens today with the antivirus/personal firewall that all operators now bundle with the Internet connection. In this case it is also worth noting that the average age of users is getting ever lower, so, especially in the consumer world, they will show ever greater familiarity with mobile technologies and their necessary security extensions, to the point of considering them one and the same.

It obviously remains to be seen what infrastructure investments, if any, will be made: an interesting question put to the operators highlighted whether the creation of a baseline is under study (that is, the analysis of traffic levels to reveal anomalies due, for example, to excessive traffic generated by malware). At present, since the problem cuts across technology and law, the baseline is dictated by compliance itself.
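The traffic baseline the operators were asked about is, in its simplest form, a per-device statistical profile against which today's volume is compared. The following is an added example, not code from the operators or from this blog, of one way to build such a baseline: it uses a robust median/MAD profile over a 14-day window (window length, the multiplier k and the constructed per-device byte counts are all assumptions chosen for the illustration) and flags any device whose current traffic exceeds the profile, which is what an infected handset generating spam or botnet traffic would look like from the network side.

```python
"""Per-device traffic baseline check (added illustrative example).

Constructed data only: HISTORY holds 14 days of bytes-per-day per device,
TODAY holds the current day's value. The 14-day window, the k=4 multiplier
and the MAD floor are assumptions for the example, not operator settings.
"""
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample: device id -> 14 daily byte counts (scaled down for readability).
HISTORY: Dict[str, List[int]] = {
    "dev-A": [41, 38, 45, 40, 39, 44, 42, 41, 37, 43, 40, 39, 42, 41],
    "dev-B": [12, 15, 11, 14, 13, 12, 16, 14, 13, 12, 15, 14, 13, 12],
    "dev-C": [80, 78, 82, 79, 81, 80, 77, 83, 80, 79, 82, 81, 80, 78],
}
# Constructed "today" readings: dev-B suddenly sends ~7x its usual volume.
TODAY: Dict[str, int] = {"dev-A": 44, "dev-B": 95, "dev-C": 79}


def mad(values: List[int]) -> float:
    """Median absolute deviation: a spread measure that a single spike cannot inflate."""
    m = median(values)
    return median(abs(v - m) for v in values)


def baseline(values: List[int], k: float = 4.0, floor: float = 1.0) -> Tuple[float, float]:
    """Return (median, alert threshold).

    The floor keeps a device with perfectly flat history from being flagged
    by trivial noise (a MAD of 0 would otherwise give threshold == median).
    """
    m = median(values)
    spread = max(mad(values), floor)
    return m, m + k * spread


def flag_anomalies(history: Dict[str, List[int]], today: Dict[str, int],
                   k: float = 4.0) -> List[Tuple[str, int, float, float]]:
    """Return (device, today_value, median, threshold) for every device above its threshold."""
    flagged = []
    for dev, hist in history.items():
        m, thr = baseline(hist, k)
        value = today[dev]
        if value > thr:
            flagged.append((dev, value, m, thr))
    return flagged


if __name__ == "__main__":
    for dev, value, m, thr in flag_anomalies(HISTORY, TODAY):
        print(f"{dev}: today={value} median={m} threshold={thr:.1f} "
              f"({value / m:.1f}x usual volume)")
```

With the constructed data only dev-B is reported (median 13, threshold 17, today 95). Median and MAD are used rather than mean and standard deviation because a single earlier spike in the window would otherwise widen the profile and hide the next one; on real CDR or NetFlow data the same function would be run per subscriber per day, with the window and k tuned to the population's normal variance.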

(Mobile) Security Summit 2011

March 3, 2011 1 comment

The 2011 edition of the Security Summit will be held in Milan from March 14 to 16, 2011. Within the event I recommend an interesting round table dedicated to Mobile Security, in which I will take part directly. Mobile Security: Risks, Technologies, Market is the title of the seminar, organized by the Italian Security Professional Group. The event, in which it will be interesting to compare the threats of the mobile world with the operators’ point of view, will be held on March 14 at 16:30; for those who can be in Milan on those days, it is certainly an interesting opportunity.

The round table programme, already online, is as follows:

Moderator: Paolo Colombo – Italian Security Professional

Speakers:
Stefano Brusotti, Telecom Italia, Head of Security Innovation
Raoul Chiesa, CLUSIT/ENISA
Aronne Elia, International project PMO, Vodafone Italia
Fabio Gianotti, Head of Engineering & Innovation, H3G, Security
Paolo Passeri, Technical Manager, Business-e

Special guest:
Philippe Langlois, founder of P1 Security and Senior Researcher, Telecom Security Task Force.
