During Summer we always try to spend our free time in a more profitable manner, for instance reading gossip chronicles.
From this point of view, July 2012 has not been a particularly lucky month for Carly Rae Jepsen. On July the 7th, her website has been the target of a DDoS attack by a member of the infamous collective @TheWikiBoat. During the second half of July, she has joined the (not so) exclusive club of celebrities who had compromising pictures and video stolen from their computers and mobile devices. This is not an isolated episode since celebrities have shown an insane predilection to make (possibly) XXX photos and store them with few or no precautions at all. With the consequence that it is not so uncommon that the private material gets stolen with the purpose to blackmail the victims or simply to sell it.
Unfortunately the experience has shown that, almost always, both ideas end up in a miserable failure and the photos get usually leaked, causing fans to run to their search engines in the hunt for the private snaps.
Honestly speaking, I do not understand how it feels to take photos of oneself in compromising positions (but I am not a celebrity, at least so far). For sure, if I were a celebrity I would be aware of my level of exposition and its consequent capability to attract the unwelcome attentions of stalkers (and addicted hackers). That level of exposition, alone, justifies the need to pay more attention for private material, most of all if it contains XXX shots. But maybe celebrities have not time for complex passwords…
To let you understand how often these events occur, I browsed the chronicles of the last years compiling the following gallery. Even if most of the leaks came from the so-called hacker ring targeting more than 50 celebrities, you will find many surprising (sometimes recurring) victims, before coming to the disappointing conclusion that “the leopard does not change his spots”.
I am afraid that this chart will soon need an update.
Yesterday I posted evidence about the presence of the infamous Carrier IQ Software in Italy. Today another episode (I presume will not be last) of what it si becoming an endless Saga. Following the forthcoming investigations of privacy regulators in the U.S. and Europe, and the last-minute speculations concerning the fact Carrier IQ technology has been used by FBI, Carrier IQ has just published a 19 pages document trying to explain in detail what the IQ agent does. After reading the document, it is clear that the affair will not stop here.
The documents analyzes what the software really does, tries to confute Trevor Eckhart’s assertions and, most of all, admits that some SMS may have been collected (even if not in human readable form), because of a software flaw.
Interesting to mention, there are three ways in which Carrier IQ’s customers (the operators, not the end users!) install the IQ Agent: pre-load, aftermarket and embedded. The pre-load and embedded versions which differ among themselves for the fact that the pre-loaded agent may not provide RF data, cannot “typically” be deleted by an end user.
In any case Network Operators and handset manufacturers determine whether and how they deploy Carrier IQ software and what metrics that software will gather and forward to the Network Operator.
Several Remarkable Points:
In typical deployments, the IQ Agent uploads diagnostic data once per day, at a time when the device is not being used. This upload, which averages about 200 kilobytes, contains a summary of network and device performance since the last upload, typically 24 hours.
The profile, written by Carrier IQ based on information requested by operators, defines which of the available metrics may to be gathered and contains the following information:
- Should information be collected in anonymous mode or with the hardware serial number and the subscriber serial number being used (e.g. IMEI & IMSI)?
- The frequency of metrics uploads and instructions on what to do if the user is roaming or not on the network
- The specific metrics from which to gather data
- Instructions for pre-processing of metrics to create summary information
Profiles may also be subsequently updated.
As far as Trevor Eckhart’s video is concerned, and his findings related to the fact that the agent logs SMS and keystrokes in clear text, Carrier IQ indicates this log log essentially as a consequence of debug enabled, which is not a common (and recommended) situation in normal usage. Moreover the only captured keystroke is a specific numeric key code entered by the user to force the IQ Agent software to start an upload.
Our privacy is safe? Not at all, few lines after the above quoted statement the company declares that:
Carrier IQ has discovered that, due to [....] bug, in some unique circumstances, such as a when a user receives an SMS during a call, or during a simultaneous data session, SMS messages may have unintentionally been included in the layer 3 signaling traffic that is collected by the IQ Agent. These messages were encoded and embedded in layer 3 signaling traffic and are not human readable.
Although the company states that no encoded content of the SMS is available to anyone.
As far as phone numbers and URLs are concerned, this kind of information is collected by the agent if selected on a profile by the Network Operator. In any case, according to the company:
The metrics gathered by the IQ Agent are held in a secure temporary location on the device in a form that cannot be read without specifically designed tools and is never in human readable format.
About the gathered data, Carrier IQ has no rights to the data that collected into its Mobile Service Intelligence Platform.
Did you find the clarifications enough satisfactory? At first glance I am not able to understand how the collected data may be considered anonymous (as supposed from the first statement of Carrier IQ), if the operator may select a profile in which it can grab (and correlate) IMSI, IMEI or Phone Number together with the URLs visited by the (unaware) user. In this moment I cannot tell if, with a clause hidden between the lines of the contracts, mobile operators advise their customers that some personal information may be collected to improve the user experience. In any case the user should be at least provided with the option to choose. Some Device Manufacturers ask for user consent to perform similar operations. I am not aware of a similar approach by operators.
Mmh… The story will not finish here, indeed I guess the affair will soon spread to Mobile Carriers.
- Breaking: First Known Detection of Carrier IQ in Italy (paulsparrows.wordpress.com)
Examples in which political news provide hints for Information Security are happening too often (think for instance to the UK Phone Hacking Scandal). The latest comes from the affair involving Dominique Strauss-Kahn and his alleged sexual encounter with a maiden during the horrible day of May, 14th 2011. The details which are being disclosed on that story show that the BlackBerry owned by DSK played a crucial role in the event, both because it had likely been hacked, and because it was used as a decoy to catch DSK at the airport.
All the traditional ingredients of Mobile Security are mixed up in this story: a device used for both personal and business purposes, which is hacked and whose stolen information is used to harm the victim.
The details were given on Friday, the 25th of November, when Financial Times published an anticipation of an investigation carried on by the journalist Edward Epstein to be published in full by the New York Reviews of Books. The investigation tells with an unprecedented level of details the two hours that sank Dominique Strauss-Kahn and wrecked his political career on May, 14th 2011 during his stay at the Sofitel New York Hotel, and the alleged sexual assault encounter with Nafissatou Diallo, the maid he had encountered in the presidential suite.
DSK was then head of International Monetary Fund and leading Socialist Contender against Nicolas Sarkozy (well ahead him in opinion polls) for the French Presidential Election in April 2012. As known the aftermaths of the scandal (although all the charges were dismissed by the prosecutor on August 23rd, 2011) destroyed his political ambitions for the rush at the French Presidential Chair.
The account of Edward Epstein reveals several shadow zones which seem to support the hypothesis according to which DSK was the victim of a plot (for instance the strange visits of Nafissatou Diallo to room 2820, a room on the same floor of the Presidential Suite borrowed by DSK, whose occupant’s identity was never released by Sofitel on grounds of privacy).
You may guess at this point what this history has to deal with Information Security. Well, it has much to deal with, since one of the Shadow Zones just concerns one of DSK’s Blackberry cell phones, the one he called IMF Blackberry, used to send and receive texts and e-mails for both personal and IMF business, which DSK believed had probably been hacked, and which has not been found since then. Moreover the lost BlackBerry was used as a decoy to catch him on board of Flight 23, few minutes before living for Paris.
If you think the mobile security risks are exaggerated and the promiscuous use of mobile devices for personal and professional purposes is not harmful and do not constitute a security hazard, you should better read the following lines.
The account of Mr. Epstein tells that, the morning of May, the 14th, DSK had received a text message from Paris from a woman friend temporarily working as a researcher at the Paris offices of the UMP, Sarkozy’s political party. The message warned him that at least one private e-mail he had recently sent from his BlackBerry to his wife, had been read at the UMP offices in Paris. It is unclear how the UMP offices might have received this e-mail, but if it had come from his IMF BlackBerry, he had reason to suspect he might be under electronic surveillance in New York.
At 10:07 AM he called his wife in Paris on his IMF BlackBerry, telling her of his problem. He asked her to contact a friend who could arrange to have both his BlackBerry and iPad examined by an expert. An exam that would never happen for his Blackberry…
The call records show that DSK used his IMF BlackBerry for the last time at 12:13 PM to tell his Daughter Camille he would be late for lunch. This happened approximately 7 minutes after the maiden entered his room, which occurred at 12:06 PM according to Hotel key records, and most of all after the controversial encounter, likely occurred in this Time Interval, which is still a matter of dispute.
DSK realized his IMF BlackBerry was missing only nearly two hours later, at 14:15 PM while going to the Airport in taxi. At the beginning he believed he had left the cellphone to the Restaurant and immediately called his daughter (with a spare mobile phone) asking her to go back there for a check. The footage at the Restaurant shows that she effectively went there looking for the lost object. Of course she was not able to find it and at 14:28 PM she sent him a message indicating she could not find it.
At 15:01 PM, while approaching the airport, DSK was still attempting to find his missing phone, calling it from his spare with no answer. According to the records of the BlackBerry company, the IMF device had been disabled at 12:51 PM.
At 15:29 PM, he called the hotel from the taxi, indicating his room number and giving a phone number, so that he could be called back, in case his phone was found.
Thirteen minutes later he was called back from a hotel employee who was in the presence of a police detective. The hotel employee falsely told him that his phone had been found and asked where it could be delivered. DSK told him that he was at JFK Airport and that he had a problem since his flight left at 4:26 PM. He was reassured that someone could bring it to the airport in time, so he gave her the Gate and Flight number which allowed the police to call DSK off the plane and take him into custody at 4:45 PM.
DSK’s BlackBerry is still missing and the records obtained from BlackBerry show that the missing phone’s GPS circuitry was disabled at 12:51 PM. Probably the cell phone was “lost” inside the Sofitel, for sure this occurrence has prevented DSK to verify if he was under surveillance or not.
The reasons why DSK was so concerned about the possible interception of his messages on this BlackBerry are not clear even if Epstein suggests a couples of scenarios. The phone could contain some embarrassing information related to the scandal occurred to Carlton Hotel in Lille where high-class escort women were allegedly provided by corporation to government officials (I believed this kind of affair only happened in Italy) (DSK denies that he was connected to the prostitution ring.). Otherwise his concern could also derive from other matters, related to his IMF role, such as the sensitive negotiations he was conducting for the IMF to stave off the euro crises.
Still doubtful about Mobile Security Risks?
Few days ago Juniper Networks has released a report on the status of Android Malware. The results are not encouraging for the Android Addicted since they show a 472% increase in malware samples since July 2011 (see the infographic for details).
This does not surprising: already in May in its annual Malicious Mobile Threats Report, report, Juniper had found a 400% increase in Android malware from 2009 to the summer of 2010. This trend is destined to further grow since the Juniper Global Threat Center found that October and November registered the fastest growth in Android malware discovery in the history of the platform. The number of malware samples identified in September increased by 28%. whilst October showed a 110% increase in malware sample collection over the previous month and a noticeable 171% increase from July 2011.
As far as the nature of malware is concerned, Juniper data show that the malware is getting more and more sophisticated, with the majority of malicious applications targeting communications, location, or other personal information. Of the known Android malware samples, 55%, acts as spyware, 44%, are SMS Trojans, which send SMS messages to premium rate numbers without the user’s consent.
The reason for this malware proliferation? A weak policy control on the Android market which makes easier for malicious developers to publish malware applications in disguise. From this point of view, at least according to Juniper, the model of Cupertino is much more efficient and secure.
Easily predictable Google’s answer came from the mouth of Chris DiBona, open source and public sector engineering manager at Google. According to DiBona, Open Source, which is widely present in all the major mobile phone operating systems, is software, and software can be insecure. But Open Source becomes stronger if it pays attention to security, otherwise it is destined to disappear. In support of this statement he quotes the cases of Sendmail and Apache, whose modules which were not considered enough secure disappeared or came back stronger (and more secure) than ever.
But DiBona’s does not stop here (probably he had read this AV-test report which demonstrates that free Android Antimalware applications are useless): “Yes, virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and IOS. They are charlatans and scammers. IF you work for a company selling virus protection for android, rim or IOS you should be ashamed of yourself.”
From this point of view Google hopes that Ice Cream Sandwich will lead Android Security at the next level even if some features are raising security concerns among Infosec professionals.
As you will probably know my Birthday post for Android Malware has deserved a mention from Engadget and Wired. Easily predictable but not for me, the Engadget link has been flooded by comments posted by Android supporters and adversaries, with possible trolls’ infiltrations, up to the point that the editorial staff has decided to disable comments from the article. The effect has been so surprising that someone has also insinuated, among other things, that I have been paid to talk s**t on the Android.
Now let me get some rest from this August Italian Sun and let me try to explain why I decided to celebrate this strange malware birthday for the Android.
First of all I want to make a thing clear: I currently do own an Android Device, and convinced, where possible, all my relatives and friends to jump on the Android. Moreover I do consider the Google platform an inseparable companion for my professional and personal life.
So what’s wrong? If you scroll the malware list you may easily notice that the malware always require an explicit consent from the user, so at first glance the real risk is the extreme trust that users put in their mobile devices which are not considered “simple” phones (even if smart), but real extensions of their personal and professional life.
You might say that this happens also for traditional devices (such as laptops), but in case of mobile devices there is a huge social and cultural difference: users are not aware to bring on their pocket dual (very soon four) cores mini-PCs and are not used to apply the same attention deserved for their old world traditional devices. Their small display size also make these devices particularly vulnerable to phishing (consider for instance the malware Android.GGTracker).
If we focus on technology instead of culture (not limiting the landscape to mobile) it easy to verify that the activity of developing malware (which nowadays is essentially a cybercrime activity) is a trade off between different factors affecting the potential target which include, at least its level of diffusion and its value for the attacker (in a mobile scenario the value corresponds to the value of the information stored on the device). The intrinsic security model of the target is, at least in my opinion, a secondary factor since the effort to overtake it, is simply commensurate with the value of the potential plunder.
What does this mean in simple words? It means that Android devices are growing exponentially in terms of market shares and are increasingly being used also for business. As a consequence there is a greater audience for the attackers, a greater value for the information stored (belonging to the owner’s personal and professional sphere) and consequently the sum of these factors is inevitably attracting Cybercrooks towards this platform.
Have a look to the chart drawing Google OS Market share in the U.S. (ComScore Data) compared with the number of malware samples in this last year (Data pertaining Market Share for June and July are currently not available):
So far the impact of the threats is low, but what makes the Google Platform so prone to malware? For sure not vulnerabilities: everything with a line of code is vulnerable, and, at least for the moment, a recent study from Symantec has found only 18 vulnerabilities for Google OS against 300 found for iOS (please do no question on the different age of the two OSes I only want to show that vulnerabilities are common and in this context Android is comparable with its main competitor).
Going back to the initial question there are at least three factors which make Android different:
- The application permission model relies too heavily on the user,
- The security policy for the market has proven to be weak,
- The platform too easily allows to install applications from untrusted sources with the sideloading feature.
As far as the first point is concerned: some commenters correctly noticed that apps do not install themselves on their own, but need, at least for the first installation, the explicit user consent. Well I wonder: how many “casual users” in your opinion regularly check permissions during application installation? And, even worse, as far as business users are concerned, the likely targets of cybercrime who consider the device as a mere work tool: do you really think that business users check app permission during installation? Of course a serious organization should avoid the associated risks with a firm device management policy before considering a wide deployment of similar devices, most of all among CxOs; but unfortunately we live in an imperfect world and too much often fashion and trends are faster (and stronger) than Security Policies and also make the device to be used principally for other things than its business primary role, hugely increasing risks.
This point is a serious security concern, as a matter of fact many security vendors (in my opinion the security industry is in delay in this context) offer Device Management Solution aimed to complete the native Application Access Control model. Besides it is not a coincidence that some rumors claim that Google is going to modify (enhance) the app permission security process.
As far as the second point is concerned (Android Market security policy), after the DroidDream affair, (and the following fake security update), it is clear that the Android Market Publishing (and Security) model needs to be modified, making it more similar to the App Store. There are several proposals in this context, of course in this place is not my intention to question on them but only to stress that the issue is real.
Last but not least Sideloading is something that makes Android very different from other platforms (read Apple), Apple devices do not allow to install untrusted apps unless you do not Jailbreak the devices. Android simply needs the user to flag an option (By The Way many vendors are opening their Android devices to root or alternate ROMs, consider for instance LG which in Italy does not invalidate the Warranty for rooted devices) or HTC which, on May 27, stated they will no longer have been locking the bootloaders on their devices.
So definitively the three above factors (together with the growing market shares) make Android more appealing for malware developers and this is not due to an intrinsic weakness of the platform rather than a security platform model which is mainly driven by the user and not locked by Manufacturer as it happens in case of Cupertino.