About these ads

Archive

Posts Tagged ‘Mobile’

1-15 May 2013 Cyber Attacks Timeline

And here we are with our bi-weekly review of the main cyber attacks. This time is the turn of the first half of May.

Probably this month will be remembered for the huge cyber-heist against two Payment Processors, and affecting two banks (National Bank of Ras Al-Khaimah PSC in the United Arab Emirates and the Bank of Muscat in Oman), which suffered a massive loss of $45 million due to an endless wave of unlimited withdrawals from their ATMs.

Other relevant actions related to Cyber-criminal operations include the massive breaches against MSI Taiwan (50,000 records affected) and most of all, the Washington state Administrative Office of the Courts (up to 160,000 SSN and 1 million driver’s license numbers).

On the other hand, the hacktivists concentrated their efforts on the so-called OpUSA (7 May), even if it looks like that most of the attacks were nuisance-level. Instead, and this is a great news, after months of intense activity, the operation Ababil come to a stop.

On the cyber war front, this month reports an unedited conflict between Taiwan and Philippines.

Last but not least, even if this attack dates back to 2007, on the Cyber-Espionage front, Bloomberg has shaken this lazy month revealing the repeated attacks by the infamous Comment Crew hackers against Qinetiq, a very critical Defense contractor. The cyber threats from the Red Dragon (real or alleged) keep on scaring the western world.

If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012 and now 2013 (regularly updated). You may also want to have a look at the Cyber Attack Statistics, and follow @paulsparrows on Twitter for the latest updates.

Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).

May 2013 Cyber Attacks Timeline Part I Read more…
About these ads

What Security Vendors Said One Year Ago…

January 10, 2012 2 comments

I did not resist, so after publishing the summary of Security Predictions for 2012, I checked out what security vendors predicted one year ago for 2011. Exactly as I did in my previous post, at the beginning of 2011 I collected the security predictions in a similar post (in Italian). I also published in May an update (in English) since, during the Check Point Experience in Barcelona held in May 2011, the Israeli security firm published its predictions. Even if the latters have been published nearly at the half of 2011, for the sake of completeness, I decided to insert them as well in this year-to-year comparison.

Then, I included Symantec (for which this year I did not find any prediction), McAfee, Trend Micro, Kaspersky, Sophos and Cisco. I included Check Point in a second time and I did not include Fortinet, At that time I missed their five security predictions, which I only discovered later so I decided to provide an addendum for this post including Fortinet as well in order to provide a deeper perspective.

The security predictions for 2011 are summarized in the following chart, which reports what the vendors (with the partial above described exception of Checkpoint) expected for the past year in terms of Information Security trends.

But a strict side-by-side comparison with the 2012 information security predictions (extracted by my previous post) is more helpful and meaningful:

As you may notice mobile threats were on top even among the predictions for 2011. This prediction came easily true most of all for Android which suffered (and keeps on suffering) a huge increase in malware detection samples (even if the overall security risk remains contained). Social Media were on top as well: they have been crucial for the Wind of the Changes blown by the Arab Spring but in the same time Social Media have raised many security concerns for reputation, the so called Social Network Poisoning (who remembers Primoris Era?). Although 2011 was the year of the Anonymous, hacktvism ranked “only” at number 4, behind Advanced Persistent Threats, which however played a crucial role for information security (an APT was deployed for the infamous RSA Breach, but it was not an isolated case).

Also botnets, web threats and application vulnerabilities ranked at the top of Security predictions for last year (and came true). As far as botnets are concerned, fortunately 2011 was a very important year for their shutdown (for instance Hlux/Kelihos, Coreflood, Rustock). In several cases the botnets were taken down thanks to joint operations between private sectors and law enforcement agencies (another prediction came true). On the application side, this prediction came true most of all thanks to the Sony breach, the Liza Moon infection and the huge rate of SQLi based attacks and ASP.NET vulnerabilities. We have also assisted to an hard blow to SSL/TLS and XML Encryption.

But what is more surprising (and amusing) in my opinion is not to emphasize which predictions were correct, but rather to notice  which predictions were dramatically wrong: it looks like that, against the predictions, virtualization threats were snubbed by cybercrookers in 2011 (and nearly do not appear in 2012). But the most amusing fact is that no security vendor (among the ones analyzed) was able to predict the collapse of the Certification Authority model thanks most of all to the Comodo and Diginotar Breaches.

Browsing Security Predictions for 2012

January 8, 2012 4 comments

Update 01/11/2012: Year-to-Tear comparison with 2011 Security Predictions

The new year has just come, vacations are over, and, as usually happens in this period, information security professionals use to wonder what the new year will bring them from an infosec perspective. The last year has been rich of events, whose echo is still resounding, and as a consequence, if RSA and Sony breach were not enough, the main (and somehow obvious) question is: will 2012 stop this trend or rather bring it to unprecedented levels, or, in other words, which threat vectors will disturb the (already troubled) administrators’ sleep?

Unfortunately my divination skills are not so developed (in that case I would not be here), but security firms can give a crucial help since they started to unveil their security predictions for 2012, at least since the half of December, so putting them together, and analyzing them is quite a straightforward and amusing task. Maybe even more amusing will be, in twelve years, to see if they were correct or not.

The security prediction that I take into consideration included, at my sole discretion (and in rigorous alphabetical order):

•    Cisco;
•    Fortinet;
•    Kaspersky;
•    McAfee;
•    Sophos;
•    Trend Micro;
•    Websense;

That is the only leader vendors for which I found predictions issued with original documents (feel free to indicate if I missed someone and I will be very glad to include them in the chart).

In any case, the landscape is quite heterogeneous since it encompasses security vendors covering different areas: one vendor, McAfee, covering all the areas (network, endpoint and content security), two vendors and one half focused on network and content security (Cisco, Fortinet and partially Sophos thanks to the Astaro acquisition), and two vendors focused essentially on endpoint security (Kaspersky and Trend Micro).

The following table summarizes their predictions:

In order to correctly understand the chart a premise is needed: as you will probably have already noticed, in several cases the predictions reflect the specific security focus for the analyzed vendor. For instance, Websense is focused on DLP, and that is the reason why the adoption of DLP is one of its predictions. Analogously McAfee is investing huge resources for Security on Silicon, and this implies that embedded systems and Malware Moving Beyond OS are present among its predictions. Same speech could be applied for Trend Micro and its Cloud Prediction and so on.

Some trends for this year are clearly emphasized: easily predictable Hactivism appears on 6 of the 7 vendors, as mobile (with different connotations) does. Social Media is on the spot as well as are SCADA, Embedded Systems and, quite surprisingly in my opinion, cloud. I would have expected a greater impact for APTs, but for a complete and more accurate analysis one should consider them together with threats targeting embedded systems or ICS. Even because according to several security firms, for instance Kasperky, APT Stuxnet-like will be used for tailored campaigns, whilst more “general purpose malware”, including botnets will be used for massive campaigns (this item is summarized as Mass Targeted Campaigns).

 

Some “old acquaintances” will be with us in 2012: consumerization, at least according to Sophos and Trend Micro (even if consumerization is strictly connected, if not overlapped with mobile) and, if the Comodo and Diginotar affaires were not enough, Rogue Certificates, according to McAfee. Instead some “new entries” are absolutely interesting, such as the threats related to NFC (even if in this case I would have expected a greater impact) or related to Virtual Currency. Besides let us hope that the prediction to adopt DNSSEC be more than a prediction but a consolidated practice.

The most conservative security firm? In my opinion Cisco. The most “visionary”? Maybe Fortinet, I found the “Crime as a Service (CaaS)” absolutely awesome, and most of all not so visionary, since there are already some (even if clumsy) attempts.

In any case with this plenty of Cyber Nightmares is not a surprise the fact the Enterprise security market is going to reach $23 billion worldwide in 2012 with a 8.7% growth year-on-year.

Again On The Carrier IQ Saga

December 13, 2011 2 comments

Yesterday I posted evidence about the presence of the infamous Carrier IQ Software in Italy. Today another episode (I presume will not be last) of what it si becoming an endless Saga. Following the forthcoming investigations of privacy regulators in the U.S. and Europe, and the last-minute speculations concerning the fact Carrier IQ technology has been used by FBI, Carrier IQ has just published a 19 pages document trying to explain in detail what the IQ agent does. After reading the document, it is clear that the affair will not stop here.

The documents analyzes what the software really does, tries to confute Trevor Eckhart’s assertions and, most of all, admits that some SMS may have been collected (even if not in human readable form), because of a software flaw.

Interesting to mention, there are three ways in which Carrier IQ’s customers (the operators, not the end users!) install the IQ Agent: pre-load, aftermarket and embedded. The pre-load and embedded versions which differ among themselves for the fact that the pre-loaded agent may not provide RF data, cannot “typically” be deleted by an end user.

In any case Network Operators and handset manufacturers determine whether and how they deploy Carrier IQ software and what metrics that software will gather and forward to the Network Operator.

Several Remarkable Points:

The IQ Agent is able to summarize the diagnostic information before it is uploaded to the network, greatly reducing the amount of data transmitted and subsequent data processing costs. (as you will read later, looks like summarization is not done for security purposes).

In typical deployments, the IQ Agent uploads diagnostic data once per day, at a time when the device is not being used. This upload, which averages about 200 kilobytes, contains a summary of network and device performance since the last upload, typically 24 hours.

The profile, written by Carrier IQ based on information requested by operators, defines which of the available metrics may to be gathered and contains the following information:

  1. Should information be collected in anonymous mode or with the hardware serial number and the subscriber serial number being used (e.g. IMEI & IMSI)?
  2. The frequency of metrics uploads and instructions on what to do if the user is roaming or not on the network
  3. The specific metrics from which to gather data
  4. Instructions for pre-processing of metrics to create summary information

Profiles may also be subsequently updated.

As far as Trevor Eckhart’s video is concerned, and his findings related to the fact that the agent logs SMS and keystrokes in clear text, Carrier IQ indicates this log log essentially as a consequence of debug enabled, which is not a common (and recommended) situation in normal usage. Moreover the only captured keystroke is a specific numeric key code entered by the user to force the IQ Agent software to start an upload.

Our privacy is safe? Not at all, few lines after the above quoted statement the company declares that:

Carrier IQ has discovered that, due to [....] bug, in some unique circumstances, such as a when a user receives an SMS during a call, or during a simultaneous data session, SMS messages may have unintentionally been included in the layer 3 signaling traffic that is collected by the IQ Agent. These messages were encoded and embedded in layer 3 signaling traffic and are not human readable.

Although the company states that no encoded content of the SMS is available to anyone.

As far as phone numbers and URLs are concerned, this kind of information is collected by the agent if selected on a profile by the Network Operator. In any case, according to the company:

The metrics gathered by the IQ Agent are held in a secure temporary location on the device in a form that cannot be read without specifically designed tools and is never in human readable format.

About the gathered data, Carrier IQ has no rights to the data that collected into its Mobile Service Intelligence Platform.

Did you find the clarifications enough satisfactory? At first glance I am not able to understand how the collected data may be considered anonymous (as supposed from the first statement of Carrier IQ), if the operator may select a profile in which it can grab (and correlate) IMSI, IMEI or Phone Number together with the URLs visited by the (unaware) user. In this moment I cannot tell if, with a clause hidden between the lines of the contracts, mobile operators advise their customers that some personal information may be collected to improve the user experience. In any case the user should be at least provided with the option to choose. Some Device Manufacturers ask for user consent to perform similar operations. I am not aware of a similar approach by operators.

Mmh… The story will not finish here, indeed I guess the affair will soon spread to Mobile Carriers.

The Missing BlackBerry Of Dominique Strauss-Kahn

November 28, 2011 2 comments

Examples in which political news provide hints for Information Security are happening too often (think for instance to the UK Phone Hacking Scandal). The latest comes from the affair involving Dominique Strauss-Kahn and his alleged sexual encounter with a maiden during the horrible day of May, 14th 2011. The details which are being disclosed on that story show that the BlackBerry owned by DSK played a crucial role in the event, both because it had likely been hacked, and because it was used as a decoy to catch DSK at the airport.

All the traditional ingredients of Mobile Security are mixed up in this story: a device used for both personal and business purposes, which is hacked and whose stolen information is used to harm the victim.

The details were given on Friday, the 25th of November, when Financial Times published an anticipation of an investigation carried on by the journalist Edward Epstein to be published in full by the New York Reviews of Books. The investigation tells with an unprecedented level of details the two hours that sank Dominique Strauss-Kahn and wrecked his political career on May, 14th 2011 during his stay at the Sofitel New York Hotel, and the alleged sexual assault encounter with Nafissatou Diallo, the maid he had encountered in the presidential suite.

DSK was then head of International Monetary Fund and leading Socialist Contender against Nicolas Sarkozy (well ahead him in opinion polls) for the French Presidential Election in April 2012. As known the aftermaths of the scandal (although all the charges were dismissed by the prosecutor on August 23rd, 2011) destroyed his political ambitions for the rush at the French Presidential Chair.

The account of Edward Epstein reveals several shadow zones which seem to support the hypothesis according to which DSK was the victim of a plot (for instance the strange visits of Nafissatou Diallo to room 2820, a room on the same floor of the Presidential Suite borrowed by DSK, whose occupant’s identity was never released by Sofitel on grounds of privacy).

You may guess at this point what this history has to deal with Information Security. Well, it has much to deal with, since one of the Shadow Zones just concerns one of DSK’s Blackberry cell phones, the one he called IMF Blackberry, used to send and receive texts and e-mails for both personal and IMF business, which DSK believed had probably been hacked, and which has not been found since then. Moreover the lost BlackBerry was used as a decoy to catch him on board of Flight 23, few minutes before living for Paris.

If you think the mobile security risks are exaggerated and the promiscuous use of mobile devices for personal and professional purposes is not harmful and do not constitute a security hazard, you should better read the following lines.

The account of Mr. Epstein tells that, the morning of May, the 14th, DSK had received a text message from Paris from a woman friend temporarily working as a researcher at the Paris offices of the UMP, Sarkozy’s political party. The message warned him that at least one private e-mail he had recently sent from his BlackBerry to his wife, had been read at the UMP offices in Paris. It is unclear how the UMP offices might have received this e-mail, but if it had come from his IMF BlackBerry, he had reason to suspect he might be under electronic surveillance in New York.

At 10:07 AM he called his wife in Paris on his IMF BlackBerry, telling her of his problem. He asked her to contact a friend who could arrange to have both his BlackBerry and iPad examined by an expert. An exam that would never happen for his Blackberry…

The call records show that DSK used his IMF BlackBerry for the last time at 12:13 PM to tell his Daughter Camille he would be late for lunch. This happened approximately 7 minutes after the maiden entered his room, which occurred at 12:06 PM according to Hotel key records, and most of all after the controversial encounter, likely occurred in this Time Interval, which is still a matter of dispute.

DSK realized his IMF BlackBerry was missing only nearly two hours later, at 14:15 PM while going to the Airport in taxi. At the beginning he believed he had left the cellphone to the Restaurant and immediately called his daughter (with a spare mobile phone) asking her to go back there for a check. The footage at the Restaurant shows that she effectively went there looking for the lost object. Of course she was not able to find it and at 14:28 PM she sent him a message indicating she could not find it.

At 15:01 PM, while approaching the airport, DSK was still attempting to find his missing phone, calling it from his spare with no answer. According to the records of the BlackBerry company, the IMF device had been disabled at 12:51 PM.

At 15:29 PM, he called the hotel from the taxi, indicating his room number and giving a phone number, so that he could be called back, in case his phone was found.

Thirteen minutes later he was called back from a hotel employee who was in the presence of a police detective. The hotel employee falsely told him that his phone had been found and asked where it could be delivered. DSK told him that he was at JFK Airport and that he had a problem since his flight left at 4:26 PM. He was reassured that someone could bring it to the airport in time, so he gave her the Gate and Flight number which allowed the police to call DSK off the plane and take him into custody at 4:45 PM.

 DSK’s BlackBerry is still missing and the records obtained from BlackBerry show that the missing phone’s GPS circuitry was disabled at 12:51 PM. Probably the cell phone was “lost” inside the Sofitel, for sure this occurrence has prevented DSK to verify if he was under surveillance or not.

The reasons why DSK was so concerned about the possible interception of his messages on this BlackBerry are not clear even if Epstein suggests a couples of scenarios. The phone could contain some embarrassing information related to the scandal occurred to Carlton Hotel in Lille where high-class escort women were allegedly provided by corporation to government officials (I believed this kind of affair only happened in Italy)  (DSK denies that he was connected to the prostitution ring.). Otherwise his concern could also derive from other matters, related to his IMF role, such as the sensitive negotiations he was conducting for the IMF to stave off the euro crises.

Still doubtful about Mobile Security Risks?

Follow

Get every new post delivered to your Inbox.

Join 3,042 other followers