Carrier IQ Rootkit Logs Everything On Millions Of Phones

If you use an Android, BlackBerry, or Nokia smartphone then you may be at risk of being illegally wire tapped by Carrier IQ–a provider of performance monitoring software for Smart Phones. A “rootkit” is software that hides itself while utilizing privileged access like watching your every move.

Earlier this month a user named Trevor Eckhart announced that he found software, made by Carrier IQ, that may be logging your every move on your mobile phone. He found that the application IQRD, made by Carrier IQ, was running on his phone and he could not kill or force stop the app.He also noted the app runs everytime his phone was turned on.

After connecting his HTC device to his computer he found that IQRD is secretely Key logging every single button that he clicks on the phone, even the touch screen number pad. IQRD is also shown to be logging text messages. He was also able to show that Carrier IQ is also logging web searches. While this doesn’t sound all that bad by itself, what’s creepy about it is that Carrier IQ is logging what happens during an HTTPS connection which is suppose to be encrypted information. Additionally, it can do this over a Wi-Fi connection with no 3G; so even if your phone service is disconnected IQRD still logs the information.

Carrier IQ’s Mobile Intelligence platform is currently deployed with more than 150 million devices worldwide. Paul Ohm, a former Justice Department prosecuter and professor at the University of Colorado Law School, stated that this isn’t just creepy, but it’s also likely grounds for a class action lawsuit against a federal wiretapping law.

Unfortunately, this software is a real pain to remove. If you don’t want to be tracked and your device has Carrier IQ on it then your only option may be to erase and reinstall your OS.

Dropbox for Teams

Those folks over at Dropbox have now created a Team version of their software – basically, it allows you to start with 5 user accounts and share 1000 gigs of data among the five users. You can designate a limited amount available for each user or can simply allow all users to use the space until you need more.

If you have more than 5 users, you can add them in for an additional $125 per year and are given another 200 gigs of storage. There is no top limit to the storage or users you can get.

How much does this cost? Only $795 per year (as opposed to $1,000 per year for 5 – 100 gig accounts). You also get unlimited revisions (aka PackRat – a $40 per user per year cost under the individual plan) and something new – phone support!

Need more faqs? Just check it out here – https://www.dropbox.com/help/category/Teams

 

Skype in the Enterprise: Is Your Security Program Ready to Chat?

SecureState was recently asked if using Skype within a business environment for very specific cases was a good idea. The company asking the question was unsure of the security implications and what risk would be introduced by implementing the Skype application.

Concerns over security and privacy have existed ever since Skype was launched over eight years ago.  What is the consensus now regarding data protection when using Skype in the enterprise?

Multiple researchers have performed analysis on the Skype application.  It has proven to be difficult to analyze due to a number of deliberate measures put in place to prevent viewing the underlying actions of the software. These countermeasures include packing of the binary, polymorphic integrity checks, checks/traps for debuggers, and obfuscation of code and network traffic.  Multiple researchers have performed analysis on the Skype application. The main points from their research is that the cryptography employed is actually done well, but the application still is mostly a black box.

Putting Risk in Context – it’s useful to step back and evaluate the fuller picture in the context of your existing operations.

For example, how are you communicating today in your organization?  If you are making calls which route across a PSTN (Public Switched Telephone Network) then you are already putting your conversations into the hands of service providers, governments, and whoever else may have physical access to the lines.  Perhaps you think you’re safe because you’re purely digital, and you route VOIP calls across an MPLS VPN to your remote offices.

However, yet again trust has been placed in an unknown entity:  that service provider’s network, operations, and controls (or lack of).

Looking at another example, do you permit employees to dial in to conference bridges from their home phones or personal cell phones?  Do your employees ever use their cell phones in a public location such as a crowded bus on their way to work?  You may be laughing or scoffing, but such lax data security practices have occurred more times than you’d care to think about.

In terms of tightening data protection to reduce the risk of direct data leakage,  this boils down to establishing data classification and data handling procedures and policy, and indoctrinating employees in that policy.

Skype traffic should be treated as a public entity or third-party service provider.  Usage of the service and the type of data or information which passes through the Skype network should then map to your data handling procedures accordingly.

Another factor to consider is that you now have another piece of software deployed that needs to be managed and updated.  Many organizations already have a hard enough time keeping up with patch management for major components such as operating systems, browsers, and browser plug-ins. The introduction of additional software increases the operational burden as well as the surface area which can be attacked.

In fact, while much of Skype’s traffic is encrypted, traffic which contains advertisements is not, making it prone to injection of malicious data.  Before permitting Skype software to be installed, work with the team who manages desktop software to make sure they have an established process for the following activities:  deploying software in a preconfigured manner, tracking software updates, and pushing out updated versions upon release.

As with all risk decisions, there is no black and white answer that is universal to every organization regarding Skype.

SSO and the Cloud

At the Cloud Security Alliance (CSA) Congress last week and there were several vendors offering Identity as a Service/SSO tools. I’ve also been looking at potential tools for customers. Based on the material I’ve read and talks with some of their engineers, Symplified (http://www.symplified.com/) looks like a good tool. They also recently announced a partnership with CipherCloud who provides encryption and tokenization services. Ping Identity is another tool I’ve researched but not tested (https://www.pingidentity.com). Domain 12 (Identity, Entitlement, & Access management) of the recently released CSA Security Guidance for Critical Areas of Focus in Cloud Computing V3.0 has some good information on Identity in the cloud and things to look for when choosing a vendor.

You can download a copy of this paper here – https://cloudsecurityalliance.org/wp-content/uploads/2011/11/csaguide.v3.0.pdf

The Importance of Software Updating

When the integrity of your system and network is at stake, neglecting a critical software update is the last task that should be placed on the back burner.

According to an article posted on Dark Reading over the summer “Six out of every 10 users of Adobe Reader are running unpatched versions of the program, leaving them vulnerable to a variety of malware attacks…”

All software updates, although seemingly trivial, can offer protection against a variety of vulnerabilities. Most of us will readily update our anti-virus software; we all understand that it can prevent a virus from taking control of our computer or deleting our data. While the antivirus software actively scans incoming files/emails, AV software is similar to a last line of defense; it is there when your computer has already been the target of an exploitation.

It is really the everyday applications such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office that are prime candidates for exploitation by hackers if left unpatched.  Unbeknownst to many of us, there is software that can scan your computer and network and check for these un-patched systems. The software can report back exactly which software updates are missing, and then use another tool to actually exploit those vulnerabilities.

Depending on the severity of the security hole, an attacker could take complete control of your computer. An attacker could literally remote connect and disable the physical keyboard and mouse, leaving you to watch them do as they wish.

Granted, you could unplug the Ethernet port or power off the computer, but still terrifying to think about if you have confidential or proprietary data on your system.

Reportedly, the RSA hack that occurred earlier this year used Microsoft Excel to execute a VBA script to exploit an Adobe Flash vulnerability. The Excel script put a backdoor on the computer that allowed the attacker full access to the machine, as well as the networks the user had access to.

While an operating system update is annoying, having to install and restart your system in the middle of the day, they are critical at times. Patching your email, instant messenger, web browser, etc, should be a top priority. In fact, any software that is used around sensitive information should be regularly updated. Most, if not all, software that runs on your operating system will regularly check for updates.

However, make sure to check that any hardware peripheral devices that have software applications on them, such as a secure USB/HDD drive also automatically checks for its own software updates.

Norway hit by major data-theft attack

Data from Norway’s oil and defense industries may have been stolen in what is feared to be one of the most extensive data espionage cases in the country’s history, security officials said Thursday.

Industrial secrets from companies were stolen and “sent out digitally from the country,” the Norwegian National Security Authority said, though it did not name any companies or institutions that were targeted.

At least 10 different attacks, mostly aimed at the oil, gas, energy and defense industries, were discovered in the past year, but the agency said it has to assume the number is much higher because many victims have yet to realize that their computers have been hacked.

This is the first time Norway has unveiled such an extensive and widespread espionage attack. The methods varied, but in some cases individually crafted e-mails that, armed with viruses, would sweep recipients’ entire hard-drives for data and steal passwords, documents and confidential documents.

The agency said in a statement that this type of data-theft was “cost-efficient” for foreign intelligence services and that “espionage over the Internet is cheap, provides good results and is low-risk.” Veire would not elaborate, but said it was not clear who was behind the attacks.

The attacks often occurred when companies were negotiating large contracts, the agency said.

Important Norwegian institutions have been targeted by hackers before.

In 2010, some two weeks after Chinese dissident and democracy activist Liu Xiaobo was named that year’s Nobel Peace Prize winner, Norway’s Nobel Institute website came under attack, with a Trojan Horse, a particularly potent computer virus, being installed on it.

Other attacks on the institute in that same period came via email, containing virus-infected attachments

 

Malware on Androids up over 400% from last year (and other trends)

Malware targeted toward Android devices continues to surge pushing 2011 to become the busiest year in history for both mobile and general malware.

The amount of malware infecting Android devices during the third quarter grew almost 37 percent from the second quarter. Android’s growing demand among consumers has made it an increasingly ripe and inviting target for cybercriminals.

Among all mobile platforms, Nokia’s Symbian OS is still seeing the greatest amount of malware. But almost all new mobile malware over the third quarter was aimed squarely at Android.

One common scheme against Android is led by Trojans that collect personal information and steal money from the user by sending SMS messages. Another type of malware records phone conversations and sends them to the attacker

Phony antivirus products, AutoRun malware, and password-stealing Trojans were among the most common types of malware in the quarter, staging a rebound from previous quarters. Malware aimed at the Mac also continues to grow as Apple computers experience greater demand among both consumers and businesses.

The number of botnet infections inched down over the third quarter but staged some dramatic gains in countries such as Argentina, Indonesia, Russia, and Venezuela. Cutwail, Festi, and Lethic proved to be the most dangerous and damaging botnets last quarter.

And though spam has dropped in numbers since 2007, it’s grown in sophistication, according to McAfee. Spearphishing, or targeted spam, is increasingly being adopted by more attackers and is proving to be a highly effective form of malware.