Security in 2012: A look back at Q1

Today, ‘Mobile’ has become a technology buzzword. Mobile technology, of course, refers to portable technology, which runs the gamut from mobile phones and laptops to global positioning system (GPS) devices. Like any other kind of technology, mobile technology has its disadvantages and concerns, including that of security.

Android under attack

Android-based smartphones suffered from more criminal attacks this quarter. With the increased use of smartphones for web browsing, it is no surprise that the number of mobile attacks increased. The popularity of apps led to the existence of bogus Android apps like the fake ‘Temple Run’ and optimizer apps. One prominent mobile threat this quarter was one-click billing fraud, which can charge a user up to $1,300 just for clicking a button.

Data breaches and APTs

As the name implies, persistence is key when it comes to Advanced Persistent Threats (APTs). Attackers go deep into a target’s network to get what they want. Highly targeted attacks are categorized as ‘campaigns’, as these refer to a series of failed or successful attempts to compromise a targeted network. One notable example of this is the Luckycat campaign, which targeted several industries. Common lures for targeted attacks this quarter include popular sports figures and sociopolitical events.

Social media threats

Social networking has created a generation of users more likely to reveal personal data to third parties. Social media has become an effective platform for cybercriminals to spread malware. Even more troubling is the fact that the presence of cybercriminals and cunning social engineering lures put not only users at risk, but also the companies they work for. Even newly formed social networking sites were not spared this quarter, with survey scams finding their way to Pinterest.

Vulnerabilities

The number of reported vulnerabilities this quarter showed that threats can easily spread among systems and possibly even mobile devices. One vulnerability, MS12-020 (CVE-2012-002), was given the highest rating on Microsoft’s exploitability index, as it can consistently be exploited even by unauthenticated users. MS12-020 allows cybercriminals to remotely execute commands on infected systems.

Among vendors, Apple posted the highest number of reported vulnerabilities this quarter, along with a record-breaking number of patches.

Cybercrimes

Blended threats are cybercriminals’ answer to causing greater damage to unsuspecting users. Ransomware reared its ugly head once more, taking systems or files ‘hostage’ until victims paid up. One SINOWAL variant spread using a compromised Dutch site. Other notable threats included spoofed emails bearing a malicious JavaScript and backdoors that stole sensitive information.

Some days, you just want to stay inside and read a book.

Can Dropbox, other cloud providers survive Google Drive?

The 800-pound gorilla has landed and is leveraging its existing relationship with hundreds of millions of users to port them to their cloud storage and file sharing service Google Drive. Can smaller cloud storage players survive this assault?

Like Apple and Microsoft, Gartenberg noted that Google has a relationship with millions of consumers who use its Gmail, Google Docs, Chrome web browser and any number of other applications. Because of those existing relationships, Google has an advantage in being able to woo existing customers over to its new storage and synchronization service.

While Google Drive will no doubt compete with Microsoft’s SkyDrive and Apple’s iCloud, the companies more at risk are smaller specialized service providers, such as Dropbox, Box, SugarSync and YouSendIt. Those sites have appealed more to technology enthusiasts, not average consumers. And, when it comes to adoption, relationships matter.

Google offers 5GB of capacity for free and allows an upgrade to 25GB for $2.49 a month, 100GB for $4.99 a month or 1TB for $49.99 a month. When you upgrade to a paid account, your Gmail account storage will also expand to 25GB. On an annual basis, Google Drive charges $60 for 100GB.

The price difference is clearly an issue – many existing Dropbox users will move due to this alone.

While Google Drive is currently aimed at consumers, it won’t be long before business-class offerings that allow IT managers administrative control emerge.

Box.net is clearly the leader in mass market enterprise cloud storage. For example, Box allows multiple email domains to exist inside the same enterprise account, allowing different business groups to have their own email accounts for collaboration purposes.

This may change …. soon.

 

New, sneakier Flashback malware infects Macs

A new, sneakier variant of the Flashback malware was uncovered yesterday by the French security firm Intego.

Flashback.S, which Intego described Monday, uses the same Java vulnerability as an earlier version that has infected an estimated 820,000 Macs since its appearance and still plagues over 600,000 machines.

But unlike Flashback.K, the variant that first surfaced last month and has caused consternation among Mac users, Flashback.S never asks the victim to enter an administrative password for installation, but instead relies only on the silent exploit of the Java bug to sneak onto the system.

Flashback.K used different infection tactics: Even though it exploited the same Java vulnerability — identified as CVE-2012-0507 — it also displayed the standard OS X password-request dialog. If users entered their password, the malware installed itself in a different location, where it was even harder to detect.

The hackers responsible for Flashback appear to be making money through click fraud, where large numbers of people are redirected to online ads not normally served by the site the user is viewing. The criminals receive kickbacks from shady intermediaries for each ad clicked.

The Java flaw used by both Flashback.S and the earlier Flashback.K was patched by Oracle in mid-February, but Apple, which maintains its own edition of Java for OS X and so is responsible for patching Java bugs, did not issue its fix until April 3, seven weeks later.

Users are infected by Flashback.S when they browse to compromised or malicious sites; the tactic is called a “drive-by” to reflect the lack of required user action beyond steering to a URL.

Because Flashback.S uses different names for the files it drops on a Mac, and installs those files in a different location than Flashback.K, it’s possible that the malware seek-and-destroy tool Apple released April 12 won’t eradicate the variant.

It wouldn’t be a surprise if Apple’s tool did not eliminate Flashback.S: Last year, cyber criminals and Apple went several rounds over MacDefender, a family of fake antivirus programs that wriggled onto a large number of Macs. Several times, the hackers responded to Apple moves by modifying their tactics or code to sidestep just-deployed defenses.

Flashback is easily the most widespread and pernicious malware Mac owners have yet faced.

 

Self-Encrypting Drives: The Evolution of Encryption

Self-encrypting devices (SEDs) have garnered little attention from those outside the information security industry. Although SEDs solve many problems such as data loss and performance issues, many organizations do not use or understand the technology. What is a self-encrypted hard drive? The drive itself protects the data, with either 128-bit or 256-bit AES keys that are stored in the drive itself – the encryption keys are generated within the drive, so there are no keys to lose. The keys never leave the drive.

There’s the media encryption key that encrypts the data, and the authentication key that is used to unlock the drive and decrypt the media encryption key. Without the authentication key, there is no media encryption key in the drive at all. You create the password, then the only way to get back onto the drive–and to the data that’s on the drive–is with the password (or passwords) you set up.

The three main benefits of Self-encrypting devices are:

  1. They replace software-based encryption, which can be expensive and negatively impacts device performance, and they make it easy to manage and control authorized users and authentication methods.
  2. They significantly reduce the time IT spends on configuration, maintenance, and encryption key management.
  3. There is no complication or performance overhead, unlike disk encryption software, since all the encryption is invisible to the operating system and the host computer’s processor.

Based on the Trusted Computing Group’s standard, hard drives and solid state drives (SSDs) now offer self-encryption built in. The key difference with these next-generation encrypted drives is that the encryption is integrated into a single chip in the drive.

Securing data storage is especially important for small businesses, due to legal specifications that require companies to report breaches, and to maintain data for long periods of time for accountability purposes.

When it comes to Hardware Full Disk Encryption, there are two main use cases – Data At Rest protection, and Cryptographic Disk Erasure.

In Data At Rest protection a laptop is simply closed, which powers down the disk. The disk now self-protects all the data on it. Because all the data, even the OS, is now encrypted with a secure mode of AES and locked from reading and writing, the data is safe. The drive requires an authentication code which can be as strong as 32 bytes (2^256) to unlock.

When a Cryptographic Disk Erasure command is given (with proper authentication credentials), the drive self-generates a new media encryption key and goes into a ‘new drive’ state. The old data has become irretrievable. Unlike other forms of sanitization, this action takes a few milliseconds at most. So a drive can be safely repurposed very quickly.
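The two-key arrangement and the two use cases described above can be modelled in a few lines. This is an added example, not code from the original post or from any drive vendor: `ToySED` and its methods are hypothetical names, and an HMAC-SHA256 keystream stands in for the drive's hardware AES so the sketch runs with the Python standard library alone.

```python
import hashlib, hmac, secrets

def _xor_stream(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 keystream); a real SED uses AES in hardware.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

class ToySED:
    """Hypothetical model: password -> authentication key -> wrapped MEK -> data."""
    def __init__(self, password):
        self._salt = secrets.token_bytes(16)
        self._sectors = {}    # LBA -> ciphertext as stored on the media
        self._mek = None      # plaintext MEK exists only while unlocked
        self._new_mek(password)

    def _auth_key(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
    def _new_mek(self, password):
        ak = self._auth_key(password)          # MEK is generated inside the drive
        self._wrapped = _xor_stream(ak, b"wrap", secrets.token_bytes(32))
        self._tag = hmac.new(ak, self._wrapped, hashlib.sha256).digest()

    def unlock(self, password):
        ak = self._auth_key(password)
        tag = hmac.new(ak, self._wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self._tag):
            return False                       # wrong password: MEK stays wrapped
        self._mek = _xor_stream(ak, b"wrap", self._wrapped)
        return True
    def power_off(self):
        self._mek = None                       # data at rest: only ciphertext remains

    def _io(self, lba, data):
        if self._mek is None:
            raise PermissionError("drive is locked")
        return _xor_stream(self._mek, lba.to_bytes(8, "big"), data)
    def write(self, lba, data):
        self._sectors[lba] = self._io(lba, data)
    def read(self, lba):
        return self._io(lba, self._sectors[lba])

    def crypto_erase(self, password):
        if not self.unlock(password):
            raise PermissionError("authentication failed")
        self._new_mek(password)                # old MEK destroyed, media untouched
        self.unlock(password)
```

After `power_off()` a `read()` raises `PermissionError` until the right password is supplied; after `crypto_erase()` the same sector reads back as noise, because the ciphertext is still on the media but the key that produced it no longer exists.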

Disadvantages

  1. Pure hardware-based FDE does not have any strong authentication component.
  2. Lack of scalable management; no central management component.
  3. Hardware Full Disk Encryption is only safe when the computer is off or hibernated. If the computer is stolen while turned on or only suspended, a restart which boots from a USB stick or CD may reveal the data without need for the password, because the user may not be prompted to enter it. Some specific hardware configurations may have additional protection mechanisms to limit this exposure.

 

Sign Up For A Free Computing Course

Udacity is a web-based college/university that offers free courses in various computer-related subjects.  Courses typically last 7 weeks, and you can follow at your own pace in your own time.  At the end of the course there’s an exam, so that you can be awarded a grade.

The courses are free to access, and cover a variety of topics, with more due to be added soon. Check out www.udacity.com to find out more.

Microsoft SkyDrive Finally Gets Its Desktop App

Until now, the main difference between the way that you use Dropbox and Microsoft’s SkyDrive is that the latter is only available via a web site.  There’s no officially supported way to mount your SkyDrive as a virtual drive in Windows 7, to which you can copy and save files.

As of today, that’s changed.  Microsoft has finally released a Windows app that integrates your SkyDrive into the operating system.  So now you have a drive which you can use just like any other, but which is held in the cloud and automatically synced to your other computers too.  Safe, secure, and reliable.  Well, as much as any cloud-based service can be.

You can get the SkyDrive Windows app from https://apps.live.com/skydrive.  You’ll need to sign up for a Windows Live ID if you don’t already have one.  And be aware that Microsoft has cut the storage allowance for new accounts, so you only get 7 gig for free instead of 25.  But it’s still more than the 2 GB which you get for free with Dropbox.

 

Can I Get an iPhone Virus?

Question: Can I Get an iPhone Virus?

While getting an iPhone virus is a legitimate concern on an Internet where there are thousands (and likely many, many times more) of viruses, most users don’t have to worry about their phone picking up a virus.

Answer: While the technically correct answer is yes, iPhones (and iPod touches and iPads, since they run the same operating system) can get viruses, the likelihood of that happening (at least right now) is extremely low. There have only been a few iPhone viruses created and most were created by security researchers and haven’t been released on the Internet.

Of the iPhone viruses that are “in the wild,” there are worms, a kind of virus, that almost exclusively attack iPhones that have been jailbroken. So, as long as you haven’t jailbroken your device, your iPhone, iPod touch, or iPad should be safe from viruses.

But Should I Get iPhone Virus Protection To Be Safe?

The answer, for now at least, is no. There aren’t any identified iPhone viruses in the wild–there have only been proof-of-concept viruses and attacks.

As you can see, deciding whether you need iPhone virus protection depends on what you do with your phone. Another way to answer the question, though, is based on what antivirus software is available for the iPhone. Turns out, not much.

However, as a reminder, if you have jailbroken your device, you should be concerned about malware and viruses.

Three versions of Microsoft’s Windows 8 OS

For those with Intel-compatible machines, the OS will be available in two versions – Windows 8 and Windows 8 Pro. For those with devices, largely tablets, powered by ARM-designed chips there will be a Windows RT version.

Microsoft wants to simplify how it markets Windows 8, which is expected to launch in autumn 2012. The complex versions of previous Windows – from basic to home, premium to ultimate – have confused consumers.

Microsoft has called Windows 8 the most significant redesign of the Windows interface since its groundbreaking Windows 95 OS.

The ARM version of the OS is the newest edition and reflects Microsoft’s desire to unify the engine known for running desktop computers with that for tablets and smartphones. Windows RT will sit alongside Apple’s iOS and Google’s Android operating systems.

A preview version of Windows 8 launched late last year and more than 100,000 changes had been made since the developer version went public. For the first time since its inception, the trademark Windows “Start” button will no longer appear – instead being replaced by a sliding panel-based menu.

Free Utility Flips And Rotates Video Files

Ever needed to mirror reverse a video or rotate it 90 or 180 degrees? Then this free utility will do the job for you. It’s virus free but like many freebies these days offers to install a toolbar during program installation. Just say “no” and all will be sweet.

You can’t blame some software authors trying to make a buck out of their labors but frankly these optional toolbars are becoming far too common for my liking. That’s why these days you really need to be vigilant when installing new products, free commercial or otherwise.

You’ll find it at http://www.dvdvideosoft.com/products/dvd/Free-Video-Flip-and-Rotate.htm

EU: Possession of Hacking Tools to Become a Criminal Offense

Cyber attacks on IT systems would become a criminal offense punishable by at least two years in prison throughout the EU under a draft law backed by the Civil Liberties Committee.

Possessing or distributing hacking software and tools would also be an offense, and companies would be liable for cyber attacks committed for their benefit.

The proposal, which would update existing EU legislation on cyber attacks, was approved by 50 votes in favor, 1 against and 3 abstentions.

The proposal would establish harmonized penal sanctions against perpetrators of cyber attacks against an information system – for instance a network, database or website. Illegal access, interference or interception of data should be treated as a criminal offense.

The maximum penalty to be imposed by Member States for these offenses would be at least two years’ imprisonment, and at least five years where there are aggravating circumstances such as the use of a tool specifically designed for large-scale (e.g. “botnet”) attacks, or attacks that cause considerable damage (e.g. by disrupting system service), financial costs or loss of financial data.

Using another person’s electronic identity (e.g. by “spoofing” their IP address), to commit an attack, and causing prejudice to the rightful identity owner would also be an aggravating circumstance – for which MEPs say Member States must set a maximum penalty of at least three years.

MEPs also propose tougher penalties if the attack is committed by a criminal organization and/or if it targets critical infrastructure such as the IT systems of power plants or transport networks.

No word on how this would deal with security firms trying to test and help modify existing security firewalls. It appears just having the hacking tools would get you in trouble.