The good news about mobile malware in 2015 is that growth has slowed down. The bad news is that the malware entering the market is more virulent than ever.
While there hasn’t been a sharp rise in the volume of mobile malware this year, the increasingly malicious nature of the types of malware and attacks is alarming,Blue Coat Systems said last week in its 2015 Mobile Malware Report.
“Ransomware is getting more evil, more robust, similar to the evolution it followed on the desktop,” said Chris Larsen, a senior malware researcher at Blue Coat.
For example, one ransomware strain resets the personal identification number on an Android phone. The ransomware can be foiled by resetting the phone to its factory settings, but in the process, the contents of the mobile will be lost.
The PIN reset malware appears to have been written by a cyberversion of the Gang Who Couldn’t Shoot Straight. That’s because it replaces a user’s PIN with a random number that’s unknown not only to the user but also to the extortionists.
Don’t Live in Russia
While researchers find many new variants of mobile malware every day, the average mobile user isn’t encountering them, Blue Coat reported.
“The standard advice is don’t jailbreak or root your phone, get your apps from the Apple Store or Google Play, and don’t live in China or Russia,” Larsen told TechNewsWorld.
“And don’t surf for porn,” he added. “We’ve seen porn sites linked to a lot of ransomware.”
Warning users about risky behaviors, though, many times reaches deaf ears.
Phishing Knows No OS
“The challenge for security leaders is that no matter how much you train your staff about security, there always seems to be that one employee who downloads a porn app directly from an untrusted third-party website to their phone,” said Ken Westin, a senior security analyst atTripwire.
“To our horror, those individuals are then connecting their devices to the corporate WiFi or accessing corporate email and documents from that same infected phone,” he said.
While more malware is being written for the Android platform than for Apple’s iOS, the most effective attacks on mobile phone users remain agnostic, Blue Coat reported.
“Phishing scams don’t care what kind of device they’re on. Luring people with porn doesn’t care what kind of device it’s on,” Larsen said.
“The device will affect what kind of payload a bad guy can do,” he added, “but if you’re just trying to scam information, the device doesn’t matter.”
Beware Wearables
A recent proof of concept by a security researcher described how a fitness band could be hacked to infect a personal computer with malware. Although only a theoretical exercise, it’s one that should open the eyes and minds of IT departments everywhere.
“Enterprises have enough problems handling regular computing assets — laptops and things like that — from a cyberdefense perspective,” said Ben Johnson, chief security strategist atBit9 + Carbon Black.
“Now you start factoring in watches and other devices that everyone who walks off the street can have and it’s going to be a nightmare,” he told TechNewsWorld. “It increases the surface area for attacks tremendously.”
A big driver behind acceptance of employee mobile devices in the workplace was productivity. That’s not the case with wearables.
“The reason and benefit for allowing them is not as clear,” Johnson said. “However, it’s going to be hard for IT or the security team to inspect everyone’s watch and see if it’s a regular watch or a smartwatch.”
Bring Your Own Tools
Even if organizations had the resources to monitor wearables, it’s doubtful they would do so.
“They’re not going to try to prevent you from wearing your special watch, your Fitbit or your heart monitor to work,” Johnson said.
“I’ve had CISOs tell me, ‘When I hire a carpenter to come to my house, I don’t give him his tools. When I hire a programmer, I expect him to show up with what he needs to do his job,’ ” he added.
Moreover, because of the shortage of qualified technical personnel, “you’re at the mercy of offering perks and allowing flexibility,” Johnson said.
Owners may perceive their wearables as innocuous, but any device with wireless connectivity can be a threat.
A CEO taking a noontime run in the park, for example, could have his fitness band or heart-rate monitor infected by a fellow runner or someone lurking in the weeds with a laptop. When the CEO returns to the office, the infection can jump from the wearable to a device connected to the corporate network.
“There hasn’t been proof that anything like that exists yet, but that’s not far off,” Johnson said.
Senate OKs CISA
The U.S. Senate last week approved and sent to House the Cybersecurity Information Sharing Act on a vote of 74-21.
“The bill essentially allows for a loose interpretation of ‘cyberthreat intelligence’ and makes companies immune from prosecution by allowing them to share it with any government agency directly, including the NSA,” said Justin Harvey, CSO ofFidelis Cybersecurity.
“This moves us back into an Edward Snowden situation where companies can collect metadata on citizens under the thin veil of collecting threat data and share it directly with the NSA,” he added.
When passing the measure, the Senate rejected a number of amendments that opponents maintained would protect the privacy of individuals.
“By failing to require companies to remove all personally identifiable information prior to sending data to the government, today’s vote in the Senate potentially exposes the online activity of millions of Americans to collection and storage, while doing little to protect us from hackers or other bad actors,” said Virginia Sloan, president ofThe Constitution Project.
“It also opens the door to law enforcement and intelligence agencies obtaining without a warrant sensitive personal data ordinarily protected by the Fourth Amendment,” she added.
One-Way Sharing Must End
The Senate’s refusal to include privacy protections in the bill ultimately could sabotage it should it become law, maintainedSeculert CEO Richard Greene.
“My concern is that until those issues are addressed, many in the private sector will choose not to participate, which will ultimately limit the effectiveness of the entire program,” he said.
When the subject of sharing threat intelligence arises, two barriers commonly are cited. One, liability, is addressed in the Senate legislation. The other, willingness by secretive government agencies to share high-level intelligence with the private sector, is not.
“If the bill would open up unique threat intelligence to the private sector, then it’s worth doing,” said Chris Petersen, founder and CTO ofLogRhythm.
“If the bill only allows for the private sector to share with the public sector, then it probably isn’t worth doing,” he told TechNewsWorld.
“The free market is doing a pretty good job now of sharing industry-to-industry threat intelligence. What isn’t available is the unique intelligence held by the likes of the NSA, CIA and DOD,” Petersen noted.
“If this bill would unlock that kind of intelligence so we can protect our critical infrastructure, there’s a value in that,” he continued.
Breach Diary
- Oct. 26. Police in Northern Ireland arrest a 15-year-old boy in connection with a data breach at TalkTalk in which the payment card information of 4 million customers was placed at risk.
- Oct. 27. Bon Secours St. Francis Health System in Greenville, South Carolina, is actively investigating a data breach by a former employee in which nearly 2,000 medical records were compromised, the company says.
- Oct. 27. Retailer Marks & Spencer notifies some 800 customers that a technical issue at its website allowed some of their personal information to be exposed to other members of the site.
- Oct. 27. Southern Methodist University releases a survey of 40 executives in financial, retail, healthcare and government industries finding 46 percent of them say they’re spending the right amount money on security, while 64 percent say their peers are spending too little on it.
- Oct. 29. The European Parliament, on a vote of 285 to 281, approves a resolution recommending states in the European Union drop all criminal charges against Edward Snowden.
- Oct. 29. A U.S. appeals court in New York denies a motion to suspend an NSA mass surveillance program prior to a law banning the program that takes effect Nov. 29.
- Oct. 29. A new Safe Harbor agreement with better privacy protections for Europeans should be ready “shortly,” U.S. Secretary of Commerce Penny Pritzker tells reporters in Frankfurt, Germany.
- Oct. 29. Webhost.com announces on Facebook that its main server was breached and personal information of more 13.5 million customers stolen.
- Oct. 29. First National Bank of Omaha begins reissuing payment cards to an undisclosed number of customers in seven states, citing a data breach at a “national business,” which it declined to identify.
- Oct. 29. British Gas alerts 2,200 of its customers that their email addresses and account passwords were posted online. Information was not obtained from a data breach of its systems but from some other source, the company asserts.
- Oct. 29. Optimal Payments is investigating information that personal information from some of its customers obtained in data breaches of two of its units in 2012 or earlier has been posted for sale on the dark Web, the company discloses.
- Oct. 30. Morrisons supermarket in the UK is sued by 2,000 employees over their personal information being leaked by a disgruntled former employee. Andrew Skelton, 43, was convicted of the data theft in July and sentenced to eight years in prison.
- Oct. 30. Police arrest a second suspect in the TalkTalk data breach. The 16-year-old boy was pinched in West London and subsequently released on bail.
Upcoming Security Events
- Nov. 7. B-Sides Dallas/Fort Worth. UT Dallas, Science Learning Center building. Free.
- Nov. 7-8. Collegiate Pentesting Competition. B. Thomas Golisano College of Computing and Information Sciences bilding, Rochester Institute of Technology.
- Nov. 10. FedCyber 2015 Annual Summit. Tyson’s Corner Marriott, 8028 Leesburg Pike, Tyson’s Corner, Virginia. Registration: $395; academic, $145; government and military, free.
- Nov. 10-13. Black Hat Europe. Amsterdam RAI, The Netherlands. Registration: before Nov. 6, 1,295 euros plus VAT; after Nov. 5, 1,495, plus VAT.
- Nov. 11-12. Seattle SecureWorld. Meydenbauer Center, 11100 NE 6th St., Bellevue, Washington. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
- Nov. 13-14. B-Sides Delaware. Wilmington University, New Castle Campus, 320 North Dupont Highway, New Castle, Delaware. Free with registration.
- Nov. 18. Leverage Machine Learning Using Splunk User Behavioral Analytics. Noon ET. Webinar sponsored by Splunk. Free with registration.
- Nov. 24-25. Cyber Impact Gateway Conference. ILEC Conference Centre and Ibis London Earls Court, London, UK. Registration: Before Oct. 9 — end users, 1,799 pounds plus VAT; solution providers, 2,799 pounds plus VAT. Before Oct. 30 — end users, 1,899 pounds plus VAT; solution providers, 2,899 pounds plus VAT. Standard — end users, 1,999 pounds plus VAT; solution providers, 2,999 pounds plus VAT.
- Dec. 7-9. Gartner Identity & Access Management Summit. Caesars Palace, 3570 Las Vegas Blvd. South, Las Vegas. Registration: $2,695; public sector, $2.225.
- Dec. 12. Threats and Defenses on the Internet. Noon ET. Northeastern University, Burlington Campus, 145 South Bedford St., Burlington, Massachusetts. Registration: $6.