Mobile Apps Failing Security Tests

It’s been said that there are over a million different apps for the smartphone. Well, however many may exist, know that not all of them are passing security tests with flying colors.

You may already be a user of at least several of the 25 most downloaded apps. And what’s so special about the top 25? 18 of them flunked a security test that was given by McAfee Labs™ this past January. And they flunked the test four months after their developers had been notified of these vulnerabilities.

App creators’ first priority is to produce the next winning app before their competitors do. Hence, how secure it is doesn’t top the priority list, and that’s why there’s such a pervasive problem with security in the mobile app world.

Because these apps failed to set up secure connections, the door is open for cybercriminals to snatch your personal information, such as credit card numbers and passwords. And the problem is growing, because this weakness in apps is so well known and it’s pretty easy for cybercriminals to purchase toolkits that help them infect smartphones via these vulnerable apps.

The technique is called a “man in the middle” attack. The “man” stands between you and the hacker, seizing your personal information. The “man” may capture your usernames and passwords for social media accounts and so much more—enough to open up a credit card account in your name and then max it out (guess who will get the bills); and enough to commit a lot of damage by manipulating your Facebook account.

So What Can You Do?

Here are some tips to help you protect yourself from these insecure apps:

  • Before purchasing an app, get familiar with its security features—read reviews and check what permissions the app is asking access to. You don’t want to end up with an app that accesses way more information about you than necessary for what you want the app for in the first place.
  • Download only from reputable app stores, not third-party vendors. This will reduce your chance of downloading a malicious app.
  • Don’t have your apps set to auto login. Even though it may be a pain when you want to access Facebook, it’s better to be safe than sorry.
  • Make sure you use different passwords for each of your apps. Sorry, I know that’s a hassle, but that’s what you must do. And make sure your password is long and strong.

Here’s to staying safe on our mobile devices.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.

What is a Rootkit?

A rootkit is a kind of software that conceals malware from standard detection methods. A good analogy for a rootkit would be a burglar breaking into your house. The burglar is dressed all in black, so that his form blends into the darkness. He tiptoes around to hide his sounds so he’s more likely to go undetected as he steals your belongings. But unlike the burglar, who usually takes your stuff and leaves, an efficient rootkit can stick around for years doing its work, robbing your computer or mobile device of data.

How do you get a rootkit? One way is via a , or a malicious file that looks benign, like a plug-in that you download or an email attachment that you open. Rootkits can also be spread through infected mobile apps.

Once downloaded, a rootkit will interfere with your device’s functions, including your security software. If you run a security scan, a rootkit will often prevent your security software from showing you this information so you’ll have no idea that malware is running on your device.

Because of this, it is difficult to detect a rootkit. Detection methods include looking for strange behavior on your device or scanning your device’s memory. If you do believe that you have a rootkit on your computer or mobile device, you can either reinstall your operating system (after backing up your data, of course) or use a rootkit removal tool like

  • Don’t open suspicious links or attachments. Although they might look harmless, they could have malware installed on them.
  • Keep your OS updated. Make sure that you install the latest updates for your operating system and any hardware updates that are available for your device as these often close up security holes.
  • Install comprehensive security software. Security software, like McAfee LiveSafe™ service, can safeguard your computer or mobile device from rootkits. Make sure to keep your software updated against new threats.

For more security tips and news, check out the Intel Security Facebook page or follow them on Twitter at @IntelSec_Home.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Malware at All-Time High

Malware is everywhere and isn’t about to disappear. The latest PandaLabs report says that 20 percent of all the malware that has ever existed was created and distributed by cyber crooks last year alone. Malware comes in the form of Trojans, worms, viruses, adware/spyware and miscellaneous, with Trojans leading the pack.

Ransomware seems to be gunning for the top spot, though, with a recent resurgence.

What about 2014? The 2013 Annual Security Report anticipates that the Internet of Things and Android devices will lead the headlines (Android continues to be a favorite target of cyber criminals).

PandaLabs foresees that Android will get socked by hundreds of thousands of new malware strains. In 2013, criminals unleashed over two million new malware threats for Android.

Another area of attack is social media, and in 2013, even large companies, movie stars and politicians were affected.

The Trojan is a true warrior, in that it’s responsible for three-quarters of attacks, says PandaLabs. There was a huge leap in the number of circulating viruses as well, which is attributed to basically two virus families: Xpiro and Sality, says Luis Corrons, the technical director for PandaLabs.

Sality has been around for quite some time, but Xpiro is the new virus on the block, and can infiltrate “executable files on 32-bit and 64-bit systems,” says Corrons.

We’re in the midst of the malware plague; never mind the Bubonic plague. The whole planet is under attack, but some countries more so than others. China is the most infected, along with Turkey and Ecuador: 54.03, 42.15 and 40.35 percent of compromised personal computers, respectively.

Of the 10 least harmed countries, nine are in Europe; the other is Japan. For Sweden, Norway and Finland, the percentage of infected personal computers is 20.28 percent, 21.13 percent and 21.22 percent, respectively.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock ’em dead in this identity theft prevention video. Disclosures.

McAfee Labs 2014 Predictions

As we wind down the year, it’s a time to reflect, but also to look forward. Some of us may be thinking about resolutions and what we need to do in the upcoming year—exercise more, eat better, have better work/life balance, etc. Others of us will be thinking about how we’re going to ring in the New Year.

This time of year the McAfee Labs™ team is busy looking at what the new threats are going to be and what new trends they expect to see. Today they released their 2014 Threat Predictions, and here’s what they believe will be in store for us:

Mobile Malware

While this is not new, this category of malware is growing like wildfire and McAfee Labs sees no slowdown in 2014. And besides continued growth in this category (mostly on the Android platform), they believe that some types of mobile attacks will become prevalent.

One of these growing attacks is ransomware targeting mobile devices. Once the cybercriminal has control of your device, they will hold your data “hostage” until you pay money (whether that’s conventional or virtual, like Bitcoin) to the perpetrator. But as with traditional ransomware, there’s no guarantee that you really will get your data back.

Other mobile tactics that will increase include exploiting the use of the Near Field Communications (NFC) feature (this lets consumers simply “tap and pay,” or make purchases using close-range wireless communications), now on many Android devices, to corrupt valid apps and steal data without being detected.

Virtual Currencies

While the growth of Bitcoin and other virtual currencies is helping promote economic activity, it also provides cybercriminals using ransomware attacks with a perfect system to collect money from their victims. Historically, payments made from ransomware have been subject to law enforcement actions via the payment processors, but since virtual currency is unregulated and anonymous, it is much easier for the hackers to get away with their attacks.

Attacks via Social Networking Sites

We’ve already seen the use of social networks to spread malware and phishing attacks. With the large number of users on Facebook, Twitter, Instagram and the likes, the use of these sites to deliver attacks will continue to grow.

In 2014, McAfee Labs also expects to see attacks that leverage specific features of these social networking sites, like Facebook’s open graph. These features will be exploited to find out more information about your friends, location or personal info and then be used for phishing or real-world crimes.

The other form of social attacks in 2014 will be what McAfee Labs calls “false flag” attacks. These attacks trick consumers by using an “urgent” request to reset one’s password. If you fall for this, your username and password will be stolen, paving the way for collection of your personal information and friend information by the hacker.

Here are some security resolutions to help you stay safe online in 2014:

  • Strengthen your passwords: If you’re still using easy to remember passwords that include your home address and pet’s name, it’s time to get serious about creating strong passwords that are at least eight characters long, and a combination of numbers, letters and symbols. Don’t include any personal information that can be guessed by hackers.
  • Don’t open or click on suspicious emails, text or links: By simply opening an email with a piece of ransomware within it you could be leaving your devices vulnerable to hijacking.
  • Be aware when downloading apps: Since apps are the main way mobile malware is spread today, make sure to do your research before downloading any app and only download from reputable app stores.
  • Limit your use of NFC, Wi-Fi and Bluetooth: If your phone has NFC capabilities, you may be unaware of default settings. Turning this feature off, as well as turning off Bluetooth and Wi-Fi connections, will not only help you save battery life on your devices, but prevent attacks from hackers looking to exploit your wireless connections.
  • Check your bank statements and mobile charges regularly: This way, you can discover and report any suspicious charges.
  • Install comprehensive security on all your devices: With the growing number of threats that we’re seeing, you want to make sure that all your devices (not just your PC) are protected. Consider installing security software such as McAfee LiveSafe™ service that protects your data, identity and all your devices (PCs, Macs, smartphones and tablets).

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

NFC App on Androids Facilitates Automation

Near field communications (NFC) is the exchange of information between two devices via wireless signal. For example, a wireless signal emitting from your cell phone can act as a credit card when making a purchase. In the case of a mobile wallet application, those devices would be a mobile phone and a point-of-sale device at a checkout counter.

And NFC does so much more on Androids. A program called Trigger, which is available in Google Play, allows you to create customized automation tasks for numerous everyday things we do.

Bored of putting your phone on silent every time you get into the office? Tired of turning off Bluetooth to conserve battery every time juice gets low? This app interacts with your surroundings to configure settings on your phone automatically. Combine triggers and actions to create tasks, then activate the tasks that you create with conditions that you set!

Here are examples of what you can do:

In your car: Use Bluetooth as a trigger to open GPS and launch your favorite music app.

On your nightstand: Program an NFC tag to set your ringer to vibrate, dim your display and set an alarm.

In your home: Configure mobile data to turn off when your phone detects your own WiFi signal.

The current triggers are as follows:

  • NFC
  • Bluetooth
  • WiFi
  • Battery level
  • Location
  • Time triggers

And here are a few examples of the actions that you can perform:

  • Change WiFi, Bluetooth, mobile hotspot, airplane mode, auto-sync, GPS (root users) and mobile data settings.
  • Change your volume or notification tones.
  • Change your display brightness, timeout, auto-rotation or notification light settings.
  • Check in on social media like Foursquare or Google Places.
  • Send messages using Twitter, SMS, email or Glympse.
  • Start or stop applications (root required for stopping applications), dock modes, open URLs, speak text or navigate to an address.
  • Set alarms or create calendar events.

There’s even more, but suffice to say this app allows you to easily program your device to do the actions you manually do regularly.

So go ahead and create your own combinations to automate your life. The only limit is what you can come up with!

Robert Siciliano is a personal security expert contributor to Just Ask Gemalto and author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.

Android Viruses are the Real Deal

Smartphones now make up half of all activated mobile phones. And as we know, smartphones are small computers, capable of performing most of the same functions as a PC, primarily through the use of mobile applications.

Some claim that mobile malware threats are still too scarce to worry about. But while PCs definitely remain the bigger targets, smartphones are quickly capturing criminal hackers’ attention, with instances of mobile malware increasing by 600% from 2010 to 2011.

CIO.com’s Al Sacco, “a security-conscious mobile beat reporter,” reported on his experience dealing with his first smartphone infection. His McAfee Mobile Security app identified the Android virus on his Motorola Atrix 4G. “Security expert, I am not, and I’m the first to admit it,” Sacco defers. “But I do know a thing or two about smartphones and the mobile landscape, and I can say without a doubt that the Android threat is very real… It’s better to be paranoid about real threats than to shake them off as nonexistent. And that’s a fact.”

“Paranoid” is a strong word, implying mental illness. And I know that isn’t really what Sacco meant. But maintaining an acute awareness of potential threats to your smartphone and taking action to prevent them isn’t mentally ill, it’s just smart.

What’s really crazy is using an Android device without mobile security, because it’s only a matter of time before that device is infected.

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube. (Disclosures)

Online Payment Alternatives to PayPal

I’m a little more than a casual online shopper, so I make lots of electronic payments. I prefer to avoid stores, so I buy almost everything aside from food via the Internet. I frequently use eBay. I’m also something of an airline mileage fanatic, so I prefer to pay with a credit card that earns me miles and free upgrades.

PayPal is great but the various fees they charge you to receive payments are not so great. And if, like me, you prefer not to connect your PayPal account to your bank account, they certainly don’t make it easy for you.

You can link your PayPal account to a credit card, but once you’ve spent or received a total of $10,000, you are required to connect a bank account. PayPal will draw funds from that bank account from then on, which means no more credit card rewards. If you look closely, there is an option for PayPal to draw funds from your credit card instead, but it’s an obscure link that most people miss.

PayPal’s ubiquity makes it hard to avoid, but there are a few other options.

Amazon WebPay allows you to make online or mobile payments using your email address, just like PayPal. This is a no-brainer. There are no fees for sending or receiving money, and you can add funds with a bank account or credit card. Not everyone accepts Amazon WebPay, but I use it whenever it’s an option.

Square is an application for Android and iPhones. The app, along with Square’s external attachment, turns a mobile phone or tablet into a credit card terminal, allowing anyone to accept person-to-person payments. I use Square when someone owes me money after a night out. Instead of splitting a dinner check with a large group, I can pay with my card and everyone else can pay me. There is, however, a 2.75% fee per transaction.

Dwolla charges a 25-cent fee for each transaction, which can take place online or at a brick and mortar store. Their mobile application allows smartphone users to find nearby merchants that accept Dwolla.

Take five or ten minutes to investigate each of these options in order to determine which makes the most sense for your particular online payment needs.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses hackers hacking hotels on CNBC. Disclosures