Posts

Mobile Phone Hacking: proactive and reactive Responses

Mallorie’s Android phone was acting odd, like it was possessed. The thing had a mind of its own, sending garbled texts and gambling. Ghost? Or hacked?

6WMallorie locked down the phone when it was charging so it wouldn’t purchase poker chips. One day she forgot to lock it and it went on a shopping binge. Packages began appearing at her doorstep.

Obviously, someone had access to her credit card. But how? And what could poor Mallorie do to disable this thief?

Millions of mobile devices get infected. But police officers won’t bother with this. Mallorie cancelled her credit card and deleted the “possessed” apps. Then she crossed her fingers.

How do mobile phones get attacked?

A study showed that 86 percent of Android malware employs “repackaging.” Here’s how it’s done:

  • Download an application
  • Decompile it.
  • Add malware.
  • Recompile the app.
  • Submit it back into public circulation—after changing its name.
  • Someone else downloads this changed-name application, and the malicious payload infects their device.
  • A repackaging variation, “updating,” involves adding a code that will tag a malicious payload at a later date.


How can you tell your mobile has been infected?

  • It begins behaving oddly. Something is off—sometimes slightly, sometimes blatantly, such as the device is sending your address book to a foreign IP address. Hook your mobile to a WiFi and see where it sends information to.
  • Unfamiliar charges on the bill. Malware on a phone will produce unauthorized charges. The device is hooked to an accounting mechanism, making it a snap for thieves to send premium SMS text messages or make in-app purchases—which cost you money.

How can you protect your mobile?

  • Keep its software up to date: easy to do on iOS but difficult on Android.
  • Some phones cannot be updated; these phones have OS vulnerabilities within them, making them open to attack. Users end up downloading malware which uses this OS vulnerability to infect the device.

Android vs. iOS for security

  • iOS beats Android for security against malware.
  • Apple placed restrictions on application functionality (e.g., premium SMS messages can’t be sent), which is why Android isn’t as secure against malware as is iOS.
  • Another reason: Android’s app review process is not top-notch at screening out bad applications (but it’s improving).
  • Both Android and iOS allow your personal data to leak out to ad networks. This isn’t considered malicious since a user may wish this to occur.

Scope of Problem

  • The verdict isn’t quite out on this.
  • Some say the problem is limited just to third-party app sellers and this can be avoided by going to iOS’s or Google Play’s app store.
  • Others believe everybody has a compromised application on their mobile.
  • More research is warranted to define scope of problem.

Who should protect the user?

  • The app maker? The carrier? Or the operating system provider?
  • Nobody has taken this responsibility currently. It’s kind of like a “that’s not my problem you downloaded a malicious app that we didn’t write,” or, “You wanted it; I only delivered it—not my problem.”
  • The buck is passed because user protection is expensive.

Solutions?

  • It would be great if the app store could provide very in-depth screening for all the types of malicious actions that apps can perform.
  • The caveat: This isn’t in the platform provider’s best interest because they want their store to carry a lot of applications.
  • Stores want more and more apps, and better ones, and don’t want anything to slow that process down.
  • Data can be secured when you communicate via a wireless network with a VPN like Hotspot Shield VPN. All web transactions can be secured via https.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

P2P Security Concerns for Small Business

Peer to peer file sharing is a great technology used to share data over peer networks.  It’s also great software to get hacked. This is the same P2P software that allows users to download pirated music, movies and software.

In my own P2P security research, I have uncovered tax returns, student loan applications, credit reports and Social Security numbers. I’ve found family rosters which include usernames, passwords and Social Security numbers for entire family. I’ve found Christmas lists, love letters, private photos and videos (naughty ones, too) and just about anything else that can be saved as a digital file.

Installing P2P software allows anyone, including criminal hackers, to access your client’s data. This can result in business securitybreaches, credit card fraud and identity theft. This is the easiest form of hacking. There have been numerous reports of numerous government agencies, drug companies, mortgage brokers and others discovering P2P software on their networks after personal data was leaked.

Blueprints for President Obama’s private helicopters were recently compromised because a Maryland-based defense contractor’s P2P software had leaked them to the wild, wild web.

#1 HaveP2P security policies in place not allowing the installation of P2P software on your workplace computers or employee laptops.

#2 A quick look at the “All Programs Menu” will show nearly every program on your computers. If you find an unfamiliar program, do an online search to see what it is you’ve found.

#3 Set administrative privileges prevent the installation of new software without your knowledge.

Robert Siciliano personal and small business security specialist toADT Small Business Security discussingADT Pulse on Fox News. Disclosures

Banks Blame Cybercrime Victims for Hacking

It’s Tuesday morning after a long weekend, the bookkeeper comes in a little late but hits the books right away. She comes into your office and asks you about a series of wire transfers you made over the holiday weekend to new employees who apparently live overseas. And then your heart sinks. Because you have heard about how small business bank accounts are hacked, but didn’t think it would happen to you.

It’s happening to the tune of around 1 billion dollars a year. Small business bank accounts are being hacked and the banks are pointing the finger at their customers. Why? Because in many cases there are no actual data breaches at the banks. Cybercrime is often taking place right in the small businesses offices on their own PCs.

Blooomberg reports “Organized criminal gangs, operating mostly out of Eastern Europe, target small companies, school districts and local governments that maintain fat commercial bank accounts protected by rudimentary security measures at community or regional banks. The accounts typically aren’t covered by insurance as individual accounts are.”

However one bank fought back and won. iovation reports “one Michigan judge recently decided in favor of Comerica Bank customers, holding the bank responsible for approximately $560,000 out of a total of nearly $2 million in unrecovered losses. A copy of the bench decision is available from Pierce Atwood LLP, and the firm also outlines significant highlights and observations regarding this cybercrime case.

Small businesses are under siege today and must know their bank accounts are being targeted by cyber-thieves. One solution is certainly a secure IT infrastructure and another, in some cases, may be moving to a bigger bank. Some smaller banks simply can’t handle the loss whereas bigger banks may have the resources to absorb them. If you bank with a small bank now is the time for a heart to heart talk.

Robert Siciliano personal and small business security specialist toADT Small Business Security discussingADT Pulse on Fox News. Disclosures

How Is All This Hacking Affecting My Identity?

Without question, 2011 is the year for hackers of all kinds to get their 15 minutes of fame. But it feels like it’s lasting a lot longer than 15 minutes. With so many different breeds of hackers, each with their own agenda and an endless supply of potential targets, the media has certainly been more than willing to give them all the attention they could possibly want.

Major publications, including The Wall Street Journal, The New York Times, and Forbes, seem to have journalists working fulltime to cover the hacker chronicles. Significant players and events like Wikileaks, HB Gary, Anonymous, Lulz, IMF, Sony, RSA, Epsilon, the News of The World voicemail hacking scandal in Britain, and so many others have helped bring data security and identity theft issues to the forefront of the public’s attention. Much of the coverage has been sensationalist, but the reality is that we are indeed hemorrhaging information all over the place.

Initially, hackers went after sensitive personal data like Social Security numbers. Then they moved on to credit card numbers and bank account numbers, and then usernames and passwords. Military records have been breached, corporate emails have been exposed, and there have been targeted attacks on government records. At one point last year, the total number of records breached hovered around half a billion. But if we were to broaden the definition of what counts as a breached record, I’d guess that number would have to quadruple, at least.

No matter how you slice it, your information is at risk, whether it’s on your own PC or some other computer or database somewhere. It isn’t a matter of if but when you’ll receive a letter from some company saying they were breached and you are at risk.

In security, as in sports, is the best defense is a good offense. The worst thing you can do now is nothing.

To ensure peace of mind, subscribe to an identity theft protection service, such as McAfee Identity Protection, which offers proactive identity surveillance and lost wallet protection. If your credit or debit cards are ever lost, stolen or misused without your authorization, you can call McAfee Identity Protection and they’ll help you cancel them and order new ones. If their product fails, you’ll be reimbursed for any stolen funds not covered by your bank or credit card company. (See Guarantee for details.) For additional tips, please visit CounterIdentityTheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss the Epsilon breach on Fox News. (Disclosures)