Posts Tagged ‘data’
Find the bad guy in a deluge of big data – RSA day three
So someone is attacking you, maybe with a flood of traffic as a noisy backdrop to distract you while the bad guy slips in undetected. So how do you stop the hacker amidst the noise, fast enough to act to stop the attack? That was the subject of many vendors and conversations at RSA – how to survive the security data deluge. For one thing, just storing the raw data for logging and monitoring can be daunting. But what about getting it back, from whatever sensor, in time to do something about it in a security context?
That question has a lot of security professionals trying new and innovative approaches, highlighted at the show. From slick frontend apps that parse data, to fast hardware and correlation engines, the floor was abuzz with ways to handle security data sprawl within your organization. Here are a few approaches.
1. Outsource the whole thing to the cloud: Well really this could be a hybrid setup, with an appliance installed locally at your facility and then a remote monitoring setup. The advantage is that it’s mostly hands off. The disadvantage is that you might see delays, since the cloud portion of the equation could be many thousands of miles away, and so there’s transfer latency that needs to be factored into the equation.
2. Combine all your logs into one place with a dashboard to monitor it: The advantage of this system is that you retain all your data in house. But do you have enough in house talent to set it all up? And then, you would have to tune the system and make it all work fast enough to respond to an incident in a proactive manner.
3. Trick scammers with sinkhole technology: By placing the digital equivalent of a tarpit at various locations you expect attackers to hit, you can either block them, delay them, or reply with fake information that sends them on a wild goose chase, making them think they’ve broken in so they concentrate their efforts on hacking a decoy of sorts. This really doesn’t directly address the problem of parsing massive log files, but it could blunt large attacks and spearphishing attempts at the perimeter, thereby providing less traffic internally, to keep your logs far less busy. Some third party vendors direct whole sections of DDoS traffic to a remote location where they have the network bandwidth to shunt the attack, forming a remotely hosted proxy sinkhole of sorts.
It seems organizations are using a blended approach to handle the problem, with some sensors managed remotely by third party vendors, consolidating sensor logs you want to keep more internal to the organization, and experimenting with decoy technologies.
Whatever your approach, take some time to vet the technology in a closed, sandboxed test environment before rolling it out enterprise-wide. This way any surprises won’t take down large sections of your network and cause outages.
Facebook/app data privacy – sharing gone wild
So you browse your favorite restaurant review site and settle on a great Mediterranean restaurant, and “magically” a variety of preferences get fed back to your Facebook profile, to be shared, re-shared and re-shared, ricocheting around the internet to form purportedly value-added experiences elsewhere you visit. That’s great news if you want your preferences bounced around, giving websites and apps information that could possibly provide a more personalized experience wherever you visit. It’s also bad – trying to protect maddeningly automatic Personally Identifiable Information (PII) and preference sprawl, all at the speed of light.
There is a macro trend flooding the interwebs that almost EXPECTS users’ information to be fed and cross-fed elsewhere online. When I signed up on pinterest.com, it expected (and indeed required) me to provide Facebook or Twitter logins, so the ooze of my information back and forth begins, in order to give me customized output based on it.
This “frictionless sharing” can make it devilishly difficult to control personal privacy sprawl. I have a friend who – a few years back – determined to keep his own identity completely off of the internet. This included no pictures, signing up for mandatory online services using aliases, etc. It was simpler then. Moving forward, my friend will have quite a time as more and more online services move to a 2-factor authentication scheme where users have to provide things like passwords, along with – you guessed it – Facebook/Twitter logins, which are then linked to everything else.
Aside from the obvious parallel of my friend feeling like he’s being forced to sign up for the Matrix, mostly to volunteer to be invaded by curiously personal floods of advertising, should he have a right to keep his own private life pretty much to himself?
Advertisers, on the other hand, are creatively looking for ways to get in front of more targeted eyeballs than just wide net venues like traditional TV. One of those ways is invading the app world and embedding revenue models into things people are already doing, and monetizing the data. Your data. Well, sort of, really more like a snapshot of someone just like you, aggregatized and sold as a pile of targeted data. My friend would argue that doesn’t seem very anonymous in the traditional sense. And he wouldn’t be alone.
For those who value their own privacy, it’s a tough road ahead. Someone remarked that we are seeing the end of the age of privacy, but at what price? Those who have had experiences with personal information spreading wildly out across the internet to those they don’t know, ala racy tropical vacation pictures involving margaritas and double-dares, know the pain incurred and subsequent reputation damage that can happen firsthand. But what can you do once your data is out there besides change your identity, and possibly lay off the margaritas? Good question, and one that lots of folks will wrestle with as the app sprawl goes wild, taking your information with it, and then trying to get it back.
My colleague Stephen Cobb points out an article showing how a single breached Facebook account became a potential leverage point for scams aimed at the myriad friends that account owner had. This highlights that your security/privacy is only as strong as its weakest link, which might be a close friend who’s not particularly interested in either privacy or security – until they get burned, and then you do too.
Mydoom.m: search engines suffer along with users
Kaspersky Lab, a leading information security software developer, has detected Mydoom.m, a new version of I-Worm.Mydoom. This malicious program spreads via the Internet as an attachment to infected messages. However, this latest addition to the Mydoom family uses a unique propagation technique which caused several well known search engines – Google, Yahoo!, Lycos and AltaVista – to malfunction.

Mydoom.m is activated when a user opens an attachment to an infected message. The worm installs itself to the system, and then propagates by scanning files on the victim machine. It sends a copy of itself to all email addresses which it finds. It then sends a search request to Google, Yahoo!, Lycos and AltaVista, analyses the data it receives and sends itself to email addresses contained in the search results. The large number of requests generated by machines infected by Mydoom.m led to disruptions in the service provided by these search engines.

Mydoom.m didn’t only cause search engines to malfunction; its main malicious payload is a backdoor function. Once the worm has penetrated the victim machine, it opens a port to receive remote commands. Virus writers will then have full control over the infected machine, and will be able to delete or modify
EU – data breaches to be reported within 24 hours
In an escalation of the tendency to require companies to be forthright with their users following a breach, a European Union proposed bill intended to overhaul a 17-year-old law is making progress. This week the EU will outline the overhaul to the existing rules, hoping to encourage more expedient communication efforts following a breach, in an effort to speed notification to the affected parties.
According to Justice Commissioner Viviane Reding, “Companies that suffer a data leak must inform the data protection authorities and the individuals concerned, and they must do so without undue delay,” and she hopes breach notifications will occur within 24 hours. The new bill also hopes to bring increased sanctions with it for reporting delays, though exact details remain to be sorted out during the next week.
The U.S. has a patchwork of notification legislation that varies state-by-state, with some states like Massachusetts taking a very strong stance. Expect other states to beef up their reporting requirements in the near future, in response to consumers and lawmakers alike.
In the meantime, it’s a good exercise to plan for data breach drills at your organization. Internally it will help highlight potential weak links in the security chain long before potentially being trotted out to the press and customers as an uncomfortable spectacle. If you set aside a certain evening to run a drill every 6 months or so you’ll be far more prepared than your competition, and will have a much higher chance of staying out of the headlines altogether for data breaches. Setting aside a couple nights a year for your staff will cost far less than the cheapest data breach recovery, so it’s money well spent. It will also help both your organization and its customers sleep more soundly at night, knowing the steps you are taking to protect both groups.
What’s Your Medical Data Worth? More Than You Think
Two weeks ago, I discussed the difficulties of obtaining relevant data regarding medical identity theft.
I started my research in this field after I read some old stories on the Internet:
- Lind Weaver refused to pay hospital bills she received for the amputation of her right foot. It was in 2006, but the story still makes the headlines in 2011.
- Joe Ryan got a bill from a Denver, Colorado, hospital for a surgery. It was in 2004, but everybody talks about it today.
- The Virginia Prescription Monitoring Program welcome page was replaced in April 2009, with a US$10 million ransom demand.
- The Indian police arrested, in November 2009, the director of a business process outsourcing company for his involvement in stealing medical history data of a UK-based entity.
New Year’s resolutions for your new tablet
Okay, you got the wrapping paper off the new tablet hotness, fired it up and now cannot put it down. But what should you be doing in the New Year to properly feed, protect, and care for your newly found addiction? Well here are some of the basics – things that are easy to do now and may prevent a lot of pain later.
#1: Install the latest updates: As my colleague Aryeh Goretsky pointed out on a recent podcast, due to the supply chain behind the scenes, your “new” tablet was manufactured months ago and has taken a long rambling journey to reach the place where it was purchased. This means you’ll probably need to install patches and updates, even if it’s brand new to you. Be sure to patch using the native update utility for the device, but also pay attention to software like Java and Flash, which provide their own update path, outside of the regular operating system updates. Java has been the target of recent exploits because it tends to be placed on the back burner update-wise, and exploits have bitten many users.
#2: Protect it from loss: Tablets are mobile by definition, so keep in mind it’s very easy for thieves to swipe them at a moment’s notice if they’re left sitting in the top of a bag or on a table at a coffee shop while you pick up your latte. Tablets are likely to be a popular target for turning into quick cash through resale on the Internet or other channels. At the same time they can hold lots of personal data that you’d rather not share with others. So you might want to look into various tracking options using 3G and/or GPS features found on many tablets, enabling a remote locking and/or “phone home” setup that lets you freeze a thief out of the device and possibly help locate it so you can get it back.
#3: Automate your backups: The last thing you want after spending a half year collecting e-books, addresses, documents and music is to have to start over. Many tablet offerings have a cloud-based backup that can be scheduled so you don’t have to think of it; it just happens. This is a convenient way to go – if you trust the cloud as a place to store your personal data. For those who want something more private, there are apps for automating backups over your home network to a hard drive you can see, touch, and securely store. You may even be able to back up your data to a Micro SDHC card in the tablet (be sure to remove and store it in a safe location when done with your backup, though). Backups are like eating veggies: we all know we should do more, but it may not be the most exciting thing to think about. Just find something that works for you. It doesn’t have to be perfect, but if it safely protects your data without you thinking about it much, you’ll be very, very thankful later if something bad happens.
#4: Think before you install: With the bewildering number of apps available for modern tablets, the tendency to flood your tablet with apps can be seductive. Don’t give in. We all remember the first computer we owned, where we installed everything, clicked on everything, and then had to re-format and start over a few months later as things slowed to a crawl. Less is more on your tablets. Also, keep in mind your tablet has much of the full operating system power and sophistication of the average computer a few years ago. That means scammers are eyeing the tablets for all sorts of nasty schemes. The more apps you have, the more potential for holes that allow intruders access. Just be careful. Also, install from the official app source for your tablet and resist the urge to install from third-party websites that tend to be patrolled less rigorously for rogue applications.
#5: Social Networking: If you use your tablet for social networking or email, it won't be long before the device contains a lot of valuable credentials. To prevent someone abusing those credentials, some networks, such as Facebook, provide a system for notifying you if someone tries to access your account from an unrecognized device. It makes sense to enable this type of feature, and in Facebook you do so via your Account Settings, choosing Security, then clicking on Login Approvals. Check where it says: “Require me to enter a security code each time an unrecognized computer or device tries to access my account.” Also enable Login Notifications. Now you will get the chance to register each of your computers or mobile devices with Facebook the first time you connect from them. You register them using a code that Facebook sends via SMS to your cell phone. You can deregister devices whenever you like and check on which devices are logged into Facebook at any time.
#6: Security software: As noted above in #4, there is a small but growing amount of malicious software for tablets. Some tablet vendors screen software for malicious behavior before allowing it into their stores, while others allow you to directly install software. Even for the former, it is always possible that a malicious app will slip through the screening process. Many antimalware vendors, including ESET, now offer versions of their security software which run on tablet operating systems like Google Android.
Follow these steps and you’ll have far less to worry about in the future as you invest time and effort putting content on your tablet device. Adopting sensible practices right away will give you peace-of-mind using your tablet now, and help you stay safe online for a long time to come.
Chaos Congress Peers Into Mobile Security, Protocols
I heard a number of interesting mobile-related talks at the 28th Chaos Communications Congress (28c3) this week. Not every talk at the Congress was about newly discovered bugs or zero-day exploits; sometimes we got the building blocks necessary to better understand systems and increase security. I enjoyed key presentations on reverse-engineering USB 3G data sticks and the internals of 2G and 3G mobile data protocols.
Reverse-engineering a Qualcomm baseband
Guillaume Delugré acknowledged researcher Ralf-Philipp Weinmann’s work from last year during Delugré’s talk on reverse-engineering a popular 3G USB data stick.
The USB stick runs a proprietary OS named REX. Delugré reverse-engineered a diagnostic mode used by Qualcomm engineers. Although some work has been done on documenting and using the diagnostics interface (the ModemManager project), he developed more detailed specifications.
Cellular protocol stacks for Internet
Harald Welte, a lead developer of the Openmoko project and a Linux kernel developer, gave a good breakdown of various mobile data protocols. Cellular voice communication on GSM has gotten a lot of coverage over the years, but outside of the mobile industry there has been little to no information on how the data protocols function.
The talk covered the layout of a number of the mobile data protocols, including the latest 3G protocols.
Perhaps in the next year we will see more development in the exploitation and security of mobile devices.
What would a credit card breach cost your company?
We’ve noted recently that many companies store credit card information in an unencrypted form, sometimes several years' worth. So what happens if your systems get hacked before you get around to securing that credit card data? Sure, there’s the embarrassment of telling your customers their data has been exposed–a legal requirement in more than 40 states–but what about the hit to the bottom line, the cost in dollars and cents (or euros or pounds, etc.)?
Small businesses increasingly conduct payment card transactions online, a trend that will grow in the coming year. Also, many small businesses don’t have access to trained staff which might have more sophistication regarding securing a payment system, a fact that hasn’t escaped the scammers’ attention. Attacks on larger organizations are much more likely to be met with sophisticated defenses, but small and medium sized organizations simply may not have the budget for a dedicated security specialist, or specialized security equipment to guard against a breach.
But if they can’t afford the dedicated staff or specialized equipment, they can hardly afford the expense of a breach either. So if it happened to your company, what would it cost? Tracy Reed, of Copilotco, was asked to tell a company just that. Although some of Reed's data points are in 2009 dollars, inflation isn’t your friend. Whatever the 2011 numbers are, this dataset is a sobering picture of just how much a breach might cost.
“According to Gartner the average loss to the customer is $939 per credit card,” says Reed, “So if your company has transacted roughly 65,000 cards, half of which would theoretically still be current and valid at the time of a breach, the reimbursement costs of the fraudulent charges to the cards alone would be $15,258,750.” Reed adds, “The card companies further charge to replace compromised credit cards.” Costs to a merchant can be as much as $50 per card. The banks themselves have a card replacement cost that ranges from $2 to $5 per card. Reed put the merchant cost in this scenario at $812,500.
After the notifications, charge-offs, and card replacement comes a security audit. About this Reed says, “The card companies will require a forensic audit of the systems to determine how the compromise happened. According to Security Metrics, the cost of a forensic audit starts at $50,000.” Rounding out the audit costs, he continues, “After an intrusion a company is then classified as a Level 1 merchant and is subject to the strongest security and audit procedures. This means an annual on-site audit which will typically cost $100,000.”
And then there’s the fines. Tracy says, “Major payment brands can impose fines as a result of the data exposure. Fines can be as high as $500,000. Non-compliance is a major determining point whether fines will be imposed.”
All told, that’s a bill of $16,471,250. Let’s say he’s only half right; your expenses would “only” be the cost of a nicely equipped mid-size business jet and all the entertainment for your staff after you fly them to Cancun in style. You could probably pay for the ride home too, along with all the umbrella drinks for the week.
We haven’t yet spoken about the brand damage. A while back I read that Sony’s data breach costs topped $171 million and were still rising. Let’s just say it would cost your company dearly. Now, what would it cost you to protect your systems? A few extra developer hours? Maybe some System Administrator time? That suddenly seems very cheap, and your customers would agree. That sort of thing would make everyone happier, and a lot less stressed in the new year, though you still may have to spring for staff bonuses to get everyone to Cancun. But you can make them pay for the drinks.
Facebook credit score?
We recently noted that the data broker industry, in conjunction with social media outlets will become increasingly relied upon as a kind of shadow credit score for judging candidates’ qualifications. Now we see a startup that uses your Facebook profile directly to determine a “credit score” used for microloans.
We hear horror stories of lost employment (or simply not being selected) because of content on social media sites. Now Lenddo, a Hong Kong based startup, is betting money on it.
To determine a prospective applicant’s suitability for a loan, the applicant must submit the logins to three services, starting with Facebook. Users will then be asked for logins to other services like Twitter, Gmail, Yahoo and Windows Live. Three logins are required.
Then Lenddo generates a score based on information gathered, which is then used to determine if you get the loan. What determines the score? Part of that is the “secret sauce”, so details are a bit sketchy, but CEO Jeff Stewart says it is heavily weighted by the information they can gather about the friends you have listed on the qualifying sites. On their website it says, “Lenddo enables you to score your social graph and compare it to your peers. The Lenddo score is a living, breathing score that YOU have control over; you have the ability to increase your score and open yourself up to new opportunities, such as a personal loan, personalized discounts, or other financial products.”
“Social graph” is an interesting term. This is the kind of shadow social media capital we opined would start accruing, and will become more accurate and telling as the data silos about you become more robust over time. Data mining efforts like this will start to move more and more to the mainstream as more of a standard measurement, and more businesses may bet on the data.
This trend also increases the importance of both website security, and your own personal data security management to avoid getting scammed and costing you personally in multiple ways.
They say you’re known by the company you keep. Now that may mean more than you bargained for. If you haven’t locked down your social media profiles, the holiday season downtime might be a good time to take a look. After all, increasingly the solidity (and selectivity) of your e-profile will have more and more direct effect on how you live, maybe even one day when you try to get a loan. Before you try to go out and add the Forbes 400 to your friend list, note that this venture is only serving the Philippines market currently. But quantifying social media capital and using it for financial determinations seems like a strong bet for the future. This might be just the tip of the iceberg.
Google Code Projects Host Android Malware
[March 1: See update at end]
Google Code is a well-known platform that provides a collaborative environment for developers working on open source projects. It’s also a target for malware developers. Contrary to what you may think, this is not the first time that Google Code has been used to spread or store malware. (You can find examples in the discovery of uploaded images that led to fake codecs in 2009 and in Windows Trojans/backdoors/password-stealing keyloggers found in 2010.) Further, we have recently found an Android malware that uses Google Code as a distribution platform for both potentially unwanted programs (pay-per-install campaigns or adware) and malicious applications (downloaders).
The first variant of the current malware in Google Code was found in a third-party Android market, repackaged in a Chinese version of a legitimate memory-optimization application. Every time the application executes or the boot process finishes (device rebooted or turned on), the payload starts as a service running in the background. The service checks a remote server (with the URL encoded in a file inside the “assets” folder) for applications to download, and stores the information in a database created inside the device.
The data obtained from the web server includes the name of the package, the name of the apk file, and the path used to download the application–which points to a Google Code project:
The database records whether a specific application was downloaded, installed, or opened. Once the data is stored, an execution thread downloads, without user’s consent, the first application in the database. This app is stored under the folder download in the SD card:
As soon as the download finishes, the malicious application tries to install the application by displaying a notification that tricks the user into believing it is a system update. (Translation from Chinese: 系统更新 = “System update” and 您好, 已经获取… = “Hello, the latest patch has been downloaded, please click here to install”):
When the user taps that notification, the downloaded application starts to install using the normal Android procedure. Suspicious applications stored in several Google Code projects have been analyzed; some of them have been classified as PUPs because they have unwanted behavior such as sending private data (IMEI, phone number) to remote servers. Researchers have found a new variant of the malware that, instead of being packed in a legitimate application, is pure malicious code which does not show any icon in the main menu. However, it can be seen installed in the Downloaded section of Manage Applications using a deceptive honeycomb icon and the title Android 3.0 Patch:
Although none of the analyzed samples contains root exploits, this variant has code to check if the device is already rooted. If so, it will proceed with a silent install of the downloaded application with the command “pm install -r”. Another difference from the variant in the Google Code project is that the malicious behavior starts only if the screen of the device is turned off, probably to make the system update appear normal.
Despite the fact that most of the applications available in Google Code projects are neither malicious nor PUPs, the links stored in the remote server, along with the text of the notification, can change at any time. Thus virtually any application can be installed on the device without the user’s consent. McAfee Mobile Security detects all these variants as Android/FakeUpdates.
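The behaviours described above (boot-started service, payload staged under the SD card download folder, fake “system update” notification, silent `pm install -r` when rooted, no launcher icon, IMEI/phone-number collection) can be turned into a weighted triage heuristic. The following is an added example, not McAfee’s detection logic: it assumes the APK features (permissions, receiver intent actions, launcher activity, string constants) have already been extracted with a tool such as apktool or aapt, and the two sample feature sets and the weights are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ApkFeatures:
    """Features a static-analysis pass would pull out of an APK (assumed input)."""
    package: str
    permissions: frozenset       # manifest <uses-permission> names
    receiver_actions: frozenset  # intent actions that manifest receivers listen for
    has_launcher_activity: bool  # is there a MAIN/LAUNCHER intent filter?
    strings: frozenset           # string constants from dex code and resources


# Each rule: (indicator name, weight, predicate). Weights are illustrative.
RULES = [
    ("starts a component on boot", 1, lambda f:
        "android.permission.RECEIVE_BOOT_COMPLETED" in f.permissions
        and "android.intent.action.BOOT_COMPLETED" in f.receiver_actions),
    ("stages a download under the SD card download folder", 2, lambda f:
        "android.permission.WRITE_EXTERNAL_STORAGE" in f.permissions
        and any(s.rstrip("/").endswith("/download") for s in f.strings)),
    ("fake system-update notification text", 3, lambda f:
        any(t in s for s in f.strings
            for t in ("系统更新", "System update", "Android 3.0 Patch"))),
    ("silent install via pm after a root check", 3, lambda f:
        "pm install -r" in f.strings
        and any(s == "su" or s.endswith("/su") for s in f.strings)),
    ("no launcher icon", 1, lambda f: not f.has_launcher_activity),
    ("reads IMEI/phone number and has network access", 1, lambda f:
        "android.permission.READ_PHONE_STATE" in f.permissions
        and "android.permission.INTERNET" in f.permissions),
]


def triage(f: ApkFeatures) -> dict:
    """Score one APK against the FakeUpdates indicators and return a verdict."""
    hits = [(name, weight) for name, weight, pred in RULES if pred(f)]
    score = sum(weight for _, weight in hits)
    if score >= 5:
        verdict = "malicious-like"
    elif score >= 3:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"package": f.package, "score": score, "verdict": verdict,
            "hits": [name for name, _ in hits]}


# Constructed sample 1: a plain memory-optimizer app with ads (no FakeUpdates traits).
LEGIT = ApkFeatures(
    package="com.example.memopt",
    permissions=frozenset({"android.permission.INTERNET",
                           "android.permission.GET_TASKS"}),
    receiver_actions=frozenset(),
    has_launcher_activity=True,
    strings=frozenset({"http://ads.example.invalid/banner", "Memory optimized!"}),
)

# Constructed sample 2: the icon-less "Android 3.0 Patch" variant described above.
FAKEUPDATE = ApkFeatures(
    package="com.example.fakeupdate",
    permissions=frozenset({"android.permission.RECEIVE_BOOT_COMPLETED",
                           "android.permission.WRITE_EXTERNAL_STORAGE",
                           "android.permission.INTERNET",
                           "android.permission.READ_PHONE_STATE"}),
    receiver_actions=frozenset({"android.intent.action.BOOT_COMPLETED"}),
    has_launcher_activity=False,
    strings=frozenset({"/mnt/sdcard/download/", "系统更新", "Android 3.0 Patch",
                       "pm install -r", "/system/bin/su",
                       "http://c2.example.invalid/apps"}),
)

if __name__ == "__main__":
    for sample in (LEGIT, FAKEUPDATE):
        print(triage(sample))
```

The heuristic is deliberately behaviour-based, so it still fires when the remote server changes which APK it hands out or the notification text is reworded, as the post warns it can.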
Update: The affected projects have been removed by Google.