Threats increase on mobile platforms – especially Android – as popularity grows


network SECURITY

ISSN 1353-4858 March 2014

www.networksecuritynewsletter.com

Featured in this issue:

Contents

Call the digital fire brigade

The delayed launch of the national Computer Emergency Response Team (CERT) – popularly known as a digital fire brigade – in the UK looks set to happen in 2014.

But even as CERT-UK has barely got going, there are already calls for CERTs in Europe to co-ordinate responses to cyber-attacks. Tracey Caldwell reports on the issues that look likely to affect the effective operation of CERT-UK and its ability to share information with similar bodies around the globe. Full story on page 5…

Using DNS to protect networks from threats within

Legacy ‘defence in depth’ offerings continue to do a good job at protecting the perimeter, but have not focused on activity generated from the inside.

Attacks have a direct impact on network user satisfaction, network integrity and stability, and reputation. And ISPs are becoming more prone to sophisticated botnet attacks launched from inside the perimeter of the network. Pat Barnes of Nominum explains the role of DNS in maintaining the integrity of the network infrastructure. Full story on page 9…

Bring your own software

The term Consumerisation of IT (CoIT) has been buzzing for a while in the IT world, with Bring Your Own Device (BYOD) its best-known manifestation.

Yet even as BYOD seems to be fading as a threat, Bring Your Own Software (BYOS) is raising its head as the next potentially dangerous trend. So what are the expected advantages of BYOS? And do they warrant the possible risks? Daniëlle van Leeuwen of G Data Software explains. Full story on page 12…

Threats increase on mobile platforms – especially Android – as popularity grows

In the wake of the Mobile World Congress trade show, security firms have issued reports on the threats facing mobile platforms – which means Android – and they all paint a similarly bleak picture.

According to Kaspersky’s analysis of threats in 2013, nearly 100,000 new malicious programs for mobile devices were detected during the year, more than double the previous year’s figure. Some 98.1% of the malware was targeted at Android. The firm also detected 10 million malicious apps, and the number of mobile malware modifications designed for phishing, the theft of bank card information and money from bank accounts increased by a factor of almost 20. Malware averaged three infection attempts per user during the year. There’s more here: http://bit.ly/201403kaspersky.

ESET said it discovered 79 malware families for Android in 2013, compared to three in 2010. It said it also saw

Continued on page 2…

NEWS
Threats increase on mobile platforms – especially Android – as popularity grows  1
Nearly all web applications have flaws  2

FEATURES
Call the digital fire brigade  5
The UK is finally getting a national Computer Emergency Response Team (CERT). Yet even as CERT-UK prepares itself to co-ordinate responses to online attacks on a national level, there are calls for CERTs across Europe to work together. Tracey Caldwell reports on the issues.

Using DNS to protect networks from threats within  9
ISPs are becoming more prone to sophisticated botnet attacks launched from inside the perimeter of the network, which can have a major impact on network integrity and stability. Pat Barnes of Nominum explains the role of DNS in maintaining the integrity of the network infrastructure.

Bring your own software  12
Now that Bring Your Own Device (BYOD) seems to be fading a little as a threat, network managers have a new problem to worry about. The next big thing is Bring Your Own Software (BYOS). Daniëlle van Leeuwen of G Data Software looks at whether this is another dangerous trend.

Can we make email secure  13
Email is still as vulnerable as it was 20 or more years ago. Is it time to re-evaluate the security of the Internet’s most fundamental communications system, and ask ourselves an important question: can we fix it? Danny Bradbury finds some answers.

The cost of network-based attacks  17
How do you calculate the true business value that a secure network provides? And how does an enterprise evaluate and warrant a significant investment in network security products? The good news is that there is a rich tool and service set available to help understand these issues, explains Florian Malecki of Dell.

The looming XP disaster in industrial environments  18
Support for Microsoft XP will end soon. But what effect will this have on mission-critical industries where systems rely heavily on Windows products? And will this looming issue cause companies to look more closely at their relationships with vendors, asks Mike Keightley of Yokogawa.

REGULARS
News in brief  3
Reviews  4
Events  20

ISSN 1353-4858/14 © 2014 Elsevier Ltd. All rights reserved

This journal and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use:

Photocopying
Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use.

NEWS

Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom
Fax: +44 (0)1865 843973
Web: www.networksecuritynewsletter.com

Publisher: Greg Valero
E-mail: [email protected]

Editor: Steve Mansfield-Devine
E-mail: [email protected]

Senior Editor: Sarah Gordon

International Editorial Advisory Board: Dario Forte, Edward Amoroso, AT&T Bell Laboratories; Fred Cohen, Fred Cohen & Associates; Jon David, The Fortress; Bill Hancock, Exodus Communications; Ken Lindup, Consultant at Cylink; Dennis Longley, Queensland University of Technology; Tim Myers, Novell; Tom Mulhall; Padget Petterson, Martin Marietta; Eugene Schultz, Hightower; Eugene Spafford, Purdue University; Winn Schwartau, Inter.Pact

Production Support Manager: Lin Lucas
E-mail: [email protected]

Subscription Information
An annual subscription to Network Security includes 12 issues and online access for up to 5 users.
Prices:
1282 for all European countries & Iran
US$1435 for all countries except Europe and Japan
¥170 100 for Japan
(Prices valid until 31 December 2014)
To subscribe send payment to the address above. Tel: +44 (0)1865 843687 or via www.networksecuritynewsletter.com
Subscriptions run for 12 months, from the date payment is received.
Periodicals postage is paid at Rahway, NJ 07065, USA. Postmaster send all USA address corrections to: Network Security, 365 Blair Road, Avenel, NJ 07001, USA

Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: +44 1865 843830, fax: +44 1865 853333, email: [email protected]. You may also contact Global Rights directly through Elsevier’s home page (www.elsevier.com), selecting first ‘Support & contact’, then ‘Copyright & permission’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: +1 978 750 8400, fax: +1 978 750 4744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; tel: +44 (0)20 7631 5555; fax: +44 (0)20 7631 5500. Other countries may have a local reprographic rights agency for payments.

Derivative Works
Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their institutions. Permission of the Publisher is required for resale or distribution outside the institution. Permission of the Publisher is required for all other derivative works, including compilations and translations.

Electronic Storage or Usage
Permission of the Publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests to: Elsevier Science Global Rights Department, at the mail, fax and email addresses noted above.

Notice
No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer.

Pre-press/Printed by Mayfield Press (Oxford) Limited


…Continued from front page

types of threat previously confined to Windows, including dropper, clicker and banking trojans. And some of the threats exploited vulnerabilities of the operating system itself, which is a new development.

Webroot also said that it is seeing greater complexity in Android malware. Overall, threats to the platform increased 384% in 2013, with 42% of applications for Android classified as ‘malicious, unwanted or suspicious’. Its report is here: http://bit.ly/201403webroot.

Fortinet also says that Android is the platform of choice for malware developers, representing 96.5% of all mobile malware infections. Symbian still shows up, at 3.45%, while iOS, BlackBerry, PalmOS and Windows barely register. Its report is here: http://bit.ly/1f7dGNG.

Meanwhile, devices running versions of Android prior to 4.2.1 – which account for around 70% of those in use – are vulnerable to a severe yet simple remote execution vulnerability, Rapid7 has revealed. The firm has now added a module for the vulnerability to its Metasploit framework. An attacker could gain access to the device’s camera, location data, address book and data on any attached SD card. Joshua Drake – who, with Joe Vennix, created the Metasploit module – said he had managed to execute code on Google Glass using the exploit.

The flaw was patched in version 4.2.2 of Android, issued nearly a year ago, but the platform suffers from a low level of patching by users and by carriers and device makers. Only around 2% of Android users are running the latest 4.4 KitKat version of the OS. There is more information here: https://community.rapid7.com/community/metasploit/blog/2014/02/12/weeklymetasploit-update.

Nearly all web and mobile applications have flaws

According to research by security intelligence firm Cenzic, nearly all web and mobile application software has at least one flaw that could be exploited by attackers. The median number of vulnerabilities per application was 14.

The ‘Cenzic Application Security Trends Report 2014’ claims the firm found flaws in 96% of applications tested. It also claims there has been a steady growth in the incidence of security flaws in mobile applications. The report found that privacy violation and excessive privileges appear in over 80% of mobile applications.

There are also increasing incidences of vulnerabilities found in applications shared with third parties. Cloud service providers and supply chain partners that may be outside the organisation’s sphere of influence are a major source of threats, the firm says.

One of the more serious effects of these flaws is information leakage. Around 23% of vulnerabilities were related to this problem, in which an application inappropriately discloses sensitive data, such as technical details of the application or user-specific data.

The age-old problem of Cross-Site Scripting (XSS) is highly prevalent. Some 25% of vulnerabilities were related to XSS, in which an application allows attackers to send malicious scripts by relaying the script from an otherwise trusted URL. In addition, flaws in authentication or authorisation made up 15% of vulnerabilities, and session management errors accounted for 13%.

“In the three years that we have compiled this study, the frequency of application vulnerabilities discovered has remained consistently, astoundingly high,” said Bala Venkat, chief marketing officer at Cenzic. “While some improvements in the development process have been made, other newer areas of vulnerability have emerged. It’s a graphic illustration of the gigantic game of whack-a-mole that enterprises and software developers are playing – and a clear message that it’s time to rethink the way we develop and test our applications.”

In the report, Cenzic has outlined some key best practices that can help organisations secure their applications: implement safe coding practices; use web application firewalls (WAFs), which enable policy-based blocking of specific vulnerabilities that exist in applications without rewriting application code; and ensure proper server configurations. The report is available here: www.cenzic.com/downloads/Cenzic_Vulnerability_Report_2014.pdf.
