Google attempts Android malware fix, but problems persist

Computer Fraud & Security, February 2012

NEWS ...Continued from front page

The publication – the result of research that included oral and written submissions from academics, researchers, police officers and politicians – points out that, while the Committee welcomes the new strategy, “it remains, in essence, focused at too high a level to address the key concerns of everyday Internet users”. Ordinary computer users need to be better informed about the risks, says the Committee, and need a “trusted source of authoritative advice and up-to-date information about malware and Internet scams”. The Government’s existing Get Safe Online website isn’t doing enough, the report states, and needs significant investment and improvement. And the Government and police forces need to work more closely with ISPs.

The report also discusses the difficulty of prosecuting cyber-criminals. It concludes: “In the event that the industry cannot demonstrate an effective self-regulatory model, we recommend that the Government investigate the potential for imposing statutory safety standards.” The report is available at: www.publications.parliament.uk/pa/cm201012/cmselect/cmsctech/1537/1537.pdf.

Three new regional cybercrime teams have been created in Yorkshire and the Humber, the Northwest and the East Midlands. Each consists of three officers who will work alongside the current Metropolitan Police Central e-crime Unit. They will also use existing skills developed by the Greater Manchester Police (GMP) and West Midlands Police (Birmingham). This move is part of a four-year, £30m budget to combat cybercrime.

“The Government has acknowledged a need to collaborate and provide a structured response to the cyber security of the UK and these three additional policing units are going to play a critical role in our ability to combat the threat,” said Deputy Assistant Commissioner Janet Williams, who leads the e-crime efforts of the Association of Chief Police Officers (ACPO). “It is anticipated the hubs will make a significant contribution to the national harm reduction target of £504m. In the first six months of the new funding period alone we have already been able to show a reduction of £140m with our existing capability. While a training period is required before the hubs are fully functional, they will undoubtedly provide an enhanced ability to investigate this fast-growing area of crime and provide an improved Internet investigation capability.”

Software flaws put users at risk

A rapid growth in software security flaws – specifically end-point vulnerabilities – is putting Internet users at increased risk, according to Secunia’s yearly report for 2011. And businesses aren’t doing enough to protect themselves – for example by improving their patch management, the firm said.

According to the report, third-party software, rather than the Windows operating system or Microsoft applications, is almost exclusively responsible for the growth in vulnerabilities, with the share of third-party vulnerabilities on a typical end-point increasing from 45% in 2006 to 78% in 2011. That left 12% affecting operating systems and 10% being found in Microsoft programs. The report shows that the number of end-point vulnerabilities increased once again in 2011 to over 800 vulnerabilities – a tripling within only a few years – more than half of which were rated by Secunia as either highly or extremely critical.

“Many businesses are not doing enough to help themselves,” said Stefan Frei, research analyst director, Secunia. “By not addressing errors in software installed on typical end-points, organisations and individuals are in effect leaving their ‘windows’ wide open for cybercriminals to enter and compromise their most sensitive data,” he continued. “One problem often lies with the company’s security strategy. The programs that an organisation perceives as top priorities to patch as opposed to the programs that cybercriminals target are often vastly different. A typical corporate infrastructure contains layers of programs that organisations consider business-critical. Many organisations will focus on patching the top layer – business-critical programs – only. Cybercriminals, however, will target all programs and only need one vulnerable program to compromise the host.”

The report reveals that for an organisation with over 600 programs installed on its network, more than 50% of the programs that are vulnerable in one year will not be vulnerable the next year, and vice versa. “Identifying all installed programs and implementing an agile, dynamic patching strategy according to criticality in the remediation phase, as opposed to a short-sighted approach of only patching a static set of preferred programs, clearly wins in terms of achieving optimal risk reduction with limited resources,” said Frei.

The report also found that the software portfolio installed on a typical end-point comprises programs from 12 different vendors. It therefore involves 12 different update mechanisms to keep a typical end-point secure.

Figure: New figures from Secunia show that trojans remain by far the most common threat.

Google attempts Android malware fix, but problems persist

In the face of mounting concern about the malware issue surrounding Android, Google is attempting to eliminate trojan-infected apps from its Android Market store. However, an alternative market for banned apps may appear, and the platform continues to suffer from other security issues.

Google has introduced Bouncer, which will scan new and existing apps in the Android Market for known malicious code. It uses static analysis and also simulates running the code on an actual device. Although Google has carried out ad hoc scanning whenever there has been a security scare, Bouncer now automates that process. Any apps flagged by Bouncer as suspect are then subject to a manual review.

This addresses the problem only for apps delivered via Google’s Android Market. Many users will continue to obtain apps via other online app markets – which may have been created purely to deliver malware. So Bouncer doesn’t deliver the same level of assurance as Apple’s system in which all apps must be digitally signed by Apple or they will refuse to run on the device (assuming it hasn’t been jailbroken).

The situation for Android might not be helped by the idea put forward by a group of developers to create an alternative Android marketplace that would host apps refused by Google, as well as promoting a separate build of the operating system. CyanogenMod is a popular build of Android, with about a million user installs, that allows users to do things like grab screenshots, remove interface shells and strip out adware or spyware installed by device manufacturers or network operators. Now the developers have mooted the idea of creating their own marketplace for apps that can provide capabilities not normally permitted, such as root access. There’s more information here: https://plus.google.com/103583939320326217147/posts/ViJ665K38Xa.

The scale of malware infections on Android devices is the subject of much debate. Google acknowledges that there’s a problem but says that focusing on the number of trojanised apps is the wrong approach: the real issue is how many users end up installing malware. The firm said that, during the second half of 2011, this number fell by 40% compared to the first half.

There have been criticisms that anti-malware firms (many of which market Android products) tend to exaggerate the scale of the problem. This wasn’t helped recently when Symantec warned that “millions” of Android users may have been infected with a specific strain of trojan, only to admit later that it had misdiagnosed aggressive ad tracking as malware. Symantec initially said it had identified 13 apps ‘infected’ with a trojan it had named Android.Counterclank, and estimated that these apps had been downloaded between one million and five million times. According to Symantec, the trojan was a variation on the previously identified malware Android.TonClank, also known as Plankton. However, researchers at rival security firm Lookout identified the ‘malware’ as code from an SDK that helps developers create a revenue stream from their apps through embedded search.

Symantec has also warned about Android malware dubbed Android.Bmaster, which was first discovered by researcher Xuxian Jiang at North Carolina State University. The malware, which downloads a Remote Administration Tool (RAT) to the device, was discovered on apps on a third-party marketplace and is attached to a legitimate app used to control phone settings. In a blog post about the malware, Cathal Mullaney of Symantec said that the firm reckons there are 10,000–30,000 Android devices connecting to botnet Command and Control (C&C) servers on any given day – a small number compared to PCs, but enough to drive significant revenue for cyber-criminals.

Meanwhile, US-CERT has warned that a range of HTC Android phones can leak wifi passwords. Rogue applications that have basic wifi permissions may be able to view wifi credentials and, if the apps also have Internet privileges, send these details – SSID, usernames and passwords – to cyber-criminals. This could have serious implications for organisations whose employees are using these phones. HTC has issued a solution here: www.htc.com/www/help/wifi-security-fix/.

On the plus side, US intelligence agency NSA has released SE Android, a security enhanced version of the OS that imposes stricter access control mechanisms. It’s based on the NSA’s Security-Enhanced Linux (SE Linux), which appeared in 2000. Details are available here: http://selinuxproject.org/page/SEAndroid.

FEATURE

Identity and Access Management (IAM) software solutions are designed to automate the process of aligning your employees, based on the roles you’ve defined, with the appropriate user access. Again, knowing who has access is the nucleus of access risk management. Allow access to the right users so they can do the right things with the information, and risk diminishes dramatically.

For an access risk management strategy to work, the use of access intelligence to identify and quantify access risk, along with the ability to remediate inappropriate access, has to be a regular, on-going process. In too many public organisations, reviews and overhauls of user access privileges are little more than pro-forma processes designed to satisfy auditors and regulators. They have little practical effect on front-line access risk management because they’re too slow to spur immediate changes. These processes are often based on time-consuming manual data collection and analysis. Automated IAM solutions make constant user access privilege monitoring practical and economical. Constant monitoring reveals risks as they emerge, which allows managers to respond before any loss or damage occurs. This intelligence enables managers to respond immediately and decide whether the individual has the appropriate access rights.

Again, the focus always comes back to who is allowed to access the data and to what extent. Elaborate security systems that don’t provide real-time information on who is accessing vital systems and data and what they’re using it for cannot mitigate unacceptable risk. Once the wrong person has access to sensitive data, it’s as good as compromised.

Risk is a constant in business. As more public organisations open their information systems via the web, cloud-based applications or mobile devices, the potential for a security breach will increase. Mounting risks are not necessarily unmanageable risks, however. Effective policies coupled with IAM solutions that enable public organisations to assign users to roles with defined access privileges, generate and analyse user access data to detect anomalies, locate sensitive information throughout the organisation, and quantify and immediately address unacceptable risks will allow public organisations to become more open and more secure at the same time.

About the author

Marc Lee is director of EMEA operations for US-based Courion Corporation. He has more than a decade of experience in developing and implementing partner strategies for enterprise software vendors across EMEA. Prior to Courion, he was responsible for building sales and channel programmes for Imprivata in Northern Europe and JBoss in the UK and EMEA. In his current position, Lee is tasked with building on Courion’s business in EMEA.

M86 report shows rise in cybercrime sophistication

The latest bi-annual M86 Security Labs Report shows a significant growth in cybercrime via sophisticated targeted attacks and social media scams, as well as a rise in malicious email attachments. This is all in spite of a four-year low in spam volumes last year.

The firm noted that while spam levels have declined, the proportion of malicious spam increased from 1% to 5% in the last half of 2011. The key findings of the report include the fact that cyber-criminals are pursuing a wider range of organisations, including commercial, national critical infrastructure and military targets. Victims in 2011 included RSA, Lockheed Martin and the Asia-Pacific Economic Co-operation (APEC) organisation. Stealing or faking digital certificates has become an important component of a targeted attack. And M86 says that 2011 saw Blackhole establish itself as the most successful exploit kit. Social media is now a haven for fraudulent posts and scams, M86 noted, and it is now mainstream practice for spammers to use bogus social media notifications to dupe users into clicking on infected links. The complete version of the report is available here: http://m86.it/2HSecReport.

Calendar

27 February–2 March 2012: RSA Conference 2012, San Francisco, California, US, www.rsaconference.com/events.htm

27 February–2 March 2012: Financial Cryptography and Data Security, Island of Bonaire, Antilles, fc12.ifca.ai/index.html

7–9 March 2012: Military Cyber Security, Washington DC, US, www.militarycybersecurity.com

14–16 March 2012: Black Hat Europe, Amsterdam, The Netherlands, www.blackhat.com/html/bh-eu-12/bh-eu12-home.html

19–20 April 2012: ForenSecure’12 (formerly Netsecure), Wheaton, Illinois, US, http://bit.ly/z8c1cD

24–26 April 2012: Infosecurity Europe, London, UK, www.infosec.co.uk

24–29 April 2012: SANS AppSec 2012, Las Vegas, US, www.sans.org/appsec-2012/

25 April 2012: Security B-Sides, London, UK, www.securitybsides.org.uk/

21–25 May 2012: Hack In The Box Security Conference 2012, Amsterdam, The Netherlands, http://conference.hackinthebox.org/
