
AndroRAT signals commercialization of mobile malware

Mobile malware is not new. According to Juniper Networks’ Third Annual Mobile Threats Report, there were more than 276,000 malicious apps for mobile devices discovered from March 2012 through March 2013. The Android platform, with an estimated two thirds of the mobile market share in 2012, is the target of 92 percent of that malware.

Now, researchers at Symantec have discovered a new wrinkle that combines a Remote Access Tool for Android devices with a kit that lets unskilled users easily repackage legitimate apps with AndroRAT to create Trojans. The new binder kit is being advertised in the hacker underground market as “first ever Android RAT app binder + builder.”

“To date, Symantec has counted 23 cases of popular legitimate apps being Trojanized in the wild with AndroRAT,” Symantec’s Andrea Lelli wrote in a recent blog post. Only several hundred infections of AndroRAT have been found worldwide, most of them in the United States and Turkey, but the number is growing.

AndroRAT enables control of the infected device, allowing the criminal to remotely monitor and make phone calls, send SMS messages, access GPS coordinates, use the camera and microphone and access stored files.

The appearance of AndroRAT packaged in an off-the-shelf kit for infecting applications is a significant step in the commercialization of mobile malware, said Vikram Thakur, Symantec’s principal security response manager.

“All this tool is doing is lowering the bar for people entering the malware space,” Thakur said. “But it’s only one piece of the puzzle.” The user “still has to figure out how to monetize it.”

Making money from malware for mobile devices has for years been a stumbling block for cyber criminals. The devices are increasingly popular and powerful, but do not offer as many opportunities for ripping users off as do desktop and laptop computers that are more often used in commerce. As much fun as it might be to take control of someone’s smartphone, there is not a lot of money in it.

But the ability to leverage malware in large mobile botnets can make it worthwhile. Common schemes are to deliver ads to the infected device, send premium text messages for which the smartphone owner is billed or to have the device browse a for-pay video site. These do not produce a big return on any one device, but Symantec discovered a large mobile botnet in 2012 that was pulling in more than $1 million a year for its owner, Thakur said.

“The bad guys are not trying to suck out as much money as they can on day one,” he said. They are staying under the radar, taking a few dollars a month from each victim for a small -- but long term -- return on investment.

The next phase in such schemes is to take products such as the AndroRAT binder one step further and bundle it with tools for hosting and delivering premium content to compromised devices: An all-in-one tool that can turn any wannabe into a successful mobile bot herder.

So far, it does not appear that this has been done, Thakur said. “If it is happening in the underworld, it is in a very siloed manner.” But he expects that we will see activity of this kind in the future.

The good news is that most mobile malware today is delivered in applications that have to be installed on a smartphone or other device, which means that the user is the first and best line of defense. You should have an antivirus tool installed on your phone, but be careful about what else you install on it.

“If somebody is offering you a free version of an app that you would have to pay for somewhere else, think twice,” Thakur said. “Nothing is free.”

Posted by William Jackson on Jul 19, 2013 at 9:54 AM


New domain names bound for collisions: 'Things are going to break'

The Internet is on the brink of the largest expansion of generic Top Level Domains in its history, with as many as 1,000 new strings expected to be added over the next year, more than quadrupling the current gTLD space.

Some observers, including the operator of two of the Internet’s root zone servers, worry that this expansion of public domains could result in naming collisions with private internal network domains, disrupting those networks.

“We know things are going to break,” said Danny McPherson, chief security officer of Verisign, the company that runs the A and J root servers. Networks in the .gov domain could be affected, as well as those supporting emergency services such as public safety answering points for the nation’s 911 system. “It makes us uneasy,” McPherson said.

At risk is any enterprise with a network naming scheme using domain names for non-public resources that are the same as new domain name strings now being considered for approval on the Internet. There are 1,833 such names now being considered by the Internet Corporation for Assigned Names and Numbers, and the approved new gTLDs could begin being delegated in the root system later this year.

The resulting collisions could cause some networks to become about as useless as the Washington Beltway on Friday afternoon.

The solution is to change those internal domain names to avoid naming collisions. But this can be a complex job for a large enterprise, and McPherson worries that many administrators are not aware of the issue. He believes the 12 root zone operators have a responsibility to monitor the global systems to identify potential collision situations and warn network operators in advance. But there is no zone-wide system to provide that visibility.

Top Level Domains are the suffixes on domain names that appear to the right of the final dot in the address, such as .gov and .com. There now are 317 of these, including country names such as .us and .uk. Name servers in the Domain Name System use authoritative lists maintained in the 13 root servers to associate domain names with IP addresses and direct queries. The potential problem with the domain expansion is that requests for a network’s internal domains are routinely checked against the global DNS database as well as the local enterprise name database. If the domain name is not in the global database, the resolver looks for it in the local database, and the query is directed to the proper server within the network.

But if that internal name is added to the Internet’s collection of domains, the internal request will be sent out to the Internet and the user will not be able to access resources on his own network.

How likely is this to happen? Take .home for instance. This is a default internal domain name used on millions of pieces of home networking equipment. McPherson said .home is one of the top five queries received by Verisign’s root servers. It also is one of the most coveted new gTLDs being considered, with 11 applicants. Other commonly used internal domain names being considered for the Internet include .inc, .corp, .cloud and .mail.

McPherson also is concerned that less commonly used names such as .med that might be used by hospitals and clinics for connecting with health care equipment could suddenly become unavailable internally if .med goes onto the Internet.

Ideally, if you are managing a network you would be warned by the root zone operators when they notice local domain queries from your network that would be likely to result in collisions. With no system in place for monitoring for this, however, the responsibility falls on network administrators to know their naming schemes, pay attention to ICANN’s new gTLD program, and make sure they are not using new Internet domains internally.
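One way an administrator could run that check against their own resolver logs, as an added example that is not part of the original article: it counts internal queries whose suffix matches an applied-for gTLD and lists the clients that sent them. The log format, the sample lines and the function names are constructed for illustration, and the suffix set holds only the strings named above; a real audit would load the full applied-for list from ICANN's new gTLD program.

```python
from collections import Counter, defaultdict

# Strings the article names as applied-for gTLDs that are also used internally.
# Assumption: a real audit loads the complete applied-for list instead.
APPLIED_FOR = {"home", "inc", "corp", "cloud", "mail", "med"}

# Constructed resolver query log: "<timestamp> <client-ip> <qtype> <qname>".
SAMPLE_LOG = """\
2013-07-12T09:00:01 10.0.4.17 A fileserver.corp.
2013-07-12T09:00:02 10.0.4.17 A www.example.com
2013-07-12T09:00:05 10.0.7.3 AAAA printer.home
2013-07-12T09:00:09 10.0.7.3 A PACS01.Radiology.MED
2013-07-12T09:00:11 10.0.9.8 A intranet
2013-07-12T09:00:12 10.0.4.21 SRV _ldap._tcp.dc1.corp
malformed line
"""

def tld_of(qname):
    """Return the rightmost label, lowercased, or None for single-label names."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-1] if len(labels) > 1 and labels[-1] else None

def audit(log_text, applied_for=APPLIED_FOR):
    """Map each colliding suffix to (query count, sorted list of client IPs)."""
    counts, clients = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the assumed format
        _, client, _, qname = fields
        tld = tld_of(qname)
        if tld in applied_for:
            counts[tld] += 1
            clients[tld].add(client)
    return {t: (counts[t], sorted(clients[t])) for t in counts}

if __name__ == "__main__":
    for tld, (n, who) in sorted(audit(SAMPLE_LOG).items()):
        print(f".{tld}: {n} queries from {', '.join(who)}")
```

Suffixes that show up in the result are the internal names to plan a rename for, and the client list shows which hosts still depend on them.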

Posted by William Jackson on Jul 12, 2013 at 12:38 PM


Boom times for mobile security

It seems that everyone wants secure communications these days, and concerns about government spying and data leakage are creating demand for products and services to encrypt and protect mobile communications.

Silent Circle, which provides end-to-end mobile encryption for consumers and enterprises, has enjoyed a well-publicized growth spurt since its launch earlier this year, and other entries in the market are expanding the portfolio of available secure products and services.

“There’s a hell of a lot of concern about privacy and interception of information,” said Stephen Bryen, CEO of Ziklag Systems, which provides hardened Android phones for the enterprise. “People used to say, ‘what do I need that for?’ I don’t hear that any more. Right now it’s not hard to tell people they need something like this.”

Ziklag’s recently-launched FortressFone creates a secure platform with hardware-based encryption on the phone and a customer-owned server to manage key exchange between secured phones. Another product, KoolSpan’s TrustChip, is a self-contained encryption and key management engine on a Secure Digital card that can be installed in just about any kind of mobile device for encrypted end-to-end communications, which makes it practical for both enterprises and individuals.

KoolSpan has targeted private- and government-sector organizations for its chip and accompanying app, called TrustCall, but has recently seen a spike of consumer interest, said CEO Gregg Smith.

“We’re now creating a strategy around this,” Smith said. “We’ve had a dramatic increase in leads.”

These companies have the National Security Agency to thank for much of this interest, of course.

Security has always been a challenge — not just developing the technology for it but also creating a demand for it at the user level. Government has been an easy target for companies because agencies can mandate security. Companies such as Motorola, with its Assured Mobile Environment (AME) 2000, already are in the secure communications market, focusing on agencies, including the military, that want to implement and manage secure mobile systems. Motorola’s AME 2000 integrates an Android smart phone with hardware and software features for encrypting voice and data for government customers. Keys are stored in hardware, and it uses the NSA’s Suite B encryption. The platform recently added remote device and application management from Fixmo.

Consumers have always been all for security and privacy as long as someone else provides it and it does not inconvenience them. But recent revelations of wholesale sweeps of domestic communications data by the NSA, coming on top of concerns about widespread espionage by foreign governments, have put secure communications front-of-mind for many people, and the market now is expanding beyond government and the handful of paranoid consumers who have been willing to wrestle with cryptography.

The processing power available in small devices now makes security of these devices necessary, but also more convenient. The microSD card used by KoolSpan has the processing power of an early IBM laptop, Smith said. This allows the chip to handle key generation and exchanges with other phones and perform 256-bit encryption. A key is generated for each packet with little if any degradation in voice quality, Smith said.

All well and good, says Ziklag’s Bryen. But if the phone itself is vulnerable to attacks, the encryption is not safe. So FortressFone is a proprietary phone using a hardened Android kernel to protect all phone functions.

“We take the phone and reengineer it,” he said. “We change it significantly to harden it.” Secure calls are set up, and keys managed over a secure VPN data link to the SIP server that links the hardened phones.

It is conceivable that in the not-too-distant future encryption chips will come standard in smart phones and tablets, making secure communications an off-the-shelf feature for consumers.

Posted by William Jackson on Jul 11, 2013 at 11:12 AM


Can the two-man rule foil insider threats?

In the wake of embarrassing leaks by Edward Snowden about the National Security Agency’s domestic and international intelligence gathering, the agency is trying to figure out how it lost control of this information and how to prevent it from happening again.

As to how it happened, NSA Director Gen. Keith Alexander has a pretty good idea, at least at a high level: Too many people with access.

Alexander told the House Select Permanent Intelligence Committee on June 18 that NSA now has at least 1,000 systems administrators, a growing number of them contractors, like Snowden. Administrators are defined by their privileges on IT systems, their ability to access, define and change just about anything they want. One thousand is a lot of administrators to keep track of. Many people, Alexander included, think it is too many by at least one.

“Clearly the system did not work as it should have,” the general said in a June 23 appearance on ABC News’ This Week. “He betrayed the trust and confidence we had in him.”

The problem of administrative creep is not a new one, nor is it unique to the NSA or government.

“It’s a common audit finding that organizations have too many administrative personnel,” said Dave Frymier, chief information security officer at Unisys. Unisys faced the same problem when it found one day it had more than 100 Microsoft administrators. That number eventually was reduced to fewer than 15. “It just shows that they’re human,” he said of the NSA.

Alexander offered some ideas on how NSA plans to deal with the problem of trust. “We are now putting in place actions that would give us the ability to track our system administrators, what they're doing, what they're taking. A two-man rule,” he told ABC’s George Stephanopoulos.

The “two-man” rule requires two people with separate sets of credentials for access to sensitive resources. It can be expensive in terms of manpower and is not fool-proof, but most in the security community think it is a good idea, especially in an environment as sensitive as the NSA.

“I fall into the category of people who wonder why they hadn’t been doing this all along,” Frymier said. “It’s expensive, but it’s one of the better solutions to the problem.”

It is not the only solution, of course. The first — and most obvious — fix is to minimize the number of systems administrators. As with many simple solutions, however, this is easier said than done. While having a lot of administrators can be a security risk, it also helps to lighten workloads and make it easier to keep systems up and running. People tend to care about security risks only after an incident, but they care about having their systems running seven days a week, so convenience often trumps security.

A second solution is to reduce the privileges given to each administrator. Not all of them need all of the privileges all of the time. A system to grant privileges as required and to revoke them when a task is completed can make it easier to manage the managers. Microsoft has a more fine-grained administrative environment than Unix, and there are off-the-shelf tools to help with this process in a Microsoft environment. Unfortunately, NSA appears to be largely a Unix shop, Frymier said. But with its resources, the agency probably could develop its own administrative tools.
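The two-man rule and the grant-then-revoke idea described above can be combined in one access gate, sketched here as an added example that is not from the article or from any NSA or Unisys system. The `DualControl` class, the user names and the action strings are hypothetical, and identity is assumed to be authenticated elsewhere.

```python
import time

class DualControl:
    """Grants a privilege only after a second, different person approves it."""

    def __init__(self, admins, ttl_seconds=900, clock=time.time):
        self.admins = set(admins)      # people allowed to request or approve
        self.ttl = ttl_seconds         # how long an approved grant stays valid
        self.clock = clock             # injectable so expiry can be tested
        self.pending = {}              # request id -> (requester, action)
        self.grants = {}               # request id -> (requester, action, expiry)
        self.audit = []                # in-memory record of every decision
        self._next_id = 1

    def request(self, requester, action):
        if requester not in self.admins:
            raise PermissionError("unknown requester")
        rid = self._next_id
        self._next_id += 1
        self.pending[rid] = (requester, action)
        self.audit.append(("request", rid, requester, action))
        return rid

    def approve(self, rid, approver):
        requester, action = self.pending[rid]
        # The rule: the second credential must belong to a different person.
        if approver not in self.admins or approver == requester:
            self.audit.append(("denied", rid, approver, action))
            return False
        del self.pending[rid]
        self.grants[rid] = (requester, action, self.clock() + self.ttl)
        self.audit.append(("approved", rid, approver, action))
        return True

    def allowed(self, rid, user, action):
        """True only for the approved requester and action, before expiry."""
        grant = self.grants.get(rid)
        if grant is None:
            return False
        requester, granted_action, expiry = grant
        if self.clock() >= expiry:
            del self.grants[rid]       # revoke when the window closes
            return False
        return user == requester and action == granted_action
```

Self-approval and approval by an unknown account are both refused and recorded, and the grant covers one named action for a limited window rather than standing administrator rights.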

Another good security practice is to log all administrator activity. The problem with this is that logs often are looked at only after an incident, and administrators often have the ability to alter logs. This is where a system for real-time monitoring and alerting for suspicious activity would come in handy.

There are any number of other steps for segregating and protecting sensitive data, but none of them fool-proof. Eventually you have to trust someone with sensitive information. “At some point the problem is a human resource problem rather than a technical one,” Frymier said.

So the Cold War saw of “trust but verify” makes sense. “The two-man rule really is the best solution to the problem,” Frymier said. “It’s a good way to get a vast improvement.”

Posted by William Jackson on Jul 02, 2013 at 10:19 AM