Threats to Mobile Devices Using the Android Operating System

Android is the world’s most widely used mobile operating system (OS) and continues to be a primary target for malware attacks due to its market share and open source architecture. Industry reporting indicates 44 percent of Android users are still using versions 2.3.3 through 2.3.7, known as Gingerbread, which were released in 2011 and have a number of security vulnerabilities that were fixed in later versions.

The growing use of mobile devices by federal, state, and local authorities makes it more important than ever to keep the mobile OS patched and up-to-date. The following are some known security threats to mobile OSs and mitigation steps:

Security Threat: SMS (Text Message) Trojans
Description: Represent nearly half of the malicious applications circulating today on older Android OS versions. Sends text messages to premium-rate numbers owned by criminal hackers without the user’s knowledge, potentially resulting in exorbitant charges for the user.
Mitigation Strategy: Install an Android security suite designed to combat these threats. These security suites can be purchased or downloaded free from the Internet.

Security Threat: Rootkits
Description: Malware that hides its existence from normal forms of detection. In late 2011, a software developer’s rootkit was discovered running on millions of mobile devices. Logs the user’s locations, keystrokes, and passwords without the user’s knowledge.
Mitigation Strategy: Install the Carrier IQ Test, a free application that can detect and remove the malicious software.

Security Threat: Fake Google Play Domains
Description: Sites created by cybercriminals. Google Play enables users to browse and download music, books, magazines, movies, television programs, and other applications. Fake domains trick users into installing malicious applications that enable malicious actors to steal sensitive information, including financial data and log-in credentials.
Mitigation Strategy: Install only approved applications and follow IT department procedures to update devices’ OS. Users should install and regularly update antivirus software for Android devices to detect and remove any malicious applications.

Google: Gmail users ‘have no legitimate expectation of privacy’

As tensions worsen among privacy-focused email users amid the escalating scandal surrounding government surveillance, a brief filed by attorneys for Google has surfaced showing that Gmail users should never expect their communications to be kept secret.

Consumer Watchdog has unearthed a July 13, 2013 motion filed by Google’s attorneys with regards to ongoing litigation challenging how the Silicon Valley giant operates its highly popular free email service.

The motion, penned in hopes of having the United States District Court for the Northern District of California dismiss a class action complaint against the company, says Gmail users should assume that any electronic correspondence that’s passed through Google’s servers can be accessed and used for an array of options, such as selling ads to customers.

“Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use Web-based email today cannot be surprised if their emails are processed by the recipient’s [email provider] in the course of delivery,” the motion reads in part. “Indeed, ‘a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.’”

Elsewhere, Google’s legal counsel says the plaintiffs are attempting “to criminalize ordinary business practices” that the company has implemented for nearly a decade, specifically the automated scanning of emails.

According to Google, federal wiretap laws provide third-party email providers with liability from litigation if their practices are done “in their ordinary course of business.” An Electronic Communication Service (ECS) such as Gmail must scan emails sent to and from their systems, says Google, as part of providing the services they offer.

“While plaintiffs go to great lengths to portray Google in a sinister light, the complaint actually confirms that the automated processes at issue are Google’s ordinary business practices implemented as part of providing the free Gmail service to the public. This is fatal to plaintiffs’ claims,” the attorneys write.

Plaintiffs claim that an illegal interception is committed each time an email sent to or from a Gmail account is scanned, but the company counters that claim by saying the automated scanning is not only outlined in the Terms of Service agreement, but necessary for the product to function in the way it does.

Gmail customers, the company claims, “are contractually bound to Google’s terms. Indeed, they devote much of the Complaint to attacking the disclosures in the TOS and Privacy Policy in an effort to avoid this express contractual consent.”

“In short, there is no illegal ‘interception’ here because Plaintiffs’ own allegations confirm that the alleged practices at issue are part of Google’s ordinary course of business,” attorneys write.

“In practice, plaintiffs’ theory would prevent ECS providers from providing a host of normal services that Congress could not possibly have intended to criminalize as an ‘illegal interception,’” they continue. “For example, an ECS provider could not allow users to sort their emails using automated filters because any such system would require scanning the contents of the emails being delivered to the user, thus running afoul of plaintiffs’ theory. Nor could an ECS provider provide even basic features like allowing users to search their own emails for particular key terms because doing so would, again, involve the scanning of email content.”

Google is now asking the court to reject the plaintiffs’ claims because their interpretation of what constitutes an illegal interception would make it “virtually impossible” for any email company to provide normal services. Because the brief says customers lack any right to privacy, however, Consumer Watchdog is up in arms.

“Google has finally admitted they don’t respect privacy,” John M. Simpson, Consumer Watchdog’s Privacy Project director, said in a statement. “People should take them at their word; if you care about your email correspondents’ privacy don’t use Gmail.”

“Google’s brief uses a wrong-headed analogy; sending an email is like giving a letter to the Post Office,” added Simpson. “I expect the Post Office to deliver the letter based on the address written on the envelope. I don’t expect the mail carrier to open my letter and read it. Similarly when I send an email, I expect it to be delivered to the intended recipient with a Gmail account based on the email address; why would I expect its content will be intercepted by Google and read?”

News of Google’s motion to dismiss the complaint comes just days after two pay-for-use providers of highly encrypted and seemingly secure email services announced they’d be calling it quits. Vaguely citing a federal investigation, Texas-based Lavabit said on Thursday last week that it was shutting down its email service, reportedly used by National Security Agency leaker Edward Snowden. Hours later, competitor Silent Circle said it would be doing the same.

Source: RT

U.S. mining data from 9 leading Internet firms; companies deny knowledge

The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio and video chats, photographs, e-mails, documents, and connection logs that enable analysts to track one target or trace a whole network of associates, according to a top-secret document obtained by The Washington Post.

The program, code-named PRISM, has not been made public until now. It may be the first of its kind. The NSA prides itself on stealing secrets and breaking codes, and it is accustomed to corporate partnerships that help it divert data traffic or sidestep barriers. But there has never been a Google or Facebook before, and it is unlikely that there are richer troves of valuable intelligence than the ones in Silicon Valley.

Equally unusual is the way the NSA extracts what it wants, according to the document: “Collection directly from the servers of these U.S. Service Providers: Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple.”

PRISM was launched from the ashes of President George W. Bush’s secret program of warrantless domestic surveillance in 2007, after news media disclosures, lawsuits and the Foreign Intelligence Surveillance Court forced the president to look for new authority.

Congress obliged with the Protect America Act in 2007 and the FISA Amendments Act of 2008, which immunized private companies that cooperated voluntarily with U.S. intelligence collection. PRISM recruited its first partner, Microsoft, and began six years of rapidly growing collection beneath the surface of a roiling national debate on surveillance and privacy. Late last year, when critics in Congress sought changes in the FISA Amendments Act, the only lawmakers who knew about PRISM were bound by oaths of office to hold their tongues.

The court-approved program is focused on foreign communications traffic, which often flows through U.S. servers even when sent from one overseas location to another. Between 2004 and 2007, Bush administration lawyers persuaded federal FISA judges to issue surveillance orders in a fundamentally new form. Until then the government had to show probable cause that a particular “target” and “facility” were both connected to terrorism or espionage.

In four new orders, which remain classified, the court defined massive data sets as “facilities” and agreed to occasionally certify that the government had reasonable procedures in place to minimize collection of “U.S. persons” data without a warrant.

Several companies contacted by The Post said they had no knowledge of the program and responded only to individual requests for information.

“We do not provide any government organization with direct access to Facebook servers,” said Joe Sullivan, chief security officer for Facebook. “When Facebook is asked for data or information about specific individuals, we carefully scrutinize any such request for compliance with all applicable laws, and provide information only to the extent required by law.”

Source: Washington Post | Read more here


Operation ‘Red October’: Global cyber-spy network uncovered by Russian experts

A sophisticated cyber-espionage network targeting the world’s diplomatic, government and research agencies, as well as gas and oil industries, has been uncovered by experts at Russia’s Kaspersky Lab.

The system’s targets include a wide range of countries, with the primary focus on Eastern Europe, former Soviet republics and Central Asia – although many in Western Europe and North America are also on the list.

“The majority of infections are actually from the embassies of ex-USSR country members located in various regions such as Western Europe and even in North America – in the US we have few infections as well. But most infections are concentrated around Russia,” Vitaly Kamluk, chief malware expert at Kaspersky Lab, told RT, adding that in Europe, the hardest-hit countries are apparently Belgium and Switzerland.

In addition to attacking traditional computer workstations, ‘Rocra’ – an abridgment of ‘Red October,’ the name the Kaspersky team gave the network – can steal data from smartphones, dump network equipment configurations, scan through email databases and local network FTP servers, and snatch files from removable disk drives, including ones that have been erased.

Unlike other well-known and highly automated cyber-espionage campaigns, such as ‘Flame’ and ‘Gauss,’ Rocra’s attacks all appear to be carefully chosen. Each operation is apparently driven by the configuration of the victim’s hardware and software, native language and even document usage habits.

The information extracted from infected networks is often used to gain entry into additional systems. For example, stolen credentials were shown to be compiled in a list for use when attackers needed to guess passwords or phrases.

The hackers behind the network have created more than 60 domain names and several server hosting locations in different countries – the majority of those known being in Germany and Russia – which worked as proxies in order to hide the location of the ‘mothership’ control server.

That malicious server’s location remains unknown, but experts have uncovered over 1,000 modules belonging to 34 different module categories. While Rocra seems to have been designed to execute one-time tasks sent by the hackers’ servers, a number of modules were constantly present in the system executing persistent tasks. These included retrieving information about a phone, its contact list, call history, calendar, SMS messages and even browsing history as soon as an iPhone or a Nokia phone was connected to the system.

The hackers’ primary objective is to gather information and documents that could compromise the security of governments, corporations or other organizations and agencies. In addition to focusing on diplomatic and governmental agencies around the world, the hackers also attacked energy and nuclear groups, and trade and aerospace targets.

No details have been given yet as to the attackers’ identity. However, there is strong technical evidence to indicate that the attackers are of Russophone origins, as Russian words including slang have been used in the source code commentaries. Many of the known attacks have taken place in Russian-speaking countries.

The hackers designed their own authentic and complicated piece of software, which has its own unique modular architecture of malicious extensions, info-stealing modules and backdoor Trojans. The malware includes several extensions and malicious files designed to quickly adjust to different system configurations while remaining able to grab information from infected machines.

These included a ‘resurrection’ module, which allowed hackers to gain access to infected machines using alternative communications channels and an encoded spy module, stealing information from different cryptographic systems such as Acid Cryptofiler, which has reportedly been used since 2011 by organizations such as NATO, the European Parliament and the European Commission.

The first instances of Red October malware were discovered in October 2012, but it has been infecting computers since at least 2007, Kaspersky Lab reported. The firm worked with a number of international organizations while conducting the investigation, including Computer Emergency Readiness Teams from the US, Romania and Belarus.

The EU is attempting to counter the huge rise in cyber-espionage by launching the European Cybercrime Center, which opened on Friday.

Source: RT

Worm Tries AutoRun, Then Social Engineering to Infect

Sophos, Trend Micro, and a number of other security firms are reporting a dramatic increase in the prevalence of a worm using AutoRun and social engineering to proliferate.

If you thought Microsoft solved the AutoRun problem, you aren’t alone. They tried to shut it down after it was famously and cleverly used to spread earlier variants of the Stuxnet worm that targeted the industrial control systems that controlled centrifuges at Iran’s Natanz nuclear enrichment facility. However, as we continue to move further and further from that date, and we continue to see the word AutoRun popping up in headlines, it is increasingly becoming one of those network security nuisances that just won’t go away.

Part of the problem here, according to Sophos, is that users still aren’t very good about patching their machines. It’s the same, simple old problem that never seems to change. Despite the fact that Microsoft shipped a patch to disable AutoRun nearly two years ago, some users still haven’t gotten around to implementing it. So the worm is spreading, in large part, through autorun.inf files loaded onto removable media and writable network shares.
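The article names the vehicle (autorun.inf on removable media and writable shares) but not what a defender looks for inside such a file. The following added example, written for this page and not taken from Sophos, Trend Micro or any worm sample, parses the [autorun] section and flags the directives that launch a program or redirect Explorer’s verbs, then walks a directory tree to find offending files. Both autorun.inf samples, the RECYCLER path and the update.exe name are constructed for the demonstration.

```python
import os
import tempfile

# Documented autorun.inf directives that launch a program when AutoRun is enabled.
LAUNCH_KEYS = ("open", "shellexecute")
# Text that mimics the built-in Windows AutoPlay choice; used to make the malicious
# entry look like the normal "open folder" option (the social-engineering half).
LURE_PHRASES = ("open folder to view files", "open folder")

# Constructed sample mimicking a worm-dropped file (not a real sample).
MALICIOUS_SAMPLE = r"""[autorun]
;constructed for this example
open=RECYCLER\S-1-5-21\update.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\Command=RECYCLER\S-1-5-21\update.exe
shell\explore\command=RECYCLER\S-1-5-21\update.exe
shell=open
junk line without a delimiter
"""

# Constructed benign sample: label and icon only, nothing executes.
BENIGN_SAMPLE = """[autorun]
label=Product CD
icon=setup.ico
"""


def parse_autorun(text):
    """Return the [autorun] section as {lowercased key: value}.

    Hand-written instead of configparser because worm-dropped files often carry
    junk lines (no '=', stray bytes) that a strict INI parser rejects outright.
    """
    directives = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # junk, or a directive outside [autorun]
        key, value = line.split("=", 1)
        directives[key.strip().lower()] = value.strip()
    return directives


def assess(directives):
    """Return the reasons an [autorun] section looks like an AutoRun infection."""
    reasons = []
    for key, value in directives.items():
        if key in LAUNCH_KEYS:
            reasons.append(f"{key}= runs '{value}' on insert")
        elif key.startswith("shell\\") and key.endswith("\\command"):
            verb = key.split("\\")[1]  # shell\<verb>\command hijacks an Explorer verb
            reasons.append(f"Explorer verb '{verb}' redirected to '{value}'")
        elif key == "shell":
            reasons.append(f"default Explorer verb changed to '{value}'")
        elif key == "action" and any(p in value.lower() for p in LURE_PHRASES):
            reasons.append(f"action text mimics the Windows AutoPlay prompt: '{value}'")
    return reasons


def scan_tree(root):
    """Walk a mounted share or drive; return [(path, reasons)] for flagged files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "autorun.inf":
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                reasons = assess(parse_autorun(fh.read()))
            if reasons:
                hits.append((path, reasons))
    return hits


def demo():
    """Write both constructed samples into a temp tree and scan it."""
    root = tempfile.mkdtemp(prefix="autorun-scan-")
    os.makedirs(os.path.join(root, "usb"))
    os.makedirs(os.path.join(root, "cd"))
    with open(os.path.join(root, "usb", "autorun.inf"), "w") as fh:
        fh.write(MALICIOUS_SAMPLE)
    with open(os.path.join(root, "cd", "AUTORUN.INF"), "w") as fh:
        fh.write(BENIGN_SAMPLE)
    return scan_tree(root)


if __name__ == "__main__":
    for path, reasons in demo():
        print(path)
        for r in reasons:
            print("  -", r)
```

Legitimate install media also use open=, so the open= rule is a triage signal rather than a verdict; the verb hijack and AutoPlay-lookalike action text are the parts that distinguish the worm’s file from a vendor CD. The scanner is meant to run over mounted shares from a workstation that already has AutoRun disabled, since opening the file for reading never executes it.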

Read more here: http://threatpost.com/en_us/blogs/worm-tries-autorun-then-social-engineering-infect-113012

The European Network and Information Security Agency (ENISA) recommends that honeypots be used to detect threats at an early stage

The European Network and Information Security Agency (ENISA) recommends that honeypots be used to detect threats at an early stage; the agency tested 30 current systems and came up with concrete recommendations.

Honeypots are digital traps used to analyse cyber attacks and their strategies and tools. In the study, ENISA tested honeypots for effectiveness and practicality, with a focus on open-source honeypots. The results are intended to help companies find the best digital traps for their particular situations and to promote further development in the area.

The evaluation system developed for the ENISA study places particular emphasis on user-friendliness. ENISA employees used the honeypot evaluation procedure (PDF) developed in 2006 by Christian Seifert, Ian Welch and Peter Komisarczuk as a basis for the system and added more “practical” categories. They also differentiated more between various types of honeypots; types tested include server-side honeypots, client-side honeypots, low-interaction honeypots, high-interaction honeypots, hybrid honeypots and sandboxes. Open source online honeypots for monitoring suspicious URLs were also evaluated.

As part of the study findings, ENISA recommends a number of digital traps, noting that dionaea, Glastopf, kippo and Honeyd are particularly easy to use. Among the client honeypots, Thug and Capture-HPC NG also received special mentions.
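To make the category “low-interaction server-side honeypot” concrete, here is an added example written for this page; it is not code from ENISA, dionaea, kippo, Honeyd or any of the tools the study names. It listens on a TCP port, answers each connection with a fixed banner, records the first bytes the peer sends as a JSON event, and closes. Nothing received is interpreted, which is what keeps a low-interaction trap safe to expose. The ESMTP banner and the mail.example.invalid host name are made up, and the probe() client exists only so the script can exercise itself.

```python
import json
import socket
import threading
import time

# Constructed banner: a plausible greeting so a scanner believes a real service
# answered. The host name is made up for this example.
BANNER = b"220 mail.example.invalid ESMTP ready\r\n"


def handle_connection(conn, peer, read_timeout=2.0, max_bytes=512):
    """Serve one connection of a low-interaction honeypot and return its event.

    Sends the banner, captures whatever the peer sends first, then closes.
    The data is logged, never parsed beyond splitting off the first line.
    """
    event = {"ts": time.time(), "src_ip": peer[0], "src_port": peer[1]}
    conn.settimeout(read_timeout)
    try:
        conn.sendall(BANNER)
        data = conn.recv(max_bytes)
    except OSError:  # timeout or reset: still worth an event with empty payload
        data = b""
    finally:
        conn.close()
    event["bytes"] = len(data)
    # latin-1 maps every byte to one code point, so binary probes survive in the log
    event["first_line"] = data.split(b"\n", 1)[0].rstrip(b"\r").decode("latin-1")
    event["payload_hex"] = data.hex()
    return event


class Honeypot:
    """One listening port; every connection becomes an event (also printed as JSON)."""

    def __init__(self, host="127.0.0.1", port=0):
        self.host, self.port = host, port
        self.events = []
        self._cond = threading.Condition()
        self._stop = threading.Event()
        self._srv = None

    def start(self):
        """Bind and start accepting in the background; returns the bound port."""
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((self.host, self.port))
        self._srv.listen(16)
        self._srv.settimeout(0.5)  # lets the accept loop notice stop()
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()
        return self.port

    def _accept_loop(self):
        while not self._stop.is_set():
            try:
                conn, peer = self._srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._record, args=(conn, peer), daemon=True).start()

    def _record(self, conn, peer):
        event = handle_connection(conn, peer)
        print(json.dumps(event))
        with self._cond:
            self.events.append(event)
            self._cond.notify_all()

    def wait_for(self, count, timeout=5.0):
        """Block until `count` events exist (or timeout); returns a copy of them."""
        with self._cond:
            self._cond.wait_for(lambda: len(self.events) >= count, timeout)
            return list(self.events)

    def stop(self):
        self._stop.set()
        if self._srv:
            self._srv.close()


def probe(port, payload=b"EHLO scanner\r\n"):
    """Client used only to exercise the honeypot: read the banner, send payload."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        banner = c.recv(64)
        c.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = Honeypot()
    probe(hp.start())
    hp.wait_for(1)
    hp.stop()
```

The value of such a trap is the event stream: a source address touching a port that no legitimate client uses is an early-stage indicator, which is the point ENISA makes above. Run it on an address that carries no real service, bind to a non-loopback interface deliberately rather than by default, and ship the JSON lines to the same place as the rest of the logs.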

Read more here: http://www.h-online.com/open/news/item/ENISA-promotes-digital-hacker-traps-1759415.html

Rogue Microsoft Services Agreement Emails Lead to Latest Java Exploit

Hackers are distributing rogue email notifications about changes in Microsoft’s Services Agreement to trick people into visiting malicious pages that use a recently circulated Java exploit to infect their computers with malware. “We’re receiving multiple reports of a phishing campaign using the template from a legitimate Microsoft email regarding Important Changes to Microsoft Services Agreement and Communication Preferences…” The rogue email messages are copies of legitimate notifications that Microsoft sent out to users to announce changes to the company’s Services Agreement that will take effect in October.

However, in the malicious versions of the emails, the correct links have been replaced with links to compromised websites that host attack pages from the Blackhole exploit toolkit. Read more here