The mobile phone industry is a fascinating example of marketing gone mad. Cutting edge technology is no longer the domain of the geeks and nerds; it’s been pimped and accessorised.
A consumer-driven marketplace such as the smartphone industry has created new dynamics and expanded the reach of the internet, delivering social networking, business and entertainment to the user anytime, anywhere. The limitless technological potential and sparkling aesthetics can be captivating at times, however it also serves as a platform to launch some of the most damaging and sophisticated attacks emerging today. The cunning militant will always know that the best time to strike is when their adversary’s attention is diverted elsewhere. While the world is busy choosing a smartphone to suit their guise, the criminals are effortlessly filling their pockets.
If you’ve ever had your phone lost or stolen, I share your frustration. Especially when that taxi driver bribes you to bring it back and later you look through the media archive, you find pictures of an unknown middle-aged woman you can only assume was his wife. Lucky for me, this was in a time when the worst case scenario is a lost contact list that I had not backed up.
The smartphones of today don’t just make calls and take pictures. They serve as handheld PC’s and can potentially provide a thief with enough information about your online presence so that further theft of finances and identity can occur. If you haven’t already configured your phone to use password locking, encryption and remote wiping functionality – you should. It’s an absolute necessity to have these features if you store documents, emails or use financial and social networking applications. But this only protects you from physical theft. If your phone is stolen, you know about it. Like a stolen card you can begin to take preventative measures such as cancelling numbers, changing passwords and notifying contacts. The great risk is the clandestine threat, when you do not realise you are being watched, and go about your business.
It should be no surprise by now that merely using a phone has its risks. Enabling Bluetooth on a device has led to many problems in the past that have enabled full compromise, as demonstrated by security researchers Kevin Finistere and Thierry Zoller, in their Bluetooth hacking revisited presentation . One encryption cipher used to provide privacy for GSM telephones, known as A5/1, has been successfully cracked. The result is that hackers can not only record your telephone conversations, but crack and tap your calls in real-time. The scary thing is that this can be done from anywhere in the cell radius, meaning they can potentially listen in to a conversation kilometres away using cheap Motorola phones and open-source software.
The dangers of using public Wi-Fi networks for social networking was demonstrated by Eric Butler’s Firefox web browser extension called Firesheep. This extension exploited the fact that some sites only encrypt the actual login process, namely the username and password you provide. The website needs to remember who you are, and provides you with an authentication cookie which your browser uses therein. The problem is that public Wi-Fi networks are unencrypted a lot of the time, and the remainder of your Facebook connection is also unencrypted. This means that someone can easily read the cookie from your HTTP traffic and use it to authenticate to the site, as you.
The common fraudster typically needs your identity and financial information to steal funds from you. Social networking websites provide criminals with a platform for identity theft without breaking a sweat. A basic understanding of social engineering techniques will reveal full names, birthdays, phone numbers, family members and addresses in little time. These can often be obtained passively, without the knowledge of the target or their friends.
The next step is to get access to your smartphone. Malicious software, referred to as malware, needs to be planted on the phone and executed. This is a surprisingly easy step – anyone who jail-broke their iPod or iPhone did so using a vulnerability in the phone. It is a method similar to this that has led many computers and smartphones in to the hands of the bad guys. The malware could be injected using a PDF document, an image on a website, an e-mail or even embedded in webpage code. While the PC and notebook fall victim to the same attacks, the smartphone is even more vulnerable due to sluggish software development and user naivety. Mobile phone application development is focused on functionality, and not security development. The hype surrounding the app-race gives attackers another means of entry – App Stores. Cyber criminals can code apps which include malware with the aim of gaining anonymous and complete access to the data residing on the phone. This will become very popular as consumers move to jail break phones so that unsigned and unverified applications can be run.
Furthermore, simple security tasks such as patch management are commonly overlooked. I know a lot of users who may click to update an application on their notebook, but do not update the firmware on their phones. The lack of security awareness makes the mobile world a playground for those criminally motivated.
There is no solution to the current malware crisis in personal computers, so we won’t be stamping out problems in the smartphone realm in a hurry. What we can do is attempt to slow the growth of criminal networks by adhering to the same security practices as those applied to your notebook:
The onus is also on the manufacturers to provide a security process that allows users to easily respond to threats as they arise.
The security industry has been fighting an uphill battle tracking and dissolving malware powered botnets. Hundreds of thousands of machines in Australia have been linked to many large criminal networks while the computer owners remain completely unaware. The smartphone market doesn’t just provide the soil by which criminal networks flourish, it fertilises them.
CSO Whitepapers on Mobile security
Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator
Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint
Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.
Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation
CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)