Monday, 10 February 2014

Malicious Android apps hit the 10 million mark

Big Data concept - mobile flying down a data tunnel
THE ANDROID OPERATING SYSTEM (OS) has over 10 million malicious apps, security firm Kaspersky has warned in its latest report.
In the Kaspersky Security Bulletin 2013, researchers said that by late January 2014 they had found 200,000 unique samples of mobile malware at the Google Play store and other sources, which get re-used and re-packaged to look like different apps.
"On January 30, 2014, the official Google Play market offered 1,103,104 applications. Kaspersky Lab has now logged 10 million dubious apps, as cybercriminals use also legitimate Android software to carry their malicious code," Kaspersky said in its report.
The firm said that the number of samples was up 34 percent from November 2013. Two months previously the firm recorded over 148,000 samples.
"To date we have collected 8,260,509 unique malware installation packs," the firm claimed.
The total number of mobile malware samples in Kaspersky's collection is 148,778, with 104,421 found in 2013 alone.
"If 2011 was the year when mobile malware gained traction, especially in Android-land, and 2012 was the year of mobile malware diversification, then 2013 saw mobile malware come of age," Kaspersky's report said.
The most prominent item among the mobile malware of 2013 was Obad, which is being distributed by multiple methods, including a pre-established botnet.
Android smartphones infected with Trojan-SMS.AndroidOS.Opfake.a are used as multipliers, sending text messages containing malicious links to every contact on the victim's device.
"This has been common practice in the PC threat landscape and is a popular service provided by bot-herders in [the] underground cybercriminal economy," Kaspersky said.
Kaspersky found that in most cases, malware targets the user's financial information, with most of the malicious Android applications having been developed in Russia.
"This was the case, for example, with the mobile version of Carberp Trojan that originated in Russia. It steals user credentials as they are sent to a bank server."
Last summer Kaspersky signed an agreement with chip designer Qualcomm to improve security at "the lower level" of a smartphone's mobile operating system (OS).
The security firm agreed to offer "special terms" for preloading Kaspersky Mobile Security and Kaspersky Tablet Security products on Android devices powered by Qualcomm Snapdragon processors.

Getting documents all too easy for Snowden

NSA seems to have had rubbish security behind the firewall.

Yet more evidence has emerged that the NSA, which has made much of its apparently god-like power to stroll into anybody's network, read anybody's data, and find any target it wants, is a neophyte when it comes to its own information security.
If a report published in the New York Times is correct, all Edward Snowden did to create his library of thousands of classified documents was run wget in recursive mode, and let it grab whatever documents were visible from his machine.
Incredibly, in spite of network security advice that's existed since the 1990s about using firewalls for internal segmentation (rather than merely as perimeter protection), visibility from Snowden – at the time an employee of an external contractor – was enough that something like “wget -O -r” (he could alternatively used curl) delivered to his machine the vast cache of files now being drip-fed to the media.
Quoting a “senior intelligence official” the NYT says “'We do not believe this was an individual sitting at a machine and downloading this much material in sequence,' the official said. The process, he added, was 'quite automated.'”
“Intelligence officials told a House hearing last week that he accessed roughly 1.7 million files,” the NYT notes.
Even better: it's already known that then-PFC Bradley Manning had also used wget to collect documents.
Snowden also seems to have demonstrated that the NSA's protection against social engineering is also rudimentary, since he was able to explain his actions on such excuses as his role as a network administrator required him to move lots of data around.
Snowden himself remarked, through his lawyers, that “It’s ironic that officials are giving classified information to journalists in an effort to discredit me for giving classified information to journalists. The difference is that I did so to inform the public about the government’s actions, and they’re doing so to misinform the public about mine.”


Tuesday declared 'The Day we Fight Back' against NSA et al

A broad coalition of technology companies and activist groups has declared Tuesday, February 11th 2014 has been “The Day We Fight Back Against Mass Surveillance”.
Timed to co-incide with the first anniversary of Aaron Swartz's death, the day has attracted support from some unsurprising sources – the Electronic Frontier Foundation, Greenpeace, the American Civil Liberties Union – and also some technology outfits that seem to be poking their heads above the parapet a bit, such as ThoughtWorks (which today told The Reg it is going public on an issue of this sort for the first time), tumblr (does Marissa know?), Colt and Mozilla.
As this is a day of mass protest, let's pretend we are at a big online rally to summarise the day.
What do we want?
To “... push back against powers that seek to observe, collect, and analyze our every digital action. Together, we will make it clear that such behavior is not compatible with democratic governance.”
When do we want it?
ASAP, please.
And now let's … actually seeing as we are online, we can't really march on anything, so what are we going to do to make our point?
Put a banner on your web site, post to social media or share a pre-prepared meme on Facebook to make the point you're sick of being snooped and won't stand for it any more. The idea is to “have the same impact as the SOPA/PIPA internet blackout movements.”
At the time of writing, 30 hours ahead of the day kicking off, the event's site has been liked about 83,000 times and generated 27,000 tweets. Reddit upvotes are in the low 200s. Collectively, those numbers don't suggest success on the scale of the SOPA/PIPA protests.
State surveillance is a multi-headed thing that is harder to stop than a single piece of legislation. The good news, as we've reported elsewhere today, is that the surveillance state also looks to be quite fragile.

Snapchat bug lets hackers aim DENIAL of SERVICE attacks at YOUR MOBE

A security consultant who works for Telefonica has turned up a bug in how Snapchat handles authentication tokens, which enables a denial-of-service attack against users' phones.
It's a simple enough problem, as Jaime Sánchez explains here: the tokens should expire, but don't. As a result, one token can be re-used on many machines, and with a little scripting, all those machines can be instructed to send pics.
“That could let an attacker send spam to the 4.6 million leaked account list in less then one hour”, Sánchez writes. Or, in a DoS scenario, the machines could be instructed to hose a single user.
If the DoS is aimed at an iPhone, he says, it will freeze; Android phones don't seem to lock up completely, but “it does slow their speed. It also makes it impossible to use the app until the attack has finished.”
Below is a YouTube video of the attack, demonstrated against an LA Times reporter's smartphone.

Sánchez claims that rather than fixing the problem or contacting him, Snapchat has blocked the accounts he used to test the vulnerability