Last week, a new report (PDF) on emerging threats from the Georgia Tech Information Security Center mentioned, among other predictions, that botnets were likely to hit mobile phones sometime in the next year. On Tuesday, I spoke with VeriSign CTO Ken Silva about that possibility and why it might happen within the coming year.
"Criminals will go where the money is," Silva told CNET News. "If you start doing things of financial interest with your mobile phone, they will find a way to get your money."
Silva said the mobile phone market is changing. Today's mobile phones don't just make phone calls, they stream video and support content. "Most consumers did not care about a smartphone until Windows Mobile, the Apple iPhone, and now Google Android came along. Now more and more consumers want smartphones. Kids want them; it's a cool phone to have."
Silva said that smartphones tend to use either Java-based Blackberry OS, Mac OS, or Windows Mobile OS as platforms, and it is this standardization of operating systems that should make it easier for criminals to target their victims. The way mobile users browse the Web already is standardizing. With Windows Mobile you have Internet Explorer, and on Apple's iPhone you have Safari. Both of these browsers have vulnerabilities that can be exploited, although not always on the mobile version.
Another compelling reason to think malware is coming soon to your smartphone is more bandwidth. Because of the streaming media options, this year's phones process data much faster than last year's models.
One possible malware vector might be new application downloads. "People are thirsty for applications to run on their devices," Silva said. "Despite the fact Apple has gone to great lengths to make sure the applications are signed (and) have gone through a vetting process, users continue to break their iPhone and install software outside the channel."
Silva doesn't, however, think denial-of-service (DoS) attacks will be the first choice of botnets operating on mobile phones. For one thing, DoS attacks require always-on computers, and mobile devices are not always on or connected to the Internet.
He ranks DoS attacks second behind data theft. "These smartphones now have e-mail on them--and also corporate e-mail on them. We're doing more personal transactions with them." Silva thinks it's the rise of mobile payments and the popularity of banking on mobile phones in Europe and Asia that are leading malware to the mobile phone.
"If we've learned nothing else from the desktop, we should have learned that software needs to be secure right from the get-go." We have opportunity on the mobile platform to write secure code, he said, knowing what has happened on the desktop.
As for the currently status of botnets operating on mobile phones: "Definitely theoretical." But Silva adds, "Someone--just to prove the point--will develop a toolkit to do it." So it's never too early to be thinking about this problem.
A group including Equifax, Google, Microsoft, Novell, Oracle, and PayPal, plus nine leaders in the technology community announced on Monday the creation of the Information Card Foundation (ICF) with the goal of increasing awareness of the use of electronic ID cards on the Internet, and encouraging interoperability in business around new standards.
"We need to come together in a neutral body to continue to promote the adoption of this technology," said Paul Trevithick, CEO of Parity and chairman of the ICF.
Information cards are online equivalents of physical ID cards, such as a driver's license. The basic idea is that customers would have an electronic wallet with various information cards. This would allow customers to bypass typing in user names and passwords. One example for how it could work is a student accessing a university network would simply present his or her electronic student information card.
That basic concept isn't new. Various vendors have introduced variations on this before. Microsoft recently introduced its own CardSpace concept with the Windows Vista operating system.
However, there are "still too many user names, too many passwords," said Kim Cameron, an architect of Identity and Access at Microsoft. "There's this endless digital baptism of filling in forms and logging in everywhere, and it creates a wonderful environment for the criminal element through phishing attacks and what have you because on the Internet no one does know you are a dog."
What ICF hopes to introduce instead is a tripartite system. In real time, a user would sync via encrypted connection with an ID provider (say a bank or credit card issuer), and also with a reliant party (a university network, a financial site, or an e-commerce site). Unlike having a credit card number, which anyone on the Internet can use anytime, the ID card model proposed by the ICF requires that all three players (user, provider, reliant party) be synced in real time before the transaction could proceed. The addition of a trusted third party in real time should make the new proposal more secure.
Trevithick said that nearly 50 companies participated in discussions at the RSA 2008 conference in February. Additional discussions are planned for upcoming security conferences through the end of 2008. The idea is to bring together as many players in the identification card space as possible. Currently, the ICF steering currently includes Trevithick, Cameron, Drummond Reed (VP of infrastructure at Parity), Mary Ruddy (founder of Meristic), Axel Nennker (consultant at T-Systems Enterprise Services), Pamela Dingle (consultant for Nulli Secundus), Ben Laurie (of OpenSSL and The Bunker), Andrew Hodgkinson (embedded software engineering consultant and contractor), and Patrick Harding (CTO at Ping Identity).
The foundation's site with more information will be live on Tuesday.
On Friday Opera announced that version 9.5 of the browser (download Opera 9.5 beta for Windows or Mac) will include built-in antimalware protection from Haute Secure (download for Windows 32-bit or Windows 64-bit).
This is, of course, to counter the antimalware protection built into Firefox 3, currently available as a final release candidate (download for Windows or Mac). Firefox uses data from Google and StopBadware to block a site before it loads on your browser.
Haute Secure counters that its offering is better because it relies upon a community of dedicated users to inform the product when to block and when not. In testing at CNET, the latest version of Haute Secure still misses some recently published phishing sites, while Firefox 3 RC2 blocked them immediately.
How did that happen? Haute Secure explains that the APIs provided by antiphishing sites such as PhishTank won't update until the site is confirmed to be bad, whereas Google can make that determination on its own. Still, Haute Secure prevents malicious sites (as opposed to mere phishing sites) from loading, and provides more information about those sites than does Firefox 3.
Haute Secure was founded by a group of former Microsoft employees, and its flagship product came out of beta in March.
Spammers will do just about anything to get their e-mail through corporate and desktop filters. According to MessageLabs, they're now using Google Docs, a perfectly legitimate way to publish to the Web. Only what they're publishing is the same old wares--this time, it's enhancement pills. This week I talked with Matt Sergeant, senior anti-spam technologist with MessageLabs, who told me how they they've tracking one Google Doc since May 8, 2008.
Later in the conversation, Sergeant talks about the resurgence of Storm. Only a few weeks ago, MessageLabs reported a notable decrease in computers infected with the Storm botnet.
Below is a transcript of part of my interview. The entire podcast can be heard here.
Matt Sergeant: What's happening with Google Docs is that Google Docs is a way to publish your documents online. So, for example, word processing documents and spreadsheets and so on, and much like if you were using Microsoft Word you can embed links within those documents. What this does for the spammers is it allows them to effectively publish online a Web page on hosting sites such as Google that has all the bandwidth in the world for hosting it, and it's also a Web site that is never going to get blacklisted by anyone because nobody would be stupid enough to blacklist Google. So in effect, for the spammers this is a human shield effect. They can host their information and links online on a very stable source of bandwidth and links, and not worry ever about it being taken down or blacklisted.
Me: When did you first see this happening?
Sergeant: The first one that we saw, which showed on our radar in extremely small numbers clearly as a test by the spammers, was on May the 8th. So I guess that's about two weeks ago now.
Me: Have you contacted Google?
Sergeant: We've contacted Google, and also there's a link at the bottom of each one of the documents that Google publishes online that says, "Report this as spam." We clicked that link and I imagine anyone else who got the e-mail clicked that link as well. Unfortunately, Google has proved themselves to be quite slow at tackling this kind of abuse. Weeks later this document is still available online despite the reporting as spam.
Me: When you say that Google has a history of this can you site another example in recent memory where they've been slow to act on spam like this?
Sergeant: Generally, yeah there's a couple of different issues that we see in spam with Google. The first and very obvious one is spam directly from Gmail accounts, often that's the Nigerian spammers who are sending out these offers of millions of dollars where there is in fact no money. By most people's standards, Google tends to be quite slow at shutting down those accounts, whether it be an account that's actually an e-mail or just a drop box account for people to reply to. So those accounts seem to stay active for longer than if they were being hosted somewhere else for example. The other thing we see with Google is redirector links, so they have these links on their Web site which allow anyone or just about, but obviously mostly the spammers to have a link that looks like it's going directly to Google, but in fact after you've visited Google it redirects you to the actual spammers Web site. These redirectors are quite common on loads and loads of Web sites out there, but obviously again they're gaining advantage from Google of all the bandwidth and unblock ability of the Google Web site.
Me: So give me an example of what we would see if we went to the spammers website, what sort of, where is it being hawked or Malware being served up.
Sergeant: In the example that we saw on May the 8th it was a very simple pills scam or a pills Web site. So the e-mail came in with a link to Google Docs and very little of a text in the e-mail itself. They're very hard to block because there was very little to go on regarding the contents of it. When you went to the Google Docs Web site you saw much more information about the pills available for sale and the prices and so on, and almost every bit of text within that was a link which took you to the spammers drop Web site, which is where you would actually go if you wanted to purchase some of those pills.
Security researcher Bill Rios reported Monday that a cross-site scripting (XSS) attack against Google Spreadsheet could have exposed all of Google's services. XSS can occur whenever a legitimate site accepts input from the user but does not filter that input properly and could allow the injection of potentially malicious instructions. In this case, however, once an attacker gained access to any xxxx.google.com site, they would have access to other Google services, such as Gmail, Docs, and Code.
In an e-mail to CNET News.com, a Google representative confirmed that the flaw as described by Rios has been fixed. "Google takes the security of our users' information very seriously," said a Google spokesperson. "We worked quickly to address the vulnerability and rolled out a fix before it was reported publicly. We have not received any reports of this vulnerability being exploited."
According to Rios, he was able to use Internet Explorer to change the content type of the HTTP response being returned to the server while using Google Spreadsheets. At issue here is whether or not the browser will ignore the content-type header in certain circumstances. Rios points out that all browsers have the potential to do this under certain circumstances, thus the problem isn't entirely with Google.
In his blog, Rios created a spreadsheet, placing an alert (document.cookie) script string surrounded by HTML tags in the first cell. When that string content is saved and downloaded as a comma-separated value or CSV, the content type should be text/plain. However, since Rios added HTML to the string, Internet Explorer will see that first and render it as HTML instead.
Whenever a victim is lured to this CSV URL, an Alert dialog box will pop up on the attacker's desktop containing the victim's current Google session information. The session cookie would be valid on other Google services used by the victim such as Gmail, Docs, etc.
Rios offers this XSS flaw as a cautionary tale, and recommends that security-minded readers check out a paper by Blake Frantz of Leviathan Security. In "Flirting with MIME types," Frantz found that, while other browsers were also indiscriminate about rendering file types as HTML, IE did so on 696 file types out of 735 tested. To give perspective, the next closest was Opera at 14, with Firefox at 8, and Safari at 7.
- prev
- 1
- next
