Security

December 24, 2009 4:00 AM PST

Web-based Lookout protects mobile devices, data

by Elinor Mills

John Hering, co-founder and chief executive of Lookout

(Credit: James Martin/CNET)

SAN FRANCISCO--In July, John Hering and Kevin Mahaffey demonstrated an SMS attack targeting a variety of smartphones at a security show. This week they are launching a company, with backing from some heavyweight investors, that will offer a fix for that problem, as well as protect smartphones from many other security issues.

Lookout has received $5.5 million in Series A funding from Khosla Ventures, Trilogy Partnership, and angel investors including Phil Paul, founder of Paul Capital Partners; Chris Sacca, former head of special initiatives at Google; and Joseph Ansanelli, former chief executive of Vontu.

Lookout is a cross-platform, Internet-connected application that offers advanced security and backup services, as well as the ability to locate devices that go missing or get stolen, and over-the-air management capabilities. The service is currently in private beta in more than 170 countries across 400 mobile networks, Hering, Lookout's chief executive, said in an interview.

It will be offered publicly on a subscription basis in early 2010 and an enterprise version will come later in 2010 or early 2011, he said. Pricing will be announced later.

Hering, Mahaffey, and the third co-founder, James Burgess, all met while attending the University of Southern California, and have honed their skills in the mobile space over the past five years, initially calling the company Flexilis.

They conducted research, helped handset makers with diagnostic tools, and discovered vulnerabilities in mobile devices and software--including uncovering a serious hole in the iPhone's implementation of Bluetooth in 2007 and hitting a world record by hacking a mobile phone from more than a mile away via Bluetooth in 2004.

With the funding and name change comes a move to San Francisco from Orange County in Southern California. The twentysomething executives were busy interviewing prospective employees in their sparse, new offices in the South of Market area in San Francisco. They have taken over part of the offices formerly occupied by Twitter.

"Hopefully, the Twitter luck will rub off on us," Hering said, as he gave a tour of the digs.

Lookout works on all the major smartphone platforms.

(Credit: James Martin/CNET)

The Lookout software is downloaded to the device and gets updates and backs up data in real time via Lookout servers in the cloud. Antivirus and firewall software protects against electronic threats such as hackers, malware, and spyware. A dashboard allows for easy management of multiple devices.

Security veterans like Symantec and McAfee, as well as a host of smaller companies, are quickly moving into the mobile security space. But Hering isn't worried.

"Other companies offer a more PC-based approach," he said. "We're protecting the device and data, and we're multi-platform."

Lookout silently blocks malware in the background, but particularly serious threats prompt a notification to the user. The software also will protect against bad or unauthorized apps that might be downloaded, and attacks attempted via Wi-Fi or Bluetooth.

The missing device locator function will most definitely attract attention. If the device is lost, the owner can use the Web app to make it "scream," and a truly obnoxiously loud siren will sound that will annoy everyone within earshot. If the device is set to silent or mute mode, the scream feature overrides that.

For people who think their device may have been stolen and want to track it down, there is a nifty way to trace it via an online map. Device owners can pull up the Find My Device Web app to see the approximate location of the device on a map, and either lock the device so no one can use it or access the data, or wipe the data entirely. If the device is recovered, the data is easily restored. A combination of Global Positioning System, cell tower, and Wi-Fi technology is used to track the devices.

For backup and recovery purposes, the data and settings on the device can be restored to what they were at any point in time in the past, and data can be transferred to other devices.

As phones become increasingly powerful computers and storage devices that accompany users everywhere, they become even more attractive targets for attackers and thieves.

"Smartphones are the next computing platform," Hering said. "Ultimately, I think this will be the primary platform. It's in my pocket, and goes everywhere with me. There are not many computing devices that have that power and personal connection."

Chief Technology Officer Kevin Mahaffey and Chief Executive John Hering, co-founders of mobile security firm Lookout, which now occupies the former offices of Twitter in San Francisco.

(Credit: James Martin/CNET)

Originally posted at InSecurity Complex
July 22, 2009 9:42 AM PDT

Chinese firms behind 'Sexy Space' Trojan

by Vivian Yeo

F-Secure has identified three China-based companies as the creators of the "Sexy Space" Trojan, which was found last week to have passed through the Symbian Foundation's digital-signing process.

XiaMen Jinlonghuatian Technology, ShenZhen ChenGuangWuXian Technology, and XinZhongLi TianJin cloaked the malware, also known as Yxe, and submitted it to the Symbian Foundation under its Express Signing program, security company F-Secure said Wednesday in a statement.

Developers are required to submit mobile applications to the Symbian Foundation for evaluation, before the applications are accepted and enabled for handsets running the Symbian operating system. The apps are first automatically scanned for viruses. After that, random samples are submitted for human audit. Sexy Space had not been subjected to human scrutiny, Symbian's chief security technologist Craig Heath said last week.

F-Secure's senior security response manager, Chia Wing Fei, explained that the Trojan would have allowed attackers to simply send a link to a malicious Web site via text message and prompt the mobile recipient to download the worm. Once installed, the malware could send similar text messages to all contacts listed on the phone.

"These messages are sent in your name and from your phone," Chia said. "It means you will pay for each SMS sent by the worm. A typical cost for a single text message might be 5 cents. If you have 500 contacts in your phone, an infection would cost you ($25)."
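The propagation pattern Chia describes, one handset sending the same link to every contact in quick succession, is something an operator can look for in SMS gateway logs. The script below is an added illustration for this page, not F-Secure's or Symbian's code; the log line format, the phone numbers and the malware.example URL are constructed, and a real carrier feed would need its own parser.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample gateway log (numbers and URL invented; the line format is an assumption):
# "<ISO timestamp> <sender> <recipient> <message body>"
SAMPLE_LOG = """\
2009-07-15T10:00:01 +6512340001 +6512340002 Hey, lunch at 1?
2009-07-15T10:05:00 +6512340009 +6512340010 check this out http://malware.example/app.sis
2009-07-15T10:05:02 +6512340009 +6512340011 check this out http://malware.example/app.sis
2009-07-15T10:05:03 +6512340009 +6512340012 check this out http://malware.example/app.sis
2009-07-15T10:05:05 +6512340009 +6512340013 check this out http://malware.example/app.sis
2009-07-15T10:05:06 +6512340009 +6512340014 check this out http://malware.example/app.sis
2009-07-15T10:07:00 +6512340003 +6512340004 See you tomorrow http://example.org/party
2009-07-15T11:30:00 +6512340003 +6512340005 See you tomorrow http://example.org/party
"""

URL_RE = re.compile(r"https?://\S+")


def parse_log(text):
    """Return (timestamp, sender, recipient, url) for each SMS that carries a link."""
    # The worm spreads by link, so messages without a URL are irrelevant here and dropped.
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, recipient, body = line.split(maxsplit=3)
        match = URL_RE.search(body)
        if match:
            events.append((datetime.fromisoformat(ts), sender, recipient, match.group(0)))
    return events


def find_sms_bursts(events, threshold=5, window_seconds=300):
    """Flag (sender, url) pairs that reach `threshold` distinct recipients in any
    sliding window of `window_seconds`; a party link sent to two friends an hour
    apart does not qualify, a link sent to every contact within seconds does."""
    window = timedelta(seconds=window_seconds)
    by_key = defaultdict(list)
    for ts, sender, recipient, url in events:
        by_key[(sender, url)].append((ts, recipient))
    alerts = []
    for (sender, url), sends in by_key.items():
        sends.sort()
        best, start = 0, 0
        for end in range(len(sends)):
            while sends[end][0] - sends[start][0] > window:  # shrink window from the left
                start += 1
            distinct = len({recipient for _, recipient in sends[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            alerts.append({"sender": sender, "url": url, "distinct_recipients": best})
    return alerts
```

Threshold and window are tuning knobs: a lower threshold catches small address books but raises false positives from legitimate group messages.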

According to F-Secure, this is the first identified text message worm.

The Symbian Foundation became aware that Sexy Space was a Trojan earlier this month, and the signature was revoked. But an error on Symbian's servers meant the application was still available for download until last week.

F-Secure said that although the problem is currently not widespread, there have been a few confirmed reports in China and the Middle East so far.

All Symbian Series 60 third-edition phones by Nokia, LG and Samsung are potential targets of the malware, including popular models such as Nokia N95 and Nokia E71, said F-Secure. The Symbian platform is used in just under 50 percent of all smartphones.

Vivian Yeo of ZDNet Asia reported from Singapore.

July 18, 2009 12:41 PM PDT

Symbian admits Trojan slip-up

by Tom Espiner

The Symbian Foundation has acknowledged that its process for keeping malicious applications off Symbian OS-based phones needs improvement, after a Trojan horse program passed a security test.

The botnet-building Trojan, which calls itself "Sexy Space," passed through the group's digital-signing process, Symbian's chief security technologist Craig Heath said Thursday. Heath said the group is working on improving its security-auditing procedure.

"When software is submitted, we do try to filter out the bad eggs," Heath told ZDNet UK. "When apps are submitted, they are scanned. We are looking at how they could be scanned better."

Developers must submit the mobile applications they build to the Symbian Foundation for checking before the applications can be accepted by handsets running the Symbian operating system. Once the submission has been accepted, the applications are digitally signed by Symbian. Digital signatures, which are cryptographic security features, are designed to provide a degree of assurance that software offered for download comes from a trusted source.

The first stage of Symbian's signing process, antivirus scanning, is done automatically using an antivirus engine. Once an application has been submitted and scanned, random samples are then submitted for human audit.

In the case of the low-risk Sexy Space Trojan, which was disguised as a legitimate application called ACSServer.exe, the Trojan had not been subjected to human scrutiny, Heath said.

The Symbian Foundation became aware that Sexy Space was a Trojan two weeks ago, and the signature was revoked then, Heath said. However, an error on Symbian's servers meant the application was available for download until this week.

On the Symbian Signed Web site, the group's antivirus-scanning provider is identified as Finnish company F-Secure. Mikko Hyppönen, F-Secure's chief research officer, told ZDNet UK on Friday that the malware authors had probably tested their Trojan against the F-Secure antivirus engine to circumvent security measures.

"Virus writers scan their malware, and keep modifying it until it passes the filters," Hyppönen said. "Obviously, the signing process can be and has been circumvented."

Symbian uses graded signing processes for mobile applications, according to Hyppönen. The Sexy Space malware went through its express signing process, which is designed for freeware. "It shows the express signing process is not foolproof, but it's still much better than the apps not being signed at all," Hyppönen said.

Symbian is in the process of upgrading its automated scanning processes, Heath said, adding that human auditing is also going to be improved. However, human auditing will probably not be expanded, as this introduces cost and time delays into the process, he said.

The group is looking to automate more of the work involved in publishing applications. "Today, most of the processes behind (Symbian) require manual tasks," the organization said in a blog post on the launch of its new Symbian Horizon program. "Our goal for the near future is to develop a system that will automate this work allowing us to scale the program to include as many apps as possible."

The Symbian Horizon program intends to select applications submitted by developers and then support them through their development and submission to mobile app stores. Symbian said that one of the aims of Horizon was to automate the publication of apps as far as possible.

Tom Espiner of ZDNet UK reported from London.

March 20, 2009 3:02 PM PDT

Mobile: The holy grail at security conference

by Elinor Mills

VANCOUVER, B.C.--That innocent-looking mobile phone you use to call your mother and check e-mail represents the next frontier for malicious hackers, though it eluded researchers who stood to earn $10,000 for exploiting a smartphone at the CanSecWest security conference this week.

TippingPoint Technologies, which sponsors a Pwn2Own hacking contest each year at the event, was offering the prize money for each successful exploit of an iPhone, BlackBerry, and phones running Google's Android, Windows Mobile, and Symbian operating systems.

Researcher Dino Dai Zovi, on the left, discovered a vulnerability in QuickTime and won the Pwn2Own contest at CanSecWest two years ago remotely by having a friend act on his behalf. At this year's show, he served as a proxy for a researcher in Italy who was participating in the contest remotely, trying to exploit a Symbian-based smartphone. The exploit attempt failed, and no one won the $10,000 smartphone exploit prize. Next to him is TippingPoint security researcher Aaron Portnoy.

(Credit: Elinor Mills/CNET News)

On Friday, a researcher in Italy wanted to participate in the contest remotely and was told he had to find someone at the show to serve as his proxy and physically use the mobile device to surf to the site where the malicious code is located. He found a proxy, but the exploit attempted on a Nokia phone running Symbian failed. Another researcher had tried to exploit the Symbian and BlackBerry systems on Thursday but failed.

Much of the first day of the three-day event on Wednesday was devoted to mobile security. Dragos Ruiu, who first organized CanSecWest 10 years ago, said he wanted to focus on mobile this year because of the ubiquity of the devices and the increasing risk they pose to information security.

"I carry two phones at any one time," he said, pointing to one in his pants pocket and another in his jacket pocket. "And now, they are more capable computers."

Ruiu wasn't sure why the mobile devices hadn't been hacked, while a similar browser-hacking contest had seen the major browsers exploited on the first day of the conference. "Maybe they are too bleeding-edge; maybe they are just difficult to develop exploits for," he said of the mobile platforms. "It's good news."

In an informal survey, attendees said they suspected that researchers were just being lazy in not turning their attention to mobile attacks at the show.

"Mobile-phone research is an emerging field," said Aaron Portnoy, a security researcher at TippingPoint. "Not many people have the prerequisite knowledge to exploit them, nor do they have an exploit prepared."

Things will undoubtedly be different by next year's CanSecWest, he said, adding that already, there are mobile exploits in the wild.

"There's a lot we don't know yet about them," said Charlie Miller, who exploited the Safari browser in about 10 seconds on Wednesday, winning $5,000 and the MacBook Pro used to perform the feat. (The other major browsers were exploited shortly thereafter.)

"They are all different platforms, different hardware," he said, adding that "there's a learning curve associated with it."

In his presentation on security in Google's Android mobile platform, University of Michigan graduate student Jon Oberheide said the code in mobile software is newer than that found on the desktop and less robust against attacks. Attackers aren't really targeting it yet because mobile phones aren't seen as being much use for sending spam and launching denial-of-service attacks; however, they are good for attacks targeted at individuals, he said.

Oberheide said smartphones are at risk of a man-in-the-middle type of attack in which a malicious attacker could interfere with data communications between the device and a trusted Web server. For instance, an attacker could send a spoof message saying an update for a Facebook app is available and instead send malicious code, he said.

In a presentation titled "The Smart-Phones Nightmare," researcher Sergio Alvarez pointed out all the different attack vectors for mobile devices, including e-mail, attachments, Web pages, SMS, MMS, Facebook, Wi-Fi, and Bluetooth.

Updated at 8 p.m. PST to include that the other major browsers were exploited in the contest as well.

January 13, 2009 7:05 AM PST

RIM issues security patches for BlackBerry

by Dawn Kawamoto

Research In Motion issued on Monday interim patches to address critical security flaws in BlackBerry software.

The flaws affect BlackBerry Enterprise Server software version 4.1 Service Pack 3 through Service Pack 6. The BlackBerry Professional Software 4.1 Service Pack 4 is also affected, RIM notes in its security advisory.

RIM is asking corporate customers to install an interim patch for the BlackBerry Enterprise Server and an interim patch for the BlackBerry Professional Software.

RIM also advises BlackBerry users to open PDF attachments only from "trusted sources." The company notes in its security advisory:

Multiple security vulnerabilities exist in the PDF distiller of some released versions of the BlackBerry Attachment Service. These vulnerabilities could enable a malicious individual to send an email message containing a specially crafted PDF file, which when opened for viewing on a BlackBerry smartphone, could cause memory corruption and possibly lead to arbitrary code execution on the computer that hosts the BlackBerry Attachment Service.

Such security flaws will do little to bolster President-elect Barack Obama's hopes for keeping his BlackBerry while in the White House.
