sign in sign up
<<
Home , Zombie (computing)

TECHNOLOGY NEWS : Finally a Serious Problem?

Neal Leavitt

The growing popularity of wireless technology may have finally attracted enough hackers to make the potential for serious security threats a reality.

n the world of computers and Device makers and wireless- THREATS ON THE MOVE communications, the more service providers have long focused Mobile devices increasingly face widely a technology is used, the on communications and other ser- various types of threats, as Figure 1 more likely it is to become the vices, with security remaining an shows. targetI of hackers. afterthought. Such is the case with mobile tech- Referring to the two most popu- nology, particularly , lar platforms, Ed Moyle, Attackers form a by infecting which have exploded in popularity senior analyst with market research multiple machines with that in recent years. According to market firm Security Curve, said, “Security victims generally acquire via e-mail analysis firm ABI Research, 370 mil- is now playing catch-up with the rapid attachments or from compromised lion smartphones were in use globally adoption of Android and iPhone, both applications or websites. The malware last year. of which are hard for enterprises to gives hackers remote control of the Many users download mobile appli- manage.” “zombie” devices, which can then be cations with little regard to whether Thus, after years of warnings about instructed to perform harmful acts in they’re secure, providing a ready way mobile security, there finally appears concert. for hackers to attack the devices. to be a reason to worry. “These command channels In addition, said Gustavo de Los In fact, the number and types of could also provide a way to update Reyes, executive director for AT&T mobile threats—including viruses, the malicious code so that it will Security R&D, “These phones are , malicious downloadable communicate or act differently,” said being used frequently for sensitive applications, , and spam— Juniper Networks research engineer transactions like banking, mobile pay- have spiked in recent months. Troy Vennon. ments, and transmitting confidential For instance, McAfee Labs’ threat The easiest way for an attacker to business data, making them attractive report for 2010’s fourth quarter benefit from a mobile zombie network targets if not protected.” reported a 46 percent increase in is to send SMS or multimedia message “The payoffs—financial and per- malware targeting mobile phones service (MMS) communications to a sonal information—could be huge,” over the same time period the previ- premium phone account that charges noted Purdue University computer ous year. victims fees per message, explained science professor Richard P. Mislan. “We’re seeing more than 55,000 Vennon. Smartphones generally connect to new pieces of [mobile] malware on The scammers act as the premium- the Internet, as well to PCs for software a daily basis,” said Dave Marcus, account owner’s affiliates, receiving updates or media synchronization, McAfee Labs’ director of security some of the money that their attacks providing convenient attack vectors. research and communications. generate, noted Bradley Antsis, vice

0018-9162/11/$26.00 © 2011 IEEE Published by the IEEE Computer Society JUNE 2011 11

r6tec.indd 11 5/24/11 12:41 PM TECHNOLOGY NEWS

100 computer, said Network Box USA’s Annoyance Stella. This could let a hacker place Steal money Trojans, spyware, and backdoors on 80 Invade privacy the machine and even conduct iden- Propagation Malicious tools tity or information theft, he added. 60 Some schemes use a sensational headline or promise information on a current hot topic to grab readers’ 40 attention and encourage them to click on a malicious link. Number of malware families 20 Spyware Hackers can use spyware available 20 2000 2004 2005 2006 2007 2008 2009 2010 2011 online to hijack a phone, allowing Year Source: Fortinet them to hear calls, see text messages and e-mails, and even track a user’s Figure 1. The number of threats to mobile devices, particularly those designed to steal location through GPS updates. money, has increased steadily during the past few years. Most commercial mobile spyware applications send an update of cap- president of technical strategy for users voluntarily install them,” said tured communications or location security vendor M86. Pierluigi Stella, chief technology data to a website where the spy logs The Yxe malware family that hit officer for vendor in to view the data, noted Juniper Net- China last year caused this problem. Network Box USA. works’ Vennon. In some cases, SMS Also in 2010, malware originating Once on a handset, the programs communications inform the spy that in Holland exploited a vulnerability in steal personal information such as the system has obtained new data. jailbroken smartphones—those that account passwords and logins and The software can even create a owners have modified to gain OS root send it back to the hacker. They also hidden access point inside a mobile access and remove manufacturers’ open communication chan- phone that lets a hacker turn on the usage limitations—to create a botnet. nels, install additional applications, device without it ringing, in essence The network sent SMS messages to and cause other problems. converting it into a microphone, premium numbers. Most mobile application mar- said Purdue University’s Mislan. Last year, another mobile botnet ketplaces don’t require that code in The spy could then hear nearby targeted European customers of a applications be cryptographically conversations. Dutch online bank. The malware signed by the developer before it can While some malware writers used in the attack included command be uploaded, noted Kurt Stammberger, sell or give away mobile spyware, logic that gave the hacker remote vice president of market development there are also online vendors—such control of victims’ smartphones. for security vendor Mocana. as ClubMZ, FlexiSPY, and Retina- With PCs, hackers often use “Until this becomes common,” he X Studios—that sell the software zombies within botnets to launch said, “malicious apps will proliferate commercially. denial-of-service attacks. Thus far, quickly on mobile platforms.” These companies say their prod- though, there have been no major ucts are only for legal uses and can mobile DoS incidents. Social networking be helpful in finding a stolen mobile As smartphone use has grown, so device or in monitoring the activi- Malicious applications has mobile social networking. ties of children, as well as employees In some cases, hackers have Malicious links on social networks using company phones. uploaded malicious programs or can effectively spread malware. Par- Mobile phone spyware is illegal in games to third-party smartphone- ticipants tend to trust such networks the US but is sold by websites hosted application marketplaces—such and are thus willing to click on links elsewhere, noted Simon Heron, prin- as those for Apple’s iPhone and that are on “friends’” social network- cipal with Network Box’s UK office. Google’s Android devices—or have ing sites, even though—unknown otherwise made them available on to the victim—a hacker may have Bluetooth the Internet. placed them there, said M86’s Antsis. Bluetooth enables direct com- “These malicious apps are usu- Clicking on a link could download munication, including the sharing of ally free and get on a phone because a malicious application on a victim’s content, between mobile devices.

12 computer

r6tec.indd 12 5/24/11 12:41 PM Wireless devices can broadcast Mobile phishing is particularly primarily because they’re challeng- their presence and allow unsolicited tempting because wireless commu- ing and expensive to develop. connections and even the transmis- nications enable phishing not only “Restricted [OS] kernel access sion of executables if users don’t via e-mail, as is the case with PCs, but means you can’t put the crypto- configure their Bluetooth operations also via SMS and MMS, noted AT&T’s graphic processes sufficiently low appropriately. de Los Reyes. down in the stack, close to the sili- On rare occasions, mobile mal- Social media phishing is con. Processor limitations, memory ware—such as the Cabir worm—has becoming a major issue as social constraints, and battery-life issues used Bluetooth to propagate. networking sites contain an increas- make some of these apps as slow as ing amount of personal information molasses,” explained Stammberger. Wi-Fi that phishers can use to make Hackers can intercept communi- their attacks more effective, said OTHER MEASURES cations between smartphones and Paul Henry, security and forensics Security vendor MobileIron Wi-Fi hotspots. analyst for market research firm recently launched a storefront so that The fundamental vulnerability is Lumension Security. businesses can deliver mobile appli- hotspot architecture with no encryp- tion to protect transmitted data. “If a user connects to [such] a The number and types of mobile threats— hotspot for the first time, the end- including viruses, spyware, malicious down- to-end connection between the loadable applications, phishing, and spam— user’s device and the hotspot pro- vider is not secured, so the [hacker] have increased in recent years. can intercept and control the user’s traffic,” said Carnegie Mellon Uni- versity computer science professor TRADITIONAL SECURITY cations directly to employees without Patrick Tague. In this scenario, the APPROACHES posting them publicly. This lets busi- hacker gets between the user and Mobile communications can nesses enforce security policies about the hotspot provider and hijacks use the same types of security— which users and devices can access the session via a man-in-the-middle including antivirus and specific corporate applications. attack. products—as fixed communications. This summer, trials will start for A hacker can also set up a peer- Vendors include Fortinet, F-Secure, the AT&T Smart Mobile Comput- to-peer network that mimics a Wi-Fi Juniper Networks, Kaspersky Lab, ing platform, which will include hotspot offering a high-quality Lookout Inc., Mocana, NetQin, Trend features such as mobile security, connection, which entices users to Micro, and Trusteer. mobile device management, a vir- connect. The hacker then intercepts Most of these products work much tual private gateway, , victims’ transmissions without their like their PC counterparts. For exam- policy controls, a virtual desktop, knowledge. ple, mobile antivirus products scan and cloud computing capabilities. files and compare them against a Customers will also be able to apply Phishing database of known their own security policies to this Phishing poses the same risk on code signatures. Noted Mocana’s platform. smartphones as it does on desktop Stammberger, this approach is com- The AT&T Security Research platforms. pute-intensive and “eats batteries for Center recently opened in New York In fact, many users trust their lunch.” City. Employees have expertise in a mobile device more than their com- Mobile security software is also broad range of areas, including secu- puters and thus are more vulnerable more likely to use the cloud to offload rity, cellular systems, networking, to phishing. some of the processing typically asso- and data mining. Additionally, said Juniper Net- ciated with PC-based products, said Under a distribution and mar- works’ Vennon, the lack of maturity Chris Perret, CEO of security vendor keting agreement signed last year, in phishing filters and reputation- Nukona. Verizon Wireless will promote Look- based services in mobile browsers, There are only a few mobile out Inc.’s mobile security products to combined with the immediacy and encryption software products, includ- customers. portability of telephone communica- ing SecurStar’s Phonecrypt and Handset and chip makers are also tions, makes the platform attractive Credant Technologies’ Mobile Guard- addressing mobile threats. For exam- for phishers. ian for Handhelds. They’re scarce ple, Mocana’s Stammberger said his

JUNE 2011 13

r6tec.indd 13 5/24/11 12:41 PM TECHNOLOGY NEWS

company is working with Freescale against these new threats,” he added. a lot of work that needs to be done Semiconductor, IBM, Intel, LG, Motor- “The greater visibility of these to get to the point where that trust is ola, and to “better leverage and attacks will place an increasing warranted.” improve their on-chip crypto-acceler- importance on mobile device makers ation hardware.” having enterprise-grade security Neal Leavitt is president of Leavitt Mocana also sells Acceleration features and configuration options Communications (www.leavcom. Harness, a technology for connect- in place. It will become necessary com), a Fallbrook, California-based ing OS-based security software with for security to be considered in all international marketing communica- tions company with affiliate offices on-chip hardware acceleration. phases of application development to in Brazil, China, France, India, and ensure that resiliency against attacks the UK. He writes frequently on tech- is built into mobile devices from the nology topics and can be reached at s the mobile ecosystem evolves start,” said Adrian Stone, director [email protected]. and hackers probe for vulner- of security response for BlackBerry Aabilities, devices will face vendor Research in Motion. a growing number of the types “Our dependence on an always- Editor: Lee Garber, Computer; of attacks traditionally launched on, connected, mobile device [email protected] against desktop systems, said Trust- environment is going to be profound eer chief technology officer Amit in critical contexts that we can’t Klein. imagine today,” said Stammberger. Selected CS articles and columns “We need to implement mobile “We have to be able to trust these are available for free at http:// security solutions now to protect devices, but we can’t now. There’s still ComputingNow.computer.org.

DEFEAt CybEr CriMinAls. CybErsECUrity AnD yoUr CoMpEtition.

Sharpen your skills and give yourself a major edge in the job market with a • Designated as a National Center of Academic Excellence in cybersecurity degree or a new graduate certificate from University of Maryland Information Assurance Education by the NSA and the DHS University College (UMUC). Our degrees and certificates focus on technical and policy aspects, preparing you for leadership and management roles—and • Advanced virtual security lab enables students to combat making you even more competitive for thousands of openings in the public simulated cyber attacks and private sectors. Courses are available entirely online, so you can earn your • Financial aid and an interest-free monthly payment bachelor’s, master’s or certificate while keeping your current job. plan available

Enroll now. 800-888-UMUC • umuc.edu/cyberwarrior

Copyright © 2011 University of Maryland University College

UMUC11277_IEEE_Computer_Cyber_7x4.75.indd 1 2/3/11 9:54 AM

14 compUtEr

r6tec.indd 14 5/24/11 12:41 PM