Traditional antivirus vendors are doing a good job detecting and blocking known mobile malware, according to Av-Test, a Germany-based independent service provider that tests antivirus and antimalware software.
The firm tested the detection capabilities of a variety of available Android mobile security apps using a malware set of 618 malicious application package (APK) files. Malicious apps that were discovered between August and December 2011 were included in the test set.
Avast, Dr.Web, F-Secure, Ikarus and Kaspersky rated highly, according to the firm’s latest analysis, Test: Malware Protection for Android 2012 (.pdf), issued today. Zoner and Lookout, two independent security firms with mobile security apps also performed well, Av-Test said. The apps had a detection rate of more than 90%.
Products that fell between 65%-90% included AegisLab, AVG, Bitdefender, ESET, Norton/Symantec, Quick Heal, Super Security, Trend Micro, Vipre/GFI and Webroot. Despite falling below 90%, Av-Test said the mobile security apps are still very good and should be considered.
“Some of these products just miss one or two malware families, which might be not prevalent in certain environments anyway,” Av-Test said in its report.
Mobile malware continues to make up about 1% of overall malware, but despite the threat currently being minimal, experts at RSA Conference 2012 have pointed to a variety of attacks, from banking Trojans to SMS fraud, which could pose a threat to enterprise networks. Some say attackers are not too far away from weaponizing applications to perform a variety of functions all aimed at collecting as much data as possible about the device owner.
Judging by the attendance at the mobile sessions during the conference, it’s clear that security professionals are concerned about mobile device security and are looking for ways to gain control and visibility into employee devices at the endpoint. Both Google Android and Apple iOS have been built with security features right into the platform.
“I would go as far as to say they are probably the most secure platforms ever built,” Kevin Mahaffey, CTO of Lookout told me in a mobile security interview at RSA Conference. Sandboxing and granular permissions that limit the device capabilities available to installed mobile applications make it much harder for an attack to be successful, Mahaffey said.
“We haven’t really seen malicious use of vulnerabilities on mobile devices yet, but plenty of researchers have demonstrated that it’s possible. There’s no magic pixie dust in iPhone or Android that makes it somehow immune from all the problems on the desktop,” Mahaffey said.
Anup Ghosh, founder and CEO of browser security vendor Invincea, shares a different view about the
Android platform. At RSA Conference, Gosh told me Android users should be concerned about mobile malware. Apple has done a good job of controlling its platform, keeping its ecosystem closed off to potential malware writers. Meanwhile, Android is using Java as part of its sandboxing strategy. It’s highly buggy, Ghosh said, with a lot of native interfaces to the underlying firmware.
According to Gosh: “When you download an app from the Android store you are giving explicit permissions, giving that app access to all kinds of system resources, which are all holes to that sandbox. It’s a fairly rich environment for adversaries to write malware. We’re still early as far as malicious code development goes, but they will follow the money.”
It doesn’t hurt to have a layer of security for protection. Mahaffey said a good mobile security app can protect device owners from malware or spyware, provide safe browsing capabilities and locate lost and stolen devices.
Av-Labs said that its test determined a grouping of 17 trustworthy mobile security apps. Even if a mobile security app performed poorly in its detection tests, some have other capabilities such as remote lock and wipe, backup and phone locating that may make them useful.
The firm tested the latest version of available mobile security apps using an Android emulator running the Gingerbread version of Android. The results were verified on a Samsung Galaxy Nexus running the latest Android version, Ice Cream Sandwich.
DNS services provider OpenDNS has hired away the chief technology officer of security vendor Websense Inc. and is laying the groundwork for a variety of DNS layer security services and products aimed at enterprises.
Dan Hubbard, who spent 14 years at Websense, is planning to build out OpenDNS’ security product portfolio. Hubbard played a significant role at Websense, building the Websense Security Labs and the company’s classification engine, which is at the heart of its security products. The engine is used to filter out malicious websites, block spam and phishing attacks and is also at the core of Websense’s content filtering technology.
Hubbard confirmed his departure this week. A Websense spokesperson said the company is already reshuffling executives to fill the CTO role. Charles Renert, an expert noted for his work with Symantec Security Labs and founding Determina, was promoted to vice president and will assume Hubbard’s responsibilities in the interim.
It’s going to be extremely interesting to see how OpenDNS’s enterprise security plans unfold under Hubbard’s guidance.
I spoke to Hubbard at a reception at RSA Conference 2012 where he exuded a lot of enthusiasm for his new gig at OpenDNS. Hubbard said there’s a potential for a whole new range of security technologies that take advantage of being in the DNS layer. The company, which launched in 2005, already provides malware protection for its users by blocking outbound botnet communications at the DNS layer. It also maintains PhishTank, the largest clearinghouse of phishing information on the Internet. OpenDNS has 12 data centers that handle DNS requests, but also have been collecting threat intelligence data for years. Combining threat intelligence with the ability to keep track of individual IP addresses opens up an interesting set of capabilities for protecting laptops and mobile devices.
The company already has a broad set of users of OpenDNS Enterprise, which provides inbound and outbound protection and is application-, operating system-, protocol- and port-agnostic since it is essentially cloud-based at the DNS layer. The company has been pushing itself as an extra layer sitting between the Internet and enterprise firewalls and antivirus technology at the endpoint. There are some built-in reporting capabilities providing data on attacks and malicious websites that were blocked by the service.
Hubbard’s move to OpenDNS and the company’s security strategy caught the eyes of at least two prominent security luminaries: Dan Kaminsky and Paul Vixie, who attended the reception. Last year, Kaminsky briefly shared with me his vision of what DNS-based security technologies can do. He believes a broad range of technologies can be built out leveraging DNSSEC architecture for authentication and establishing trust in Internet communications. It could provide a much needed injection of trust into the Internet, which has been evaporating in recent years because of a variety of issues, including breaches at SSL Certificate Authority vendors and well known weaknesses in the digital certificate system itself. Vixie has also publicly shared the potential of adding security to the DNS layer.
It was hard, however, to find the enthusiasm for OpenDNS from others at the RSA Conference. The first thing that comes to mind with OpenDNS is its consumer products that enable parents to shield porn and other websites from their children.
Several industry analysts and other security professionals I spoke to were too wrapped up in their own respective areas of expertise, but a few people said they share Kaminsky’s passion for the long-term potential of DNS-layer security technologies.
OpenDNS CEO David Ulevitch told me the company already has the foundation in place to provide a wide variety of security services. He said it just has to execute on its strategy and provide a convincing argument that enterprises can get value out of having security at the DNS layer.
Government and businesses – and individuals – often have competing priorities when it comes to information security and privacy, and those competing priorities are reflected in the multitude of ever-expanding compliance regulations in the U.S. IT pros are struggling to in light of these competing priorities and, from my vantage point sitting in on GRC sessions at RSA Conference 2012 this week, they are pretty stressed out.
Unfortunately, panelists speaking about hot topics in law and compliance at RSA Conference 2012 appeared to have little hope for a resolution to the tension anytime soon.
Panelist Benjamin T. Wilson, general counsel and senior vice president of industry relations for SSL certificate authority DigiCert Inc., called the tension between government and individuals/businesses a “megatrend” that’s overriding the compliance regulationsbeing written or modified in 2012. Regulators are torn between individuals and businesses: each want access to all kinds of information, but also want all their own information kept private.
Add in the many and varied regulations of other countries, who are themselves attempting to regulate how data is stored or transmitted, and the job of compliance manager becomes that much more difficult.
Microsoft’s Azure cloud service suffered a worldwide outage that started Tuesday and was apparently triggered by a timing miscalculation for the leap year. The company was continuing to work on Wednesday to resolve the Azure outage, which continued to affect some customers.
Microsoft said it became aware of an issue impacting the service management component of Azure at 5:45 p.m. Pacific Time on Tuesday.
“The issue was quickly triaged and it was determined to be caused by a software bug. While final root cause analysis is in progress, this issue appears to be due to a time calculation that was incorrect for the leap year,” Bill Laing, leader of the Azure engineering team, wrote in a blog post.
Microsoft created a fix and deployed it to most of the Windows Azure sub-regions, which restored the Azure service to most customers by 2:57 a.m. PST on Wednesday, he said.
“However, some sub-regions and customers are still experiencing issues, and as a result of these issues they may be experiencing a loss of application functionality. We are actively working to address these remaining issues,” he said.
In an email statement, a Microsoft spokesperson said some customers in three sub-regions – north central U.S., south central U.S. and North Europe – remained affected late Wednesday afternoon. Customers might have issues with Access Control 2.0, Marketplace, Service Bus and the Access Control & Caching Portal, which could result in loss of application functionality, the spokesperson said.
Windows Azure Storage was not impacted, according to Microsoft.
UPDATE: Microsoft reported Thursday at 10:13 a.m. Pacific Time that the Azure service disruption was completely resolved.
RSA Conference 2012 feels like a big ol’ group therapy session. Small circles of friends, larger circles of industry peers, huddled masses freeing themselves of a collective weight on their shoulders. No longer do they have to lie to themselves, their colleagues or bosses. “Hi, I’m Joe Security and I’m pwned!” They’ve come to grips with the fact that it’s OK to say security technologies suck, networks are compromised and attackers are winning.
OK, that last part has always been part of the dialogue. But the other two have only been whispered in the past. Now it’s being shouted at networking events and even from the big keynote pulpit here in San Francisco. Legacy investments in signature-based antivirus, intrusion detection and other detection technologies don’t serve the industry as well as they used to. Signature updates can’t keep up with the evolution of malware. And most attacks are too targeted or too stealthy, or both, to warrant signatures for the masses. It doesn’t work anymore and everyone’s free to say it without repercussion.
Granted, Art Coviello, RSA Security’s chief executive, has a vested interest in shouting it the loudest, but he made a good, encapsulating point during his keynote yesterday: “We have to stop being linear thinkers, blindly adding new controls on top of failed models. We need to recognize, once and for all, that perimeter-based defenses and signature-based technologies are past their freshness dates, and acknowledge that our networks will be penetrated. We should no longer be surprised by this.”
There’s a lot of whispering now about bringing big data concepts to security. Your resume had better soon include some business analytics experience if you wanna be tomorrow’s CISO. You’d also better figure out how to harness all that data your security gear spits out and learn how to baseline “normal” network behavior and address anomalies. And oh yeah, you better know how to talk to your executives about security.
Selling them your initiatives based on fear is so five years ago. You better learn your business, how it makes money, and how to deliver metrics that address not only bottom-line impact, but how the customer experience is affected, how internal processes need to reflect security and how you’re articulating security to the company to turn everyone into an advocate for you.
Journalists and analysts like tipping points and landmarks because it makes it easier for us to articulate our stories to readers. Most of the time those tipping points and landmarks are made up; not this time though. There’s a definite change in the air and some tangible direction for the industry. Let’s see how we did about this time next year.
The Cloud Security Alliance Summit at the RSA Conference 2012 got off to an entertaining start Monday with a keynote from an unlikely entertainer: Mike McConnell, former NSA and national intelligence director. McConnell had the crowd laughing with stories of his grandchildren and old times with Colin Powell, but he segued into a serious message: The country isn’t doing enough to address the threat of economic cyberespionage.
The U.S. is the “most digitally dependent nation” and its competitive advantage is its innovation, creativity, research and development, he said. “That information is regularly being taken from us,” added McConnell, who is now vice chairman at Booz Allen Hamilton.
McConnell didn’t point fingers at any country, but said some nation states make it a policy to conduct economic espionage and capture intellectual capital. “We are moving very slowly to address these threats. …We don’t have a cyberdefense capability on a global scale,” he said.
The country needs to establish a policy for what the NSA can do to protect the nation in cyberspace, he said. “The industry is going to have to accept some level of regulation.”
“The economics of cloud computing are compelling,” McConnell said. “It will happen. We need to address privacy, business interests and the national security dimension.”
Other highlights from the CSA Summit:
The CSA announced an “innovation initiative” to help speed development of cloud security by identifying key issues related to security that block the adoption of next-generation IT, documenting guiding principles that IT innovators should address, and incubating IT solutions that align with CSA principles.
Interestingly, the initiative includes not only a working group within CSA, but a for-profit entity that will work with innovators. Innovators don’t have to use CSA assistance in developing their technology, but can have a CSA working group assess its value.
The CSA also is starting a research project into SLAs and is looking for volunteers. The goal is to develop standards around SLAs – something no doubt many cloud users would appreciate.
CANCUN, Mexico — Kaspersky Labs cofounder and chief executive Eugene Kaspersky announced today that the Russian security company will not pursue an initial public offering in the forseeable future and will buy back the shares it sold to a private equity firm brought in 13 months ago to pursue an IPO.
In January 2011, General Atlantic bought 20% of Kaspersky, valued at about $200 million, from Eugene Kaspersky and his ex-wife Natalya. GA was brought in at the time to seek acquisition opportunities and set Kaspersky Lab up for an initial public offering.
“It’s quite a big deal, the biggest deal of my life,” Kaspersky said at the Kaspersky Security Analyst Summit 2012. “The company will stay private and stay focused on IT security.”
Kaspersky said the main motivation for the buy-back was the preservation of the company culture.
“IT security has to be flexivble and innovating. My impression is that being private is the right way because you don’t need to report [finances],” Kaspersky said. “I like the way company is going and the spirt of the company. To change their basic design, I’m afraid is dangerous. We are not going to change our ways, spirit, culture, emotion or strategy.”
Kaspersky said he could see the company branch beyond its core consumer and enterprise antimalware expertise. The company has a worldwide stable of security researchers with offices in 29 countries. Kaspersky said the company is profitable (less than 20% year over year growth), and promised to remain as transparent as possible in its financial disclosures.
“[If public], there are much more reports and governance and a longer decision-making process,” Kaspersky said. “I have the same feeling that I read in Richard Branson’s book that when you go public, the company goes slower. I don’t want that.”
CANCUN, Mexico — Kaspersky Labs senior security researcher Stefan Tanase knows all about the old adage “You never know until you ask.”
Tanase conducted an experiment recently where he emailed the webmasters of 100 websites infected with malware informing them of the problem asking in return only for some data on the infections in the form of log entries. What Tanase got in return was a big fat zero, as in no replies.
Undeterred, Tanase said Wednesday during the Kaspersky Lab Security Analyst Summit 2012, that he emailed another 200 and actually got a 3% reply rate time on his second attempt.
“The assumption I made is that webmasters don’t know their sites are infected,” he said. “The reality is that webmasters don’t care if their sites are infected.”
Tanase said he knows 52% of his emails reached their destination; 48% bounced back to him.
Of the three percent who did reply, one came from a monestary and a priest who asked for help in cleaning up the websites and under what conditions. Another respondent came from an advertising agency that wasn’t interested because the infected site in question was an old site no longer in use. Another, from an industrial equipment supplier, said they didn’t have a dedicated IT person on staff, but offered to send Tanase an administrative username and password and wondered if he could help–a major security fail.
The experiment, however, wasn’t a total bust; 3% may have replied, but upon a second scan, 5% had removed the malware from their sites.
“They may not have replied,” Tanase said, “but they did clean up their site.”
Every year the holiday season is a boon to typosquatters using scams to phish unsuspecting users of sensitive information or peddle rogue antivirus software.
By Hillary O’Rourke, Contributor
With the hassle of finding the best deal and coping with the constant crowds, online shopping has never been more popular for the holiday season. But with that ease comes a warning from Websense: keep an eye out for online scams, particularly typosquatted sites.
Researchers at security research company Websense, Inc. are warning online holiday shoppers of typosquatted online domains, domains that cybercriminals have registered that are virtual but malicious copies of familiar sites in hopes of taking advantage of those who misspell the URL.
Websense researchers have claimed they’ve recently found more than 2,000 typosquatted online domains set up. Websense published a list of domains it found as part of a network of typosquatters, attempting to pose as a legitimate UK brand-name sites. Websense said it has a “list of hundreds of hosts that are part of a typosquat hive (the hive itself contains thousands of hosts), and all of them are hosted in the US. We call it a hive because all of the listed hosts have a connection, and were most likely set up by the same cybercriminals.”
Researchers are also claiming that although the brand names may be spelled correctly in the domain, cybercriminals have created sites with the “.org” or “.net” domain suffixes as well. They added that they’ve seen a recent influx of these fraudulent domains in preparation for the holiday season.
The attackers often use these websites in fake emails and phishing sites in an attempt to lure consumers to claim online coupons. After a user clicks on the provided link, a pop-up shows up in another window with a different offer.
It’s important to remember that legitimate websites and the companies behind them sometimes employ a strategy of buying typosquat hosts that are similar to their site’s name. This is a good strategy for successful websites, as those companies usually understand the dangers of typosquatting and how their brand name can be affected and abused. Kudos go to Amazon, which registered a good number of potential typosquat hosts, including aqmazon (dot) com, amaxzon (dot) com, amzon (dot) com, and many more. These are all GOOD hosts registered by Amazon itself, leaving no chance for abuse as long as they remain registered to Amazon.
Typosquatting is used to quickly gain advertising revenue from sites receiving a high volume of accidental traffic. More recently, however, it’s often more about collecting as much information as the cybercriminals can get. With the holiday season in full swing, cybercriminals should expect to see success in both of those areas.
As the Websense says, it’s all “to ensnare the unaware.”
By Hillary O’Rourke, Contributor
The cybercriminals responsible for the Nitro attacks have certainly showed audacity in their latest move: Sending malicious emails claiming to be from security vendor Symantec with the company’s own report on those Nitro attacks.
According to a Symantec blog post, the group, which is currently targeting chemical companies, is using the same social engineering techniques they have used in previous attacks, but lately they have been sending malicious emails that are created to look like they were sent by Symantec’s technical support department.
“They are sending targets a password-protected archive, through email, which contains a malicious executable,” explained Symantec researchers keeping a close watch on the group’s attack techniques. “The executable is a variant of the Poison IVY and the email topic is some form of upgrade to popular software, or a security update.”
The security vendor originally exposed the gang in a report released on Nov. 1 on the Nitro attacks that began in July and lasted until September. Those attacks also involved emails carrying a variant of the Poison Ivy backdoor and were specially crafted for each targeted company. According to the blog post, they are still using the same hosting provider for their command and control (C&C) servers.
The Symantec blog post explains one of the emails ‘offers protection from “poison Ivy Trojan’!”
The fraudulent emails come with an attachment called “the_nitro_attackspdf.7z” with an archive containing a file called “the_nitro_attackspdf.exe.” According to the blog post, the large space between “pdf” and “.exe.” is to trick a user into thinking the attachment is a PDF.
When the attachment is opened, the executable creates a file called Isass.exe, more commonly known as Poison IVY, and then creates a PDF file that is none other than Symantec’s Nitro Attacks whitepaper (PDF).
“The attackers, in an attempt to lend some validity to their email, are sending a document to targets that describes their very own activity,” Symantec said.