
Aug 13, 2012

Gauss: Stuxnet Like Worm Spotted Stealing Banking Information



A new cyber weapon, believed to be linked in its operation to Stuxnet, Duqu and Flame (i.e. the malware that targeted Iranian nuclear facilities), has been discovered; it was aimed at stealing financial information from customers of a series of Lebanese banks.

Like Flame, Gauss was also discovered by the ITU (International Telecommunication Union) as part of its mission to maintain world cyber-peace.
Kaspersky said:
“Gauss is a nation state sponsored banking Trojan which carries a warhead of unknown designation”. Besides stealing various kinds of data from infected Windows machines, it also includes an unknown, encrypted payload which is activated only on certain specific system configurations.
It shares some functionality with Flame, such as the USB infection subroutines.
Kaspersky analysed this Trojan and released a technical paper which contains several details about the worm.

Jun 30, 2012

New Mac Virus Detected



A new Mac OS X exploit was discovered Friday morning by Kaspersky Labs which propagates through a zip file attachment. The attachment tricks the Mac user into installing a variant of the MaControl backdoor via point-and-grunt. Embedded in the virus is an encrypted IP address belonging to a server in China which is believed to be a command-and-control (C&C) server.

Jun 1, 2012

Stuxnet Origin Confirmed: Developed by the US and Israeli Governments to Set Back Iran's Nuclear Development


[NYT]: US officials confirm that Stuxnet was a joint operation of the US and Israeli governments to sabotage the computer systems at Iran’s nuclear facilities, according to current and former US officials.
The operation was code-named Olympic Games.


NYT reports:
From his first months in office, President Obama secretly ordered increasingly sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment facilities, significantly expanding America’s first sustained use of cyberweapons, according to participants in the program.


Mr. Obama decided to accelerate the attacks — begun in the Bush administration and code-named Olympic Games — even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet. Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet.

At a tense meeting in the White House Situation Room within days of the worm’s “escape,” Mr. Obama, Vice President Joseph R. Biden Jr. and the director of the Central Intelligence Agency at the time, Leon E. Panetta, considered whether America’s most ambitious attempt to slow the progress of Iran’s nuclear efforts had been fatally compromised.

“Should we shut this thing down?” Mr. Obama asked, according to members of the president’s national security team who were in the room.

Told it was unclear how much the Iranians knew about the code, and offered evidence that it was still causing havoc, Mr. Obama decided that the cyberattacks should proceed. In the following weeks, the Natanz plant was hit by a newer version of the computer worm, and then another after that. The last of that series of attacks, a few weeks after Stuxnet was detected around the world, temporarily took out nearly 1,000 of the 5,000 centrifuges Iran had spinning at the time to purify uranium.


May 28, 2012

Flame: The most complex cyber threat ever discovered



Like Duqu and Stuxnet, Flame is one of the most massive cyber weapons ever discovered. It was specially designed to perform cyber espionage and to retrieve valuable and important information (read: steal it) without you knowing it.
This malware was identified when the UN’s International Telecommunication Union came to experts at Kaspersky Lab for help in finding an unknown piece of malware which was deleting sensitive information across the Middle East.

This new malware is known as Worm.Win32.Flame, Flame for short.

Researchers say: "It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage."

"Flame is a huge package of modules comprising almost 20 MB in size when fully deployed. Because of this, it is an extremely difficult piece of malware to analyze. The reason why Flame is so big is because it includes many different libraries, such as for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3), together with a LUA virtual machine. "

Read More at The Flame: Questions and Answers

Aug 6, 2011

Vulnerabilities in Chrome OS: Black Hat conference

Google’s highly desirable operating system, Chrome OS, has loopholes that can be exploited to take over the system easily.
According to tech website VentureBeat, two security experts, Matt Johanson and Kyle Osborn, revealed on Tuesday while addressing the Black Hat conference that they have already found a way into Chrome OS, which was officially launched by Google Inc. a few months ago.

Jul 29, 2011

Facebook offers bounty to security bug hunters


[AFP] Facebook began offering rewards of $500 or more on Friday to security researchers who identify vulnerabilities in the social network.

Jul 26, 2011

Italy's police website hacked in revenge attack


[TOI]: ROME: Hacker groups said that they had accessed the website of Italy's cyber police and published classified information online in revenge for arrests of hackers in Europe and the United States.

Jul 18, 2011

Murdoch's UK Sun newspaper website hacked: the site carried a fake report that Rupert Murdoch had been found dead

The rogue hacker group Lulz Security on Monday attacked the website of the Rupert Murdoch-owned Sun newspaper, replacing the online edition with a fake story that Murdoch had been found dead.

The hackers redirected visitors to the Twitter feed of hacker group Lulz Security, which came to prominence after several cyber assaults on the websites of Sony Corp, the CIA, and News Corp's Fox TV.
The group also claimed to have hacked the homepage of News International, the Sun’s parent company, which is at the centre of the phone-hacking scandal; the webpage of sister paper The Times was also inaccessible.
“We have owned Sun/News of the World – that story is simply phase 1 – expect the lulz to flow in coming days,” a message from the group warned.

Another message taunted “We have joy we have fun, we have messed up Murdoch’s Sun”
A News International spokeswoman said the company was “aware” of the attack.

The hacker collective said it was “sitting on their (the Sun’s) emails” and was prepared to publicise them on Tuesday.

Lulz has been in the spotlight after taking credit for cyberattacks on high-profile companies including Sony and Nintendo.

Lady Gaga's website hacked: fans' personal information stolen

Fans Exposed ...

Popular singer-songwriter Lady Gaga's UK website was hacked by a group of cyber attackers.
Hackers have managed to break into Lady Gaga's website and leaked information about its registered users, prompting the pop star's record label to contact the police.

SwagSec is a new group that targets artists and the music industry. Its members have so far hacked the websites of Amy Winehouse, Lauren Pritchard, Justin Bieber and the Klaxons.

Several sources report that SwagSec, a US-based group, had (according to DigitalSpy) publicly revealed its plans to attack the websites of Gaga and fellow pop stars Amy Winehouse and Justin Bieber. The hack allegedly took place on June 27, with names and email addresses being lifted, but the information was only made public this week.


Gaga’s overseas label, Universal, contacted the authorities, revealing that “the hackers took a content database dump from ladygaga.co.uk and a section of email, first name and last name records were accessed. There were no passwords or financial information taken.” Well, thank goodness for that!

The label also stated that they “take this very seriously and have put in place additional measures to protect personally identifiable information. All those affected have been advised.”


Gaga is reportedly upset about the matter, and hopes that the cops will be able to solve this case and problem. We really hope that this security breach doesn’t cause Gaga to pull back from her activity in the digital realm. We’re also glad to hear that the hack wasn’t much worse, since it could have been.

Jul 15, 2011

Pentagon: 24,000 military files stolen in cyberattack


The Pentagon has disclosed that it suffered one of its largest ever losses of sensitive data in March when 24,000 files were stolen in a cyber-attack by a foreign government.

William Lynn, the US deputy secretary of defence, said the data was taken from the computers of a corporate defence contractor.

He said the US government had a "pretty good idea" who was responsible but did not elaborate.
Many cyber-attacks in the past have been blamed on China or Russia, and one of the Pentagon's fears is that eventually a terrorist group will acquire the ability to steal data.

Mr Lynn disclosed the March attack in a speech outlining a new cyber-strategy, which formally declares cyberspace a new warfare domain, much like air, land and sea. 

It calls for developing more resilient computer networks so the military can continue to operate if critical systems are breached or taken down.

Jul 12, 2011

10-Point Security Checklist to Keep Your Online Accounts Safe

A Security Checklist for Online Accounts

1. Enable the “Always use HTTPS” setting for Facebook, Twitter, Gmail, Google and all the other online services that support secure HTTP. This is especially important when accessing the Internet over a Wi-Fi network because without HTTPS, anyone (and not just skilled hackers) can capture your login details using Firesheep, a simple Firefox extension.

2. I have a few Google Accounts and they all use 2-step verification now. That means if someone tries to log into my Google account from a different computer, they’ll have to type an additional code that is sent directly to my mobile phone as an SMS text message or over a voice call.

3. The 2-step verification can also alert you to potential hacking activity. If I ever get an SMS (or a voice call) from Google with the verification code but without requesting one, it is an immediate hint that someone knows my password though they won’t be able to get in without entering the verification code.

4. I have connected my mobile number with my Facebook account. This is extremely important because I get an instant SMS and an email alert whenever my Facebook account is accessed from a different computer or another mobile phone.

5. I carefully reviewed third-party sites that have access to my online accounts and revoked access to all the unwanted apps that I no longer use. In case you wish to do the same for your accounts, here are the direct links for Facebook, Google and Twitter.

6. I maintain two email addresses – one is public that is displayed on the blog while the other email address is known to a select few. Why?

6a. The public email address is associated with services like Twitter, YouTube, Facebook, Foursquare, LinkedIn, Flickr, Tumblr, Posterous, Skype and a couple of other social sites where I want people to find me if they have my email address in their address book.

6b. I use the other “secret” email address with services like Dropbox, Amazon, Google Apps, my bank, my hosting service, Apple iTunes, PayPal and few other places where account security is even more critical and where I am not looking to get social.

7. If I am testing a new online service, I almost always use a disposable email address to create a test account with that service. Some online services reject disposable addresses to prevent fake registrations but the one I use goes through as it is only an alias (or nickname) of my main email address.

8. I prefer using a virtual credit card with shopping sites that I am either using for the first time or where the fine print is too long and there’s a risk that I could be billed again if I don’t cancel the account. This also helps keep my credit card safe from relatively unknown sites.

9. Once in a while, I do a mock drill with my most important online accounts to test the various recovery options I would have in case I forget my password, lose access to my secondary email address or misplace my mobile phone.

10. The last point - how do I remember and manage so many different passwords?

Some people prefer to use password managers which are very convenient but at this time, all I use is a simple 1-page document (see sample) to store information of all my online accounts and the corresponding passwords. This file is password-protected and I put it on Dropbox so the information is available on all my computers.

This may surprise some but I also have a hard copy of this file that family members can refer to in case I am travelling and they need urgent access to any of my online accounts. Also, since they would need my mobile phone to access my Gmail or Google account, I have included backup verification codes in the printed document itself – thus the Google account can be used without requiring the phone.

One more thing. If you have two email accounts, never ever set one email as the secondary (or recovery) email address of the other. That’s because if one of your email accounts gets compromised, the hacker can easily take over the other account as well.

Jul 11, 2011

Military Meltdown Monday: 90,000 military emails hacked


The Anonymous hacker group released 90,000 email logins stolen from the military contractor Booz Allen Hamilton in a leak it branded "Military Meltdown Monday." Anonymous has also released exchanges between the contractor's executives, and claims it "found maps and keys for various other treasure chests buried on the islands of government agencies, federal contractors and shady whitehat companies. This material surely will keep our blackhat friends busy for a while." Some of the logins belong to American military personnel, including people working at U.S. Centcom.

The group, a spin-off of Anonymous that includes members of the now defunct hacking group Lulz Sec, claims it broke into the servers of technology contractor Booz Allen Hamilton and stole the login details. They have been published on BitTorrent file sharing sites for anyone to download.

"We infiltrated a server on their network that basically had no security measures in place," Anonymous said in an online statement.


[Via:govtinfosec]

Jul 5, 2011

PayPal Twitter account got hacked


PayPal U.K. Twitter feed hacked


PayPal's U.K. Twitter feed has apparently been taken over by outsiders critical of the company.
The Twitter handle @PayPalUK on Tuesday featured several negative tweets about the company and multiple links to PayPalSucks.com, a website that encourages users to seek out alternative payment services and touts "eBay/PayPal Anti-Trust Class Action" litigation.
"PAYPAL CAN FREEZE YOUR FUNDS FOR NO REASON, DO NOT USE PAYPAL!!" read one tweet on the compromised account.
"All your paypal accounts are now frozen while we clean up this mess.." another tweet said.
The Next Web received the following statement from PayPal:
PayPal UK’s Twitter feed was targeted by hackers tonight. PayPal would like to reassure all customers that PayPal’s UK customer systems and data have not been breached or hacked in any way. There is no link between customer systems and our Twitter account.
The Guardian supposes that this individual is a disgruntled customer and notes that the incident is not necessarily hacker-related: "Twitter accounts are protected by a simple password which can sometimes be guessed or stolen and means that the service can be accessed by anyone with that password."

Jul 4, 2011

Twitter account of Fox News got hacked: disturbing tweets claimed Obama was shot dead


[Screenshot of a tweet that suddenly appeared on the Fox News Twitter account.]

An official Twitter account belonging to the political team at Fox News has been compromised and fallen into the hands of hackers who have posted false stories claiming that Barack Obama has been assassinated.
The messages were posted at approximately 2am local time, and were quickly retweeted across the network.

Messages posted to the @FoxNewsPolitics account included:
BREAKING NEWS: President @BarackObama assassinated, 2 gunshot wounds have proved too much. It's a sad 4th for #america. #obamadead RIP
and
We wish @joebiden the best of luck as our new President of the United States. In such a time of madness, there's light at the end of tunnel
The rogue tweets seem to have begun after a message was posted on the FoxNewsPolitics account saying "Just regained full access to our Twitter and email. Happy 4th".
That message implies that whoever hacked into the account compromised the email address of the person who administers the FoxNewsPolitics account, giving an unknown third-party the ability to post tweets at will.


At the time of writing the false announcements are still present on the FoxNewsPolitics Twitter page - the July 4th Independence Day holiday may mean that no-one at Fox has been able to log into the account to remove the tweets.
A Twitter account calling itself "TheScriptKiddie" has claimed responsibility for the attack, but has since been suspended.
The Fox media empire appears to have drawn a lot of fire from hackers in recent months. In May, hackers stole details of employees' usernames and passwords and defaced Twitter and LinkedIn pages.
Previously, the personal information of more than 250,000 people was stolen from Fox's The X Factor show.



Although some may be amused by the latest hack, users can clearly be put at risk if an account is exploited by somebody with malicious intentions (they could link to a website containing malware, as we recently saw with the recent breach of Simon Pegg's account for instance).
The employees of Fox responsible for the administration of the company's social media accounts might be wise to refresh their knowledge of password security and check that their computers have not been compromised with spyware.


Jun 24, 2011

We Hacked Arizona Data: LulzSec

This rogue hacker group released the data from its latest intrusion into the Arizona Department of Public Safety’s internal servers.
Lulz Security, a group of hackers who have claimed responsibility for a number of recent online data attacks, said Thursday that it had successfully breached the Arizona Department of Public Safety’s internal servers, gaining access to hundreds of law enforcement documents, police profiles and e-mails.

The group posted a huge log of data it said it had obtained, releasing it on public file-sharing Web sites and linking to it via its Twitter account.
Lulz Security said in a news release that it had chosen to attack Arizona law enforcement because the group is opposed to the state’s law against illegal immigration.
A Department of Public Safety spokesman, Capt. Steve Harrison, said the biggest worry was the release of personal information about officers, which could endanger their safety. He said the documents appeared to be authentic but were sensitive, not confidential.
The content of the documents obtained by Lulz Security include what appear to be the names, addresses and phone numbers of Arizona law enforcement officials. The data also covers hundreds of documents described as “not for public distribution.”
Some of the documents offer instructions and manuals for interrogating individuals who have been arrested.
The documents also include intelligence the department has collected about gangs in Arizona and Mexico.
Lulz Security also said it planned to release “more classified documents and embarrassing personal details of military and law enforcement” in the coming weeks.
In the last several months Lulz Security has attacked a number of government and private Web sites, including Sony, the Senate’s Web servers and the Central Intelligence Agency’s Web site.

Jun 21, 2011

DDoS attack: why, what, how



Until two months ago barely anybody had heard the term "DoS" or "DDoS", but nowadays everyone appears to be using it.
However, people do not seem to understand the actual meaning of the term. For example: one week ago my friend said that the CIA website had been "ddosed" for 2 hours (he meant someone was insulting the website).
I'm getting pretty tired of the use of the term while barely anybody actually knows what it means or is facing real attacks, so I've decided to make this post to make it all clear.

What is a DoS or DDoS attack?

The purpose of a DoS or DDoS attack is to overload a server (as in "a computer" used to host services, not a "private server") by overloading it with connections.
An overload on a server will cause the server to go offline for a while and be unavailable for the users, meaning that any services such as a website or private server will be inaccessible.


Is there a difference between a DDoS and DoS attack?

Yes! There's a difference between a DDoS and a DoS, even though the purpose remains the same.
Many people believe they are the same and just use the term "DDoS" because the extra D sounds tougher, but that's incorrect, because people here are most likely facing a DoS attack instead of a DDoS attack.

DoS stands for Denial of Service: an attack coming from one single computer and Internet connection.
Any tool you could run on your own computer to flood a server is a DoS tool, and by using it you expose your own IP address, computer information and similar details to the target.
In most cases a simple attack coming from one single computer is not strong enough to make a server unavailable.


My private server is down, is it a DDoS attack?

No. Like I said, barely anybody here has a proper botnet and is able to carry out a real DDoS attack.
If you are facing an overload of connections it is most likely a DoS attack coming from a single computer. If it were a real DDoS attack, your Internet connection probably wouldn't even be working, unless you are using another Internet connection to host your website (e.g. a dedicated or virtual server at another host/datacenter).



Can I defend my server, private server or website from such attacks?

Yes, it is possible, but hard for a private server. Your host usually has an expensive firewall (such as Cisco's), but these appliances are built to fight real DDoS attacks.
Attacks seen in this RuneScape private server business cannot be considered real attacks because they're too small to be recognized by those firewalls, which means you have to fight them on your own.
Fighting attacks is easier when using an OS like Linux with a shell instead of Windows with remote desktop; however, I'll spare you that story because you most likely do not want to use Linux due to all the typing instead of clicking. For people who are serious about life, the Internet and fighting these attacks, read up on "null routing".
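As an added example (not part of the original post), the following POSIX shell script shows the single-source case the post describes: it counts connections per peer address from `ss -tn` style output and emits the Linux null-route (blackhole) command for any peer above a threshold. The sample output, the threshold of 5 and the addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: detect a single-source connection
# flood from "ss -tn" style output and prepare a Linux null route for it.
# A blackhole route drops every packet the kernel would send to that peer, so
# its half-open and new connections can never complete the handshake.

# Constructed sample of `ss -tn` output (State Recv-Q Send-Q Local:Port Peer:Port).
# 198.51.100.7 holds six connections, the others are ordinary clients.
SAMPLE_SS='ESTAB 0 0 10.0.0.5:43594 198.51.100.7:51001
ESTAB 0 0 10.0.0.5:43594 198.51.100.7:51002
SYN-RECV 0 0 10.0.0.5:43594 198.51.100.7:51003
ESTAB 0 0 10.0.0.5:43594 198.51.100.7:51004
ESTAB 0 0 10.0.0.5:43594 198.51.100.7:51005
SYN-RECV 0 0 10.0.0.5:43594 198.51.100.7:51006
ESTAB 0 0 10.0.0.5:43594 203.0.113.9:40120
ESTAB 0 0 10.0.0.5:43594 203.0.113.9:40121
ESTAB 0 0 10.0.0.5:43594 192.0.2.20:55555'

# peer_counts SS_OUTPUT
# Prints "count ip" per peer, highest first. Only ESTAB and SYN-RECV rows are
# counted; the port is stripped from the peer column so IPv4 and [IPv6] both work.
peer_counts() {
    printf '%s\n' "$1" | awk '
        $1 == "ESTAB" || $1 == "SYN-RECV" {
            peer = $5
            sub(/:[0-9]+$/, "", peer)   # drop the port, keep the address
            c[peer]++
        }
        END { for (ip in c) print c[ip], ip }
    ' | sort -rn
}

# flood_sources SS_OUTPUT THRESHOLD
# Prints the addresses whose connection count is >= THRESHOLD, one per line.
flood_sources() {
    peer_counts "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# null_route_cmd IP
# Prints the command that would blackhole the address (needs root to run).
# Undo later with: ip route del blackhole IP/32
null_route_cmd() {
    printf 'ip route add blackhole %s/32\n' "$1"
}

# Demo over the constructed sample: list counts, then the mitigation commands.
# On a live box replace "$SAMPLE_SS" with "$(ss -tn)".
echo "connections per peer:"
peer_counts "$SAMPLE_SS"
echo "null-route commands for peers with >= 5 connections:"
for ip in $(flood_sources "$SAMPLE_SS" 5); do
    null_route_cmd "$ip"
done
```

Review the threshold against normal traffic first, since a NAT gateway or proxy legitimately opens many connections from one address.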




How to make Ddos attack !!

Jun 18, 2011

Who Are LulzSec?





For the last two months we have been hearing this name very often.

In commemoration of the LulzSec Twitter account's 1,000th tweet, the group has issued a lengthy and remorseless statement attempting to explain its actions.

Hacker collective or, as they put it, "those evil bastards from Twitter" LulzSec has issued an official statement attempting to explain its actions. You can read it here.
"The main anti-LulzSec argument suggests that we're going to bring down more Internet laws by continuing our public shenanigans," the statement reads, "and that our actions are causing clowns with pens to write new rules for you. But what if we just hadn't released anything? What if we were silent? That would mean we would be secretly inside FBI affiliates right now, inside PBS, inside Sony... watching... abusing..."


The thrust of the statement is that Internet security is not what it could be, and that hackers don't always announce what they've hacked. "We certainly haven't," the statement continues, "and we're damn sure others are playing the silent game. [...] You are a peon to these people. A toy. A string of characters with a value. This is what you should be fearful of, not us releasing things publicly, but the fact that someone hasn't released something publicly. We're sitting on 200,000 Brink users right now that we never gave out. It might make you feel safe knowing we told you, so that Brink users may change their passwords. What if we hadn't told you? No one would be aware of this theft, and we'd have a fresh 200,000 peons to abuse, completely unaware of a breach."


The statement goes on to make light of the group's most recent actions -- releasing user names and passwords for a variety of sites across the Web, including Facebook, GMail, PayPal and Amazon accounts. "Welcome to 2011," it continues. "This is the lulz lizard era, where we do things just because we find it entertaining. Watching someone's Facebook picture turn into a penis and seeing their sister's shocked response is priceless. Receiving angry emails from the man you just sent 10 dildos to because he can't secure his Amazon password is priceless. You find it funny to watch havoc unfold, and we find it funny to cause it. We release personal data so that equally evil people can entertain us with what they do with it."

Said "equally evil people" have reportedly claimed PayPal accounts containing significant amounts of money; access to online games and services such as World of Warcraft; Facebook accounts; and email addresses containing private information. While losing access to one's account will provide a potent message to use more different passwords around the Web -- and more secure passwords, at that -- the unpleasant (and potentially life-wrecking) manner in which the group has delivered this message completely undermines whatever valid point it may have had to make about Internet security. But they don't care:
"Nobody is truly causing the Internet to slip one way or the other," the statement continues. "It's an inevitable outcome for us humans. We find, we nom nom nom, we move onto something else that's yummier. We've been entertaining you 1000 times with 140 characters or less, and we'll continue creating things that are exciting and new until we're brought to justice, which we might well be. But you know, we just don't give a living fuck at this point -- you'll forget about us in 3 months' time when there's a new scandal to gawk at."


Jun 17, 2011

Officials Confirmed that the CIA Website Was Attacked




A U.S. official has confirmed that the website belonging to the Central Intelligence Agency, which was inaccessible for hours on Wednesday evening, suffered a cyber attack.
Hacker group LulzSec, which spearheaded attacks on PBS.org, Sony, the Senate, and other organizations, claimed responsibility for taking CIA.gov offline, tweeting, "Tango down - cia.gov - for the lulz."
Politico reports:
The disruption on the CIA’s public website Wednesday did not involve “any kind of outside intrusion,” a U.S. official told POLITICO. [...]
The technical issues cia.gov experienced are more consistent with a “distributed denial of service attack,” which is an attempt to overwhelm the servers of a website so people cannot access it.

In one of two hacks this week directed at Senate computers, LulzSec successfully stole information that it later posted on its website.
LulzSec said of the hack, "We don't like the US government very much. Their boats are weak, their lulz are low, and their sites aren't very secure. In an attempt to help them fix their issues, we've decided to donate additional lulz in the form of owning them some more!"
According to The Next Web, LulzSec has released personal information, such as email addresses and names, belonging to over 100,000 users, and on Thursday posted 62,000 users' logins that are believed to have been taken from the site Writerspace.com.


Jun 7, 2011

Top 10 dangerous Android Security Risks



Last year, Android became the world's second favorite mobile OS, racing past BlackBerry and Apple. 67 million of the nearly 300 million smartphones sold in 2010 were Android-powered devices like the Samsung Galaxy S, Motorola Droid X, and HTC EVO. New Android 3.0 ("Honeycomb") tablets will spur even more growth this year.
As a result, approximately half of enterprises are working to embrace Android devices. One of IT's biggest challenges: Android's consumer roots mean minimal support for enterprise-class security. Here, we consider today's biggest Android security risks and what can be done to mitigate them.
1. AWOL Androids: The top concern about any mobile device is loss. In a Juniper survey, 58 percent of smartphone and tablet users feared not being able to recover lost content. Apple iPhone users can restore nearly everything from iTunes, but Androids are not managed via desktop sync. Data loss can be avoided in two ways. First, install an auto-backup app (e.g., WaveSecure, MyBackup) to enable quick restoration of all that matters to you. Second, enroll your Android with one of the many available "find me" services to locate and recover lost devices.
2. Flimsy passwords: If your Android falls into the wrong hands, more is needed to prevent thieves from stealing broadband service, ringing up SMS fees, reading your email, or abusing VPN connections. In Juniper's survey, 3 out of 4 users locked their smartphones. This is an excellent first line of defense, but users need to understand Android's limitations.
3. Naked data: A major business risk posed by Android is lack of hardware data encryption. Fortunately, Android 3.0 ("Honeycomb") adds an API to let manufacturers offer encryption and IT enforce its use. Unfortunately, existing Androids cannot yet perform hardware encryption. Until self-encrypting Androids appear, stored data can be protected in two ways. First, those remote lock apps and APIs can request a remote wipe as well, resetting the device to factory defaults – but only when the device is reachable, and without wiping SD card data. For more rigorous protection, enterprises should scramble sensitive data such as email and contacts using self-encrypting apps (e.g., Good for Enterprise, Exchange Touchdown).
4. SMShing: This phishing variant uses texting to trick smartphone users into visiting fraudulent or malicious links. Hackers are now being drawn to Android's popularity and openness. For example, last summer, unlucky SMS recipients were invited to download Trojan-SMS.AndroidOS.FakePlayer, a free "Movie Player". Once installed, FakePlayer started texting premium-rate numbers without the user's knowledge, ringing up huge bills. To block potentially costly texts, users can add SMS controls such as SMSLinkGuard. Enterprises may also consider using a Mobile Device Manager (MDM) that can monitor Android wireless expenses (e.g., SMS, roaming).
5. Unsafe surfing: Think web browsing on your Android is safe? Last fall, M.J. Keith showed that a known WebKit browser vulnerability could be exploited on Android 2.0 or 2.1. Thomas Cannon reported an Android 2.2 browser flaw that could give hackers full SD card access. Recently, Google fixed an Android Market cross-site scripting (XSS) vulnerability that enables arbitrary code execution, found by John Oberheide. Unfortunately, Android users cannot quickly patch around bugs, because OS updates are deployed infrequently by carriers. One work-around: Using an app like BadLink Check or TrendMicro to avoid known-malicious websites.
6. Nosy apps: Speaking of the Android Market, telling friend from foe can be hard. According to the App Genome Project, Android Market apps more than doubled in the past 6 months. A whopping 28 percent of those apps now access device location, while 7.5 percent access stored contacts. Do these apps really need to know that info and what are they doing with it? Android apps must request permissions during installation – users need to seriously review those requests, exercise caution, and avoid apps that seem too nosy. To flag intrusive apps already installed on your Android, check out Lookout Mobile Security's Privacy Advisor or Webroot.
7. Repackaged and fraudulent apps: Some apps aren't what they appear to be. Many repackaged apps found on third-party Android markets are legitimate free apps, repackaged to generate ad revenue. But repackaging is also used to implant Android trojans, such as the Android.Pjapps trojan (included in modified versions of the Steamy Windows app) and the Android.Geinimi trojan (turns infected phones into bots). Most of these can be avoided by installing apps only from the Google Android Market. Don't frequent unregulated third-party markets or manually install Android packages from untrusted sources.
But even apps distributed by the Google Android Market receive no official review. Last year, "09Droid" sold about 40 different mobile banking apps at the Android Market. Unfortunately, none were affiliated with those banks. It is unclear whether 09Droid intended to phish for banking passwords, but when banks complained, those fraudulent apps were pulled from the Market. Be very careful when downloading apps that access sensitive accounts. Check with banks or other institutions to confirm apps are distributed by an authorized developer and beware of look-alikes.
8. Android malware: According to traffic analysis by AdaptiveMobile, Android malware spiked 400 percent last year. The total is still minuscule compared to other platforms, but more malware is likely to target Android's rapidly-expanding pool of potential victims. When Coverity assessed the Android kernel, it identified 359 code vulnerabilities, 88 of which posed a "high risk" of exploitation. Because Android is an open development platform, hackers have ample opportunity to find and learn how to take advantage of these kinds of flaws.
Fortunately, application sandboxing is built into Android to limit potential damage by malicious apps – unless malware breaks out of that sandbox. That is apparently what DroidDream did last month. Hidden inside about 50 Android Market apps, including Sexy Girls, Advanced File Manager, Task Killer Pro, and Advanced Sound Manager, DroidDream "rooted" infected phones, sending IMEI/IMSI and OS version back to a command-and-control server. The "nature of this exploit" so concerned Google that it remotely removed installed apps from an estimated 50K phones. This "kill switch" was a fail-safe measure of last resort, but users can proactively defend themselves using Android anti-malware apps (e.g., Kaspersky, F-Secure).
9. Fake anti-malware: Alas, the fake anti-virus trend sweeping the PC world has now emerged for Android as well. When Google killed DroidDream, it installed a clean-up app called "Android Market Security Tool 2011." Android.Bgserv soon appeared on a third-party Chinese market, pretending to be Google's tool but carrying an SMS trojan. The lesson: Hackers prey on user emotions like fear – don't assume that security apps are legitimate. Check out sellers and read reviews. Enterprises should go further by testing apps in a lab environment, then using an MDM to suggest or auto-install verified safe apps on employee Androids. For example, Sybase Afaria now provides over-the-air app management for Android.
10. Lack of visibility and control: Ultimately, enterprises must embrace Androids – even employee-purchased Androids – so that IT can regain visibility into and control over business activities on these devices. Unlike iOS, Android does not yet offer native MDM to enable third-party device management. However, Android does provide APIs that MDM agent apps can use to read/write settings (e.g., password complexity), query attributes (e.g., installed apps, GPS location), and invoke remote lock or wipe. A bit of this can also be done via Exchange ActiveSync. Either way, IT can enroll Android devices, track their use, and enforce (at least limited) policies. Configurable settings are limited but rapidly expanding – more so for some manufacturers than others. But putting a management framework in place can help you leverage new Android security capabilities as they emerge.
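To make items 3 and 10 concrete, here is an added example (not code from the article or any MDM vendor) of the kind of device-admin agent an MDM app builds on Android's Device Administration API: it enforces password complexity, asks for storage encryption on Honeycomb and later, and exposes the remote lock and wipe calls a management server would trigger. It assumes the receiver is registered in AndroidManifest.xml with the BIND_DEVICE_ADMIN permission and a device-admin policy XML declaring these policies (not shown); the class name MdmAdminReceiver is hypothetical.

```java
// Added example: minimal Android device-admin agent for MDM-style control.
// Assumes a matching <receiver> entry and device-admin policy XML in the manifest.
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.Build;

public class MdmAdminReceiver extends DeviceAdminReceiver {

    /** Apply the enterprise baseline as soon as the user activates the admin. */
    @Override
    public void onEnabled(Context ctx, Intent intent) {
        DevicePolicyManager dpm = getManager(ctx);
        ComponentName admin = getWho(ctx);
        // Password complexity: letters and digits, at least 8 characters.
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC);
        dpm.setPasswordMinimumLength(admin, 8);
        // Auto-lock after 5 minutes idle, and wipe after 10 wrong unlock attempts.
        dpm.setMaximumTimeToLock(admin, 5 * 60 * 1000L);
        dpm.setMaximumFailedPasswordsForWipe(admin, 10);
        // Android 3.0 (API 11) added the encryption API; older devices lack it.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.HONEYCOMB) {
            dpm.setStorageEncryption(admin, true);
        }
    }

    /** Does the current password meet the policy set above? Callers can nag the user if not. */
    public static boolean passwordCompliant(Context ctx) {
        return manager(ctx).isActivePasswordSufficient();
    }

    /** Remote lock: what the MDM server invokes when a device is reported lost. */
    public static void remoteLock(Context ctx) {
        manager(ctx).lockNow();
    }

    /** Remote wipe: factory reset. The SD-card flag exists only from Android 2.3 (API 9). */
    public static void remoteWipe(Context ctx) {
        int flags = Build.VERSION.SDK_INT >= Build.VERSION_CODES.GINGERBREAD
                ? DevicePolicyManager.WIPE_EXTERNAL_STORAGE : 0;
        manager(ctx).wipeData(flags);
    }

    private static DevicePolicyManager manager(Context ctx) {
        return (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
    }
}
```

Both lock and wipe only take effect when the agent can reach the device, which is exactly the gap item 3 points out; encrypting the data at rest is what covers the unreachable case.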
