This week’s roundup covers several more data leaks as well as a global outbreak of Wi-fi snooping. The variety of leaks, attacks and involved industries shouldn’t be ignored – it’s a major sign of how big of an issue mobile malware is as well how much more is yet to come.
- We’ve been going over HP’s Cyber Security Report for 2013 which was released this week. The whole thing is worth a read but here are the most important findings regarding Mobile Security:
- 46 % of Android and iOS apps used encryption improperly, leaving users’ data vulnerable to theft or misuse.
- 52 % of security problems were due to insecure client-side operations.
- Insecure data storage and excessive permissions account for 50% of client side issues.
HP’s main conclusion is a sound one
- ; existing vulnerabilities can and will be exploited, resulting in similar results in mobile devices as seen on more traditional platforms.
The real difference is users don’t expect these attacks on mobile platforms and hence aren’t yet modifying their behavior accordingly considering the level of risk.
- On Thursday, the Canadian Broadcasting Corporation announced that more leaked NSA documents show that the CSEC (Communications Security Establishment Canada – Canada’s equivalent of the NSA or GCHQ)
could follow the movements of people who passed through airports and connected to Wi-Fi systems with mobile phones, tablets and laptops.
- The documents showed the agency could track the travellers for a week or more as they and their wireless devices showed up in other Wi-Fi “hot spots” in cities across Canada and beyond.
http://www.securityweek.com/canadas-eavesdropping-agency-blasts-tradecraft-leak
- It’s well worth mentioning that exactly the same type of system has supposedly been uncovered at the 2014 Winter Olympics in Sochi, Russia. NBC reported that devices were hacked within mere moments of connecting to a public Wi-Fi network.
http://gizmodo.com/in-sochi-every-single-phone-and-laptop-is-definitely-g-1516667992 Why is this significant?
- This serves as one more reminder of the consequences of non secured mobile browsing. Although Wi-Fi snooping isn’t new – many users are going to continue to connect to unsecured public Wi-Fi, whether at a coffee shop, library or an airport.
- Over this past weekend a hacker collective that self-titled “Nullcrew”, exposed details of a breach of 22,000 Bell Canada customer accounts. The attack was carried out by targeting a third party provider that is in possession of Bell customer details. While very few credit cards actually got exposed here – the case highlights two main points:
- 1. Most people won’t make the differentiation between Bell Canada and this third party provider. This is a growing problem where companies are being targeted, not directly, but through their partnered organizations.
- 2. Unless someone was just looking to embarrass Bell Canada – it looks like quite a bit of effort was put into acquiring a large number of mobile phone details – another potential example of mobile targeted attacks.
http://www.csoonline.com/article/2136228/malware-cybercrime/bell-canada-hacked.html
- During an audit of the Android ADB (Android Debug Bridge) source code, two security issues within the Android SDK Platform Tools were discovered.
- ADB is is a command-line utility included with Google’s Android SDK. ADB can control your device over USB from a computer, copy files back and forth, install and uninstall apps, run shell commands, and more
- When combined together, these issues can allow an unprivileged local user to gain access to the account of someone that uses the ADB tool. Essentially, a device running an ADB could be accessed and exploited. Google were made aware of the issue and have already released several patches.
Why is this still significant?
- Google are possibly the biggest and strongest player in the mobile world. If their development tool is vulnerable it should make you well aware of the potential dangers of every app.
- Finally, at next month’s RSA Conference, a security researcher will demo a hack that could allow an attacker to capture all the touchscreen movements a user makes on their Android or iOS device.
- This is the natural evolution of Keylogging – planting malware on victims’ computers to track their keyboard movements and steal sensitive inputted data. This is a Proof of Concept attack, which works on jailbroken iOS devices as well as rooted and stock Android devices.
- Once installed, the malware tracks where a user touches their screen, giving the attacker insight on logged passwords, usernames, banking information, password gestures and potentially much more
Why is this significant?
- It’s an intriguing step forward in malware capability. While older complex methods of data collecting are becoming more widespread, newer methods are also being developed.
- http://www.scmagazine.com/researcher-to-demo-hack-for-logging-android-ios-touchscreen-movements/article/331894/
See you next week!