Symantec Blogs: Security Response

M.K. Low | April 1st, 2009

Mobile security was a hot issue at the CanSecWest conference, especially with the prolific use of smart phones for both enterprise and personal use. During my commute to work, it seems that everyone on the train is using their smart phone, pushing those little buttons on their little keyboard to send emails, surf the Web, or check the score of last night’s hockey game. A smart phone is more than just a phone; users can use them to download applications to do anything from update their profile on social networking sites to search for a great Thai restaurant to bowling downhill. My husband even has an application on his smart phone whose sole purpose is to make the most annoying noise on the planet (needless to say, I was not excited when he showed it to me).

So why would an attacker target smart phones? Smart phones have properties that traditional computers may not have: they are always on, 24 hours a day, 7 days a...

Andrea Lelli | November 13th, 2008

We have already seen a file infector working on smartphones (see WinCE.Duts.A) and a worm that could spread by infecting storage cards (see WinCE.Infomeiti). Now, we have the first polymorphic worm (although some refer to it as a companion virus) that affects smartphones running the Windows CE platform on ARM processors—it is known as WinCE.Pmcryptic.A. It spreads by generating a new polymorphic copy of itself each time, and can cause a severe nuisance on a compromised phone (including unwanted phone calls to toll numbers).

After analyzing the sample, we discovered it contained many interesting payloads. So, we executed it on a test...

Henry Bell | August 20th, 2008

There’s nothing like coffee one-upmanship to make the blood boil. “You’re still drinking lattes? With actual milk from a cow? Good grief, where have you been?” Nowadays though, it seems that coffee one-upmanship is no longer enough to secure the seemingly coveted “hippest person in the café” crown. Now that portable devices are actually portable, cafés and other public spaces seem to be prime territory for people keen to show off their technological gadgetry.

I’ve been keeping an eye out during my recent café trips – doppio, natch – and usually around half of the customers are tapping away on notebooks, ultra-portables and tablet devices. This is, admittedly, in tech-enamored Tokyo, but the use of truly portable and network-capable machines is clearly going to increase as specs go up and costs come down. Cafés are finding that free Wi-Fi access is now expected by their gizmo-toting customers.

Early adopters of technology...

Orla Cox | January 7th, 2008

Reports started appearing on Saturday regarding the existence of malicious packages for the Apple iPhone. A package called "iPhone firmware 1.1.3 prep", which was described as “An important system update. Install this before updating to the new 1.1.3 firmware.” was reportedly causing problems for iPhone users once uninstalled.

According to various reports, installing the package doesn't have much effect on the iPhone. However, uninstalling it may cause problems, as the malicious package overwrites some other applications during the install. Some of the applications it overwrites are "Erica's Utilities" (a collection of command-line utilities for the iPhone) and OpenSSH. If the user chooses to uninstall the bogus package, these applications will also be removed. Affected users will need to reinstall these applications.

This is technically the first Trojan horse seen for the iPhone; however, it does appear to be more of a prank than...

Téo Adams | November 29th, 2007

Recently there have been several reports of security flaws in a product provided by a company called Mobile Spy. The product is an application for Windows Mobile smartphones. The application logs various forms of communication data transmitted to and from the phone and sends it to a hosted database. A user can log in to the web service and view all the data that has been logged.

The idea behind this product is that it’s installed on a device without the knowledge of that device’s user (for example, an employee, child, spouse, etc.). The party who installed it can then monitor the user’s activity to ensure that the device is not being abused. A company manager, for example, can make sure that an employee is not making personal calls or sending personal text messages from a company device.

For the most part, this seems like a reasonable idea, but the security flaws in both the...

Ollie Whitehouse | November 20th, 2007

I was interested in getting some rough numbers on publicly disclosed vulnerabilities in Symbian and Windows CE/Mobile platforms and applications. I cannot say with any degree of confidence that what I present below is reflective, simply due to the fact that different bugs get categorized under different vendors, platforms, or keywords. What I can document is the method I used to arrive at the below numbers. I used cve.mitre.org and did the following:

• searched by vendor, platform for Windows Mobile & Windows CE
• searched for keyword MMS picking out those relevant
• searched for keyword SMS picking out those relevant
• searched for keyword Symbian
• searched for keyword Nokia picking out those relevant

So the summary is that there are 16 for Windows CE/Mobile and six for Symbian. I guess this demonstrates people are finding vulnerabilities in these two platforms. If we take out the third party applications on Windows CE/...

Eric Chien | November 12th, 2007

All of the recent rumors about Google releasing a "gPhone" were finally put to rest with their release of Android, which is a software stack for mobile devices. Android includes an operating system (Linux), middleware, and some default applications like a browser.


Applications are developed using Java and use a framework provided by Google including their own virtual machine (Dalvik virtual machine). The entire framework is open source and Google (as part of the Open Handset Alliance) wants to bring openness to the mobile ecosystem, allowing anyone to write applications and make use of all of the functionality available on handsets.

Of...

Ollie Whitehouse | November 8th, 2007

Well, we’ve arrived at where we’ve been trying to get to for some time. That is to say that we now have the ability to release security advisories for Windows CE & Windows Mobile after working through the accepted responsible disclosure process with Microsoft. It hasn't been easy, with us initially reporting issues back in February 2006, but we’ve finally got here. This really marks a milestone for COTS mobile platforms even though we did achieve something similar back in 2003 with Nokia and their proprietary OS and recently with Palm OS, but getting vendor responses on mobile security issues (with maybe the exception of RIM) has historically been hard work.

A quick thanks to all those involved here at Symantec: Katie (before she left), Tyler, as well as the folks over...

Scott Roberts | October 23rd, 2007

On the day I got my iPhone I submitted a bug report to Apple. It wasn’t truly a bug, but I didn’t know of a better way to express my disappointment involving the absence of a software development kit for the iPhone. It just seemed like too unique of a device to not be able to create applications for it. Perhaps a bug report was a bit of a low blow, but I never expected I'd hear anything back. However, the day after Apple announced they were going to release an iPhone dev kit in February of '08, I got an email in response to my "bug." Now, this email was identical to what Apple posted in the "Hot News" portion of their Web site and while I'd seen it before on many of the Apple news sites, this time I actually read it. One big section stood out in particular:

“It will take until February to release an SDK because we’re trying to do two diametrically...

Ron Bowes | October 15th, 2007

Let's say that an employee in your company gets a new laptop. He's excited about the laptop's WiFi capabilities, but the company he works for doesn't have wireless capabilities. What's he do?

One option is to bring in his own wireless router. He goes down to the local computer store, picks up a router for $39.95, and brings it to work. He plugs it in, boots up his laptop, connects to the network called "default," and is happy to use his laptop from anywhere in the building.

Another possibility is that he opens up the "wireless connections" panel of the laptop and sees a list of possible networks to join. He may not realize that the access points are on networks belonging to other individuals or companies. In the unlikely scenario of a targeted attack, he may even see an official-looking access point named after his company. In either case, he connects to somebody else's wireless network, finds that he can access the Internet, and...

Ollie Whitehouse | October 14th, 2007

O.K. - firstly - long time no blog. Secondly, apologies for that - a mixture of vacation, work, and work travel has recently seen me distracted a little from my blogging duties (my plate spinning is improving, however). Anyway, with the apologies out of the way, onto the subject of this blog. Recently I was invited by Microsoft to speak at BlueHat on Windows CE/Mobile security, even being given a guest spot on their blog and doing a podcast for them. Pedram from TippingPoint has provided a good summary of the talks that saves me from...

Michael White | October 10th, 2007

Further to the research already done on unlicensed mobile access (UMA) by our security researchers, I've been looking at a couple of alternatives to UMA services. As you’ll recall, most UMA threats surround increased exposure to the operator’s core network, as they are basically an extension of the core network and its protocols.

The services that I’ve been looking at are very similar but are not true UMA in this regard; rather, they may be best described as Mobile VoIP. A new crop of providers are appearing in this space, fuelled by WiFi-capable smart phone handsets. And, when they do appear, they don’t have any of the operator baggage to worry about, so are free to adopt the next generation standards rather than modify existing ones.

So, where’s the security point to this post? Well, when I say “looked at” these services, I didn’t mean admiring the user interface. I set up a couple of handsets...

Patrick Fitzgerald | October 2nd, 2007

Wireless Equivalency Protocol (WEP) has been one of the hottest topics in Irish news over the last few days. One of the leading providers of DSL in Ireland has supplied users with wireless routers protected using WEP. What made this newsworthy is that it has emerged that the WEP keys used to encrypt the network traffic and to control access to a private network were generated using the SSID (Service Set Identifier). The algorithm used to generate the encryption keys has been analyzed, and a tool is freely available which allows anyone within range of the router to trespass on a wireless network that has been secured using the default settings.

The DSL provider and media reports are advising customers that if they change their WEP keys, they will be safe from any trespassers or malicious attackers trying to get onto their network. While it is true that changing the default WEP settings will mitigate this particular attack, it will not make your wireless network secure.

WEP is...

Brian Hernacki | August 29th, 2007

So far in this series, I've posted a blog that talked about municipal Wi-Fi security in general and a second blog that talked specifically about Wi-Fi network identification. In this post, I want to cover muni Wi-Fi network authentication. There are essentially two parts involved with Wi-Fi authentication. The first part is how you authenticate to the network and the second is how the network authenticates to you.

Most people are familiar with the first part. Many Wi-Fi networks will dump your browser to a login page where they ask for a username and password, or even a credit card number to use to bill you. Some of the more secure networks will ask you to provide authentication information more directly. I...

Ollie Whitehouse | July 19th, 2007

On the desktop we have many different executable compactors, compressors and encryptors. These are used to protect and/or obfuscate binary files. These can be employed by software authors and malicious code authors to protect their code from reverse engineering (though, typically in vain). A while back, we saw a surge of malicious code authors using these tools to obfuscate their code against signatures. It became a case of:

10 Download executable compactor
20 Pass existing malicious code through it
30 Release on Internet
40 Wait for signature to be added to antivirus
50 GOTO 10

This got a bit boring for antivirus vendors like Symantec, so we introduced executable decompression support to our AV engines (as discussed in the Internet Security Threat...