Friday, 25 May 2012

Lies, damned lies, and statistics… What do statistics tell us about the real risk from mobile malware?

The Evidence
Mobile malware, in particular Android mobile malware, is rising. This is a fact.

It has been rising slowly since 2004, as the figures below from McAfee detail, and the rate has been accelerating since autumn 2011 when a number of high-profile cases of Android mobile malware hit the press. This included Google’s official Android Appstore, then called Market now called Play, being used as a method to distribute Trojanised apps to unwitting customers. GGTracker [1], SuiConFo [2] and RuFraud [3] were all Trojanised Android apps that were attempting to defraud consumers largely by attacking the Premium Rate Service industry through the unauthorised sending of Premium Rate SMS messages.

Mobile Malware Explodes, Increases 1,200% in Q1/2012

Source: McAfee Threats Report: First Quarter 2012

“A comparison between the number of malicious Android application package files (APKs) received in Q1 2011 and in Q1 2012 reveals a more staggering find — an increase from 139 to 3063 counts.” Mobile Threat Report Q12012, F-Secure

Figures from Goode Intelligence’s annual mSecurity survey back this up with a rise in the number of reported mobile malware incidents – read infection – in the workplace from 7% in 2009 to 24% late in 2011; nearly a quarter of all organisations. This figure is alarming.

GI mSecurity Survey: Has your organisation experienced a mobile malware incident?

We are also seeing evidence from other sources including telecommunications regulators. In the UK, the country’s premium rate regulator, PhonepayPlus, has been involved in investigations into premium rate fraud directly caused by mobile malware.

With the assistance of Goode Intelligence, (providing research and analysis into the link between mobile malware and PRS fraud), PhonepayPlus are proactively tracking instances of mobile malware that are attacking PRS.

One of these investigations hit the news recently and resulted in a hefty £50,000 fine for a mobile aggregator, A1 Aggregator Ltd based in Latvia, for managing the SMS shortcodes that were used in the RuFraud malware attack. From late November 2011, after receiving 34 complaints from consumers of unauthorised PSMS charges on their phone bills, including an individual losing around £80, the regulator investigated further and tracked the fraud down to Trojanised versions of Android Apps distributed via Android Market (Play). The fake apps included Trojanised versions of Angry Birds Assassins Creed and Cut the Rope. Consumers had no knowledge of three PSMS messages being sent every time the Trojanised app was started. Each PSMS message was costing the unwitting user £5.00.

In this one case 1,391 mobile numbers in the UK were affected and an estimated £27,850 worth of fraud was attempted. Due to the swift action from the regulator, the shortcode was suspended and none of the £27,850 of UK consumer’s money was able to reach the fraudsters.

PhonepayPlus found evidence of the RuFraud Trojan operating in 18 countries.  Thankfully the UK has a regulator that is well advised and has put into place procedures to ensure that this emerging area of PRS fraud is actively monitored. What about the other 17 countries that were targeted by this malware? How many consumers have been affected and how much financial damage has been done in regions where regulation is not so proactive?

The Risk
There is evidence from multiple sources, including our own, that mobile malware is rising and it is targeting consumers for, amongst other reasons, financial fraud.

On the face of it, it seems that the risk of malware infection is getting stronger and both consumer and enterprise mobile users should take preventative measure to counteract that threat. These preventative measures include being cautious when downloading Android apps from appstores, including Google Play and from third-parties, and checking the permissions carefully. There is also the option of protecting your mobile device with a mobile security product that is proven to be effective in preventing mobile malware.

Android is being targeted as it has a more open platform for downloading and installing apps and it is becoming the number one mobile platform around the world. This makes it the number one target for malware in today’s mobile market.

However, we should also be cautious in assessing the current risk to both consumers and enterprise users from the threat of mobile malware. Apple’s iOS has been free of malware and there have been very small numbers of malware that have been known to affect BlackBerry devices. 

Additionally, Google should be applauded in acknowledging the threat from Trojanised apps in Play by deploying a solution, Bouncer [4], which attempts to detect mobile malware on upload. Bouncer was announced early in 2012, although it has been running during 2011, and it is probably too early to state how effective the solution is in preventing mobile malware on Play [5].

There is also an acknowledgement from third-party Android appstores that security is important as a business differentiator. Goode Intelligence surveyed a number of the third-party appstores and was pleased that over two-thirds of the respondents (68 percent) replied with a ‘yes’ to the question “Do you think there is a commercial benefit for an app store to offer malware detection and prevention technology?” The tools are available for these third-party Android appstores with AVG [6] amongst the vendors offering specific security solutions aimed at preventing the spread of malware from these appstores.

Yes the statistics do tell us of double and triple digit growth in mobile malware, mainly targeting the Android platform. However, the risk is still relatively low and the financial fraud that is being committed as a result of mobile malware is currently low in value. These are still early days in the history of malware targeting mobile platforms and indications are that the business drivers for attacking these platforms is growing which could result in the situation getting worse – especially in the short-to-medium term.

And in answer to the question of attacks on Apple iOS, will this happen? You betcha! As the famous US bank robber, Willie Sutton, said in response to the question why he robbed banks; "because that's where the money is." Whether they will succeed is another matter and the topic for another blog.

Alan Goode
May 2012

[2] Although this article from Andy Greenberg on Forbes questions how effective Bouncer is:
[3] Press release in the partnership between AVG and Livewire:

[5] Covered by Denis Maslennikov of Kaspersky Labs in this blog:
[6] Covered by Lookout Mobile Security in this blog:

Friday, 11 May 2012

Why 2012 is the year of Public Key Infrastructure

We are regularly bombarded by news stories that announce the death of this or the death of that. From memory, we have seen “the death of cash”, the “death of the PC” and the “death of the token”. Usually, these predictions are triggered by some sort of an event, perhaps the publication of a new report or after a security incident, e.g. The RSA Security breach. But, after the dust has settled and the crisis teams have moved onto the next event, what impact, if any, is felt on the product or technology that has been affected?

In a guest blog, Calum MacLeod, EMEA director, Venafi, explores the role of PKI in a post-Comodo world and suggests that 2012 could be “the year of Public Key Infrastructure”.

Alan Goode May 2012

Why 2012 is the year of Public Key Infrastructure

Comodo, Sony, RSA Security and many more have been badly breached recently - but does that mean the death toll for PKI? Calum MacLeod, Venafi EMEA director, cautions on ringing that bell yet

Recently, the IT security world was shaken to its very core. Established and trusted organizations fell from grace as they became victims of hacking. In the case of Comodo and StartSSL the resultant outcry has seen many quick to declare that public key infrastructure (PKI) is dead or dying. However, I believe it is the best we’ve got and it will not be replaced any time soon – to argue otherwise is a waste of energy. In fact, I actually think the reverse and that 2012 is the year of PKI.

I could spend ages telling you about the various hacks and what went wrong but - as many others have already done that – including myself. Let’s assume however you either know or have read about it elsewhere.

Instead, let’s focus on the critical role certificates and PKI play in securing data and authenticating systems across all types of organizations. And think of all the systems that now leverage (and very effectively I might add) PKI, including the traditional IT data center infrastructure, public and private clouds, and an exploding number of mobile devices that require authentication, to name just a few.

Within a PKI, a certificate authority assigns each system or user a unique identity - a digital certificate - that allows the certificate holder to work within the protected environment. This allows organizations to let customers, partners, and employees to authenticate to systems and users. I would argue, perhaps controversially, that PKI delivers a virtually seamless experience for users while providing trusted security.

And it is the word trusted that many of you will scoff at.

How can they be trusted?
To pretend that they’re infallible is churlish. Instead, what needs to be recognized is that the world we live in is imperfect and, a bit like a car, we need more than one security feature if we’re to prevent ourselves flying through the windscreen.

Let’s use the car analogy to illustrate the point. Cars have brakes to stop them in an emergency. Yet, all too often, there are accidents. Has anyone pointed the finger at the braking system and declared it dead? Of course not. Instead, the designers have worked tirelessly to improve the overall safety of vehicles, installing impact bars and roll cages, seatbelts, and an airbag just to make sure. An organizations security should be approached in much the same way.

To do this, we need to first understand the challenges faced. Depending on the IT environment where keys and certificates are being deployed, some or all of these risks may apply:

  • Certificates that are not renewed and replaced before they expire can cause serious unplanned downtime and costly outages
  • Private keys used with certificates must be kept secure or unauthorized individuals can intercept confidential communications or gain unauthorized access to critical systems
  • Regulations and requirements (like PCI-DSS) require much more stringent security and management of cryptographic keys, and auditors are increasingly reviewing the management controls and processes in use
  • The average certificate and private key require four hours per year to manage, taking administrators away from more important tasks and cost hundreds of thousands of dollars per year for many organizations
  • If a certificate authority (CA) is compromised or an encryption algorithm is broken, organizations must be prepared to replace all of their certificates and keys in a matter of hours
  • The rollout of new projects and business applications are hindered because of the inability to deploy and manage encryption to support the security requirements of those projects
Manage Certificates Properly
As this highlights, certificate and encryption or private key management can be complicated. The fact that there are typically several people involved in the management of certificates and private keys makes the probability of error even higher.

By clearly defining roles and responsibilities so that everybody knows what they’re responsible for can significantly decrease the likelihood of failure and make it easier to work out how to improve processes when something does go wrong. In some areas, system administrators will manually enroll for and install certificates. In others, a central system may be used for automated installation.

The last thing you want as an organization is to be running around trying to figure out who is responsible for a key or certificate when an issue arises. Compile a list of responsible groups and/or individuals for each key and certificate in your inventory and develop a method for keeping the information current.

Prepare for it
If you act on the principle that you’re going to be hacked – it’s just a matter of time – then at least you’ll be prepared should happens.

Just like brakes in a car, encrypt everything. Ensure that your encryption systems provide the security they are designed to deliver while simultaneously reducing operational risk and administrative workload. Finally, know where everything is.

PKI and SLL are sensible platforms for certificate management. Abolishing them and putting something else in their place is not feasible – the vehicle already exists and it is not going away anytime soon. Instead, organizations need to recognize the challenge of using them and decide how they’re going to handle the coming explosion in certificates.