Those Who Cannot Remember the Past are Condemned to Repeat it.

During the last decade, many Information Security practitioners have predicted the rise of mobile phone malware. The predictions thus far have fallen short, however, there have been the occasional incidents of malware infections but to date nothing has occurred on a mass scale. I cannot predict when such malware becomes lucrative enough to develop, but I do believe that the transformation of a mobile phone to a fully functional computing system with a robust browser may signal that the day is coming soon. With the recent increase in mobile phone functionality there is an increase in sensitive data stored on the device, thus making it a valued target.

Those of us who supported and used corporate computer systems during the early part of the millennium, remember the chaos caused by virus and worm outbreaks. Being a desktop support tech at the time, it was not unusual to spend several days chasing a worm around the corporate network while frantically locking and patching systems as you went. The users were not happy, management was not happy, customers were not happy, and I can personally tell you none of us in IT were happy.

At the time, patch management was not centralized at many small to mid-sized organization; servers were installed with the default settings; users ran with local administrative rights; code reviews were non-existent; and wireless, if encrypted at all, used WEP. Over time, many organizations became conscious of the value of securing their systems. Well, some organizations did anyway.

There is a lesson to be learned in the history of computing. The mobile platform that we all use today is, for all essential purposes, the PC of 1999 all over again. The aforementioned problems of the PC during the late 90′s still exist now on the mobile phone. Moreover, what limited security features that do exist on this platform are often not enabled or configured.

During 2009 we began to see the emergence of malicious software on the mobile phones. In July 2009, the BBC reported about mass distribution of spyware on Blackberry devices in the United Arab Emirates. In November, two iPhone worms were making the rounds (http://www.f-secure.com/weblog/archives/00001822.html and http://www.f-secure.com/weblog/archives/00001814.html). Several credit unions reported malicious applications in the Android Marketplace targeting banking credentials in December (http://www.bayportcu.org/site/mobilesecurityupdates.html and http://www.firsttechcu.com/home/security/fraud/security_fraud.html).

At ShmooCon 2010, I watched a talk presented by Tyler Shield of Veracode entitled “Blackberry Mobile Spyware – The Monkey Steals the Berries” (watch the presentation at http://shmoocon.org/2010/videos/BlackberryMobile-Shields.m4v). During the talk he demonstrated proof of concept malicious code for the Blackberry platform. Veracode has posted numerous blogs about the presentation and issues demonstrated but I think Chris Wysopal formerly of L0pht and @stake summarizes the situation facing mobile phone users the best:

“We need to leave the “detect and revoke” mentality of the PC world behind as we move to new platforms. Attackers are able to game the PC antivirus model by continuously flooding the software ecosystem with new unknown malware. The attackers will win in the mobile world too if we don’t change it. The mobile app store is a form of whitelisting that can assure the security of an entire platform if the whitelisting means something. That is if the apps are tested for security before being published.”

I could not agree more. The unfortunate truth is RIM, Google, and Apple are not performing any detailed code review and security testing right now. Moreover, the only mobile solution that provides any measure of centralized security is RIM’s Blackberry Enterprise Server and many companies are not leveraging those features and settings. The title of this post is a well known quote from George Santayana and is sometimes referred to as the Santayana’s Law of Repetitive Consequences. I fear the security failures of the past apply to the mobile platform of today. Let’s hope we take heed and act. I think everyone could agree that the thought of chasing malware around on a platform that knows no physical bounds would be counterproductive to any organizations’ goals.

~ Tim M.

**************

Hey, some jerk has posted your pictures (u understand what kind of pictures are there) and sent a link of them to all ur friends. I have already replied back. Said, that he is an idiot. See the link:

http://photobank.********.****.*****/id1073bv/get.php?email={Your Email is here}

{SOME NAME}

**************

Newsflash folks, they haven’t. Well, at least not the people purporting to have done so in this email!

Educate your users, don’t click on the link. We’ve had a user actually do so and managed to infect their machine. To most, it seems more of a pain to clean it than anything. But let’s put it this way: Your technical company (or your internal technical person) has to go clean this up. Say your outsourcing firm charges $100 per hour. Something like this takes at least 2 to 3 hours to clean let alone ensure it has been eradicated. I’m not counting the checks of ALL your other systems on the network. Now we’re talking more along the lines of 5 or 6 hours. Now factor in the cost of the downtime to the user who has been infected. Now you’re looking at $1,000 or more in real money that has been lost. Now factor in there is the very real possibility this user has had documents lost or destroyed by this virus.

User education doesn’t seem so expensive any more.

It has been my observation over the past few weeks that thee has been a sharp increase in these fake av’s. So be on the lookout and make sure you and your employees KNOW what programs are on your machine.

<!–Ads1–>

<!–Ads1–>

So, what is KeePass? From their site…

“KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).”

I’ve been using this program for the last few years and love it. It is a native Microsoft Windows program but others have ported it to a multitude of operating systems including MacOSX, Palm, WindowCE, PocketPC, Linux, Blackberry and more. So what this means is, you set-up one master password linked to this one file. You share this encrypted file among all your systems (including your smart phone) and you have all your usernames, passwords and associated websites all at your fingertips. Neat, huh?

I’m very much looking forward to their 2.0 release which is currently in beta. The added features (like sharing a password database and having it sync and merge changes) look like they could be a big help.

Find KeePass for Windows here and its Mac version here.

http://docs.google.com/Presentation?id=dghttrwg_26c47c5xcx

– Admin

What does this mean to you as a Business owner or employee?  It means that you should take steps to get your systems patched, quickly.  You should probably aim to have this done with in a week, possibly push it to November 1st or 2nd to check that patch does not negatively affect your systems.

Here is a link to the microsoft advisory http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Update

This affects Most versions of windows, and is available on windows update.

– Admin