MALICIOUS THREATS

MALICIOUS THREATS CELL PHONE MALWARE - HISTORY & DANGERS

Computer Viruses, Trojans, and other related Malware, designed with the clear objective of circumventing some levels of security, in real time, have been with the computing community since the mid nineteen eighties. In fact in their conceptual form they were documented by Fred Cohen, who demonstrated their potentials on the UNIX Operating System, work which was further progressed by Ralph Burger who wrote Computer Viruses – a High Tech Disease.

In their early incarnations, viruses tended to be very low in their numbers in the wild, and were mostly concerned with infecting Files, or Operating System Boot Sectors on Intel PC's. In fact in the mid eighties, when the considered potential dangers were presented to CESG (UK Government) it was commented that they [viruses] were considered to be just a passing nuisance! However, it was not long before the virus proliferation numbers increased, impacting Business Operations with infections like Cascade, Coffee Shop, and Joshie. Interestingly enough, one of the very first viral outbreaks to impact the UK MOD (Ministry of Defence) was actually the Cascade Virus, which caused the letters presented on the screen to cascade down to the lower section of the VDU – rather annoying. Out of this state of emerging insecurity saw the growth of the Anti-Virus Industry, and organisations like Norton, Shphos, and Dr Solomon's emerging as computing household names, provisioning end user, and business anti-virus solutions. Then came the advent of the Computer Worm, with its wider spread impact, followed by Polymorphic (self modifying code), and then smarter encapsulated methods of delivery intended to avoid detection of the deployed Anti-Virus Solutions, all getting very Cat-and-Mouse.

In the early days of the spread of viruses however, the intent of the originator was largely to boast their creativity with some very overt action by say displaying a message on the computer screen, generating sound, or in the case of some smarter, and more interesting viruses, inviting the user to play a game – if they won, they got to keep their Operating Systems intact, and in a working condition – if they lost their operational system was no more.

Today however the creators of Viruses, Trojans, and Malware have grown to be very business focused, and no longer send out their wares with the intent of simply announcing their presence. The objective now is to infiltrate the local secure logic of the device, embed or connect into some other form adverse code, and then to perform actions such as stealing information, or to say utilise the local resources of the infected systems – say by using its local hard drive to store information, or to use its Internet Connection to attack another computer or organisation! And all without the knowledge of the user/owner.

Today, the Computer Virus, Trojans, and Malware are well known vectors of attack, and in most homes, and businesses one tends to find some form of defence in the form of Commercial, or Free Anti-Virus solutions deployed to provision as level of protection.

Like all trends they tend to increase with the advancement of time, and technology, and in the case of the Computer Virus, Trojans and other Adverse Logic (AKA Malware) this is no different.

SPAM

The early days of SPAM, and the posed threat was again a case of history repeating itself. Around 2005, I raised and alerted the potential security issue of a new protocol, and conduit to support delivery of adverse and malicious content with a number of Government, and Industry focused bodies. The reception of this early warning information was a replication of the early day virus threats – SPAM was at that time concluded to be an annoyance, and was tolerated as something that just had to be dealt with as a nuisance factor! As we now accept, SPAM today is a major conduit and delivery channel to support the delivery of adverse objects ranging from Malware, Trojan Horses, and is a viable tool for utilisation to support the Hacking, and Criminal, and Organised Crime to generate Millions in revenue on an annual basis!

CELL PHONE MALWARE

Go into any Cell Phone Retail Outlet to buy a modern Cell Phone, and it soon becomes very obvious that is much more that a simple device on which the owner can make calls. The average device is now populated with a smart e-mail client, Office Applications, Widgets, Tools, High Capacity Storage, Download Centre, Update Manager, WiFi, Bluetooth, and 802.x Wireless Connectivity., not to mention the always on (area allowing) 3G, and Edge Connectivity, and VoIP – and to put the icing on the cake, all topped off with an Internet Browser.

The upshot here is that our Cell Phone is no longer the simple device which which we called business contacts, friends, and family, but now represents a Micro Hand Held Computer with processing, storage, and smart capabilities that far exceed the early incarnations of the first Desktop Systems running on 68000, and 16-bit 8086 processors. Without doubt, devices running on the latest Symbian, and Android Operating Systems are very smart, and technologically intelligent, and capable devices.

Working in the capacity of Academic Research, the issue of Cell Phone Security, and Threats were raised by Nottingham Trent School of Computing and Informatics as far back as 2005. However that observations of next generation of risk were again discussed at Conference in 2007, and 2009, and these new vectors of insecurity, and exposure were again considered not realistic. In fact in 2007, whilst presenting at a Conference in the East Midlands, it was the wide and considered opinion of some well known researchers that e-Crime was actually on the decline – and opinion which I contended at that time.

Cabir: So where are the real threats today? One of the first programs originated to target the HHMC was Cabir. In this case it was a produced as proof-of-concept Malware carrying no intended payload to cause adverse impact or damage to the target host. However, Cabir was made available on the Internet, and within approximately eight weeks it had been released into the wild, and spread to a global audience! In fact if one cares to look today, Cabir is available for download from multiple locations for free download – for whatever purpose.

So just what are the current levels of threats in relation to the Cell Phone? Well in basic terms it is a manifestation of the early threats posed at the Desktop PC. For instance, as they have access to a wide range of connectivity protocols, and can access the web, they are open to potentially the same (or similar) vectors of threat that are encountered at the desktop. Whilst the take up may be slow for on-line Banking, I am nevertheless aware of people who do do it. When working in public places, or travelling on WiFi enabled Public Transport such devices may connect to, and remember previously connected networks – thus with such configurations in place, by simply being in range, the device will hand-shake, and connect without any intervention by the owner! Added to this set of risks, there is the potential to socially engineer a target user to send him of her a link like:

Hi – long time no see. It was great meeting you last year at that Conference. I was really impressed with your background, and know the link below will be of interest:

www.notawiselink.com

With a little smart research, it can be easy to work out some basic facts about interests, event attended, and with a simple bit of Crafting, the attacker may then send out the hook – what is at the end of connection is of course very much down to the intent, and imagination of the sender – but one thing is for sure, connection could be bad for both you logical, and financial health.

Within the last 12 month period the criminal, and hacker interest, and for that matter research into the area of Cell Phone centric Malware has intensified, and is now considered by a growing number to be the next, and new vector of attack on personal, and business use of mobile assets. Consider the prospect of going to where the money is – Cached and stored credentials, notes, contacts information and possibly some locally stored business information assets, and Corporate IPR intelligence, all of which have an intrinsic value. It could also be that there is the core objective to infiltrate, and circumvent Cell Phone Security to install some form of Trojan object to gather, or use the devices personal space, connectivity, or whatever else the attackers has in mind – don't forget, as with the aforementioned cases of Viruses, and SPAM, just because it is not a high volume threat today should not be interpreted as something that may be discounted. In fact, this is now far from the case, where organisations like McAfee have written papers on the subject, with other Anti Malware Researchers such as Symantec, and Kerpersky Labs now developing, and making available Anti-Malware solutions for some derivatives of the Smart Cell Phone, or should I say HHMC (Hand Held Micro Computer).

CCONCLUSION

As with the outlined history of viral, and malicious threats, they have started small, and grown exponentially over time to present the current day threat the every computer user, and business alike potentially encounter each and every day at both home, and at work. With the advent of Cell Phone Malware, whilst these threats are in their early days, given proven mobile infection have been demonstrated to present threat to the device, then it may be assumed that the Criminal Fraternity, Hackers, and the Malicious will start to maximise exploitation to their own interest and end. In fact, according to the well respected Mikko Hyppoonen (F-Secure) there are now well over 300 types of Malware that have been crested for the HHMC, including Trojans, Worms, Spyware, and Viruses.

Where Cell Phone Anti-Malware is concerned, granted they is in its early incarnations, nevertheless it may be again concluded that, dependent on the users quest to achieve security, and to provision a reduction of risk to their HHMC, they may choose such a solution to provision such increased assurance.

The overall conclusion is, whilst these threats are currently at their bleeding edge, they should be expected to grow, and thus for business, and the end user of any such HHMC, no matter their Operating System upon which they reside, it is highly recommended that they at least remain tuned into any emerging threats.

Patch Me UP

It has proven to be an interesting week where vulnerabilities are concerned - Google Chrome would still seem to be up there with the best of them with exposures which can be exploited by malicious people to conduct spoofing attacks, bypass certain security restrictions, and potentially compromise a user's system – not a good start to the browsing day on the Internet.

We also see a week in which the applications are again proving to need a little maintenance to keep the Home, and Business Assets Secure - Adobe Flash Player, Adobe Reader, Sun Java JDK, Mozilla Firefox, Foxit Reader, Opera Multiple, Internet Explorer, and Microsoft Windows (O/S).

What should all of this tell us – well, one thing is FACT, if the computing asset of choice is not maintained in a current, and patched condition, it just may be that it could suffer some form of compromise before to long – so tune in, and apply those patches.

The Age of the Smart Cell Phones

The Age of the Smart Cell Phones is upon us, and no matter be they based on the good old Apple brand, or based on the smart platform of Android, these new tiny hand held devices bring to the palm of your hand computing power, which once upon a time would not have been achievable by the lump of plastic sitting on your desk – called a Computer (PC).

Each of these new Smart Devices have capabilities to connect to the Internet, communicate via protocols, such as Bluetooth, Wi-Fi (802.11x), and in some cases Ir. These devices have on-board, very capable CPU processing power, and host the potential to store information in Solid State Memory up to 32GB – simply amazing.

And no doubt, the future of these devices will see them jump to the front of the corporate usage line, with increased usage to drive the business mission forward – hmmm, all very positive stuff.

But there is always a downside, and here we are talking about Security. First of all, there are hundreds, if not thousands of applications in the pipeline for the Android, and for anyone who has ever installed one such application, they will have notice they, on occasions, demand many services which could be exploited for some distant miscreant purpose. However, in most cases I have observed the users simply feel so encouraged by the newly offered functionality to be enabled in their hand, they do tend to agree to everything, and go on to install.

Smart Cell Phones are also subject to potential attacks by specialty crafted URL’s, and of course, given they are Internet savvy, are open to Malware, Phishing, and any other level of crafted exploit aimed at the palm of the hand.

So where do we go from here – well when using, or for that, allowing employees to leverage their own personal Smart Cell Phones to conduct your Corporate Business, it may be a good idea to consider your on-campus Corporate Security Policies, and extend it out to such out-of- band assets.

To conclude, I recall one event where a large Corporate was refreshing 10,000 cell phones. The instruction was, go to the Canteen and hand in your old device. By return, the user received his/her band new and shiny all singing, and all dancing smarter Cell Phone. However, during the process, it was noticed that the S word had not been considered (Security) - Guess what, over 80% of the recycled Cell Phones destined to leave the hands of Corporate Control contained Company Business, and Sensitive Data, Contact Lists, and even is two cases, the user’s Personal Banking Details, and Transactions – Small device admitted, but nevertheless, the potential impact from a breach is still considerable.

Expect to see the Smatter Cell Phone come into its own in the next 12 month, and by the same note, expect to see the interest of the hackers also increase to circumvent the aspect of security – these are after all, smart devices, operating on the very perimeter of the Operational Environment, and thus carry risk!

Illegal Flowers and Cyber Threats

To be at the leading edge with public observation can be both a painful and lonely place to be - but then if we only speak in repetitions about what to be known or safe, I doubt this approach would amount to any form of commercial or academic learning or progress.

It was approximately two years commenting on what many had been saying in private, relating to the involvement of China in Cyber Spying, and the mounting attacks against government targets.  What was even more interesting was, at that time was, many in higher law enforcement positions, or other public office, fully agreed with what had been stated. However, it was made very clear that, with the Olympics pending, the timing of any such statement imperfect!

The counter argument was, that whilst, admittedly there was no clear and conclusive evidence that any such actions were state sponsored by the Chinese Government, or for that, even condoned, thus the underpin of the assertion could be considered flawed – right! However, given that China (.cn) boasts a Cyber connected Firewalled environment, supported by an estimated 30,000 operatives who are empowered with monitoring, and high surveillance capabilities, which can detect even, the slightest whiff of cyber-dissent, then does this not beg the question as to how such hostile cyber-aggression could be accomplished without state detection!

Could it be that the perpetrators have knowledge of the internal security mechanisms deployed within the surveillance shroud of the Great Firewall, so thus may easily circumvent its controls and detection mechanisms?  Or could it be that such actions are fully, or partly sectioned, and sponsored by Government Agencies?

Lastly is it the case that, whilst such activities are not state sanctioned, or sponsored, they do enjoy some liberal blind-eye tactics which allow such unfettered cyber attacks to continue?

Research into this subject, aligned to harvested data obtained from commercial organisations, clear evidence and artifacts have been found to exist, which, by interpretation strongly infers that attempted cyber incursions and attacks had been mounted from the electronic soil of China.

In some cases, the particular attacks ran on a daily basis, targeting a number of large commercial organisations located in both the UK and the US. What was even more interesting about the vectors of attack was, in a number of cases, the time, size, and profile of the attacks were extant on each and every day – one could ask the question why? In a number of these identified cases, some organisations found they could technically tolerate the conditions, as they had not manifested in any apparent operational impact. 

Even more worrying, even though these probes were regular, they were not reported in to any agency, or authority!

Back in 2008, post the reported attacks against the UK, the US, and Germany, which were tagged Titan Rain, protests were made to the Chinese Government about these miscreant cyber focused activities. At that time, whilst not fully explicit, the inference was that some state owned accountability was associated to the encountered aggressive cyber attacks.

The concern is now, were we, or are we, at the tip of the cyber-iceberg, with the remainder seven-eighths staying out of view, suggesting we should expect to see more of these types of activities in the future? – many feel the conclusive answer is - Yes!

It is worrying that a new survey has found that whilst most business believe that they have comprehensive safeguards to protect data, they still run a high risk that every time an employee sends an email, connects to an unknown Internet resource, saves data to a USB stick, or posts messages on Twitter, or where data could be handed over to competitors or worse.

The recession is inevitably leading to job losses, a situation that was brought to focus in a recent survey by “Cyber-Ark” which found that 60% of workers in the City of London would be prepared to steal data from their employer if they thought their job was at risk and 40% had already downloaded data just in case.
Most worrying. .

History - 2008 - China has been accused of sponsoring cyber-terrorism

At the International Crime Science Conference in London in 2008 it was stated that the Chinese government was behind the 'Titan Rain' attacks on the US and the UK.

The attacks were identified as coming from servers in China, but the Chinese government has never officially been accused of being behind the assault.

"Up to last year (2007) people did not take it very seriously, and then there were state-sponsored Chinese groups and all sorts of groups attacking the UK and the US and getting into the infrastructure. That happened again earlier this year (2008)."  It was also stressed that, there was a problem with what could be state sponsored electronic terrorism - no matter how much collaboration you have internationally, if you have a state-sponsored terrorist coming out of China or Russia you are not going to get them.

Titan Rain is the name given by the US government to a coordinated series of attacks on US computer systems. Hackers gained access to many US computer networks, including those at Lockheed Martin and Nasa.

INTERNET RISK – THE ISSUE

Communities are at risk form Cyber Criminals, and Organised Crime, but the fact of the matter is, in the majority of cases the public are not aware of the vulnerable position they can be in when they use on-line resources (AKA the Internet) – say buying goods, services, using an I-Phone, setting up their Home based Wireless Internet Connection, or just opening an e-mail. Each action can and does carry risk!

For example are Internet users aware that approximately 95% of all e-mail in circulation is SPAM. Are users aware that simply opening an e-mail could lead to their on-line banking and credit card details being compromised by a Cyber Criminal!

The other questions are related to, after the fact security issues - if users do fall victim to an insecurity, would they be aware, and for that matter know where to go to resolve their exposure?

Wireless and Broadband connectivity has done much to support learning and education, and many young people now have computers in their bedrooms – but if they are connected to the Internet, do you know who these young users are talking to – and for that matter, do they?

Education & Awareness: The solution is User Security Education & Awareness. Out of work with the House of Lords, on the Security of the Internet Paper published in 2007, through to work with EURIM to support a number of vulnerable groups (both elders and the young), materialised into a Security for a Digital Britain Conference which was ran on 24^th September 2009 in Nottingham, and more local event of this type are needed.

It is not just about the end users, but organisations and businesses as well – in the last 12 months we have proven insecurity with the way organisations do business, and deploy their systems – ranging from showing businesses how it was possible to gain unfettered access to rear end information (some relating to the client accounts and passwords), loss of systems with customer data on (your information), exposure of on-line authorisation systems to gain unauthorised access to user accounts, through to finding holes in deployed systems which were hosting sensitive applications (which was subject to a Radio 4 Report in 2009).

Sorry for the repetition, but the answer to making a difference is to start to deploy some forms of Public Security Awareness & Education – as with smoking, if you buy a packet of cigarettes, they come with a health warning – maybe the same applies in the logical sense when one purchases a new computer, or other Internet enabled device.