Read the EDA’s Report on Malware Infections – Malware Infections on EDA’s Systems Were Overstated and the Disruption of IT Operations Was Unwarranted
Researchers have spotted the first in-the-wild apps to exploit a critical Android vulnerability allowing attackers to inject malicious code into legitimate programs without invalidating their digital signature.
The two apps, distributed on unofficial Android marketplaces in China, help people find doctors and make appointments, according to a blog post published Tuesday by researchers from security firm Symantec. By exploiting the recently disclosed “master key” vulnerability—or possibly a separate Android flaw that’s closely related (English translation here)—attackers were able to surreptitiously add harmful functions to the apps without changing the cryptographic signature that’s supposed to ensure the apps haven’t been modified.
“An attacker has taken both of these applications and added code to allow them to remotely control devices, steal sensitive data such as IMEI and phone numbers, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands, if available,” a Symantec researcher wrote. “Using the vulnerability, the attacker has modified the original Android application by adding an additional classes.dex file (the file which contains the Android application code) and also adding an additional Android manifest file (the file which specifies permissions).”
A snippet of malicious code injected into a legitimate Android app.
Despite its name, the master key vulnerability doesn’t involve any cracking of the underlying cryptography in the Android security model. Rather, it exploits a disagreement between two parsers over an archive that contains two files with the same name. An APK (short for Android package) is in essence a .ZIP archive that uses a different extension and carries a prescribed set of specially named files inside. According to Sophos’s Paul Ducklin, Android’s cryptographic verifier checks the signature against the first instance of a duplicated file name, but the installer extracts and deploys the last one. The exploit, developed by researchers from security startup Bluebox, therefore packages the original, digitally signed copy of a file together with a second entry of the same name whose contents the attacker controls: the verifier approves the legitimate copy, and the installer runs the modified one.
A related attack works in much the same way, except it always involves stashing two different versions of a file named classes.dex. It works only when the targeted file contained in an APK is of a specific byte length, so it’s not as flexible as the master key attack. The mention of the classes.dex file in Tuesday’s blog post from Symantec suggests the malicious apps may have made use of this related exploit. For an explanation of the classes.dex attack and how it differs from the master key exploit, see posts here and here from Kaspersky Lab and Sophos.
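The parser mismatch described above is easy to reproduce on a toy archive. The script below is an added example written for this page; it is not code from Symantec, Bluebox, Sophos or the Android project. It builds a ZIP (a stand-in for an APK) whose central directory lists classes.dex twice with different contents, then models the two sides of the bug: a verifier that resolves a name to its first entry and an installer that resolves it to its last entry. In real Android the two sides were a Java verifier and a native installer; here both are small Python models, and whichever side takes which copy, the point is that a signature computed over one copy says nothing about the other. The final function is the check a scanner should apply to an APK: any repeated entry name is a red flag, and the safe response is to reject the archive outright. The entry contents and file names are constructed for the demonstration.

```python
"""Model the Android "master key" duplicate-entry bug on a toy ZIP archive.

Constructed example: the archive below stands in for an APK and carries two
entries both named "classes.dex". A verifier that takes the first match and an
installer that takes the last match see different bytes.
"""
import io
import warnings
import zipfile
from collections import Counter

ENTRY = "classes.dex"
LEGIT = b"dex\n035\x00 legitimate code"      # constructed stand-in for the signed copy
MALICIOUS = b"dex\n035\x00 attacker code"    # constructed stand-in for the injected copy


def build_zip(entries: list[tuple[str, bytes]]) -> bytes:
    """Return an uncompressed ZIP containing `entries` in the given order.

    Names may repeat: zipfile only warns about duplicates, so the archive ends
    up with two central-directory records for the same name, exactly the
    shape the exploit relies on.
    """
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # silence zipfile's "Duplicate name" warning
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def read_first_match(zip_bytes: bytes, name: str) -> bytes:
    """Model of a verifier that binds a name to the FIRST entry carrying it."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                return zf.read(info)  # pass the ZipInfo, not the name, to pin this entry
    raise KeyError(name)


def read_last_match(zip_bytes: bytes, name: str) -> bytes:
    """Model of an installer that binds a name to the LAST entry carrying it."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        chosen = None
        for info in zf.infolist():
            if info.filename == name:
                chosen = info
        if chosen is None:
            raise KeyError(name)
        return zf.read(chosen)


def duplicate_entries(zip_bytes: bytes) -> list[str]:
    """Scanner check: return every entry name that appears more than once.

    A well-formed APK never repeats a name, so a non-empty result means the
    archive should be rejected rather than installed.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return sorted(name for name, n in counts.items() if n > 1)


if __name__ == "__main__":
    pkg = build_zip([(ENTRY, LEGIT), ("AndroidManifest.xml", b"<manifest/>"), (ENTRY, MALICIOUS)])
    print("verifier checks :", read_first_match(pkg, ENTRY))
    print("installer runs  :", read_last_match(pkg, ENTRY))
    print("duplicate names :", duplicate_entries(pkg))
```

Run as-is to see the verifier and installer disagree on the same archive. The detection function works on real APKs too, since it only inspects the central directory; point `zipfile.ZipFile` at the file instead of a `BytesIO`.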
First but probably not the last
Google has already issued updates to prevent attackers from using the exploits to tamper with legitimate apps found in the official Google Play store. The company has also released updates to handset manufacturers and carriers. But given the track record of millions of Android phones that never, or only rarely, receive updates to patch dangerous security vulnerabilities, it’s a fair bet that many handsets will remain vulnerable. Readers are strongly encouraged to obtain apps only from Google Play and to think long and hard before changing the default settings that prevent “side loading” of apps from alternative sources. A variety of apps, including this one from Bluebox and Norton Mobile Security from Symantec, will also flag apps modified by one or both of these exploits.
While researchers have identified several apps available in Google Play that exploit the master key bug, those modifications appear to have been inadvertent and harmless. The apps spotted by Symantec appear to be the first reports of a malicious exploit. They probably won’t be the last.
There is great information in SC Magazine’s latest whitepaper, ‘Four steps to respond and recover from sophisticated security attacks’. It discusses the four proactive steps that you can, and should, take now to help keep your organization safe. Click here to view more details: http://bit.ly/131uu2J
As we all know, cyber-attacks are becoming more sophisticated every year. At the same time, IT resources are moving outside the firewall and enterprises are distributing their applications and data across multiple devices. It is no longer enough to protect only an organization’s perimeter: these sophisticated attacks, which include APTs, bypass traditional defenses as well.
To discover the four steps, please download the paper for free here: http://bit.ly/131uu2J
The overwhelming advantages of cloud-based file storage are not in dispute. You have an automatic backup of your files, which can be accessed on any device, at any time. Small amounts of storage are generally free, and large swathes of server space are coming down in price all the time. These services absolve your business of the headaches of backup management, disaster recovery, and bandwidth for instant anytime access.
Convenient? Yes, most definitely. Safe and suitable for the enterprise? Well … let’s take a closer look.
The rise of cloud-based file syncing services like Dropbox has led the charge to offer cross-platform syncing for your personal files, and all the major players have followed suit, from Google (Google Drive) to Microsoft (SkyDrive) to Apple (iCloud). There are also Box, SugarSync, and many, many more. For consumers they are perfect, providing easy instant access to photos and documents from any device. That familiarity and accessibility is why they’ve crept into the enterprise.
According to Gartner analysts, “File sync and sharing is a critical capability for mobile workforces whose organizations have ongoing mobility initiatives with media tablets and BYOD programs.” But, they say, there are growing “concerns about the consequent lack of control on corporate information and progressive security and compliance exposures.”
The most obvious elephant in the room with third-party file synchronization is security. You trust these companies to keep your files safe and secure at all times. What kind of authentication do they use? Your files may be encrypted in transit, but all too often they are decrypted on arrival and stored in the clear on the cloud server, where the provider (and anyone who compromises it) can read them. Have they ever had a security breach? Is there any provision for client-side encryption, so that only you hold the keys? What about compliance? Are you living up to the standards that your industry or your clients demand?
You are also assuming that the providers have a disaster recovery policy. What is their level of commitment to keeping your files safe? How soon could you access a backup if there was a problem? Would there be any data loss? Where are your files physically stored?
Manageability is another concern. How well do these solutions integrate with your corporate structure? How do you manage user access and set the right permissions for staff? Is there any consideration of version control to prevent documents being overwritten, or to deal with simultaneous updates? Can you prevent employees from leaking data, or taking it with them when they leave?
It’s important to get answers to these questions before you give away the keys to your corporate file system.
If you can’t beat them
Trying to block the use of these third-party cloud-based services is not a viable solution unless you are going to offer employees a good alternative. The advantages are too numerous, employees will use these services regardless of policy, and the risk of data leakage when they go outside your IT systems is even greater. What you need to do is seek out a secure alternative that brings control and oversight back to your IT department.
Much like the BYOD trend, the use of cloud-based services for sharing files is widespread and it’s likely that your employees are already using them, whether they are officially sanctioned or not.
If you don’t take immediate action to regain control over your assets, there’s a real risk you’re going to lose data. For some enterprises it’s vital to retain control over data and host their own files. It’s still possible to set up a secure pipeline for document sharing so that employees can access files remotely.
Collaboration via the cloud can certainly be a good thing too, and many providers are starting to address enterprise concerns.
When you select a solution make sure that you have in-house controls, so you know exactly where your data is and who has access to it at all times. Make sure that you know what your cloud service partners can commit to. Don’t assume that your data is safe when you can’t even say exactly where it is.
By Michelle Drolet, founder and CEO, Towerwall
Special to Boston Business Journal – Tech Flash
This article was recently published in Boston Business Journal
Hi all, there is an e-mail scam doing the rounds. The message is a LinkedIn invitation from some random person you won’t know, with a link (how original). If you get such a message, don’t use the link; check your LinkedIn account instead, because if it’s a legitimate request it will be there waiting for approval.
Even if it is legit, make sure you vet all invite requests carefully. I have had several dodgy requests from what I believe to be bogus profiles who are likely up to no good. LinkedIn is about the quality of your contacts not the quantity.
Stay safe, and have a happy and safe 4th of July.