Could iPhones Become A Security Risk?
Security isn’t just a small set of known actions or rules to follow.
Security is a complex system that is only as strong as its weakest
component. Apart from the human factor, the intranets of many companies
may be compromised by users accessing them via iPhones. The Tech
Generation Daily covers this in its post Iphone “is a security threat” – maybe.
The story goes on: companies don’t appreciate the security risks that
iPhones pose, according to a self-interested survey from, yes, you’ve
guessed it, a security firm.
DeviceLock said that it has introduced endpoint security support for
iPhones and timed the survey with its launch.
The survey, conducted by Vanson Bourne, shows that 65 percent of IT
decision makers knew that unauthorised users could access company data
using the iPhone, while almost the same percentage said they hadn’t
taken steps to secure company data.
Worse than that, 40 percent of businesses let staff download data onto
removable devices without providing any security at all.
Sacha Chavrin said: “The consumerization of corporate IT is an
increasing problem for IT departments. The amount of removable and mobile
memory enabled devices that employees have on their person…is now
quite considerable.”
It means that the choice is either to tighten the security measures and
thus prevent a large number of consumers and staff from accessing
corporate data, with obvious negative effects, or to accept the possible
risk of allowing unauthorized access to data not intended for public access.
Although a reasonable level of network activity monitoring can at least
track such incidents and partially prevent them from happening, the
choice between easy access and safety can create a situation that many
customers are unlikely to accept. The iPhone, with most of its internals
closed to study for possible security flaws, brings an additional
element of vulnerability to all companies offering mobile access to
their data.
iPhone OS Critical SMS Vulnerabilities Being Patched
The ‘jailed’ environment in which all iPhone OS applications run was designed as a security precaution, too. However, the old truth remains valid: if security is tight enough to make users uncomfortable, they will seek ways to loosen it, and all kinds of undesired effects will follow. Ars Technica comments on the latest piece of iPhone news in Apple patching critical SMS vulnerability in iPhone OS.
It goes on: Safari Charlie says that Apple is working on a patch for a serious flaw he identified in the SMS implementation on the iPhone. Further, he warns that users interested in security should avoid jailbreaking their phones.
Security researcher Charlie Miller has revealed that Apple is working on a patch for a security flaw he identified in the iPhone’s SMS implementation. The flaw can actually lead to arbitrary code execution, as he explained to Ars last month. Miller hasn’t yet detailed the flaw, citing an agreement with Apple, though he and partner Vincenzo Iozzo plan to detail their discovery later this month at the Black Hat Security Conference in Las Vegas.
During a presentation at the SyScan security conference in Singapore, Miller explained that a vulnerability in the iPhone’s handling of SMS messages makes it possible to send code instead of strictly text. Despite SMS’s 140 byte size limitation, the iPhone can reassemble larger messages that are broken up to fit the limitation, which allows larger programs to be sent. The iPhone can be instructed to execute SMS data as code instead of text, and when it executes the code it does so with root privileges and without any interaction from the user.
This vulnerability makes it possible to then turn off the signed code checks built in to iPhone OS and load unsigned libraries. That basically allows an attacker to load a complete shell environment and have complete control over the device, including access to any data stored on it. Miller told Ars last month that he didn’t know if the vulnerability still existed in iPhone OS 3.0, though the fact that Apple is working on a patch—and already has iPhone OS 3.1 in beta—suggests it still exists in the latest version, despite Apple patching 46 other potential security issues in the update.
The important message is this: the signed code check, the one preventing users from installing arbitrary applications, is the very thing that makes users work around the check, thus opening their devices to many kinds of attacks. The very idea of total monitoring of user activity, with overall control over it, doesn’t make users happy and eventually brings up ‘discoveries’ similar to the bug mentioned above. The security level for any given environment shouldn’t be so strict that it makes users uncomfortable – beyond that point, the very idea of security dominating all other aspects becomes absurd.
Hardening Security: Protection For Virtual Machines
Well-known recent incidents in the hosting industry, in which virtual environment ‘hacks’ resulted in hundreds of VMs being taken over, have led to hardened security measures and new means of protecting virtual machines. FindMySoft, in its post Trend Micro Core Protection Software Secures Virtual Machines, announces further security hardening for VMware-based VMs.
The story goes: Trend Micro, a company that specializes in providing network antivirus and internet content security software, has decided to tackle the issue of virtual machines security and in this regard it has announced Core Protection, a security software solution that secures VMware ESX/ESXi environments. For the enterprise that uses Trend Micro Core Protection for Virtual Machines this translates into maximized economic benefits without giving up on datacenter security.
With Trend Micro Core Protection for Virtual Machines you can secure active and dormant VMware virtual machines in a comprehensive and efficient manner. Layered protection is ensured by using the VMsafe APIs from VMware and by using dedicated scanning VMs coordinated with real-time agents within the VM.
General Manager for the Enterprise Business Unit with Trend Micro, Tom Miller, comments: “As virtualization revolutionizes computing, it is introducing new risks to the security of the datacenter. Trend Micro Core Protection for Virtual Machines goes further than any other product in the industry towards providing specialized content security for virtual servers, both active and dormant, in today’s dynamic datacenter.”
Trend Micro Core Protection for Virtual Machines highlights:
- Security solution optimized for virtualized environments.
- Protects virtual machines (even dormant ones) against malware.
- Provides simplified security management by integrating with the VMware management infrastructure.
- It will be easy to deploy.
It is well known that virtual machines, while appearing well protected against the malware, hacks and other plagues of ‘real’ computers, are as vulnerable as both the host and the hosted OS are. Thus, in many cases a VM could be wide open to all kinds of attacks as a result of careless setup and a lack of system-level protection.
Virtualized hosting solutions are becoming more popular as a ‘budget’ replacement for expensive dedicated servers. Taking into account that VM users tend to treat ‘isolated’, in VM terms, as ‘well-protected’, additional layers of protection for both new and existing VMs could prevent the mentioned disaster from happening again. The advice for users of out-of-date VMware-based virtual machines would be both to upgrade and to monitor activity related to possible external threats, handling it properly when necessary.
The weak link: 12% of e-mail users have actually tried to buy stuff from spam
Lack of knowledge or simple carelessness may be responsible for the situation depicted by Ars Technica in its post 12% of e-mail users have actually tried to buy stuff from spam. The number is depressing, since it demonstrates why spam still exists and eats up precious network resources.
The post states: good luck trying to find an Internet user who admits to responding to spam. Still, they’re out there, and in pretty good numbers. According to a new report, a full 12 percent of Internet users have actually wanted to pay for some product or service being advertised by e-mail.
Be honest: have you ever responded to a spam e-mail? Do you know anyone who has? If you’re like most of us at Ars, you can’t fathom why anyone would respond to most of the messages we get, but a new study released by the Messaging Anti-Abuse Working Group (MAAWG) shows that there are just enough people responding to make spamming worthwhile—especially since most spam these days is sent by botnets.
According to the group’s latest report, a disturbing number of e-mail users respond to spam, and not just because they’re dumb — some of them did so because they were actually interested in the product or service. Shocking, we know.
The MAAWG conducted 800 interviews by phone and Internet across the US with people who had e-mail addresses not managed by a corporate IT staff. It found that two-thirds of the group said that they were very or somewhat experienced with Internet security, and a majority used filters of some kind in order to avoid spam. Eighty-two percent were aware of bots and botnets, though not many believed they were at risk of being victimized by one.
Slightly less than half (48 percent) said that they have never clicked on a spam e-mail. That’s the good news, but that means the other half have clicked on or responded to spam. But why? The answers will undoubtedly horrify you. A full 12 percent said that they were interested in the product or service being offered—those erection drug and mail order bride ads do reach a certain market, it appears.
Seventeen percent said that they made a mistake when they did so—understandable—but another 13 percent said they simply had no idea why they did it; they just did. Another six percent “wanted to see what would happen.”
The above statistics can be explained either by lack of knowledge or by ignoring the fact that spam exists, and will keep existing, only as long as it works. The information era hasn’t yet formed a relevant code of ethics, thus allowing spam and other kinds of dubious activity to thrive.
Taking into account the informational aspect of the problem, the only reasonable technical solution is monitoring network activity and marking as suspicious not only the sites and servers created to exploit vulnerabilities in search engine algorithms to promote miscellaneous goods and services, but also all the resources known to use unsolicited mass advertisement (via email and other means of communication). No more than a workaround, this can only filter out junk information while a more permanent solution is being invented.
Network security basics: protecting one’s network against cyber-attacks
The Internet wasn’t meant to be an exact replica of the real world, with its threats and dangers projected into cyberspace. The very nature of many protocols and services doesn’t assume there could be denial-of-service and other kinds of attacks, or deliberate misuse of resources. Astaro Internet Security mentions several basic ideas in their post How to protect your network from cyber-attacks.
It is said that there are three measures network administrators can take to avoid the types of network attacks that plague government websites in many countries nowadays. The three areas to focus on are network based mitigation, host based mitigation and proactive measures.
Network based mitigation:
- Install IDS/IPS with the ability to track floods (such as SYN, ICMP etc.)
- Install a firewall that has the ability to drop packets rather than have them reach the internal server. The nature of a web server is such that you will allow HTTP to the server from the Internet. You will need to monitor your server to know where to block traffic.
- Have contact numbers for your ISP’s Emergency Management Team (or Response team, or the team that is able to respond to such an event). You will need to contact them in order to prevent the attack from reaching your network’s perimeter in the first place.
Host based mitigation:
- Ensure that HTTP open sessions time out at a reasonable time. When under attack, you will want to reduce this number.
- Ensure that TCP also times out at a reasonable time.
- Install a host-based firewall to prevent HTTP threads from spawning for attack packets.
Proactive measures:
For those with the knowhow, it would be possible to “fight back” with programs that can neutralize the threat. This method is used mostly by networks that are under constant attack such as government sites.
However, one could add that prevention is in most cases much more productive than defense and counterattacks. Most attackers use brute force or exploits for known vulnerabilities at random; if the problem isn’t handled as soon as possible, the number and thoroughness of attacks may grow, especially if the site or service under attack is of great importance.
In other words, the optimal network security strategy is to use network monitoring and early prevention to detect possible threats and take measures quickly, in as automated a manner as possible. It also has a social effect: if a network stops major assaults quickly and takes little or no damage, its reputation can deter most would-be attackers (not all cyber-crimes are committed with the single purpose of deliberately harming the target).
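The flood tracking and session time-out advice above can be illustrated with a small added example (not code from the Astaro post or any product): a per-destination tracker that counts half-open TCP handshakes and ICMP packets and expires stale entries. The class and function names, the limits, and the packet records are all assumptions constructed for illustration; timestamps are in milliseconds and addresses come from the documentation ranges.

```python
from collections import defaultdict, deque


class FloodTracker:
    """Per-destination tracker for half-open TCP handshakes and ICMP rate."""

    def __init__(self, timeout_ms=5000, syn_limit=50, icmp_limit=100):
        self.timeout_ms = timeout_ms    # lifetime of a half-open entry / ICMP sample
        self.syn_limit = syn_limit      # tolerated half-open handshakes per destination
        self.icmp_limit = icmp_limit    # tolerated ICMP packets per destination per window
        self.half_open = defaultdict(dict)   # dst -> {(src, sport): SYN time}
        self.icmp = defaultdict(deque)       # dst -> ICMP arrival times
        self.alarmed = set()                 # (dst, kind) pairs already reported

    def _expire(self, dst, now):
        cutoff = now - self.timeout_ms
        pending = self.half_open[dst]
        for key in [k for k, t in pending.items() if t < cutoff]:
            del pending[key]            # handshake never completed: time it out
        times = self.icmp[dst]
        while times and times[0] < cutoff:
            times.popleft()

    def _check(self, dst, kind, level, limit):
        key = (dst, kind)
        if level <= limit:
            self.alarmed.discard(key)   # back to normal, re-arm the alert
            return []
        if key in self.alarmed:
            return []                   # already reported this episode
        self.alarmed.add(key)
        return [(dst, kind, level)]

    def observe(self, ts, src, sport, dst, kind):
        """Feed one packet record; return the alerts it newly triggers."""
        self._expire(dst, ts)
        if kind == "SYN":
            self.half_open[dst][(src, sport)] = ts
        elif kind == "ACK":             # final ACK of the three-way handshake
            self.half_open[dst].pop((src, sport), None)
        elif kind == "ICMP":
            self.icmp[dst].append(ts)
        return (self._check(dst, "SYN", len(self.half_open[dst]), self.syn_limit)
                + self._check(dst, "ICMP", len(self.icmp[dst]), self.icmp_limit))


def constructed_sample():
    """Constructed records (ms, src, sport, dst, kind); documentation addresses."""
    web = "192.0.2.10"
    records = []
    for i in range(30):                 # normal clients complete the handshake
        records.append((i * 200, "198.51.100.7", 40000 + i, web, "SYN"))
        records.append((i * 200 + 50, "198.51.100.7", 40000 + i, web, "ACK"))
    for i in range(20):                 # routine pings, well under the limit
        records.append((i * 300, "198.51.100.9", 0, web, "ICMP"))
    for i in range(200):                # 200 SYNs in 2 s, none ever completed
        records.append((10000 + i * 10, f"203.0.113.{i + 1}", 1024 + i, web, "SYN"))
    return sorted(records, key=lambda r: r[0])


def replay(records, **settings):
    """Run records through a tracker; return (alerts, peak half-open table size)."""
    tracker = FloodTracker(**settings)
    alerts, peak = [], 0
    for ts, src, sport, dst, kind in records:
        alerts += tracker.observe(ts, src, sport, dst, kind)
        peak = max(peak, len(tracker.half_open[dst]))
    return alerts, peak


if __name__ == "__main__":
    for timeout_ms in (5000, 500):
        print(timeout_ms, replay(constructed_sample(), timeout_ms=timeout_ms))
```

With either time-out the flood is reported once, but the shorter time-out caps the table of pending handshakes at a fraction of its size under the longer one, which is the reason for reducing time-outs while under attack.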
Spam email: a social engineering tool of new age
Spam email, the primary type of junk Internet content, has plagued us for decades. The Tech Blorge blog mentions an important point in its post Spam email fools millions of American Internet users: junk mail can serve not only for selling illegal stuff and committing fraud, it is also a mighty tool for influencing many people.
The post goes on: spam email has been with us for over 30 years now, having celebrated its birthday in May 2008. With that in mind, surely it’s been with us long enough that no one is now fooled into responding to the offers of mail order brides or penis enlargement solutions. Apparently not.
The phenomenon that has come to be known as spam was born on May 3, 1978, after a U.S. computer company sent out a message regarding a product launch to 400 email addresses. At that time, each email had to be sent manually by an actual human being. These days the whole thing is a lot easier for the crooks behind them, with botnets handling the process automatically.
Spam email ranges from phishing attempts, with criminals trying to persuade you to readily give up your bank or credit card details, to offers for weight loss cures, replica versions of branded products, and a lot more besides. Spam has become something which most people ignore, letting their email provider deal with it so they don’t have to.
But not everyone has cottoned onto the practice of spam email. Ars Technica reports on a new study by the Messaging Anti-Abuse Working Group (MAAWG) which suggests there are still a great many gullible people out there.
The MAAWG conducted 800 interviews both by phone and on the Internet. Everybody interviewed was resident in the U.S. and had an email address considered private and for home use. Although the majority of interviewees claimed to be experienced with Internet security, the numbers taken in by spam email are vast.
A slight minority of 48 percent stated they had never clicked on a spam email. But that leaves a majority 52 percent who had done so, and had admitted as much. Twelve percent of interviewees claimed to have responded to a spam email because they were actually interested in the product or service being advertised. Seventeen percent claimed they had made a mistake, 13 percent did it for no particular reason, while another 6 percent did it just to see what would happen.
These frightening numbers should bring more attention to the junk mail problem: since so many people are willingly reading the email, spam’s influence on minds and habits may be much stronger than one would suspect. The majority of spam is dedicated to promoting and selling illegal goods and services, but as spam’s share of all circulating information grows, it can start serving as a tool of social engineering, manipulating people by creating predefined patterns of attitude to brands, events and viewpoints.
Security is mostly in minds, not in algorithms or hardware. The habit of totally ignoring spam email, of treating any unsolicited mass email as a possible threat and thus a piece of junk, could severely impact the whole spam industry. The very fact that it grows and thrives indicates that the basic principle of security – “human beings must be as reliable as any other part of security system” – is too distant to reach in the immediate future.
Hacker attacks: the human factor is vital in providing security
Regardless of how efficient, stable and reliable security measures are, human habits are the main source of problems, as Ghana Business News mentions in its post Hackers target companies on Twitter. Modern hackers are very selective in how they choose their targets: the higher a person’s rank, the more important the data that can be obtained by compromising their accounts.
As the post states, hackers are getting more creative in targeting certain companies and Twitter has recently discovered the consequences of such an attack. About a month ago, an administrative employee at Twitter was targeted and her personal e-mail was hacked, according to a blog post today by Twitter co-founder Biz Stone. The hacker used information in the e-mail account to access this employee’s Google Apps account, which contained a wide variety of Twitter documents from ideas to financial details. Today TechCrunch said it had received 310 confidential Twitter documents in a zip file from the hacker who calls himself Hacker Croll.
In the last few years, security experts have seen an increase in the amount of highly-targeted attacks. Unlike, say, massive spam campaigns designed to get employees to divulge personal information like bank accounts, these types of attacks involve hackers targeting anywhere from one to five employees within a company. The motive is to steal confidential information that the hacker will use to make a profit, says Patrik Runald, chief security advisor at F-Secure, a security firm. The types of organizations frequently targeted in these attacks are defense contractors, governments and non-profits with ties to Tibet, he says.
After the Twitter incident first became public, some speculated about the quality of Google’s security but Biz Stone absolved Google Apps in his blog post. “This attack had nothing to do with any vulnerability in Google Apps which we continue to use,” he wrote. Instead, he wrote, the incident underscored the need for choosing strong passwords.
The simplest and most obvious truths – passwords must not be too trivial; one shouldn’t use the same password for different services; one shouldn’t divulge login credentials to untrusted parties – are not treated with the proper attitude.
It is well known that the more secure a system is, the less comfortable it becomes. E.g., if all critical actions such as changes of password, contact email etc. are monitored, and password strength and history are stored to prevent re-use, the system becomes quite vulnerable on the other side: anyone with access to the database of used credentials can learn the patterns people use to generate safer passwords. Also, if a system urges its users to change their passwords frequently, it becomes very unfriendly and uncomfortable. However, for officials with access to very confidential and important data, these measures should be considered appropriate, since a data leak can cost too dearly.
Network security: trust is the essence
Online Security Authority has published a post dedicated to Security and Network Vulnerability Assessment, and it makes a very important point about the relationship between security issues and human nature: trust is the essence of every area where security issues are involved.
Cyber-criminals would have to search for another job, could they not rely on two big “friends”, goes the mentioned post. Human nature, with its traits of trusting, negligence, credulousness, and curiosity is surely the strongest leverage in any hacker’s arsenal. Even in a world of advanced technology, hackers will use human weakness to unveil otherwise secure doors. However, technology is not perfect and telecom systems offer several opportunities to be exploited. These technical flaws are known as vulnerabilities.
Vulnerabilities in the whole World Wide Web are exploited all the time to attain control of computers and the complete networks and gain access to confidential data. Those network vulnerabilities can be found everywhere, but specifically in the web browsers and their plug-ins; in web servers and application software; and also in core equipments of the underlying network infrastructure of the Internet.
Unluckily, the host of the security coercion doesn’t end here. Big flaws can be found and exploited in several areas such as office programs, all operating systems, network devices, mobile device platforms and applications, to name a few.
These entire technical flaws give hidden doors that can be utilized to find a way around your security software, and “drop” a small program, which will “hook” your computer to a particular Botnet. Once captivated, your system will not show any problem and might even go unobserved to your existing antivirus and firewall software. In reality, that is the key aim of high-calibre hacker: to form a perfect piece of software, able to invisibly land and plant itself deep into a computer system, but ready to be activated when needed.
Trust, reputation, habits: these three should be taken into account when devising security-related tools and means to oppose today’s cyber-threats. It is also important to handle any situation involving a security risk without disrupting end users’ trust in the products and services they were using: even if the problem was caused by a user’s lack of competence and/or by vulnerabilities found in a piece of software or service, the cure should not be worse than the disease.
People are easily manipulated when they see names and trademarks they rely upon. These trust exploits should not result in negative effects, mainly distrust. All products and services may have flaws; security holes are routinely found in many pieces of software because the Internet changes and evolves, and social engineering may compromise even the strongest and most secure product by attacking its users, the weakest link in all security systems.
Network Security News blog created
This blog is dedicated to network security and network monitoring news and announcements.