mobile security strippedWe’re all familiar with the cartoon image of a character stopping a water leak by plugging a finger into the hole, only for another leak to start, needing another finger, and so on, until the character is soaked by a wave of water.

It’s a little like the current, fragmented state of mobile security – the range of threats is growing fast, outpacing current security measures. Also, the devices themselves have inherent vulnerabilities that can be exploited by resourceful attackers. So it’s no surprise that enterprises are struggling with the issue of mobile security.

Finding flaws and mRATs

The list of potential security challenges and vulnerabilities across Android and iOS devices is complex. It starts with the devices’ mobility: they are connecting to public cellular networks, corporate networks, public hotspots to home internet providers and back again. This makes them vulnerable to Man in the Middle (MitM) attacks via rogue cellular base stations, WiFi hotspots or compromised public networks, allowing attackers to track, intercept and eavesdrop on data traffic and even voice calls, using SS7 protocol exploits.

Then, the Android and iOS mobile operating systems themselves have been shown time and time again to be plagued with vulnerabilities that smart malicious hackers can exploit to their advantage. One major recent example is ‘Quadrooter’, a privilege escalation vulnerability shown to affect over 900 million Android devices. These vulnerabilities often have long patching cycles which can take months to roll out, leaving millions of devices vulnerable to remote attack.

Similarly, iOS has also recently been in the headlines after news broke that it had been compromised in the NSO hack. This affected all Apple devices, making the iOS, the phones resources and any application running on it, including security apps such as anti-virus, vulnerable to attack. It’s worth highlighting that this wasn’t discovered by Apple or any detection applications but was only discovered because the attacker was negligent in concealing it.

Mobile remote access trojans (mRATs) give an attacker the ability to remotely access the resources and functions on Android or iOS devices, and stealthily exfiltrate data without the user being aware. mRATs are often embedded in supposedly benign apps available from appstores. Compromised or falsely certified apps are another security risk, as they can allow attackers to remotely take over devices, using the device resources without the user being aware.

As a result, the mobile security industry is always playing catch-up. Zero-day attacks, where cybercriminals exploit inbuilt vulnerabilities on mobile operating systems that haven’t yet been patched or even identified, are a major ongoing problem.

Protection versus performance

Ultimately, there are three main threat vectors for mobile devices. These are: targeting and intercepting the communications to and from devices; targeting the devices’ external interfaces (Cellular, WiFI, Bluetooth, USB, NFC, Web etc.) for the purpose of device penetration and planting malicious code (virtually as well as physically); and targeting the data on the device and the resources/functions the device/underlying OS provides access to such as microphone, camera, GPS, storage, network connectivity, etc.

While there is a wealth of technologies designed to help manage the security gaps on devices – from Enterprise Mobile Management to mobile anti-malware– these protections come at a price. First, a collection of multiple security tools and processes is a big drain on processing power, complex to manage, and doesn’t really fix the underlying device and OS vulnerabilities. Second, the conventional approach to mobile security is based on locking down or denying features and functions. This causes further problems on the end user’s acceptance front. It’s critical to balance security and usability: If protecting the device forces people to change the way they use it, they will find workarounds that will also undermine security measures.

So if enterprises are to continue harnessing the benefits of mobile devices without compromising their performance and usability, then we need to rethink our approach to mobile security, from the ground up.

Secure foundations

This new approach starts with the foundations of the mobile device: the OS and firmware. As the various software layers on devices have fundamental vulnerabilities which can be exploited, these should be replaced with secure, hardened versions from which the flaws have been removed/patched and advanced security layers have been put in place to effectively manage and protect against those three threat vectors mentioned above. This means attackers cannot use their conventional techniques to target vulnerabilities – but the device is still using an OS that the user is familiar with, giving users access to the full app ecosystem, so usability is not affected or restricted.

This stronger foundation is then used to build a strong, security architecture consisting of four layers to address each of the three main mobile threat vectors. The first layer is the Encryption Layer, in charge of encrypting all data stored on the phone, as well as all traffic from and to the device, securing all communications, whether voice, data or messaging, from any network sniffing and man-in-the-middle attacks.

The second layer is the Protection Layer, securing the device’s externally available interfaces, from WiFi, cellular, USB, NFC, Bluetooth to web. These need protecting against threats using an embedded firewall to monitor and block all downloads and exploit attempts.

Next layer is the Prevention Layer, monitoring for unauthorized attempts to access operating system functions like stored data, the microphone or camera, location technology and so on. These need their own specialist protective technologies.

The final layer is the Detection and Enforcement Layer monitoring, detecting and blocking execution attempts of malicious code or misbehaving apps, in the same way that we currently monitor for device and network anomalies on corporate networks.

In conclusion, mobile security is currently too fragmented, and the range of threats growing too fast for conventional protections. Instead of plugging leaks as they appear, we need to start again, from the foundations up – and fundamentally rethink the way in which we protect and secure mobile devices.

Help Net Security

Sysadmins and devs, fresh from a weekend spoiled by last week's OpenSSL emergency patch, have another emergency patch to install.

One of last week's fixes, for CVE-2016-6307, created CVE-2016-6309, a dangling pointer security vulnerability.

As the fresh advisory states: “The patch applied to address CVE-2016-6307 resulted in an issue where if a message larger than approx 16k is received, then the underlying buffer to store the incoming message is reallocated and moved.

“Unfortunately a dangling pointer to the old location is left, which results in an attempt to write to the previously freed location. This is likely to result in a crash, however it could potentially lead to execution of arbitrary code.”

OpenSSL 1.1.0 users need to install 1.1.0b.

That one, rated critical, was turned up by Robert Święcki of the Google Security Team.

In the other bug (CVE-2016-7052), OpenSSL 1.0.2i omitted a certificate revocation list (CRL) sanity check from 1.1.0, meaning “any attempt to use CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.” Grab OpenSSL 1.0.2j to fix that one.

The latest patched code is available here or from your favorite operating system distribution. ®

Sponsored: Flash storage buyer's guide

The Register - Security

Welcome to “In Security,” the new biweekly web comic that takes a lighter look at the dark wave of threats crashing across business networks, endpoints, data and users. Click here for an introduction to the team.

What Is Ransomware?

Ransomware. While our friends at EveryApp manage to make it a laughing matter, the $ 209 million paid out to black hats in just the first three months of 2016 is nothing to scoff at.

This form of cryptovirology essentially says “stick ’em up” to unlock access to machines and vital data that has been scrambled by the bad guys. Organizations are reluctant to open their checkbooks to unlock the stolen goods, and for good reason. Less than half of ransomware victims fully recover their data even if they pay up. This is especially dangerous business when the data in question involves medical records or financial information.

Although ransomware has been a part of the threat landscape since 1996, it skyrocketed exponentially over the past few years. This has many organizations reeling, trying to figure out how to combat these attacks or, better yet, establish a proactive approach to thwarting these vexing vectors before they have a chance to garble gigs of precious data.

In Security web comic, episode 001 all about ransomware hitting the funny folks at EveryApp.

A Silent Danger

While ransomware has grown rapidly, it still represents an infinitesimal percentage of problems plaguing corporate systems. Although the attack strategies are generally more benign, malware and spyware still account for more than 96 percent of corporate data loss. They are a silent danger, stealing data and slowing systems over time as opposed to a one-and-done denial of service.

Also on the side of angels are companies ready to combat what experts expect to become a billion-dollar crime wave in the next few years.

Keeping Ransomware at Bay

Sadly, companies are most often attacked by insider threats. This doesn’t mean employees are making backroom deals with the mafia of the new millennium; they are simply rendering their organizations susceptible to attack, often unknowingly, through the course of daily business. Ransomware is still most often spread using malicious email links, followed by apocalyptic app downloads.

Education is key. CISOs and IT leaders should inform employees on best practices for endpoint management. They should also implement solutions to protect safe productivity and keep ransomware at bay.

Let us get you started on this lesson with a free report to help you get ahead of EveryApp and keep your black card in your wallet where it belongs.

Download the complete X-Force report: What you need to know about ransomware

Security Intelligence

The infamous Ramnit Trojan is on the prowl again, and this time it targets personal banking customers of six unnamed UK banks.

Ramnit Trojan rides again

The Trojan has not changed much since we last saw it targeting banks and e-commerce sites in Canada, Australia, the USA, and Finland in December 2015: it still uses the same encryption algorithms, and the same (but updated) data-grabbing, web-injection, and file-exfiltrating modules (the latter is after files with interesting keywords, like ‘wallet’, ‘passwords’, and bank names targeted in the configurations).

“The configuration side is where we can see that Ramnit has been preparing for the next phase, with new attack schemes built for real time web-fraud attacks targeting online banking sessions,” IBM X-Force researchers explain. “Not all attacks have to happen in real time or from the victim’s device. Ramnit’s operators can also gather credentials from infected users and use them at a later time, in account takeover fraud from other devices.”

IBM warns of the Trojan’s resurgence after X-Force researcher Ziv Eli spotted the malware’s operators have set up two new attack servers and a new command and control server.

Whether these are the same operators that developed and used Ramnit in the last six years and went into temporary hiding after, in February 2015, a coalition of European law enforcement agencies shut down C&C servers used by the RAMNIT botnet is impossible to tell.

The Trojan’s source code was never sold or shared on underground forums, and IBM researchers believe it to be either still in the hands of the original cybergang, or of another one that bought it off of them.

If past delivery techniques are used again, the Trojan will be spread via spam, malvertising and exploit kits. IBM has helpfully provided indicators of compromise for administrators to use to spot the malware.

Help Net Security

Export-Grade Crypto Patching Improves

August 3, 2016 , 10:00 am

Kaspersky Lab Launches Bug Bounty Program

August 2, 2016 , 9:00 am

Threatpost News Wrap, July 29, 2016

July 29, 2016 , 10:45 am

KeySniffer Vulnerability Opens Wireless Keyboards to Snooping

July 26, 2016 , 9:30 am

Upcoming Tor Design Battles Hidden Services Snooping

July 25, 2016 , 3:51 pm

EFF Files Lawsuit Challenging DMCA’s Restrictions on Security Researchers

July 21, 2016 , 1:18 pm

Oracle Patches Record 276 Vulnerabilities with July Critical Patch Update

July 20, 2016 , 9:21 am

Threatpost News Wrap, July 15, 2016

July 15, 2016 , 11:00 am

Academics Build Early-Warning Ransomware Detection System

July 14, 2016 , 1:05 pm

xDedic Hacked Server Market Resurfaces on Tor Domain

July 12, 2016 , 11:40 am

Conficker Used in New Wave of Hospital IoT Device Attacks

June 30, 2016 , 11:48 am

655,000 Healthcare Records Being Sold on Dark Web

June 28, 2016 , 10:00 am

Windows Zero Day Selling for $ 90,000

May 31, 2016 , 5:44 pm

Millions of Stolen MySpace, Tumblr Credentials Being Sold Online

May 31, 2016 , 1:37 pm

OTR Protocol Patched Against Remote Code Execution Flaw

March 10, 2016 , 10:23 am

Inside the xDedic Hacked Server Marketplace

June 16, 2016 , 10:00 am

uTorrent Forums User List Stolen

June 9, 2016 , 2:30 pm

Patched BadTunnel Windows Bug Has ‘Extensive’ Impact

June 15, 2016 , 3:23 pm

The Illusion Of An Encrypted Internet

June 7, 2016 , 12:56 pm

Meet the 18-Year-Old Who Hacked the Pentagon

June 21, 2016 , 3:15 pm

IoT Medical Devices: A Prescription for Disaster

July 11, 2016 , 11:31 am

Android KeyStore Encryption Scheme Broken, Researchers Say

July 7, 2016 , 11:52 am

Planes, Trains and Automobiles Increasingly in Cybercriminal’s Bullseye

June 29, 2016 , 8:19 am

Threatpost | The first stop for security news

Another month means another double bundle of security vulnerability patches for Android.

Google is sticking to the twin-release pattern it used last month: the first batch addresses flaws in Android's system-level software that everyone should install, and the second squashes bugs in hardware drivers and kernel-level code that not everyone needs.

The first patch set closes holes in Android 4.4.4 to the current build. Owners of Nexus gear will get these patches over-the-air very soon; everyone else will have to wait for their gadget makers and cellphone networks to issue them.

These holes include programming blunders in Mediaserver that can be exploited by a specially crafted MMS or an in-browser media file to potentially execute malicious code on a device. Getting a bad text or visiting an evil webpage could be enough to slip spyware onto your device, provided it is able to defeat ASLR and other defense mechanisms.

Mediaserver has other bugs, including four elevation-of-privileges holes allowing installed apps to gain more control of a device than they should, and code cockups that can crash a handheld.

The remaining patches address information leakages in the Wi-Fi, camera, SurfaceFlinger and Mediaserver code, and OpenSSL, all of which can be abused by installed apps to "access sensitive data without permission." The full list is here:

Issue CVE Severity Affects Nexus?
Remote code execution vulnerability in Mediaserver CVE-2016-3819, CVE-2016-3820, CVE-2016-3821 Critical Yes
Remote code execution vulnerability in libjhead CVE-2016-3822 High Yes
Elevation of privilege vulnerability in Mediaserver CVE-2016-3823, CVE-2016-3824, CVE-2016-3825, CVE-2016-3826 High Yes
Denial of service vulnerability in Mediaserver CVE-2016-3827, CVE-2016-3828, CVE-2016-3829, CVE-2016-3830 High Yes
Denial of service vulnerability in system clock CVE-2016-3831 High Yes
Elevation of privilege vulnerability in framework APIs CVE-2016-3832 Moderate Yes
Elevation of privilege vulnerability in Shell CVE-2016-3833 Moderate Yes
Information disclosure vulnerability in OpenSSL CVE-2016-2842 Moderate Yes
Information disclosure vulnerability in camera APIs CVE-2016-3834 Moderate Yes
Information disclosure vulnerability in Mediaserver CVE-2016-3835 Moderate Yes
Information disclosure vulnerability in SurfaceFlinger CVE-2016-3836 Moderate Yes
Information disclosure vulnerability in Wi-Fi CVE-2016-3837 Moderate Yes
Denial of service vulnerability in system UI CVE-2016-3838 Moderate Yes
Denial of service vulnerability in Bluetooth CVE-2016-3839 Moderate Yes

The second patch bundle contains fixes for driver-level code, and whether or not you need each of them depends on your hardware: if you have a chipset that introduces one of these vulnerabilities, you'll need to install a fix.

Nexus owners will get these automatically as necessary; other phone and tablet manufacturers may roll them out as and when they feel ready. That could be never in some cases.

The bundle predominantly fixes problems with Qualcomm's driver software – Qualy being a dominant phone system-on-chip designer, and its Snapdragon SoCs are used all over the place. These Qualcomm bugs are definitely ones to watch as these kinds of low-level flaws were used to blow apart Android's full-disk encryption system last month.

The patches includes fixes for Qualcomm's bootloader, and Qualcomm drivers for cameras, networking, sound, and video hardware. A malicious app on a Qualcomm-powered phone or tablet could exploit these to gain kernel-level access – completely hijacking the device, in other words. An app could use these holes to root a Nexus 5, 5X, 6, 6P and 7 so badly it would need a complete factory reset to undo the damage.

There are other bugs fixed in this batch because they can be exploited by malicious applications on Qualcomm-powered devices to access "sensitive data without explicit user permission." The full list is below:

Issue CVE Severity Affects Nexus?
Remote code execution vulnerability in Qualcomm Wi‑Fi driver CVE-2014-9902 Critical Yes
Remote code execution vulnerability in Conscrypt CVE-2016-3840 Critical Yes
Elevation of privilege vulnerability in Qualcomm components CVE-2014-9863, CVE-2014-9864, CVE-2014-9865, CVE-2014-9866, CVE-2014-9867, CVE-2014-9868, CVE-2014-9869, CVE-2014-9870, CVE-2014-9871, CVE-2014-9872, CVE-2014-9873, CVE-2014-9874, CVE-2014-9875, CVE-2014-9876, CVE-2014-9877, CVE-2014-9878, CVE-2014-9879, CVE-2014-9880, CVE-2014-9881, CVE-2014-9882, CVE-2014-9883, CVE-2014-9884, CVE-2014-9885, CVE-2014-9886, CVE-2014-9887, CVE-2014-9888, CVE-2014-9889, CVE-2014-9890, CVE-2014-9891, CVE-2015-8937, CVE-2015-8938, CVE-2015-8939, CVE-2015-8940, CVE-2015-8941, CVE-2015-8942, CVE-2015-8943 Critical Yes
Elevation of privilege vulnerability in kernel networking component CVE-2015-2686, CVE-2016-3841 Critical Yes
Elevation of privilege vulnerability in Qualcomm GPU driver CVE-2016-2504, CVE-2016-3842 Critical Yes
Elevation of privilege vulnerability in Qualcomm performance component CVE-2016-3843 Critical Yes
Elevation of privilege vulnerability in kernel CVE-2016-3857 Critical Yes
Elevation of privilege vulnerability in kernel memory system CVE-2015-1593, CVE-2016-3672 High Yes
Elevation of privilege vulnerability in kernel sound component CVE-2016-2544, CVE-2016-2546, CVE-2014-9904 High Yes
Elevation of privilege vulnerability in kernel file system CVE-2012-6701 High Yes
Elevation of privilege vulnerability in Mediaserver CVE-2016-3844 High Yes
Elevation of privilege vulnerability in kernel video driver CVE-2016-3845 High Yes
Elevation of privilege vulnerability in Serial Peripheral Interface driver CVE-2016-3846 High Yes
Elevation of privilege vulnerability in NVIDIA media driver CVE-2016-3847, CVE-2016-3848 High Yes
Elevation of privilege vulnerability in ION driver CVE-2016-3849 High Yes
Elevation of privilege vulnerability in Qualcomm bootloader CVE-2016-3850 High Yes
Elevation of privilege vulnerability in kernel performance subsystem CVE-2016-3843 High Yes
Elevation of privilege vulnerability in LG Electronics bootloader CVE-2016-3851 High Yes
Information disclosure vulnerability in Qualcomm components CVE-2014-9892, CVE-2014-9893, CVE-2014-9894, CVE-2014-9895, CVE-2014-9896, CVE-2014-9897, CVE-2014-9898, CVE-2014-9899, CVE-2014-9900, CVE-2015-8944 High Yes
Information disclosure vulnerability in kernel scheduler CVE-2014-9903 High Yes
Information disclosure vulnerability in MediaTek Wi-Fi driver CVE-2016-3852 High Yes
Information disclosure vulnerability in USB driver CVE-2016-4482 High Yes
Denial of service vulnerability in Qualcomm components CVE-2014-9901 High Yes
Elevation of privilege vulnerability in Google Play services CVE-2016-3853 Moderate Yes
Elevation of privilege vulnerability in Framework APIs CVE-2016-2497 Moderate Yes
Information disclosure vulnerability in kernel networking component CVE-2016-4578 Moderate Yes
Information disclosure vulnerability in kernel sound component CVE-2016-4569, CVE-2016-4578 Moderate Yes
Vulnerabilities in Qualcomm components CVE-2016-3854, CVE-2016-3855, CVE-2016-3856 High No

Based on past experience, Nexus users are going to get both sets of patches within the next seven days. Other Android users may have to wait an awful lot longer. ®

Sponsored: The Nuts and Bolts of Ransomware in 2016

The Register - Security